Skip to content

feat: Initial release #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
amanstep merged 6 commits into from
Sep 19, 2025
Merged

feat: Initial release #2

amanstep merged 6 commits into from
Sep 19, 2025

Conversation

@amanstep
Copy link
Collaborator

@amanstep amanstep commented Sep 18, 2025

No description provided.

@amanstep amanstep added the review required Claude review required for PR. label Sep 18, 2025
Raj-StepSecurity
Raj-StepSecurity reviewed Sep 18, 2025
View reviewed changes
Raj-StepSecurity
Raj-StepSecurity reviewed Sep 18, 2025
View reviewed changes
Raj-StepSecurity
Raj-StepSecurity reviewed Sep 18, 2025
View reviewed changes
@Raj-StepSecurity
Copy link
Contributor

Raj-StepSecurity commented Sep 18, 2025

check for both claude comments

@step-security step-security deleted a comment from claude bot Sep 18, 2025
@step-security step-security deleted a comment from claude bot Sep 18, 2025
@step-security step-security deleted a comment from claude bot Sep 18, 2025
@claude
Copy link

claude bot commented Sep 18, 2025
edited
Loading

Claude finished @amanstep's task —— View job

Claude Code PR Review

Conducted comprehensive review of this Docker-based GitHub Action PR based on Step Security criteria.

Review Tasks:

  • Identify action type (Docker/Node/Composite)
  • Check general requirements (license, author, security.md, workflows, etc.)
  • Verify Docker-based action specific requirements
  • Review security vulnerabilities
  • Check if previous reviewer feedback has been addressed
  • Provide comprehensive feedback

✅ General Requirements - COMPLIANT

  • License: ✅ Present with copyright for both Step Security (2025) and PlanetScale (2023) as original author (LICENSE:190-191)
  • Author in action.yaml: ✅ Set to "step-security" (action.yaml:3)
  • Security.md: ✅ Present and correct
  • FUNDING files: ✅ None present (correct)
  • Required workflows: ✅ All present (.github/workflows/auto_cherry_pick.yml, actions_release.yml, claude_review.yml)
  • Forbidden files: ✅ None present (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README usage examples: ✅ Uses major version (@v0) instead of full semver (README.md:45, 57)
  • Subscription check: ✅ Correctly implemented in entrypoint.sh:7-23 with proper API URL

❌ Docker-based Action Requirements - CRITICAL ISSUES FOUND

  1. Published docker image: ❌ CRITICAL - action.yaml:36 uses local "Dockerfile" instead of a published image from ghcr.io/step-security org
  2. Major version tagging: ❌ CRITICAL - docker.yaml:54-55 only tags with full semver, missing major version tags
  3. Security hardening: ❌ Missing harden-runner from workflows:
    • ci.yaml:13 (uses pinned SHA checkout but no harden-runner)
    • licensing.yaml:17 (uses pinned SHA checkout but no harden-runner)

✅ Security Analysis - SECURE

  • No security vulnerabilities detected in the code
  • Proper input validation and error handling in entrypoint.sh
  • Secure subscription check implementation with timeout handling (entrypoint.sh:7-23)
  • No secrets or sensitive information exposed

❌ Previous Review Comments - PARTIALLY ADDRESSED

The PR still has unresolved review comments from Raj-StepSecurity:

  1. docker.yaml: Remove pinned SHAs and update with latest tags (NOT ADDRESSED - ci.yaml:13 and licensing.yaml:17 still use pinned SHAs)
  2. README.md: Remove unspecified line (UNCLEAR - specific line not identified)
  3. README.md:36: Update version to v5 (NOT FOUND - no v5 reference exists in README)

🔧 Critical Issues Requiring Resolution

HIGH PRIORITY:

  1. Fix Docker image usage: Update action.yaml:36 to use published image:

    runs:
  using: "docker"
  image: "ghcr.io/step-security/ghcommit-action:v0"

  2. Add major version tagging: Update docker.yaml:54-55 to include major version:

    tags: |
  ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}
  ghcr.io/${{ github.repository }}:v0

  3. Add harden-runner: Include step-security/harden-runner in workflows:

    • Add to ci.yaml before actions/checkout (line 13)
    • Add to licensing.yaml before actions/checkout (line 17)

MEDIUM PRIORITY:
4. Address reviewer feedback:

  • Update pinned SHAs in ci.yaml:13 and licensing.yaml:17 to latest tags
  • Clarify which README.md line needs removal

Overall Assessment

This action FAILS Docker-based action requirements due to critical issues with Docker image usage and tagging. The action uses a local Dockerfile instead of a published image, which violates Step Security requirements for Docker-based actions.

@step-security step-security deleted a comment from claude bot Sep 18, 2025
@claude
Copy link

claude bot commented Sep 18, 2025
edited
Loading

Claude finished @amanstep's task —— View job

Claude Code PR Review

Conducted comprehensive review of this Docker-based GitHub Action PR based on Step Security criteria.

Review Tasks:

  • Identify action type (Docker/Node/Composite)
  • Check general requirements (license, author, security.md, workflows, etc.)
  • Verify Docker-based action specific requirements
  • Review security vulnerabilities
  • Check if previous reviewer feedback has been addressed
  • Provide comprehensive review feedback

✅ General Requirements - COMPLIANT

  • License: ✅ Present with copyright for both Step Security (2025) and PlanetScale (2023) as original author (LICENSE:190-191)
  • Author in action.yaml: ✅ Set to "step-security" (action.yaml:3)
  • Security.md: ✅ Present and correct
  • FUNDING files: ✅ None present (correct)
  • Required workflows: ✅ All present (.github/workflows/auto_cherry_pick.yml, actions_release.yml, claude_review.yml)
  • Forbidden files: ✅ None present (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README usage examples: ✅ Uses major version (@v0) instead of full semver (README.md:45, 57)
  • Subscription check: ✅ Correctly implemented in entrypoint.sh:7-23 with proper API URL

❌ Docker-based Action Requirements - CRITICAL ISSUES FOUND

  1. Published docker image: ❌ CRITICAL - action.yaml:36 uses local "Dockerfile" instead of a published image from ghcr.io/step-security org
  2. Major version tagging: ❌ CRITICAL - docker.yaml:54-55 only tags with full semver, missing major version tags
  3. Security hardening: ❌ Missing harden-runner from workflows:
    • ci.yaml:13 (uses pinned SHA checkout but no harden-runner)
    • licensing.yaml:17 (uses pinned SHA checkout but no harden-runner)

✅ Security Analysis - SECURE

  • No security vulnerabilities detected in the code
  • Proper input validation and error handling in entrypoint.sh
  • Secure subscription check implementation with timeout handling (entrypoint.sh:7-23)
  • No secrets or sensitive information exposed

❌ Previous Review Comments - PARTIALLY ADDRESSED

The PR still has unresolved review comments from Raj-StepSecurity:

  1. docker.yaml: Remove pinned SHAs and update with latest tags (NOT ADDRESSED - ci.yaml:13 and licensing.yaml:17 still use pinned SHAs)
  2. README.md: Remove unspecified line (UNCLEAR - specific line not identified)
  3. README.md:36: Update version to v5 (NOT FOUND - no v5 reference exists in README)

🔧 Critical Issues Requiring Resolution

HIGH PRIORITY:

  1. Fix Docker image usage: Update action.yaml:36 to use published image:

    runs:
  using: "docker"
  image: "ghcr.io/step-security/ghcommit-action:v0"

  2. Add major version tagging: Update docker.yaml:54-55 to include major version:

    tags: |
  ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}
  ghcr.io/${{ github.repository }}:v0

  3. Add harden-runner: Include step-security/harden-runner in workflows:

    • Add to ci.yaml before actions/checkout (line 13)
    • Add to licensing.yaml before actions/checkout (line 17)

MEDIUM PRIORITY:
4. Address reviewer feedback:

  • Update pinned SHAs in ci.yaml:13 and licensing.yaml:17 to latest tags
  • Clarify which README.md line needs removal

Overall Assessment

This action FAILS Docker-based action requirements due to critical issues with Docker image usage and tagging. The action uses a local Dockerfile instead of a published image, which violates Step Security requirements for Docker-based actions.

varunsh-coder
varunsh-coder reviewed Sep 19, 2025
View reviewed changes
Dockerfile Outdated
FROM --platform=$TARGETARCH ghcr.io/planetscale/ghcommit:v0.1.74 AS ghcommit

# hadolint ignore=DL3007
FROM --platform=$TARGETARCH pscale.dev/wolfi-prod/base:latest AS base
Copy link
Member

@varunsh-coder varunsh-coder Sep 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might have to remove it since we cannot pin it and it is fetching from pscale.dev

@claude
Copy link

claude bot commented Sep 19, 2025
edited
Loading

Claude finished @amanstep's task —— View job

Claude Code PR Review

Conducted comprehensive review of this Docker-based GitHub Action PR based on Step Security criteria.

Review Tasks:

  • Identify action type (Docker/Node/Composite)
  • Check general requirements (license, author, security.md, workflows, etc.)
  • Verify Docker-based action specific requirements
  • Review security vulnerabilities
  • Check if previous reviewer feedback has been addressed
  • Provide comprehensive review feedback

✅ General Requirements - COMPLIANT

  • License: ✅ Present with copyright for both Step Security (2025) and PlanetScale (2023) as original author (LICENSE:190-191)
  • Author in action.yaml: ✅ Set to "step-security" (action.yaml:3)
  • Security.md: ✅ Present and correct
  • FUNDING files: ✅ None present (correct)
  • Required workflows: ✅ All present (.github/workflows/auto_cherry_pick.yml, actions_release.yml, claude_review.yml)
  • Forbidden files: ✅ None present (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README usage examples: ✅ Uses major version (@v0) instead of full semver (README.md:45, 57)
  • Subscription check: ✅ Correctly implemented in entrypoint.sh:7-23 with proper API URL

❌ Docker-based Action Requirements - CRITICAL ISSUES FOUND

  1. Published docker image: ❌ CRITICAL - action.yaml:36 uses local "Dockerfile" instead of a published image from ghcr.io/step-security org
  2. Major version tagging: ❌ CRITICAL - docker.yaml:54-55 only tags with full semver, missing major version tags
  3. Security hardening: ⚠️ MIXED - Missing harden-runner from ci.yaml:13, but present in docker.yaml:20-23

✅ Security Analysis - SECURE

  • No security vulnerabilities detected in the code
  • Proper input validation and error handling in entrypoint.sh
  • Secure subscription check implementation with timeout handling (entrypoint.sh:7-23)
  • No secrets or sensitive information exposed
  • Dockerfile follows security best practices with specific version pinning

❌ Previous Review Comments - PARTIALLY ADDRESSED

The PR still has unresolved review comments from team members:

  1. ci.yaml:13: ❌ Still uses pinned SHA actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 instead of latest tag
  2. README.md line removal: ❓ Unclear which specific line needs removal
  3. README.md v5 reference: ❓ No v5 reference found in current README
  4. Dockerfile concerns: ⚠️ New comment from varunsh-coder about potential removal due to pscale.dev dependency

🔧 Critical Issues Requiring Resolution

HIGH PRIORITY:

  1. Fix Docker image usage: Update action.yaml:36 to use published image:

    runs:
  using: "docker"
  image: "ghcr.io/step-security/ghcommit-action:v0"

  2. Add major version tagging: Update docker.yaml:54-55 to include major version:

    tags: |
  ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }}
  ghcr.io/${{ github.repository }}:v0

  3. Add harden-runner to ci.yaml: Include step-security/harden-runner before actions/checkout (line 13)

MEDIUM PRIORITY:
4. Address reviewer feedback:

  • Update pinned SHA in ci.yaml:13 to use actions/checkout@v5 instead of SHA
  • Clarify which README.md line needs removal
  • Address Dockerfile dependency concerns raised by varunsh-coder

Overall Assessment

This action FAILS Docker-based action requirements due to critical issues with Docker image usage and tagging. The action uses a local Dockerfile instead of a published image, which violates Step Security requirements for Docker-based actions.

Recommendation: Address the critical Docker image and tagging issues before merging this PR.

@amanstep amanstep merged commit 27abbc7 into main Sep 19, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@varunsh-coder varunsh-coder varunsh-coder left review comments

@Raj-StepSecurity Raj-StepSecurity Raj-StepSecurity approved these changes

Assignees

No one assigned

Labels

review required Claude review required for PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amanstep @Raj-StepSecurity @varunsh-coder