
@amanstep
Collaborator

No description provided.

@claude

claude bot commented Nov 12, 2025

Claude finished @amanstep's task —— View job


PR Review: feat: Initial release

I've performed a comprehensive review of this GitHub Action based on the specified criteria.

Action Type Analysis

This is a Docker-based GitHub Action that uses a Dockerfile to build the execution environment.

General Requirements Review

| Requirement | Status | Details |
| --- | --- | --- |
| License with step-security copyright | Pass | MIT license present with both original author (Anish Athalye) and StepSecurity copyright |
| action.yml with step-security author | Pass | action.yml:2 correctly shows author: step-security |
| SECURITY.md file | Pass | Present with proper reporting email |
| No FUNDING.yml/funding.yml | Pass | Not present |
| Required workflows | Pass | Both auto_cherry_pick.yml and actions_release.yml present |
| No unwanted files | Pass | No renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode |
| README.md semver usage | Pass | Examples use @v2 (major version only) |
| Subscription check | Pass | Implemented in entrypoint.sh:4-20 with correct URL |

Docker-Specific Requirements Review

| Requirement | Status | Details |
| --- | --- | --- |
| Uses published docker image | Critical Issue | action.yml:69 uses image: "Dockerfile" - builds locally instead of using published image |
| Published to step-security org | Critical Issue | docker.yml:18 publishes to anishathalye/proof-html instead of step-security org |
| Tagged with major version | Critical Issue | No published image means no proper versioning |

Security Analysis

| Area | Status | Details |
| --- | --- | --- |
| Subscription check | Pass | Properly implemented with timeout and correct API endpoint |
| No secrets exposed | Pass | No hardcoded secrets or keys found |
| Container security | ⚠️ Warning | Uses specific commit hash for validator (good), but builds from local Dockerfile |
| Input validation | Pass | Ruby script properly validates inputs and handles edge cases |

Critical Issues to Fix

  1. Docker Image Publishing (docker.yml:13-18)

    • Currently publishes to anishathalye/proof-html
    • Should publish to stepsecurity/proof-html or step-security organization
  2. Action Configuration (action.yml:69)

    • Uses local Dockerfile build instead of published image
    • Should reference published Docker image like docker://stepsecurity/proof-html:v2
  3. Docker Workflow Authentication (docker.yml:13-15)

    • Uses anishathalye username and personal token
    • Should use step-security organization credentials

Recommendations

  1. Immediate: Update Docker workflow to publish to step-security organization
  2. After publishing: Update action.yml to reference the published image instead of building from Dockerfile
  3. Consider: Adding input validation for required parameters in the action metadata

Summary

The action has excellent subscription checking implementation and proper file structure, but requires critical Docker publishing fixes to meet step-security requirements. Most general requirements are satisfied, but the Docker-specific requirements need addressing before this can be considered compliant.


@claude

claude bot commented Nov 13, 2025

Claude finished @amanstep's task —— View job


PR Review: feat: Initial release

Action Type Analysis

This is a Docker-based GitHub Action that uses a Dockerfile to build the execution environment.

General Requirements Review

| Requirement | Status | Details |
| --- | --- | --- |
| License with step-security copyright | Pass | MIT license present with both original author (Anish Athalye) and StepSecurity copyright |
| action.yml with step-security author | Pass | action.yml:2 correctly shows author: step-security |
| SECURITY.md file | Pass | Present with proper reporting email [email protected] |
| No FUNDING.yml/funding.yml | Pass | Not present |
| Required workflows | Pass | Both auto_cherry_pick.yml and actions_release.yml present and correctly configured |
| No unwanted files | Pass | No renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode |
| README.md semver usage | Pass | Examples use @v2 (major version only) throughout |
| Subscription check | Pass | Properly implemented in entrypoint.sh:4-20 with correct URL and timeout handling |

Docker-Specific Requirements Review

| Requirement | Status | Details |
| --- | --- | --- |
| Uses published docker image | Critical Issue | action.yml:69 uses image: "Dockerfile" - builds locally instead of using published image |
| Published to step-security org | Pass | docker.yml:55 correctly publishes to ghcr.io/${{ github.repository }} (step-security/proof-html) |
| Tagged with major version | Critical Issue | Local build means no published image versioning; needs to reference published image |

Security Analysis

| Area | Status | Details |
| --- | --- | --- |
| Subscription check | Pass | Properly implemented with 3-second timeout, correct API endpoint, and appropriate error handling |
| No secrets exposed | Pass | No hardcoded secrets, tokens, or keys found in codebase |
| Container security | Pass | Uses specific commit hash 84a1b28ff4cc28b7e9a31784688dbee6366b3467 for validator (good practice) |
| Input validation | Pass | Ruby script properly validates inputs with type checking and handles edge cases |
| Dependencies | Pass | Uses pinned versions (html-proofer -v 5.0.10, alpine:3.22) |

Maintainer Review Comments to Address

  1. Remove docker.yml file (docker.yml) - @Raj-StepSecurity requested removal to use their standard workflow
  2. Remove author name from README (README.md:171) - Currently shows "Copyright (c) Anish Athalye. Copyright (c) StepSecurity"

Critical Issues to Fix

  1. Action Configuration (action.yml:69)
    • Currently uses local image: "Dockerfile" build
    • Should reference published Docker image like docker://ghcr.io/step-security/proof-html:v2
    • This is the main blocker for compliance with Docker-based action requirements

Recommendations

  1. Immediate: Address maintainer comments:

    • Remove .github/workflows/docker.yml as requested
    • Update README.md copyright line to remove original author name
  2. After Docker image is published: Update action.yml to reference published image:

    runs:
      using: docker
      image: "docker://ghcr.io/step-security/proof-html:v2"
  3. Consider: The workflow structure suggests step-security may have a standard Docker publishing workflow that should replace the current one

Summary

This action has excellent implementation with proper subscription checking, security practices, and file structure compliance. The main issue is that it builds locally instead of using a published Docker image, which violates step-security's Docker-based action requirements. Once the maintainer-requested changes are made and the action references a published image, this will be fully compliant.

Status: ❌ Requires changes - Docker publishing and maintainer requests must be addressed

@amanstep amanstep merged commit 4350bf4 into main Nov 13, 2025
7 checks passed