feat: Onboard peter-evans/create-issue-from-file#2

Open
anurag-stepsecurity wants to merge 1 commit into main from release
Conversation

@anurag-stepsecurity
Collaborator

@anurag-stepsecurity anurag-stepsecurity added the review-required Trigger Claude AI code review on the PR label Mar 18, 2026
@claude

claude bot commented Mar 18, 2026

Claude finished @anurag-stepsecurity's task


PR Review: Onboarding peter-evans/create-issue-from-file

Reviewing this PR against step-security standards for GitHub Actions...

Review Checklist:

General Requirements:

  • License present with step-security and original author copyright
  • action.yml file with step-security as author
  • SECURITY.md file present
  • No FUNDING.yml or funding.yml files
  • Required workflows present (auto_cherry_pick.yml, actions_release.yml)
  • No prohibited files (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  • README.md banner and semver usage check
  • Subscription check implementation
  • Upstream variable validation
  • Security vulnerability scan

Node.js Specific Requirements:

  • package.json author field check
  • package.json repository field check
  • Unused dependencies check
  • dist/ folder present
  • Build configuration validation

Final Assessment:

  • Provide comprehensive review summary

@claude

claude bot commented Mar 18, 2026

Claude finished @anurag-stepsecurity's task


PR Review: Onboarding peter-evans/create-issue-from-file

Reviewing this PR against step-security standards for GitHub Actions...

Review Checklist:

Action Type Identification:

  • Determine action type (Node.js/Docker/Composite) - Node.js based action

General Requirements:

  • License present with step-security and original author copyright - ✅ PASS
  • action.yml file with step-security as author - ❌ FAIL - Missing author field in action.yml
  • SECURITY.md file present - ✅ PASS
  • No FUNDING.yml or funding.yml files - ✅ PASS
  • Required workflows present (auto_cherry_pick.yml, actions_release.yml) - ✅ PASS
  • No prohibited files (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/) - ✅ PASS
  • README.md banner and semver usage check - ✅ PASS - Banner present, using @v6 (major version only)
  • Subscription check implementation - ✅ PASS
  • Upstream variable validation - ✅ PASS
  • Security vulnerability scan - ✅ PASS

Node.js Specific Requirements:

  • package.json author field check - ✅ PASS
  • package.json repository field check - ✅ PASS
  • Unused dependencies check - ✅ PASS - Both @actions/core and @actions/github are used
  • dist/ folder present - ✅ PASS
  • Build configuration validation - ✅ PASS - package.json contains build script

Final Assessment:

  • Provide comprehensive review summary

🔍 Comprehensive Review Summary

PASSES (14/15 checks)

General Requirements:

  • License: Properly includes both Peter Evans (2019) and StepSecurity (2026) copyright
  • SECURITY.md: Present as required
  • File Structure: All prohibited files absent (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  • Workflows: Required auto_cherry_pick.yml and actions_release.yml present
  • README.md: Contains required StepSecurity banner and uses major version (@v6) in examples
  • Subscription Check: Implemented in src/main.ts:8-68, correctly calls https://agent.api.stepsecurity.io/v1/github/.../maintained-actions-subscription
  • Upstream Validation: Upstream variable "peter-evans/create-issue-from-file" matches original-owner/repo-name from auto_cherry_pick.yml

Node.js Requirements:

  • package.json: Author field set to "step-security", repository field points to step-security org
  • Dependencies: Both @actions/core and @actions/github are properly used in source code
  • dist/ folder: Present as required for Node.js actions
  • Build Configuration: package.json contains build script using tsc && ncc

Security Analysis:

  • File Operations: Only reads from GitHub event path and user-specified content filepath
  • Input Validation: Proper input handling with truncation for issue body length limits
  • No Dynamic Code Execution: No eval(), Function(), or dynamic imports detected
  • JSON Parsing: Only parses GitHub event data, which is safe

ISSUES (1 critical issue)

  1. Missing Author Field in action.yml (action.yml:1-30)
    • The action.yml file lacks an author field
    • According to step-security standards, this should be set to "step-security"
    • Recommendation: Add author: 'step-security' to action.yml

📋 Code Quality Observations

  • Good Practices: Proper error handling, input validation, and TypeScript usage
  • Clean Architecture: Well-separated utilities and main logic
  • Security: Subscription validation with timeout and proper error handling

Final Verdict: APPROVED with Minor Fix Required

The onboarding is well-executed and follows step-security standards. Only one minor issue needs addressing: adding the author field to action.yml.


@claude

claude bot commented Mar 18, 2026

Claude finished @anurag-stepsecurity's task


PR Review: Onboarding peter-evans/create-issue-from-file

Conducting comprehensive review against step-security standards...

Review Checklist:

Action Type Identification:

  • Determine action type (Node.js/Docker/Composite) - Node.js based action

General Requirements:

  • License present with step-security and original author copyright - ✅ PASS
  • action.yml file with step-security as author - ✅ PASS
  • SECURITY.md file present - ✅ PASS
  • No FUNDING.yml or funding.yml files - ✅ PASS
  • Required workflows present (auto_cherry_pick.yml, actions_release.yml) - ✅ PASS
  • No prohibited files (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/) - ✅ PASS
  • README.md banner and semver usage check - ✅ PASS - Banner present, using @v6 (major version only)
  • Subscription check implementation - ✅ PASS
  • Upstream variable validation - ✅ PASS
  • Security vulnerability scan - ✅ PASS

Node.js Specific Requirements:

  • package.json author field check - ✅ PASS
  • package.json repository field check - ✅ PASS
  • Unused dependencies check - ✅ PASS - Both @actions/core and @actions/github are used
  • dist/ folder present - ✅ PASS
  • Build configuration validation - ✅ PASS - package.json contains build script

Final Assessment:

  • Provide comprehensive review summary

🔍 Comprehensive Review Summary

PASSES (15/15 checks)

General Requirements:

  • License: Properly includes both Peter Evans (2019) and StepSecurity (2026) copyright
  • action.yml: Contains required author: 'step-security' field (action.yml:3)
  • SECURITY.md: Present as required
  • File Structure: All prohibited files absent (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  • Workflows: Required auto_cherry_pick.yml and actions_release.yml present
  • README.md: Contains required StepSecurity banner and uses major version (@v6) in examples (README.md:18)
  • Subscription Check: Implemented in src/main.ts:8-68, correctly calls https://agent.api.stepsecurity.io/v1/github/.../maintained-actions-subscription
  • Upstream Validation: Upstream variable "peter-evans/create-issue-from-file" (src/main.ts:17) matches original-owner/repo-name from auto_cherry_pick.yml (auto_cherry_pick.yml:29-30)

Node.js Requirements:

  • package.json: Author field set to "step-security" (package.json:26), repository field points to step-security org (package.json:19)
  • Dependencies: Both @actions/core and @actions/github are properly used in source code
  • dist/ folder: Present as required for Node.js actions
  • Build Configuration: package.json contains build script using tsc && ncc (package.json:11)

Security Analysis:

  • File Operations: Only reads from GitHub event path and user-specified content filepath
  • Input Validation: Proper input handling with truncation for issue body length limits (src/main.ts:70-78)
  • No Dynamic Code Execution: No eval(), Function(), or dynamic imports detected
  • Environment Variables: Only uses standard GitHub Actions environment variables (GITHUB_EVENT_PATH, GITHUB_ACTION_REPOSITORY, GITHUB_SERVER_URL, GITHUB_REPOSITORY)
  • API Calls: Only makes calls to GitHub API and StepSecurity subscription endpoint

📋 Code Quality Observations

  • Good Practices: Proper error handling, input validation, and TypeScript usage
  • Clean Architecture: Well-separated utilities and main logic
  • Security: Subscription validation with timeout (3s) and proper error handling
  • Functionality: Maintains original peter-evans/create-issue-from-file functionality while adding required StepSecurity enhancements

Final Verdict: FULLY APPROVED

The onboarding is excellent and fully complies with all step-security standards. This PR demonstrates proper implementation of:

  • Complete license attribution
  • Correct metadata configuration
  • Required security and workflow files
  • Proper subscription validation
  • Clean, secure code with no vulnerabilities
  • Appropriate dependency management

No issues found. Ready for merge. 🎉



on:
workflow_dispatch:
inputs:

add node_version input and pass it to reusable workflow

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@claude

claude bot commented Mar 18, 2026

Claude finished @anurag-stepsecurity's task


PR Review: Onboarding peter-evans/create-issue-from-file

Conducting comprehensive review against step-security standards and addressing review comments...

Review Checklist:

Action Type Identification:

  • Determine action type (Node.js/Docker/Composite) - Node.js based action

General Requirements:

  • License present with step-security and original author copyright - ✅ PASS
  • action.yml file with step-security as author - ✅ PASS
  • SECURITY.md file present - ✅ PASS
  • No FUNDING.yml or funding.yml files - ✅ PASS
  • Required workflows present (auto_cherry_pick.yml, actions_release.yml) - ✅ PASS
  • No prohibited files (renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/) - ✅ PASS
  • README.md banner and semver usage check - ✅ PASS - Banner present, using @v6 (major version only)
  • Subscription check implementation - ✅ PASS
  • Upstream variable validation - ✅ PASS
  • Security vulnerability scan - ✅ PASS

Node.js Specific Requirements:

  • package.json author field check - ✅ PASS
  • package.json repository field check - ✅ PASS
  • Unused dependencies check - ✅ PASS - Both @actions/core and @actions/github are used
  • dist/ folder present - ✅ PASS
  • Build configuration validation - ✅ PASS - package.json contains build script

Review Comments:

  • Address node_version input request for actions_release.yml - ✅ ALREADY IMPLEMENTED

Final Assessment:

  • Provide comprehensive review summary

🔍 Comprehensive Review Summary

PASSES (15/15 checks)

General Requirements:

  • License: Properly includes both Peter Evans (2019) and StepSecurity (2026) copyright
  • action.yml: Contains required author: 'step-security' field (action.yml:3)
  • SECURITY.md: Present as required
  • File Structure: All prohibited files absent (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/)
  • Workflows: Required auto_cherry_pick.yml and actions_release.yml present
  • README.md: Contains required StepSecurity banner and uses major version (@v6) in examples (README.md:18)
  • Subscription Check: Implemented in src/main.ts:7-67, correctly calls https://agent.api.stepsecurity.io/v1/github/.../maintained-actions-subscription
  • Upstream Validation: Upstream variable "peter-evans/create-issue-from-file" (src/main.ts:16) matches original-owner/repo-name from auto_cherry_pick.yml (auto_cherry_pick.yml:29-30)

Node.js Requirements:

  • package.json: Author field set to "step-security" (package.json:26), repository field points to step-security org (package.json:19)
  • Dependencies: Both @actions/core and @actions/github are properly used in source code
  • dist/ folder: Present as required for Node.js actions
  • Build Configuration: package.json contains build script using tsc && ncc (package.json:11)

Security Analysis:

  • File Operations: Only reads from GitHub event path and user-specified content filepath (src/main.ts:102-114)
  • Input Validation: Proper input handling with truncation for issue body length limits (src/main.ts:69-77)
  • No Dynamic Code Execution: No eval(), Function(), or dynamic imports detected
  • Environment Variables: Only uses standard GitHub Actions environment variables (GITHUB_EVENT_PATH, GITHUB_ACTION_REPOSITORY, GITHUB_SERVER_URL, GITHUB_REPOSITORY)
  • API Calls: Only makes calls to GitHub API and StepSecurity subscription endpoint (src/main.ts:43-51)

Review Comments Status:

  • node_version input: Already properly implemented in actions_release.yml:23 with value '24' matching package.json engines requirement

📋 Code Quality Observations

  • Good Practices: Proper error handling, input validation, and TypeScript usage
  • Clean Architecture: Well-separated utilities and main logic
  • Security: Subscription validation with timeout (3s) and proper error handling
  • Functionality: Maintains original peter-evans/create-issue-from-file functionality while adding required StepSecurity enhancements

Final Verdict: FULLY APPROVED

The onboarding is excellent and fully complies with all step-security standards. This PR demonstrates proper implementation of:

  • Complete license attribution
  • Correct metadata configuration
  • Required security and workflow files
  • Proper subscription validation
  • Clean, secure code with no vulnerabilities
  • Appropriate dependency management

No issues found. Ready for merge. 🎉
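The checklist the bot applies in the comments above (license carrying both the original author's and StepSecurity's copyright, an author field in action.yml, SECURITY.md present, no FUNDING.yml, the two required workflows, the prohibited files absent, a README banner with major-version-only pinning, and the package.json author and repository fields) can be run locally before a PR is opened. The following Python script is an added example written for this page; it is not StepSecurity's review tooling and not the bot's implementation. The `.github/workflows/` location for the workflows, the "banner mentions StepSecurity" test, the "at least two Copyright lines" heuristic, and the constructed sample repository are all assumptions. Running it with `with_author=False` reproduces the single failure the second review reported.

```python
"""Offline checker for the onboarding checklist listed in the review comments.
Added example, not StepSecurity's tooling; every regex and threshold below is
an assumption about how the listed checks would be mechanised."""
import json
import re
import shutil
import tempfile
from pathlib import Path

WORKFLOWS = [".github/workflows/auto_cherry_pick.yml",      # directory assumed
             ".github/workflows/actions_release.yml"]
PROHIBITED = {"renovate.json", "pull_request.md", "issue_template",
              "changelog.md", ".vscode"}                      # compared case-insensitively


def _read(root: Path, rel: str) -> str:
    p = root / rel
    return p.read_text(encoding="utf-8") if p.is_file() else ""


def _names_present(root: Path, names: set[str]) -> bool:
    # Any file or directory anywhere in the tree whose name matches (case-insensitive).
    return any(p.name.lower() in names for p in root.rglob("*"))


def run_checks(root: Path) -> dict[str, bool]:
    lic = _read(root, "LICENSE")
    action_yml = _read(root, "action.yml")
    readme = _read(root, "README.md")
    try:
        pkg = json.loads(_read(root, "package.json") or "{}")
    except json.JSONDecodeError:
        pkg = {}
    repo = pkg.get("repository", "")
    repo_url = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    # README 'uses:' references must pin a major tag only (@v6, not @v6.1.0).
    tags = re.findall(r"uses:\s*step-security/[\w.-]+@(\S+)", readme)
    return {
        # two Copyright lines: the original author's and StepSecurity's (heuristic)
        "license_dual_copyright": len(re.findall(r"(?im)^copyright", lic)) >= 2
        and "stepsecurity" in lic.lower(),
        "action_author": re.search(
            r"(?m)^author:\s*['\"]?step-security['\"]?\s*$", action_yml) is not None,
        "security_md": (root / "SECURITY.md").is_file(),
        "no_funding_file": not _names_present(root, {"funding.yml"}),
        "required_workflows": all((root / w).is_file() for w in WORKFLOWS),
        "no_prohibited_files": not _names_present(root, PROHIBITED),
        "readme_banner": "stepsecurity" in readme.lower(),     # banner wording assumed
        "readme_major_version_only": bool(tags) and all(re.fullmatch(r"v\d+", t) for t in tags),
        "package_author": pkg.get("author") == "step-security",
        "package_repository": "github.com/step-security/" in repo_url,
    }


def build_sample_repo(root: Path, with_author: bool) -> Path:
    """Write a constructed minimal onboarding repo; with_author=False reproduces the
    one failure the second review reported (no author field in action.yml)."""
    files = {
        "LICENSE": "MIT License\n\nCopyright (c) 2019 Peter Evans\nCopyright (c) 2026 StepSecurity\n",
        "action.yml": ("name: Create Issue From File\n"
                       + ("author: 'step-security'\n" if with_author else "")
                       + "runs:\n  main: dist/index.js\n"),
        "SECURITY.md": "# Security\nConstructed placeholder policy.\n",
        "README.md": ("<!-- StepSecurity maintained-action banner (constructed) -->\n"
                      "- uses: step-security/create-issue-from-file@v6\n"),
        "package.json": json.dumps({
            "name": "create-issue-from-file", "author": "step-security",
            "repository": {"type": "git",
                           "url": "git+https://github.com/step-security/create-issue-from-file.git"},
            "scripts": {"build": "tsc && ncc build"}}),
        ".github/workflows/auto_cherry_pick.yml": "name: auto-cherry-pick\n",
        ".github/workflows/actions_release.yml": "name: release\n",
        "dist/index.js": "// built output placeholder\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


def demo(with_author: bool) -> dict[str, bool]:
    """Build the constructed repo in a temp dir, run the checks, clean up."""
    tmp = Path(tempfile.mkdtemp())
    try:
        return run_checks(build_sample_repo(tmp, with_author))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo(with_author=False).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Point `run_checks` at a real checkout instead of the constructed tree to get the same PASS/FAIL table the bot posts; the checks that depend on reading source (subscription check, upstream variable, unused dependencies, vulnerability scan) are deliberately not attempted here, since they need a TypeScript parser and a dependency scanner rather than file-presence tests.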


Labels

review-required Trigger Claude AI code review on the PR
