feat: Onboard peter-evans/find-comment#2

Open

anurag-stepsecurity wants to merge 1 commit into main from release

Conversation

@anurag-stepsecurity (Collaborator)

Description

This PR onboards https://github.com/peter-evans/find-comment.

@anurag-stepsecurity anurag-stepsecurity added the review-required Trigger Claude AI code review on the PR label Mar 18, 2026
@claude

claude bot commented Mar 18, 2026

Claude finished @anurag-stepsecurity's task
PR Review: Onboarding peter-evans/find-comment

I've completed a comprehensive review of this PR based on the Step Security action onboarding requirements.

Review Checklist:

  • Determine action type and analyze structure
  • Check license and copyright requirements
  • Verify action.yml and author configuration
  • Check required security and workflow files
  • Verify README banner and usage examples
  • Review subscription check implementation
  • Check Node.js specific requirements
  • Scan for security vulnerabilities
  • Provide final recommendations

Approved Requirements

Action Type: Node.js based action ✅

  • Has package.json with build script
  • Has dist/ folder with index.js
  • Uses node24 runtime in action.yml

License & Copyright:

  • LICENSE file present with both Peter Evans (2020) and StepSecurity (2026) copyrights
  • Proper MIT license format

Author Configuration:

  • action.yml author: 'step-security'
  • package.json "author": "step-security"
  • package.json repository field contains step-security ✅

Security & Required Files:

  • SECURITY.md present with security@stepsecurity.io contact ✅
  • Required workflows present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • No unwanted files (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/) ✅

README Requirements:

  • Contains required StepSecurity banner ✅
  • All usage examples use @v4 (major version only, not full semver) ✅

Subscription Check:

  • Code makes correct API call to https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream variable correctly set to peter-evans/find-comment (matches auto_cherry_pick.yml) ✅
  • Proper subscription validation logic with 403 error handling ✅

Node.js Specific Requirements:

  • dist/ folder present ✅
  • Dependencies appear to be used (@actions/core, @actions/github) ✅
  • Build script present in package.json ✅

🔍 Security Analysis

Code Security:

  • No hardcoded secrets or keys detected
  • Input validation present (proper type conversion for numbers)
  • Proper error handling with try/catch blocks
  • Uses official GitHub Actions libraries
  • Subscription check has timeout protection (3 seconds)
  • No obvious security vulnerabilities in the comment finding logic

⚠️ Minor Issues Found

  1. Logic Issue in findCommentPredicate (src/find.ts:44-55):

    return (
      (inputs.commentAuthor && comment.user
        ? comment.user.login === inputs.commentAuthor
        : true) && // This should be false when commentAuthor is provided but comment.user is null
      // ... similar issues for bodyIncludes and bodyRegex

    The current logic returns true when filters are provided but the corresponding comment fields are missing/null. This could lead to false positives.

  2. Missing Output in README:
    The README mentions comment-created-at in the outputs section but this field is not defined in action.yml outputs.

Overall Assessment

This PR successfully meets all Step Security onboarding requirements. The action is properly configured with correct authorship, licensing, security files, workflows, and subscription checking. The code is secure and follows best practices.

Recommendation: APPROVE with the minor logic issues noted above as optional improvements.

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@claude

claude bot commented Mar 18, 2026

Claude finished @anurag-stepsecurity's task
PR Review: Onboarding peter-evans/find-comment

I've completed a comprehensive review of this PR based on Step Security's action onboarding requirements.

Review Checklist:

  • Determine action type and analyze structure
  • Check license and copyright requirements
  • Verify action.yml and author configuration
  • Check required security and workflow files
  • Verify README banner and usage examples
  • Review subscription check implementation
  • Check Node.js specific requirements
  • Scan for security vulnerabilities
  • Provide final recommendations

Approved Requirements

Action Type: Node.js based action ✅

  • Has package.json with build script
  • Has dist/ folder with index.js
  • Uses node24 runtime in action.yml

License & Copyright:

  • LICENSE file present with both Peter Evans (2020) and StepSecurity (2026) copyrights
  • Proper MIT license format

Author Configuration:

  • action.yml author: 'step-security'
  • package.json "author": "step-security"
  • package.json repository field contains step-security ✅

Security & Required Files:

  • SECURITY.md present with security@stepsecurity.io contact ✅
  • Required workflows present:
    • .github/workflows/auto_cherry_pick.yml
    • .github/workflows/actions_release.yml
  • No unwanted files (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE/, CHANGELOG.md, .vscode/) ✅

README Requirements:

  • Contains required StepSecurity banner ✅
  • All usage examples use @v4 (major version only, not full semver) ✅

Subscription Check:

  • Code makes correct API call to https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription (src/main.ts:48) ✅
  • Upstream variable correctly set to peter-evans/find-comment (matches auto_cherry_pick.yml) ✅
  • Proper subscription validation logic with 403 error handling ✅

Node.js Specific Requirements:

  • dist/ folder present ✅
  • Dependencies appear to be used (@actions/core, @actions/github) ✅
  • Build script present in package.json ✅

🔍 Security Analysis

Code Security:

  • No hardcoded secrets or keys detected
  • Input validation present (proper type conversion for numbers)
  • Proper error handling with try/catch blocks
  • Uses official GitHub Actions libraries
  • Subscription check has timeout protection (3 seconds)
  • No obvious security vulnerabilities in the comment finding logic

⚠️ Minor Issues Found

  1. Logic Issue in findCommentPredicate (src/find.ts:44-55):

    return (
      (inputs.commentAuthor && comment.user
        ? comment.user.login === inputs.commentAuthor
        : true) && // This should be false when commentAuthor is provided but comment.user is null
      // ... similar issues for bodyIncludes and bodyRegex

    The current logic returns true when filters are provided but the corresponding comment fields are missing/null. This could lead to false positives.

  2. Missing Output in README:
    The README mentions comment-created-at in the outputs section but this field is not defined in action.yml outputs.

Overall Assessment

This PR successfully meets all Step Security onboarding requirements. The action is properly configured with correct authorship, licensing, security files, workflows, and subscription checking. The code is secure and follows best practices.

Recommendation: APPROVE with the minor logic issues noted above as optional improvements.
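The false-positive path both review comments above flag (findCommentPredicate returning true when a filter is set but the comment field is null), as an added example that is not the action's own code: the lenient predicate as quoted beside a strict variant, run over constructed comments. The IssueComment/FindInputs types, the bodyIncludes and bodyRegex arms, and the findCommentId helper are assumptions modelled on the quoted commentAuthor arm.

```typescript
// Added example, not the action's own source: the predicate quoted in the
// review beside a strict variant. Types are assumed, modelled on the GitHub
// issue-comment payload; the bodyIncludes and bodyRegex arms are assumed to
// follow the same pattern as the quoted commentAuthor arm.
interface IssueComment {
  id: number;
  user: { login: string } | null; // GitHub can return a null user (deleted account)
  body?: string;                  // body can be absent
}
interface FindInputs {
  commentAuthor?: string;
  bodyIncludes?: string;
  bodyRegex?: string;
}

// Lenient form: a filter whose comment field is missing falls back to `true`,
// so a comment with a null user passes an author filter it never satisfied.
function findCommentPredicateLenient(inputs: FindInputs, c: IssueComment): boolean {
  return (
    (inputs.commentAuthor && c.user ? c.user.login === inputs.commentAuthor : true) &&
    (inputs.bodyIncludes && c.body ? c.body.includes(inputs.bodyIncludes) : true) &&
    (inputs.bodyRegex && c.body ? new RegExp(inputs.bodyRegex).test(c.body) : true)
  );
}

// Strict form: every filter that is set must be satisfied; a missing field is a miss.
function findCommentPredicateStrict(inputs: FindInputs, c: IssueComment): boolean {
  if (inputs.commentAuthor && (!c.user || c.user.login !== inputs.commentAuthor)) return false;
  if (inputs.bodyIncludes && (c.body === undefined || !c.body.includes(inputs.bodyIncludes))) return false;
  if (inputs.bodyRegex && (c.body === undefined || !new RegExp(inputs.bodyRegex).test(c.body))) return false;
  return true;
}

// Id of the first comment the predicate accepts, or undefined when none does.
function findCommentId(inputs: FindInputs, comments: IssueComment[],
                       pred: (i: FindInputs, c: IssueComment) => boolean): number | undefined {
  return comments.find(c => pred(inputs, c))?.id;
}

// Constructed sample payload: 101 has no user, 102 is from the bot, 103 has no body.
const SAMPLE: IssueComment[] = [
  { id: 101, user: null, body: 'deploy approved' },
  { id: 102, user: { login: 'release-bot' }, body: 'deploy approved' },
  { id: 103, user: { login: 'alice' } },
];
```

With an author filter of release-bot, the lenient predicate returns comment 101 (null user) while the strict one returns 102; with an author and body filter that no comment satisfies, the lenient form still returns 101 and the strict form returns nothing.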
