chore: Cherry-pick upstream changes#31

Merged: anurag-stepsecurity merged 1 commit into main from auto-cherry-pick on May 11, 2026

Conversation

@anurag-stepsecurity (Contributor):

Cherry-picked changes from upstream.

Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity (Contributor, Author) commented May 7, 2026:

📦 Target Release Version: v4.0.1
📋 Previous Release Version: v4.0.0

@claude (Bot) commented May 7, 2026:

Claude finished @anurag-stepsecurity's task.

Comprehensive PR Review ✅

I've completed a thorough review of this cherry-pick PR based on step-security action standards.

Review Checklist:

  • Determine action type (node/docker/composite)
  • Review changed files for compliance
  • Check repository structure and required files
  • Verify license and author information
  • Analyze security implementation
  • Scan for security vulnerabilities
  • Provide final assessment

Review Summary

Action Type: ✅ Node-based action (using node24)

Changed Files Analysis:

  • Only dependency updates in package.json and package-lock.json
  • esbuild updated from 0.27.7 → 0.28.0
  • Changes appear to be routine dependency maintenance

Compliance Assessment

PASSING Requirements:

File Structure & Required Files:

  • ✅ LICENSE present with both step-security and original author (Dave Olsthoorn) copyright
  • ✅ SECURITY.md present with correct security@stepsecurity.io contact
  • ✅ action.yml present with step-security as author
  • ✅ .github/workflows/ contains required files:
    • ✅ auto_cherry_pick.yml
    • ✅ actions_release.yml
  • ✅ dist/ folder present for Node.js action
  • ✅ No prohibited files found (renovate.json, FUNDING.yml, PULL_REQUEST.md, CHANGELOG.md, .vscode, ISSUE_TEMPLATE)

Author & Repository Information:

  • ✅ package.json author: "step-security"
  • ✅ package.json repository URL points to step-security/setup-android
  • ✅ action.yml author: "step-security"

Security Implementation:

  • ✅ Subscription check implementation present in src/main.ts:139-184
  • ✅ Correct subscription URL: https://agent.api.stepsecurity.io/v1/github/${GITHUB_REPOSITORY}/actions/maintained-actions-subscription
  • ✅ Upstream variable matches auto_cherry_pick.yml: "android-actions/setup-android" (lines 148, 36-37 in workflow)
  • ✅ StepSecurity maintained action banner present in README.md

Dependencies & Build:

  • ✅ package.json contains "build" script
  • ✅ All dependencies appear to be in use
  • ✅ README.md uses major version tagging (@v4) not full semver

Security Analysis

Vulnerability Scan Results: NO ISSUES FOUND

  • Input validation present (lines 37-40: path injection protection for cmdline-tools-version)
  • Subscription check handles private/public repos correctly
  • No hardcoded secrets or credentials
  • Uses secure HTTPS URLs for downloads
  • Proper error handling for API timeouts
  • File system operations use safe path handling

Final Assessment

✅ APPROVED - This PR meets all step-security action standards

This cherry-pick PR only contains routine dependency updates (esbuild version bump) and maintains full compliance with step-security requirements. The repository structure, security implementation, and all mandatory files are correctly in place.

Recommendation: Safe to merge after standard testing procedures.

@github-actions (Bot, Contributor) commented May 7, 2026:

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v4.0.0...v4.0.1

📋 File-by-File Analysis:

.github/workflows/build-test.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+5 -5)

.github/workflows/codeql-analysis.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 1 additions, 1 deletions)

.github/workflows/run.yml

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - File missing in PR (upstream has 2 additions, 2 deletions)

README.md

  • Upstream has changes: ✅ Yes
  • File exists in PR: ❌ No
  • Status: 🔴 Missing - ❌ No PR patch available (+1 -1)

📊 Summary:

  • Total files changed upstream: 4
  • Files present in PR: 0/4
  • Files with matching changes: 0/4

Overall Status: 🔴 INCOMPLETE - Missing files or changes

@anurag-stepsecurity anurag-stepsecurity merged commit 2cab9ed into main May 11, 2026
77 of 78 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the auto-cherry-pick branch May 11, 2026 07:28