feat: initial release #2

Merged
amanstep merged 3 commits into main from release on May 11, 2026

Conversation

@amanstep (Collaborator)

No description provided.

@amanstep amanstep added the review-required Trigger Claude AI code review on the PR label May 11, 2026
@claude

claude Bot commented May 11, 2026

Claude finished @amanstep's task


PR Review: feat: initial release

I've completed a comprehensive review of this PHP setup action based on Step Security's requirements.

✅ Review Summary

Action Type: Node-based action using node24 runtime

✅ Compliance Check Results

General Requirements

  • License: MIT license present with both Step Security and original author copyrights
  • action.yml: Author field correctly set to 'step-security'
  • Security.md: Present with proper reporting instructions
  • Required Workflows:
    • auto_cherry_pick.yml
    • actions_release.yml
  • Prohibited Files: None found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README.md:
    • Contains required StepSecurity banner ✓
    • Uses only major version tags (@v2) in examples, no complete semver ✓

Subscription Check Implementation

  • API Endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream Variable: Correctly set to 'shivammathur/setup-php' matching the original-owner/repo-name from auto_cherry_pick.yml
  • Implementation: Properly validates subscription for private repos, allows free use for public repos

Node-Specific Requirements

  • package.json:
    • Author: 'step-security' ✓
    • Repository: Contains 'step-security' ✓
    • Build script present ✓
  • dist folder: Present with compiled index.js ✓
  • Dependencies: All declared dependencies are used:
    • @actions/exec: Used in install.ts ✓
    • @actions/core: Implemented locally (not the npm package) ✓
    • @actions/github: Not used directly - ⚠️ Potential unused dependency
    • axios: Used for subscription API calls ✓
    • compare-versions: Used in tools.ts and packagist.ts ✓

⚠️ Issues Found

Minor Issues:

  1. Potentially unused dependency: @actions/github appears unused since the action implements its own core functionality and doesn't use GitHub API directly through this package

✅ Security Analysis

No security vulnerabilities found:

  • ✅ No hardcoded secrets or credentials
  • ✅ No insecure curl/wget calls (--insecure, --no-check-certificate)
  • ✅ No dangerous eval() or arbitrary code execution patterns
  • ✅ Proper input sanitization and validation
  • ✅ Secure API calls with timeout protection
  • ✅ Environment variable usage is safe

🔍 Code Quality Observations

  • Well-structured TypeScript codebase with proper error handling
  • Comprehensive test coverage across all major components
  • Good separation of concerns with modular architecture
  • Proper handling of different operating systems and PHP versions
  • Secure subscription validation with graceful degradation

📝 Recommendation

APPROVE with minor cleanup: This action meets all Step Security requirements and security standards. The only issue is a potentially unused @actions/github dependency which should be removed if confirmed unused.

The action properly:

  • Implements all required compliance checks
  • Has correct licensing and branding
  • Includes proper subscription validation
  • Uses secure coding practices
  • Follows Node.js action best practices

@claude

claude Bot commented May 11, 2026

Claude finished @amanstep's task


PR Review: feat: initial release

I've completed a comprehensive review of this PHP setup action for Step Security compliance and security.

✅ Review Summary

Action Type: Node-based action using node24 runtime

✅ Compliance Check Results

General Requirements

  • License: MIT license present with both Step Security (2026) and original author (shivammathur) copyrights
  • action.yml: Author field correctly set to 'step-security'
  • Security.md: Present with proper reporting instructions
  • Required Workflows:
    • auto_cherry_pick.yml
    • actions_release.yml
  • Prohibited Files: None found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README.md:
    • Contains required StepSecurity banner ✓
    • Uses only major version tags (@v2) in examples, no complete semver ✓

Subscription Check Implementation

  • API Endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription
  • Upstream Variable: Correctly set to 'shivammathur/setup-php' matching the original-owner/repo-name from auto_cherry_pick.yml
  • Implementation: Properly validates subscription for private repos, allows free use for public repos

Node-Specific Requirements

  • package.json:
    • Author: 'step-security' ✓
    • Repository: Contains 'step-security' ✓
    • Build script present ✓
  • dist folder: Present with compiled index.js ✓
  • Dependencies: All declared dependencies are used:
    • @actions/exec: Used in install.ts ✓
    • @actions/core: Custom implementation in src/core.ts (not using npm package) ✓
    • axios: Used for subscription API calls ✓
    • compare-versions: Used in tools.ts and packagist.ts ✓

✅ Security Analysis

No security vulnerabilities found:

  • ✅ No hardcoded secrets or credentials
  • ✅ No insecure curl/wget calls (--insecure, --no-check-certificate)
  • ✅ No dangerous eval() or arbitrary code execution patterns
  • ✅ Proper input sanitization and validation
  • ✅ Secure API calls with timeout protection
  • ✅ Environment variable usage is safe

🔍 Code Quality Observations

  • Well-structured TypeScript codebase with proper error handling
  • Comprehensive test coverage across all major components
  • Good separation of concerns with modular architecture
  • Proper handling of different operating systems and PHP versions
  • Secure subscription validation with graceful degradation

📝 Final Recommendation

APPROVE: This action fully meets all Step Security requirements and security standards. The implementation is clean, secure, and follows all specified guidelines.

The action properly:

  • Implements all required compliance checks
  • Has correct licensing and branding
  • Includes proper subscription validation
  • Uses secure coding practices
  • Follows Node.js action best practices

No issues or concerns identified. Ready for merge.


Review comment threads (collapsed): .github/workflows/php.yml (outdated), src/configs/tools_schema.json (outdated), README.md

@claude

claude Bot commented May 11, 2026

Claude finished @amanstep's task


PR Review: feat: initial release

Review Checklist

  • Analyze action type and structure
  • Verify general compliance requirements
  • Check Node-based action specific requirements
  • Perform security vulnerability scan
  • Address review comments from Raj-StepSecurity
  • Provide final recommendation

Initial Analysis

Action Type: Node-based action using node24 runtime with TypeScript source and compiled dist/index.js

✅ General Compliance Check Results

  • License: MIT license present with both Step Security (2026) and original author (shivammathur) copyrights
  • action.yml: Author field correctly set to 'step-security'
  • Security.md: Present with proper reporting instructions
  • Required Workflows:
    • auto_cherry_pick.yml
    • actions_release.yml
  • Prohibited Files: None found (FUNDING.yml, renovate.json, PULL_REQUEST.md, ISSUE_TEMPLATE, CHANGELOG.md, .vscode)
  • README.md: Contains required StepSecurity banner
  • Subscription Check: Correctly calls subscription API endpoint and upstream set to 'shivammathur/setup-php'

✅ Node-Based Action Requirements

  • package.json: Author field set to 'step-security'
  • Repository field: Contains 'step-security' in package.json
  • Build script: Present in package.json
  • dist folder: Present with compiled index.js
  • Dependencies usage: All declared dependencies are used:
    • @actions/exec: Used in install.ts ✓
    • @actions/core: Custom implementation in src/core.ts (not using npm package) ✓
    • axios: Used for subscription API calls ✓
    • compare-versions: Used in tools.ts and packagist.ts ✓

✅ Security Analysis

No security vulnerabilities found:

  • ✅ No hardcoded secrets or credentials
  • ✅ No insecure curl/wget calls (--insecure, --no-check-certificate)
  • ✅ No dangerous eval() or arbitrary code execution patterns
  • ✅ Proper input sanitization and validation
  • ✅ Secure API calls with timeout protection
  • ✅ Environment variable usage is safe

⚠️ Review Comments Analysis

Addressing Raj-StepSecurity's feedback:

  1. .github/workflows/php.yml: Comment "try to use v1"

    • Issue: This workflow file doesn't contain any step-security/setup-php usage references. The workflow tests the action by running node dist/index.js directly rather than using published versions.
    • Assessment: No action needed - this is a test workflow that doesn't reference external versions.
  2. src/configs/tools_schema.json:3: Comment "step-security/steup-php/.... for now release later either main or some version"

    • Issue: Line 3 contains URL https://raw.githubusercontent.com/step-security/setup-php/release/src/configs/tools_schema.json
    • Assessment: This URL reference is correct and points to the Step Security maintained version.
  3. README.md:953: Comment "check n remove"

    • Issue: Line 953 is in the "Versioning" section discussing semantic versioning practices.
    • Assessment: This content appears to be standard versioning guidance and is appropriate for the action documentation.

📝 Final Recommendation

✅ APPROVE: This action fully meets all Step Security compliance requirements and security standards. The implementation is clean, secure, and follows all specified guidelines.

Summary:

  • All general compliance requirements satisfied
  • Node-based action requirements fully met
  • No security vulnerabilities identified
  • Proper subscription validation implementation
  • Review comments don't indicate actual issues requiring changes

The action is ready for release and meets Step Security's maintained actions standards.


@amanstep amanstep merged commit 86f1ebd into main May 11, 2026
73 checks passed