Skip to content

feat: Onboard fjogeleit/http-request-action action#1

Merged
anurag-stepsecurity merged 1 commit into
mainfrom
release
Jul 8, 2026
Merged

feat: Onboard fjogeleit/http-request-action action#1
anurag-stepsecurity merged 1 commit into
mainfrom
release

Conversation

@anurag-stepsecurity

Copy link
Copy Markdown
Collaborator

@anurag-stepsecurity anurag-stepsecurity added the review-required Request Claude AI code review on the PR label Jul 8, 2026
Comment thread .github/workflows/ci.yml
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

PR Review

Action Type

Node-based — runs using node24 runtime with bundled entry point at dist/index.js.


✅ Passed Checks

  • License: MIT license present with dual copyright — Frank Jogeleit (original author, 2020) and StepSecurity (2026).
  • SECURITY.md: Present and points to security@stepsecurity.io.
  • No FUNDING.yml: Not present.
  • No renovate.json: Not present.
  • No PULL_REQUEST.md: Not present.
  • No ISSUE_TEMPLATE folder: Not present.
  • No CHANGELOG.md: Not present.
  • No .vscode folder: Not committed to the repository (correctly listed in .gitignore).
  • Workflow files: .github/workflows/ contains both auto_cherry_pick.yml and actions_release.yml.
  • README banner: StepSecurity maintained-action banner is present at the top of README.md.
  • README versioning: All usage examples reference only the major version tag (@v2), not complete semver.
  • Subscription check: validateSubscription() is called in src/index.js before any action logic, and dist/index.js contains the compiled check.
  • Subscription URL: Correctly calls https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/maintained-actions-subscription.
  • Subscription upstream value: upstream = 'fjogeleit/http-request-action' in src/subscription.js matches original-owner: "fjogeleit" + repo-name: "http-request-action" from auto_cherry_pick.yml.
  • package.json author: Set to "step-security".
  • package.json repository: URL contains step-security.
  • dist folder: Present.
  • Build script: package.json includes "build": "ncc build src/index.js -o dist" using npm — no additional script input required in release workflows.

❌ Failed Checks

  • Unpinned actions in ci.yml: actions/checkout@v7 and actions/setup-node@v6 are referenced by mutable version tags rather than commit SHAs. Additionally, these version numbers appear incorrect — current latest for actions/checkout is v4 and actions/setup-node is v4. All actions in CI workflows must be pinned to a full commit SHA for supply chain security. See inline comment.

⚠️ Warnings

  • actions_release.yml lacks a script input: The reusable workflow actions_release.yaml@v1 is called without a script input. This is acceptable because package.json already contains the build field under scripts, but if the reusable workflow supports a script override for custom build steps, it may be worth wiring explicitly.
  • audit_package.yml permissions placement: The top-level permissions block appears after the jobs block. While functionally valid in YAML, convention is to place top-level permissions before jobs for readability.
  • ignoreSsl disables TLS verification: The action supports disabling certificate validation via ignoreSsl: true. The code already emits a warning when enabled, but this should be more prominently documented in the README as a security risk.

🔒 Security Findings

  • Unpinned actions in ci.yml (supply chain risk): Using mutable version tags (@v7, @v6) exposes the CI pipeline to tag-hijacking attacks. These also appear to be invalid version numbers. Pin to full commit SHAs. See inline comment on .github/workflows/ci.yml lines 16–17.
  • responseFile path is unvalidated: src/handler/persist.js writes the HTTP response body to the file path supplied by the responseFile input with no sanitization or path restriction. A workflow author with control over this input could write content to any runner-writable path. Low severity given the ephemeral runner environment, but the trust boundary should be documented.
  • No URL validation (SSRF context): The url input is forwarded directly to axios with no allowlist or scheme validation. If url is ever sourced from untrusted input (e.g., a PR comment or issue body in a workflow triggered by external events), SSRF is possible. Not a bug in the action itself, but users should be advised to treat url as a trusted, hardcoded input only.

Summary

The onboarding is well-structured: subscription check, license, banner, version tagging, and all required workflow files pass. The one blocking issue is the use of non-existent and unpinned action versions in ci.ymlactions/checkout@v7 and actions/setup-node@v6 must be corrected to valid versions and pinned to commit SHAs before this PR can be merged.

Comment thread package.json Outdated
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
@anurag-stepsecurity anurag-stepsecurity removed the review-required Request Claude AI code review on the PR label Jul 8, 2026
@anurag-stepsecurity anurag-stepsecurity merged commit 05b60b8 into main Jul 8, 2026
19 of 20 checks passed
@anurag-stepsecurity anurag-stepsecurity deleted the release branch July 8, 2026 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants