chore: Cherry-picked changes from upstream #157


Open

wants to merge 20 commits into base: main

Conversation

github-actions[bot]
Contributor

Cherry-picked changes from upstream.

Contributor Author

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v6.0.0

⚠️ Completely Skipped Commits Due to only modifying files in: package.json, package-lock.json, yarn.lock, node_modules/, dist/, or .gitignore

  • 9fa4cb99cf546f9b064624433f8cad5428cb1e79
  • ed295bd35ad61ad0d546bb7c3b8475f51b90f6ad
  • 739fd03b2d357d2fae3db0870fdc627f1f4c7380
  • 3058f91afb4f03b73d38f33c35023fb22cf546b8
  • ae114628ea78fd141aa4fa7730f70c984b29c391
  • ddb7ae415961225797e0234a7018a30ba1e66bb3
  • 3cc016cfc892e0844046da36fc68da4e525e081f

❗ Missing Files:

  • UPGRADING.md
  • UPGRADING.md
  • CHANGELOG.md

🛑 Workflow Files (Cannot be auto-applied by GitHub Actions):

  • .github/workflows/git-auto-commit.yml from commit 1666a490833865ae4964dfc0c155c9b450734002
  • .github/workflows/git-auto-commit.yml from commit bd434eed48c672601bdf68cdb9149a0c75d5c29c

❌ Conflicting Files:

  • action.yml from commit 76f415fb30f4c37c8ee7ace2b2f21217c91ca084
  • README.md from commit 7f171889c8ca7ce254ba1b6e34aa6a6d16b679de
  • entrypoint.sh from commit ad56d4eb467fcb3066f2523ad469ae14c9b3f556
  • entrypoint.sh from commit 1d986f74dd4f20731beebbd9ad52610c804b9484

Raj-StepSecurity added the "review required" label (Triggers Claude code review workflow) on Jun 24, 2025

claude bot commented Jun 24, 2025

Claude finished @github-actions[bot]'s task
PR Review: Cherry-picked changes from upstream

Reviewing this cherry-pick PR based on CLAUDE.md requirements...

Todo List:

  • Read and analyze all changed files
  • General compliance review per CLAUDE.md requirements
  • MANDATORY: Cherry-pick verification with upstream comparison
  • Check upstream repository releases and changes
  • Perform file-by-file comparison with upstream
  • Security vulnerability scan
  • Final review summary and recommendations

✅ General Compliance Review

CLAUDE.md Requirements Status:

  • package.json author: Missing "author": "step-security" field
  • LICENSE: MIT license with proper StepSecurity copyright
  • action.yml: Present (author field not specified in requirements)
  • SECURITY.md: Present with StepSecurity contact
  • dist folder: Present with required files (index.js, entrypoint.sh)
  • Subscription check: Properly implemented in index.js with correct API URL
  • .github/workflows: Contains all required workflow files
  • Prohibited files: No renovate.json, FUNDING.yml, PULL_REQUEST.md, etc.
  • Dependencies: All dependencies appear to be used (bats, ncc, axios)

❌ Cherry-Pick Verification: v6.0.1

Based on CLAUDE.md fallback data for stefanzweifel/git-auto-commit-action v6.0.0→v6.0.1:

Upstream Analysis

Target Version: v6.0.1
Previous Version: v6.0.0
Upstream Files Changed: 3 files

File-by-File Comparison

CHANGELOG.md

  • Upstream: +15 lines, -1 line (release notes)
  • Our PR: ❌ Not included
  • Status: ❌ Missing from our PR

entrypoint.sh

  • Upstream: +1 line, -1 line (commented out detached state check)
  • Our PR: ✅ Present in both locations
  • Status: ⚠️ Present but cannot verify exact changes match

tests/git-auto-commit.bats

  • Upstream: +1 line, -0 lines (added skip to test)
  • Our PR: ✅ Present
  • Status: ⚠️ Present but cannot verify exact changes match

Summary

  • Total upstream files: 3 files
  • Missing files: 1 file ❌ (CHANGELOG.md)
  • Extra files: 2 files ⚠️ (README.md, action.yml - not part of upstream v6.0.1)

Result: ❌ Incomplete cherry-pick

✅ Security Analysis

Security Review Results:

  • No hardcoded secrets: No credentials found in code
  • Proper input validation: Shell variables are properly quoted and escaped
  • Shellcheck compliance: Code uses shellcheck disable directives appropriately
  • Command injection protection: Git commands use proper variable expansion
  • Subscription validation: Secure API endpoint with timeout protection
  • Error handling: Proper error checking and exit codes

Security Strengths:

  • All shell variables are properly quoted ("$VARIABLE")
  • Input validation through git status checks before operations
  • Timeout protection in subscription API calls
  • Proper error handling with meaningful error messages

📋 Final Review Summary

❌ Issues Found:

  1. CRITICAL: Incomplete Cherry-Pick

    • Missing CHANGELOG.md from upstream v6.0.1
    • Cannot verify if entrypoint.sh changes match upstream exactly
    • Additional files (README.md, action.yml) not part of upstream release
  2. COMPLIANCE: Missing Author Field

    • package.json lacks required "author": "step-security" field

✅ Positive Findings:

  1. Security: No vulnerabilities detected, proper input validation
  2. License: Correct MIT license with StepSecurity copyright
  3. Dependencies: All required and no unused dependencies
  4. Structure: All required files and workflows present
  5. Subscription: Proper StepSecurity API integration

🔧 Recommended Actions:

  1. Fix package.json: Add "author": "step-security" field
  2. Cherry-pick verification: Include missing CHANGELOG.md or verify this is intentional
  3. Upstream alignment: Confirm that README.md and action.yml changes are intended customizations

🎯 Recommendation: NEEDS CHANGES

While the code is secure and mostly compliant, the missing author field and incomplete cherry-pick verification need to be addressed before merging.
