feat: Onboard azure/static-web-apps-deploy action #2

Merged: anurag-stepsecurity merged 1 commit into main from release on May 13, 2026

Conversation

@anurag-stepsecurity (Collaborator)

Description

This PR onboards https://github.com/azure/static-web-apps-deploy action.

anurag-stepsecurity force-pushed the release branch 2 times, most recently from a390c71 to a614924 on May 13, 2026 07:33
anurag-stepsecurity added the review-required label (Trigger Claude AI code review on the PR) on May 13, 2026
claude Bot commented May 13, 2026

Claude finished @anurag-stepsecurity's task
Comprehensive PR Review Results

I've completed a thorough review of this PR that onboards the azure/static-web-apps-deploy action. Here are my findings:

Progress Checklist:

  • Gather context by reading key files to understand the action structure
  • Determine action type (node/docker/composite)
  • Review general compliance requirements (license, author, security.md, etc.)
  • Check for prohibited files/folders
  • Verify README.md requirements (banner, semver usage)
  • Review subscription check implementation
  • Verify docker-specific requirements (if applicable)
  • Scan for security vulnerabilities
  • Provide comprehensive review feedback

Review Findings

Compliant Items

Action Type: Docker-based action ✅

  • Correctly uses docker in action.yml:65
  • References Dockerfile properly in action.yml:66

General Compliance:

  • License: Present with both Microsoft and StepSecurity copyright (LICENSE:4)
  • Security.md: Present (SECURITY.md)
  • Required workflows: Both actions_release.yml and auto_cherry_pick.yml exist in .github/workflows/
  • Prohibited files: No FUNDING.yml, funding.yml, renovate.json, PULL_REQUEST.md, CHANGELOG.md, .vscode, or ISSUE_TEMPLATE found
  • README banner: Correctly includes the StepSecurity maintained action banner (README.md:1)

Subscription Check:

  • API endpoint: Correctly calls https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/maintained-actions-subscription (entrypoint.sh:32)
  • Upstream variable: Value "Azure/static-web-apps-deploy" matches the original-owner/repo-name from auto_cherry_pick.yml:39-40
  • Implementation: Proper subscription validation logic with timeout handling and error messages

Docker-specific Requirements:

  • Published image: Uses mcr.microsoft.com/appsvc/staticappsclient:stable (Dockerfile:1)

Non-Compliant Items

Critical Issues:

  1. Missing Author in action.yml

    • The action.yml file is missing the author field that should be set to step-security
    • Location: action.yml (field missing)
  2. Docker Image Not from StepSecurity Org

    • The Docker image mcr.microsoft.com/appsvc/staticappsclient:stable is not published to the StepSecurity organization
    • Should use a StepSecurity published image instead
    • Location: Dockerfile:1
  3. Docker Image Not Tagged with Major Version

    • The image uses :stable tag instead of a major version tag
    • Should follow semantic versioning with major version tags
    • Location: Dockerfile:1

Security Assessment:

  • Input validation: Proper validation of INPUT_ACTION with character restrictions (entrypoint.sh:49-52)
  • No secrets exposure: No hardcoded secrets or sensitive information found
  • Safe shell practices: Uses set -eu for error handling (entrypoint.sh:2)

📋 Recommendations

  1. Add author field to action.yml:

    author: "step-security"
  2. Update Docker image: Replace the Microsoft image with a StepSecurity-published equivalent that:

    • Is hosted under a StepSecurity organization registry
    • Uses major version tagging (e.g., :v1, :v2)
  3. Minor: Consider adding input sanitization for other inputs beyond just action if they are used in shell commands.

🔍 Summary

This PR shows good compliance with most StepSecurity requirements, including proper subscription checks, required workflows, and licensing. However, there are critical issues with the Docker image source and versioning that must be addressed before merging. The action structure and security practices are generally sound.
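
The two controls the review above credits to entrypoint.sh (an allowlist check on INPUT_ACTION, and a subscription call with timeout handling and error messages) are a common pattern for Docker-based actions. The script below is an added example written for this thread; it is not the repository's entrypoint.sh and not StepSecurity's code. The allowed character set, the treatment of HTTP 200 as "subscribed", and the function names are assumptions; only the API URL pattern comes from the review. The network half is kept in its own function so the decision logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not the action's entrypoint.sh. Character set and HTTP status
# semantics below are assumptions made for illustration.
set -eu

SUBSCRIPTION_API='https://agent.api.stepsecurity.io/v1/github'

# Allowlist check: INPUT_ACTION may only contain letters, digits, '_' and '-'
# (assumed set). An empty value or any other character is rejected, so the
# value can never carry shell metacharacters into a later command.
validate_action_input() {
  case "$1" in
    '')               echo '::error::action input is empty' >&2; return 1 ;;
    *[!A-Za-z0-9_-]*) echo "::error::action input '$1' contains disallowed characters" >&2; return 1 ;;
    *)                return 0 ;;
  esac
}

# Map the HTTP status returned by the subscription endpoint to a go/no-go.
# curl reports 000 when no response arrived (timeout, DNS or TLS failure);
# that case fails closed instead of silently continuing the deployment.
# Assumption: 200 means the repository has an active subscription.
decide_subscription() {
  case "$1" in
    200) return 0 ;;
    000) echo '::error::subscription check timed out or could not reach the API' >&2; return 1 ;;
    *)   echo "::error::no active maintained-actions subscription (HTTP $1)" >&2; return 1 ;;
  esac
}

# Network half: fetch only the status code, with a hard timeout so a hung
# endpoint cannot stall the job. '|| true' keeps the 000 code flowing to the
# caller under 'set -e'; the decision function turns it into a failure.
fetch_subscription_status() {
  repo="$1"
  curl --silent --output /dev/null --write-out '%{http_code}' --max-time 10 \
    "${SUBSCRIPTION_API}/${repo}/actions/maintained-actions-subscription" || true
}

# Wiring as an entrypoint would use it; GITHUB_REPOSITORY is set by the runner.
run_checks() {
  validate_action_input "${INPUT_ACTION:-}"
  decide_subscription "$(fetch_subscription_status "${GITHUB_REPOSITORY:?GITHUB_REPOSITORY is not set}")"
}
```

Running `run_checks` as the first step of an entrypoint means a malformed input or an unreachable subscription API stops the job with a `::error::` annotation before any deployment command executes.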

Comment thread SECURITY.md
Comment thread README.md
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>

anurag-stepsecurity merged commit bc1c655 into main on May 13, 2026
5 checks passed
anurag-stepsecurity deleted the release branch on May 13, 2026 09:01