Add API validation

.github/workflows/release.yml

@@ -0,0 +1,37 @@
+name: Release new action version
+on:
+  workflow_dispatch:
+    inputs:
+      TAG_NAME:
+        description: "Tag name that the major tag will point to"
+        required: true
+
+env:
+  TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+defaults:
+  run:
+    shell: pwsh
+
+permissions:
+  contents: read
+
+jobs:
+  update_tag:
+    name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
+    # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
+    environment:
+      name: releaseNewActionVersion
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Update the ${{ env.TAG_NAME }} tag
+        uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
+        with:
+          source-tag: ${{ env.TAG_NAME }}

README.md

@@ -95,51 +95,6 @@ Check your favorite development and test environment for its JSON, TRX file or J
 |[sbt](https://www.scala-sbt.org/release/docs/Testing.html#Test+Reports)|Scala|:heavy_check_mark:| | | | |
 |Your favorite<br/>environment|Your favorite<br/>language|probably<br/>:heavy_check_mark:| | | | |
 
-## What is new in version 2
-
-<details>
-<summary>These changes have to be considered when moving from version 1 to version 2:</summary>
-
-### Default value for `check_name` changed
-Unless `check_name` is set in your config, the check name used to publish test results changes from `"Unit Test Results"` to `"Test Results"`.
-
-**Impact:**
-The check with the old name will not be updated once moved to version 2.
-
-**Workaround to get version 1 behaviour:**
-Add `check_name: "Unit Test Results"` to your config.
-
-### Default value for `comment_title` changed
-Unless `comment_title` or `check_name` are set in your config, the title used to comment on open pull requests changes from `"Unit Test Results"` to `"Test Results"`.
-
-**Impact:**
-Existing comments with the old title will not be updated once moved to version 2, but a new comment is created.
-
-**Workaround to get version 1 behaviour:**
-See workaround for `check_name`.
-
-### Modes `create new` and `update last` removed for option `comment_mode`
-The action always updates an earlier pull request comment, which is the exact behaviour of mode `update last`.
-The [configuration](#configuration) options `create new` and `update last` are therefore removed.
-
-**Impact:**
-An existing pull request comment is always updated.
-
-**Workaround to get version 1 behaviour:**
-Not supported.
-
-### Option `hiding_comments` removed
-The action always updates an earlier pull request comment, so hiding comments is not required anymore.
-
-### Option `comment_on_pr` removed
-Option `comment_on_pr` has been removed.
-
-**Workaround to get version 1 behaviour:**
-Set `comment_mode` to `always` (the default) or `off`.
-
-</details>
-
-
 ## Publishing test results
 
 Test results are published on GitHub at various ([configurable](#configuration)) places:

SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to [email protected]

action.yml

@@ -143,7 +143,7 @@ outputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/step-security.io/publish-unit-test-result-action:v1.0.0'
+  image: 'docker://ghcr.io/step-security.io/publish-unit-test-result-action:v1.0.1'
 
 branding:
   icon: 'check-square'

python/publish/__init__.py

@@ -11,7 +11,7 @@
     UnitTestRunDeltaResults, UnitTestRunResultsOrDeltaResults, ParseError
 
 # keep the version in sync with action.yml
-__version__ = 'v1.0.0'
+__version__ = 'v1.0.1'
 
 logger = logging.getLogger('publish')
 digest_prefix = '[test-results]:data:'

python/publish_test_results.py

@@ -6,7 +6,7 @@
 from glob import glob
 from pathlib import Path
 from typing import List, Optional, Union, Mapping, Tuple, Any, Iterable, Callable
-
+import requests
 import github
 import humanize
 import psutil
@@ -229,7 +229,22 @@ def action_fail_required(conclusion: str, action_fail: bool, action_fail_on_inco
            action_fail_on_inconclusive and conclusion == 'inconclusive'
 
 
+def validate_subscription():
+    API_URL = f"https://agent.api.stepsecurity.io/v1/github/{os.environ['GITHUB_REPOSITORY']}/actions/subscription"
+
+    try:
+        response = requests.get(API_URL, timeout=3)
+        response.raise_for_status()
+    except requests.exceptions.HTTPError:
+        print("Subscription is not valid. Reach out to [email protected]")
+        exit(1)
+    except requests.exceptions.RequestException:
+        print("Timeout or API not reachable. Continuing to next step.")
+
+
 def main(settings: Settings, gha: GithubAction) -> None:
+    validate_subscription()
+
     if settings.is_fork and not settings.job_summary:
         gha.warning(f'This action is running on a pull_request event for a fork repository. '
                     f'The only useful thing it can do in this situation is creating a job summary, which is disabled in settings. '