From f55fc0e44d18d2e86b8c6e4845a3ec5264059736 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 30 Nov 2023 13:51:28 -0800
Subject: [PATCH] Add API validation

---
 .github/workflows/release.yml | 37 ++++++++++++++++++++++++++++
 README.md | 45 ----------------------------------
 SECURITY.md | 5 ++++
 action.yml | 2 +-
 python/publish/__init__.py | 2 +-
 python/publish_test_results.py | 17 ++++++++++++-
 6 files changed, 60 insertions(+), 48 deletions(-)
 create mode 100644 .github/workflows/release.yml
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e8522c4
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,37 @@
+name: Release new action version
+on:
+ workflow_dispatch:
+ inputs:
+ TAG_NAME:
+ description: "Tag name that the major tag will point to"
+ required: true
+
+env:
+ TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
+defaults:
+ run:
+ shell: pwsh
+
+permissions:
+ contents: read
+
+jobs:
+ update_tag:
+ name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
+ # Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
+ environment:
+ name: releaseNewActionVersion
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - name: Update the ${{ env.TAG_NAME }} tag
+ uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
+ with:
+ source-tag: ${{ env.TAG_NAME }}
\ No newline at end of file
diff --git a/README.md b/README.md
index 1ea41e8..373c1fe 100644
--- a/README.md
+++ b/README.md
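Review bot: `egress-policy: audit` on the harden-runner step only logs outbound connections, so in a job that holds `contents: write` and moves the major tag it enforces nothing; `egress-policy: block` together with `allowed-endpoints: github.com:443 api.github.com:443` (extended if publish-action needs more, which the hunk does not show) is the setting that actually constrains the job. The `${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}` fallback in `env` and in the job `name` is dead as written, because `on:` lists only `workflow_dispatch`; either add a `release` trigger or drop the fallback so the tag source is explicit. `defaults.run.shell: pwsh` is likewise unused since no step has a `run:` command. The `TAG_NAME` input reaches `source-tag` unvalidated (`required: true` still accepts any string), so a one-line guard step that fails unless the input matches `^v[0-9]+\.[0-9]+\.[0-9]+$` before the tag is moved seems worthwhile, hedged because I cannot see how publish-action derives the major tag from a malformed value.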
@@ -95,51 +95,6 @@ Check your favorite development and test environment for its JSON, TRX file or J
 |[sbt](https://www.scala-sbt.org/release/docs/Testing.html#Test+Reports)|Scala|:heavy_check_mark:| | | | |
 |Your favorite
environment|Your favorite
language|probably
:heavy_check_mark:| | | | | -## What is new in version 2 - -
-These changes have to be considered when moving from version 1 to version 2: - -### Default value for `check_name` changed -Unless `check_name` is set in your config, the check name used to publish test results changes from `"Unit Test Results"` to `"Test Results"`. - -**Impact:** -The check with the old name will not be updated once moved to version 2. - -**Workaround to get version 1 behaviour:** -Add `check_name: "Unit Test Results"` to your config. - -### Default value for `comment_title` changed -Unless `comment_title` or `check_name` are set in your config, the title used to comment on open pull requests changes from `"Unit Test Results"` to `"Test Results"`. - -**Impact:** -Existing comments with the old title will not be updated once moved to version 2, but a new comment is created. - -**Workaround to get version 1 behaviour:** -See workaround for `check_name`. - -### Modes `create new` and `update last` removed for option `comment_mode` -The action always updates an earlier pull request comment, which is the exact behaviour of mode `update last`. -The [configuration](#configuration) options `create new` and `update last` are therefore removed. - -**Impact:** -An existing pull request comment is always updated. - -**Workaround to get version 1 behaviour:** -Not supported. - -### Option `hiding_comments` removed -The action always updates an earlier pull request comment, so hiding comments is not required anymore. - -### Option `comment_on_pr` removed -Option `comment_on_pr` has been removed. - -**Workaround to get version 1 behaviour:** -Set `comment_mode` to `always` (the default) or `off`. - -
- - ## Publishing test results Test results are published on GitHub at various ([configurable](#configuration)) places:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..33fc4f1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to support@stepsecurity.io
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 181f02e..682af82 100644
--- a/action.yml
+++ b/action.yml
@@ -143,7 +143,7 @@ outputs:
 runs:
 using: 'docker'
- image: 'docker://ghcr.io/step-security.io/publish-unit-test-result-action:v1.0.0'
+ image: 'docker://ghcr.io/step-security.io/publish-unit-test-result-action:v1.0.1'
 branding:
 icon: 'check-square'
diff --git a/python/publish/__init__.py b/python/publish/__init__.py
index 15a1c6b..322cc63 100644
--- a/python/publish/__init__.py
+++ b/python/publish/__init__.py
@@ -11,7 +11,7 @@ UnitTestRunDeltaResults, UnitTestRunResultsOrDeltaResults, ParseError
 # keep the version in sync with action.yml
-__version__ = 'v1.0.0'
+__version__ = 'v1.0.1'
 logger = logging.getLogger('publish')
 digest_prefix = '[test-results]:data:'
diff --git a/python/publish_test_results.py b/python/publish_test_results.py
index 0fd8da0..313215f 100644
--- a/python/publish_test_results.py
+++ b/python/publish_test_results.py
@@ -6,7 +6,7 @@ from glob import glob
 from pathlib import Path
 from typing import List, Optional, Union, Mapping, Tuple, Any, Iterable, Callable
-
+import requests
 import github
 import humanize
 import psutil
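Review bot: In the `publish_test_results.py` import hunk, `import requests` takes the place of the blank line that separated the stdlib group (`glob`, `pathlib`, `typing`) from the third-party group (`github`, `humanize`, `psutil`), so the groups now run together and `requests` sits out of alphabetical order; keep the blank line and place `import requests` after `import psutil`. Because action.yml runs a prebuilt image (`ghcr.io/...:v1.0.1`), the new hard dependency also has to be present in the image's requirements, which this patch does not touch; if it is missing, the action fails at import time before any test result is published, so that is worth confirming before the v1.0.1 image is built.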
@@ -229,7 +229,22 @@ def action_fail_required(conclusion: str, action_fail: bool, action_fail_on_inco
 action_fail_on_inconclusive and conclusion == 'inconclusive'
+def validate_subscription():
+ API_URL = f"https://agent.api.stepsecurity.io/v1/github/{os.environ['GITHUB_REPOSITORY']}/actions/subscription"
+
+ try:
+ response = requests.get(API_URL, timeout=3)
+ response.raise_for_status()
+ except requests.exceptions.HTTPError:
+ print("Subscription is not valid. Reach out to support@stepsecurity.io")
+ exit(1)
+ except requests.exceptions.RequestException:
+ print("Timeout or API not reachable. Continuing to next step.")
+
+
 def main(settings: Settings, gha: GithubAction) -> None:
+ validate_subscription()
+
 if settings.is_fork and not settings.job_summary:
 gha.warning(f'This action is running on a pull_request event for a fork repository. '
 f'The only useful thing it can do in this situation is creating a job summary, which is disabled in settings. '
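Review bot: `response.raise_for_status()` in `validate_subscription` raises `HTTPError` for 5xx as well as 4xx, so an outage or bad gateway at agent.api.stepsecurity.io is reported as "Subscription is not valid" and `exit(1)` fails every consumer's CI, although the message on the `RequestException` branch shows the intent is to fail open when the service cannot answer. Two smaller defects sit in the same function: `os.environ['GITHUB_REPOSITORY']` is evaluated before the `try`, so a run outside GitHub Actions dies with a `KeyError` instead of skipping the check, and `exit(1)` is the `site` module's interactive helper rather than a guaranteed builtin — `raise SystemExit(1)` (or `sys.exit(1)`) is the reliable form. I would limit the hard failure to a 4xx response (or to the specific status the API documents for a missing subscription, which the hunk does not show), treat anything else like the unreachable case, and give the function a docstring stating that it is best-effort and fails open. `main`'s body continues past the end of the hunk.
```python
def validate_subscription():
    """Best-effort subscription check: exits only on a definitive client-side rejection, fails open otherwise."""
    repo = os.environ.get('GITHUB_REPOSITORY')
    if not repo:
        print("GITHUB_REPOSITORY not set. Skipping subscription check.")
        return
    api_url = f"https://agent.api.stepsecurity.io/v1/github/{repo}/actions/subscription"

    try:
        response = requests.get(api_url, timeout=3)
    except requests.exceptions.RequestException:
        print("Timeout or API not reachable. Continuing to next step.")
        return

    # Only a 4xx is treated as "no subscription"; a 5xx means the service could not
    # answer, so fall through and continue exactly like the unreachable case.
    if 400 <= response.status_code < 500:
        print("Subscription is not valid. Reach out to support@stepsecurity.io")
        raise SystemExit(1)
```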