
chore: pin GitHub Actions to SHA for supply chain security #1

Closed
luis-hong wants to merge 12 commits into main from chore/pin-github-actions-sha

Conversation

@luis-hong

Summary

This PR pins GitHub Actions to specific commit SHAs instead of mutable tags/branches to improve supply chain security.

Changes

  • .github/workflows/enforce-license-compliance.yml: pinned 1 action(s)
  • .github/workflows/integration-tests-benchmarks.yml: pinned 1 action(s)
  • .github/workflows/release.yml: pinned 1 action(s)

Why?

Mutable references (@v2, @main) can be changed by upstream maintainers at any time. SHA pinning ensures reproducible builds and protects against supply chain attacks.

References

@coderabbitai

coderabbitai bot commented Feb 20, 2026

Walkthrough

Tag-based action references in several GitHub workflow files were pinned to specific commit hashes. The affected workflows include build, codeql-analysis, format-code, generate-javadocs, the integration-tests-* family, release and enforce-license-compliance, and each action's version tag (v2/v3/v1/main, etc.) was replaced with a concrete commit SHA. In addition, a new workflow file (.github/workflows/security-check.yaml) was created to reuse a security-check workflow from an external repository. Workflow logic such as control flow and input/environment variables was not changed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning): the pull request description covers the change summary and motivation, but the listed files (3 workflows) do not match the actual changes in the PR (8 workflows including build.yml, codeql-analysis.yml, etc.), creating a discrepancy between description and actual scope. Resolution: update the PR description to accurately list all modified workflow files and reflect the full scope of changes across all 8 workflows, not just the 3 mentioned.

✅ Passed checks (2 passed)

  • Title check (✅ Passed): the pull request title accurately summarizes the main change: pinning GitHub Actions to SHA for supply chain security, which aligns with all the workflow file modifications.
  • Docstring Coverage (✅ Passed): no functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (2)
.github/workflows/release.yml (1)

20-20: Consider SHA-pinning the remaining actions too, for consistency

getsentry/action-prepare-release is pinned to a SHA, but actions/checkout@v3 still uses a mutable tag. To fully harden supply chain security, it is best to apply the same policy to every action.

Note: GitHub's official actions such as actions/checkout are relatively trustworthy, but SHA pinning is still recommended for fully reproducible builds.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 20, the mutable tag actions/checkout@v3 currently in the workflow is inconsistent with the SHA pinning of the other action (getsentry/action-prepare-release), so replace actions/checkout@v3 with a fixed commit SHA to strengthen supply chain security; that is, change the action identifier used in .github/workflows/release.yml (actions/checkout@v3) to a specific git commit SHA from that action's repository (e.g. actions/checkout@<full-commit-sha>) and update it to apply the same policy as getsentry/action-prepare-release, which is already SHA-pinned.
.github/workflows/integration-tests-benchmarks.yml (1)

25-31: Consider SHA-pinning the official GitHub actions too, for consistency

The getsentry/* and saucelabs/* actions are pinned to SHAs, but actions/checkout@v3, actions/setup-java@v3 and actions/cache@v3 still use mutable tags. For consistency of the supply chain security policy, consider SHA-pinning these actions as well.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/integration-tests-benchmarks.yml around lines 25 - 31, The
workflow uses mutable tags for actions (actions/checkout@v3,
actions/setup-java@v3, actions/cache@v3) while other steps are SHA-pinned;
update these three usages to pinned commit SHAs to match the security policy by
replacing the tag refs with the corresponding full commit SHA for each action
(e.g., actions/checkout@<commit-sha>) and verify the SHA values from the
official GitHub Actions repos before committing.


jobs:
security-check:
uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main
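Review bot: `uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main` in the new workflow references a mutable branch, which is exactly the class of reference the PR title sets out to remove, so the file contradicts its own PR. Pin the reusable workflow to the full commit SHA of the Buzzvil/workflows revision you have reviewed, and record the tag or date in a trailing comment the way the other hunks do (`# v2`, `# v3`) so the hash stays auditable.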


  • 🚫 Please pin the action by specifying a commit SHA instead of a tag/branch.

@github-actions

github-actions bot commented Feb 23, 2026

Fails
🚫 Please consider adding a changelog entry for the next release.

Instructions and example for changelog

Please add an entry to CHANGELOG.md to the "Unreleased" section. Make sure the entry includes this PR's number.

Example:

## Unreleased

- pin GitHub Actions to SHA for supply chain security ([#1](https://github.com/Buzzvil/sentry-java/pull/1))

If none of the above apply, you can opt out of this check by adding #skip-changelog to the PR description or adding a skip-changelog label.

Generated by 🚫 dangerJS against 0b17641


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/security-check.yaml (1)

7-8: Recommend minimizing the scope of secrets: inherit.

It is safer to pass only the secrets that are actually needed, explicitly, and so reduce the permission scope.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/security-check.yaml around lines 7 - 8, The workflow
currently uses "secrets: inherit" which grants excessive secret scope; replace
it by explicitly listing only the required secrets instead of inherit. In the
referenced step using "uses:
Buzzvil/workflows/.github/workflows/security-check.yaml@main" remove "secrets:
inherit" and add a secrets map that enumerates each needed secret key (e.g.,
SECRET_NAME: ${{ secrets.SECRET_NAME }}) so only those specific secrets are
passed; ensure you include exactly the minimal set required by the
security-check workflow.

📥 Commits

Reviewing files that changed from the base of the PR and between 9ddcade and ca877b6.

📒 Files selected for processing (1)
  • .github/workflows/security-check.yaml
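As an added example (not code from the PR or from the Buzzvil/sentry-java project), the check below scans workflow text for the two things this thread keeps flagging: `uses:` references that are still on mutable tags or branches rather than a full commit SHA, as the PR description's "Why?" section motivates, and reusable-workflow calls that pass `secrets: inherit`, as the nitpick on security-check.yaml above describes. The sample workflow is constructed; the SHAs in it are the ones quoted in this review.

```python
"""Audit GitHub Actions workflow text for unpinned `uses:` references and
`secrets: inherit` on reusable-workflow calls. Added example, not part of the
PR; the sample workflow below is constructed, reusing SHAs from the review."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses:` either as a step item ("- uses: ...") or a job-level reusable-workflow
# call ("uses: ..."); an optional trailing "# v4" comment records the intended tag.
USES_LINE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SECRETS_INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*$")

# Constructed workflow: one mutable tag, one SHA pin with its tag comment,
# one SHA pin without a comment, one local action, and a reusable-workflow
# call on a branch with inherited secrets.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Cache Gradle packages
        uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
      - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62
      - uses: ./.github/actions/local-step
  security-check:
    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main
    secrets: inherit
"""


def audit_workflow(text):
    """Return one finding dict per `uses:` reference or `secrets: inherit` line.

    kind is one of: "pinned" (40-hex SHA plus tag comment), "pinned-no-comment"
    (SHA but nothing recording which tag it came from), "mutable" (tag, branch
    or missing ref) or "secrets-inherit" (attached to the preceding `uses:`).
    """
    findings = []
    last_action = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            target, comment = m.group(1).strip("'\""), m.group(2)
            # Local actions and docker:// images have no upstream git ref to pin.
            if target.startswith("./") or target.startswith("docker://"):
                continue
            action, sep, ref = target.rpartition("@")
            if not sep:  # no "@ref" at all: treat as mutable (default branch)
                action, ref = target, ""
            if FULL_SHA.match(ref):
                kind = "pinned" if comment else "pinned-no-comment"
            else:
                kind = "mutable"
            last_action = action
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind})
        elif SECRETS_INHERIT.match(line):
            findings.append({"line": lineno, "action": last_action, "ref": None,
                             "kind": "secrets-inherit"})
    return findings


def unpinned(findings):
    """Short 'action@ref' strings for everything that still needs a SHA pin."""
    return [f"{f['action']}@{f['ref']}" for f in findings if f["kind"] == "mutable"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>2}: {f['kind']:<18} {f['action']}@{f['ref'] or ''}")
```

Run against a real checkout with `audit_workflow(open(path).read())` per file under `.github/workflows/`; a "pinned" result only says the ref is immutable, not that the pinned release is still supported, which is the separate problem the actions/cache@v2 comments below raise.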


jobs:
security-check:
uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the full content of the security-check.yaml file
cat -n .github/workflows/security-check.yaml 2>/dev/null || echo "File not found or cannot be read"

Repository: Buzzvil/sentry-java

Length of output: 276


🏁 Script executed:

# Search for any other workflow files in the repository to understand the pinning pattern
fd "\.yaml$|\.yml$" .github/workflows/ | head -20

Repository: Buzzvil/sentry-java

Length of output: 565


🏁 Script executed:

# Check git history to understand the PR context and pinning goal
git log --oneline -20 -- ".github/workflows/" 2>/dev/null | head -10

Repository: Buzzvil/sentry-java

Length of output: 125


🌐 Web query:

Buzzvil/workflows GitHub repository security-check.yaml reusable workflow recommended commit SHA pinning

💡 Result:

I couldn’t locate a public Buzzvil/workflows GitHub repository (the URL returns 404 Not Found in this environment), so I can’t tell you the exact commit SHA that security-check.yaml should be pinned to.

That said, for reusable workflows, GitHub explicitly supports referencing the called workflow by commit SHA, tag, or branch, and states that using a commit SHA is the safest option for stability and security. [1]

Recommended pinning (caller workflow)

jobs:
  security_check:
    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@<FULL_COMMIT_SHA>

How to get the correct SHA to pin

  1. Open security-check.yaml in the Buzzvil/workflows repo.
  2. Click History for that file.
  3. Copy the full commit SHA for the exact revision you want to trust, and use it in @<FULL_COMMIT_SHA>.

If you paste the repository URL (or confirm it’s private and share the file’s “History” page output), I can tell you which SHA corresponds to the latest version.

Sources: [1]


Pin to a commit SHA.

@main is currently mutable and introduces supply chain risk. To match the PR's goal of pinning actions to SHAs, it needs to be replaced with a stable commit SHA from the Buzzvil/workflows repository.

✅ Suggested fix
-    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main
+    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@<PINNED_SHA>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/security-check.yaml at line 7, the current "uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main" reference uses the mutable `@main` branch and therefore carries supply chain risk; replace the reference with a stable commit SHA from the Buzzvil/workflows repository (e.g. "uses: Buzzvil/workflows/.github/workflows/security-check.yaml@<COMMIT_SHA>"); that is, find the uses entry in the current file, replace the `@main` part of the string above with the exact commit SHA, and commit the change to the PR.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5



📥 Commits

Reviewing files that changed from the base of the PR and between ca877b6 and 0b17641.

📒 Files selected for processing (8)
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/format-code.yml
  • .github/workflows/generate-javadocs.yml
  • .github/workflows/gradle-wrapper-validation.yml
  • .github/workflows/integration-tests-benchmarks.yml
  • .github/workflows/integration-tests-ui.yml
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/integration-tests-benchmarks.yml
  • .github/workflows/release.yml

Comment on lines 32 to +33
- name: Cache Gradle packages
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
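Review bot: the new line `uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2` pins the hash of a v2 release, so it carries the retired version forward instead of fixing it, and because a hash never moves the job will keep failing until someone edits this line again. Pin a release this thread names as supported (v4.2.0 or v3.4.0, or the v4 tag's current commit 0057852bfaa89a56745cba8c7296529d2fc39830 resolved later in the review) and change the trailing `# v2` comment to the matching tag in the same commit.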

⚠️ Potential issue | 🟠 Major

actions/cache@v2 is no longer supported.

Some versions of actions/cache are no longer supported. Upgrading to v4 or v3 before February 1, 2025 is recommended, and if you use a pinned SHA you must use the SHA of v4.2.0 or v3.4.0.

Although the purpose of this PR is supply chain security, pinning the no-longer-supported v2 SHA will make the workflow fail.

🔧 Suggested upgrade to v4
      - name: Cache Gradle packages
-       uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace  # v2
+       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 32 - 33, The workflow pins an
unsupported actions/cache SHA (uses:
actions/cache@8492260343ad570701412c2f464a5877dc76bace) which is v2 and will
fail; update the uses entry to a supported release (prefer actions/cache@v4) or
if you must pin a commit SHA use the v4.2.0 or v3.4.0 SHAs as recommended,
replacing the current pinned SHA in the "uses: actions/cache@..." line so the
workflow uses a supported version.

Comment on lines 26 to +27
- name: 'Set up Java: ${{ matrix.java }}'
uses: actions/setup-java@v3
uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
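Review bot: the pin to `actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3` is fine, but the unchanged context line `- name: 'Set up Java: ${{ matrix.java }}'` interpolates a matrix key that actionlint reports as undefined for this job (`property "java" is not defined in object type {language: string}`), so the step name renders as "Set up Java: " on every run. Since this hunk already touches the step, replace the expression with a static name or gate the step with `if: matrix.language == 'java'` rather than leaving the empty interpolation in place.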

⚠️ Potential issue | 🟡 Minor

matrix.java is not defined (pre-existing bug).

The static analysis tool (actionlint) pointed out that the java property does not exist in the matrix definition at lines 19-20. The matrix only defines language: ['cpp', 'java'], so ${{ matrix.java }} always evaluates to an empty string.

This is a pre-existing bug, not an issue introduced by this PR.

🐛 Suggested step name fix
-     - name: 'Set up Java: ${{ matrix.java }}'
+     - name: 'Set up Java: 17'
🧰 Tools
🪛 actionlint (1.7.11)

[error] 26-26: property "java" is not defined in object type {language: string}

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 26 - 27, The step name
references an undefined matrix variable (matrix.java) which is always empty; fix
by either adding a java entry to the matrix (e.g., add matrix.java with
versions) so ${ matrix.java } is populated, or simpler: remove the interpolation
from the step name and use a static name like "Set up Java" and guard the step
with an if condition (e.g., if: matrix.language == 'java') so actions/setup-java
runs only for Java matrix entries; update the step’s name line and, if you
choose the matrix change, add the new java key to the matrix definition so
actions/setup-java@... and the name use the defined variable.

Comment on lines 32 to +33
- name: Cache Gradle packages
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
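Review bot: this hunk pins the same v2 commit (`8492260343ad570701412c2f464a5877dc76bace`) as the build.yml hunk, so the CodeQL job inherits the identical failure once v2 is retired; treat the pin and the version bump as a single change here. The `with:` inputs of this "Cache Gradle packages" step (path, key, restore-keys) are not part of the hunk and do not need to change when the hash is moved to a supported v4 release, so the diff should stay a one-line swap of the SHA and its `# v4` comment.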

⚠️ Potential issue | 🟠 Major

actions/cache@v2 is no longer supported.

Some versions of actions/cache are no longer supported, and the workflow will fail unless it is upgraded.

🔧 Suggested upgrade to v4
      - name: Cache Gradle packages
-       uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace  # v2
+       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.yml around lines 32 - 33, The workflow
step "Cache Gradle packages" is using the deprecated actions/cache@v2; update
that step to use the supported major version by changing the uses reference from
actions/cache@v2 (or the specific commit) to actions/cache@v4, ensuring the step
name "Cache Gradle packages" and any associated with: keys (e.g., path, key,
restore-keys) remain intact so the cache behavior is preserved.

Comment on lines 19 to +20
- name: Cache Gradle packages
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
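Review bot: the `# v2` comment on `uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2` is doing its job, since it is what lets a reader spot that this hash resolves to a retired major without looking it up, but the hash itself needs to move to a supported release before merge. Verify the replacement SHA against the actions/cache tags page (as the review's own how-to describes) rather than copying it from another workflow, and keep the comment and the hash in agreement.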

⚠️ Potential issue | 🟠 Major

actions/cache@v2 is no longer supported.

Some versions of actions/cache are no longer supported, and the workflow will fail unless it is upgraded. An upgrade to v4, or at least v3.4.0, is required.

🔧 Suggested upgrade to v4
      - name: Cache Gradle packages
-       uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace  # v2
+       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684  # v4
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/format-code.yml around lines 19 - 20, The workflow step
named "Cache Gradle packages" currently pins actions/cache to an unsupported
commit hash (uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace);
update that uses: reference to a supported release by replacing the pinned hash
with a supported version tag such as actions/cache@v4 (or at minimum
actions/cache@v3.4.0) so the GitHub Actions runner uses a maintained release and
the workflow no longer fails.

Comment on lines +12 to +20
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: set up JDK 17
uses: actions/setup-java@v3
uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
with:
distribution: 'temurin'
java-version: '17'

- name: Cache Gradle packages
uses: actions/cache@v2
uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
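Review bot: of the three pins in this hunk, `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3` and `actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3` stay on a supported major, but `actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2` pins the retired v2 line that the review shows failing on the February 2026 run, so this job cannot succeed at all as submitted. The `with:` inputs (`distribution`, `java-version`) are untouched, so the fix is a one-line swap of the cache SHA to a v4 release; this is the one hunk in the PR that must change before merge rather than a consistency nit.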

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/cache v2 deprecation 2025 github actions

💡 Result:

actions/cache@v2 (and @v1) was deprecated as part of GitHub Actions’ cache-service migration:

  • Deprecation began: February 1, 2025 (cache v1–v2 deprecation starts) [1]
  • Fully retired / hard-fail date: March 1, 2025 (workflows using v1/v2 can fail) [1]
  • GitHub recommended upgrading to actions/cache@v3 or @v4 (and newer releases exist, e.g. @v5) [1][2].
  • The underlying @actions/cache toolkit package likewise required upgrading (e.g., to 4.0.0+) to avoid failures after the retirement date [3].

What to do (workflow fix):

- uses: actions/cache@v4
  with:
    path: ~/.cache
    key: ${{ runner.os }}-cache-${{ hashFiles('**/lockfiles') }}

(Or use actions/cache@v5 if you’re ready for its runtime/runner requirements.) [2]

Sources: [1] GitHub Changelog (Sep 16, 2024 notice) (github.blog), [2] actions/cache repo docs/announcement (github.com), [3] @actions/cache toolkit deprecation notice (github.com)

Citations:


🌐 Web query:

actions/cache v4 latest sha github

💡 Result:

The current commit SHA that the actions/cache@v4 tag points to is:

  • 0057852bfaa89a56745cba8c7296529d2fc39830 (tag v4, dated Sep 24, 2025) [1][2]

Sources:
[1] https://github.com/actions/cache/tags
[2] actions/cache@0057852


🌐 Web query:

github actions cache deprecated february 2025 status

💡 Result:

As of February 2025, GitHub had started moving Actions cache storage to a new cache service architecture (v2 APIs) starting February 1, 2025, and deprecated/closed down actions/cache v1–v2 (and @actions/cache package versions < 4.0.0). Runs using the retired versions were expected to fail after full retirement on March 1, 2025. [1][2]

What you needed to do (Feb 2025):

  • Upgrade workflows to use actions/cache@v3 or actions/cache@v4 (and avoid pinning to old SHAs). [1][2]
  • If you use the toolkit package directly, bump to @actions/cache >= 4.0.0. [3]

Feb 2025 operational status:

  • GitHub scheduled “brownouts” (intentional failures) to surface breakages on Feb 4, Feb 11, and Feb 18, 2025 (UTC). [1][2]

Key dates:

  • Feb 1, 2025: new cache storage architecture rollout; v1–v2 deprecated/closing down. [1][2]
  • Mar 1, 2025: full retirement; deprecated versions expected to fail. [1][2]

Note: GitHub stated this did not impact GitHub Enterprise Server customers in the same way (they could continue using versions without the hosted-service retirement behavior). [1][2]

Sources: [1] [2] [3]


The workflow is currently failing because actions/cache@v2 has been fully retired.

actions/cache@v2 was fully retired as of March 1, 2025. As of now (February 2026), workflows using this version fail. Upgrade to v3 or v4 immediately.

Suggested upgrade to v4
      - name: Cache Gradle packages
-       uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace  # v2
+       uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4
        with:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/generate-javadocs.yml around lines 12 - 20, The workflow
step named "Cache Gradle packages" uses the deprecated pinned ref
actions/cache@8492260343ad570701412c2f464a5877dc76bace (v2) and is causing CI
failures; update that step to use the supported actions/cache@v4 reference (or
actions/cache@v3 if you prefer v3), keeping the existing inputs intact, then
commit and re-run the .github/workflows/generate-javadocs.yml workflow to verify
the failure is resolved.

@luis-hong
Author

External fork repositories are excluded from the blanket SHA-pinning rollout.

Reason: in fork repositories the security-check CI does not work properly because of restricted access to the org's self-hosted runners and restrictions on calling private reusable workflows. They will be handled individually as needed.

@luis-hong luis-hong closed this Feb 23, 2026