chore: pin GitHub Actions to SHA for supply chain security

[luis-hong]

Summary

This PR pins GitHub Actions to specific commit SHAs instead of mutable tags/branches to improve supply chain security.

Changes

• .github/workflows/test-framework-ada.yml: pinned 1 action(s)
• .github/workflows/test-framework-clojure.yml: pinned 1 action(s)
• .github/workflows/test-framework-dart.yml: pinned 1 action(s)
• .github/workflows/test-framework-lua.yml: pinned 2 action(s)
• .github/workflows/test-framework-php.yml: pinned 1 action(s)
• .github/workflows/test-framework-sbt.yml: pinned 1 action(s)
• .github/workflows/test-framework-v2-ada.yml: pinned 1 action(s)
• .github/workflows/test-framework-v2-php.yml: pinned 1 action(s)
• .github/workflows/test-generation-v2.yml: pinned 1 action(s)

Why?

Mutable references (@v2, @main) can be changed by upstream maintainers at any time. SHA pinning ensures reproducible builds and protects against supply chain attacks.

References

• GitHub Actions security hardening

[coderabbitai]

Walkthrough

다수의 GitHub 워크플로우 파일(.github/workflows/...)에서 외부 액션 참조를 태그/브랜치(v1, v2, dev 등)에서 특정 커밋 SHA로 고정(pinning)하도록 변경했습니다. 변경 대상에는 actions/checkout, actions/setup-java, actions/upload-artifact, actions/download-artifact 등과 언어·도구별 설정 액션들이 포함됩니다. 워크플로우의 입력, 단계 순서 및 제어 흐름에는 변경이 없으며, 새 워크플로우 파일 .github/workflows/security-check.yaml이 추가되었습니다.

예상 코드 리뷰 노력

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	제목이 변경 사항의 주요 내용을 명확하게 요약합니다. GitHub Actions를 SHA로 고정하는 공급망 보안 개선이 핵심 변경 사항입니다.
Description check	✅ Passed	설명이 변경 사항과 관련이 있으며, 영향받는 파일 목록과 변경 이유를 제시합니다.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/pin-github-actions-sha

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/test-framework-php.yml (1)

160-164: SHA 고정이 올바르게 적용되었습니다.

shivammathur/setup-php 액션이 v2 태그에 해당하는 커밋 SHA(d59004228537ca90c8dca680592a08a675bf52b6)로 정확히 고정되었으며, 인라인 주석으로 원래 버전(# v2)이 명시되어 있어 유지보수에 도움이 됩니다.

다만, 이 파일의 다른 액션들(actions/checkout@v2, actions/setup-java@v1, actions/download-artifact@v2, actions/upload-artifact@v2)은 여전히 mutable 태그를 사용하고 있습니다. 일관성을 위해 향후 이들도 SHA로 고정하는 것을 고려해 주세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-php.yml around lines 160 - 164, 현재 파일에서
shivammathur/setup-php는 SHA로 고정되어 있지만 다른 액션들(actions/checkout@v2,
actions/setup-java@v1, actions/download-artifact@v2,
actions/upload-artifact@v2)은 여전히 mutable 태그를 사용하고 있어 일관성이 없습니다; 각 해당 사용처를 찾아 태그
대신 안정적인 커밋 SHA로 고정하도록 변경하고(예: actions/checkout, actions/setup-java,
actions/download-artifact, actions/upload-artifact 각각의 리포지토리에서 적절한 커밋 SHA를 확인해
교체) 커밋 또는 PR 설명에 원래 태그 버전(예: v2, v1)을 인라인 주석으로 남겨 유지보수성을 유지하세요.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test-framework-ada.yml:
- Around line 160-163: Replace the pinned commit SHA for the GitHub Action usage
with the stable release tag: update the uses line
"ada-actions/toolchain@d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707" to the stable
release "ada-actions/toolchain@v0.2.0" so the workflow uses the official v0.2.0
release (keep the existing with: distrib: fsf and target: native entries
unchanged).

---

Nitpick comments:
In @.github/workflows/test-framework-php.yml:
- Around line 160-164: 현재 파일에서 shivammathur/setup-php는 SHA로 고정되어 있지만 다른
액션들(actions/checkout@v2, actions/setup-java@v1, actions/download-artifact@v2,
actions/upload-artifact@v2)은 여전히 mutable 태그를 사용하고 있어 일관성이 없습니다; 각 해당 사용처를 찾아 태그
대신 안정적인 커밋 SHA로 고정하도록 변경하고(예: actions/checkout, actions/setup-java,
actions/download-artifact, actions/upload-artifact 각각의 리포지토리에서 적절한 커밋 SHA를 확인해
교체) 커밋 또는 PR 설명에 원래 태그 버전(예: v2, v1)을 인라인 주석으로 남겨 유지보수성을 유지하세요.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

ada-actions/toolchain releases tags GitHub

💡 Result:

On GitHub, ada-actions/toolchain currently has 2 releases, and the release tags match the repository tags:

• v0.2.0 (Release “Latest”) — released Jun 9, 2020; tag commit b55aaa7; tag date shown as May 26, 2020 (tagging date). [1][2]
• v0.1.0 — released Dec 10, 2019; tag commit e7110b4. [1][2]

You can view them here:

• Releases page: [1]
• Tags page: [2]

Sources: [1] [2]

---

🏁 Script executed:

#!/bin/bash
# Check available release tags for ada-actions/toolchain repository
curl -s "https://api.github.com/repos/ada-actions/toolchain/tags" | jq -r '.[0:15] | .[] | "\(.name) - \(.commit.sha)"' 2>/dev/null || echo "Failed to fetch tags"

Repository: Buzzvil/swagger-codegen

Length of output: 166

---

🏁 Script executed:

#!/bin/bash
# Check for releases (which are typically more stable than tags)
curl -s "https://api.github.com/repos/ada-actions/toolchain/releases" | jq -r '.[0:10] | .[] | "\(.tag_name) - \(.draft) - \(.prerelease)"' 2>/dev/null || echo "Failed to fetch releases"

Repository: Buzzvil/swagger-codegen

Length of output: 112

---

🏁 Script executed:

#!/bin/bash
# Get information about the specific commit to verify branch
curl -s "https://api.github.com/repos/ada-actions/toolchain/commits/d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707" | jq '{sha: .sha, message: .commit.message, author: .commit.author.name}' 2>/dev/null || echo "Failed to fetch commit info"

Repository: Buzzvil/swagger-codegen

Length of output: 191

---

안정적인 릴리스 태그를 사용하세요.

ada-actions/toolchain에는 v0.2.0 (b55aaa7), v0.1.0 (e7110b4) 등 안정적인 릴리스가 존재합니다. 현재 고정된 SHA(d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707)는 이러한 안정 릴리스와 일치하지 않으며, 개발 중인 커밋입니다. 최신 안정 릴리스인 v0.2.0을 사용하도록 변경하세요:

- uses: ada-actions/toolchain@v0.2.0
  with:
    distrib: fsf
    target: native

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ada.yml around lines 160 - 163, Replace the
pinned commit SHA for the GitHub Action usage with the stable release tag:
update the uses line
"ada-actions/toolchain@d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707" to the stable
release "ada-actions/toolchain@v0.2.0" so the workflow uses the official v0.2.0
release (keep the existing with: distrib: fsf and target: native entries
unchanged).

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/security-check.yaml:
- Line 7: 현재 워크플로우는 외부 액션 참조를
`Buzzvil/workflows/.github/workflows/security-check.yaml@main`으로 사용하고 있어 SHA 고정
목적과 모순됩니다; 해당 `uses:` 참조를 특정 커밋 SHA로 교체해(예:
`Buzzvil/workflows/.github/workflows/security-check.yaml@<commit-sha>`) 불변성을
보장하고, 사용하려는 커밋 SHA를 선택한 후 커밋 해시로 정확히 대체했는지(`uses` 항목) 확인하세요.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2b4d600 and 801277d.

📒 Files selected for processing (1)

• .github/workflows/security-check.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check the workflow file and surrounding files
git ls-files .github/workflows/

Repository: Buzzvil/swagger-codegen

Length of output: 3348

---

🏁 Script executed:

# Examine the security-check.yaml file
cat -n .github/workflows/security-check.yaml

Repository: Buzzvil/swagger-codegen

Length of output: 280

---

🏁 Script executed:

# Search for other uses of GitHub Actions references in workflow files to identify pattern
rg "uses:" .github/workflows/ -A 0 -B 0 | head -30

Repository: Buzzvil/swagger-codegen

Length of output: 2462

---

🏁 Script executed:

# Look for any recent commits or PR description that clarifies the objective
git log --oneline -20 | head -20

Repository: Buzzvil/swagger-codegen

Length of output: 130

---

🏁 Script executed:

# Check if this file was newly added or modified in this PR
git log --oneline --follow -- .github/workflows/security-check.yaml | head -5

Repository: Buzzvil/swagger-codegen

Length of output: 130

---

🏁 Script executed:

# Look at git diff to understand what changed in this commit
git show 801277df9 --stat

Repository: Buzzvil/swagger-codegen

Length of output: 50381

---

🏁 Script executed:

# Get more details about the commit to understand the PR objective
git show 801277df9 --format=fuller | head -50

Repository: Buzzvil/swagger-codegen

Length of output: 1174

---

PR 목적과 일치하지 않는 mutable 참조 사용

이 PR의 목적은 공급망 보안을 위해 GitHub Actions를 SHA로 고정하는 것입니다. 그러나 새로 추가된 이 워크플로우는 @main 브랜치 참조를 사용하고 있어 PR의 목적과 모순됩니다.

Buzzvil/workflows/.github/workflows/security-check.yaml@main 대신 특정 커밋 SHA로 고정하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/security-check.yaml at line 7, 현재 워크플로우는 외부 액션 참조를
`Buzzvil/workflows/.github/workflows/security-check.yaml@main`으로 사용하고 있어 SHA 고정
목적과 모순됩니다; 해당 `uses:` 참조를 특정 커밋 SHA로 교체해(예:
`Buzzvil/workflows/.github/workflows/security-check.yaml@<commit-sha>`) 불변성을
보장하고, 사용하려는 커밋 SHA를 선택한 후 커밋 해시로 정확히 대체했는지(`uses` 항목) 확인하세요.

[coderabbitai]

Actionable comments posted: 14

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.github/workflows/test-framework-v2-ruby.yml (1)

138-141: ⚠️ Potential issue | 🟡 Minor

ruby/setup-ruby 액션을 SHA로 고정하세요.

이 워크플로우의 모든 다른 GitHub Actions는 특정 커밋 SHA로 고정되어 있는데, ruby/setup-ruby@v1만 변경 가능한 태그 참조를 사용하고 있습니다. 공급망 보안 일관성을 위해 이 액션도 SHA로 고정해야 합니다.

제안된 수정

      - name: Set up Ruby
-       uses: ruby/setup-ruby@v1
+       uses: ruby/setup-ruby@<commit-sha>  # v1
        with:
          ruby-version: ${{ matrix.ruby }}

ruby/setup-ruby 저장소에서 v1 태그에 해당하는 커밋 SHA를 조회하여 적용하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ruby.yml around lines 138 - 141, Replace
the floating tag reference "ruby/setup-ruby@v1" with its specific commit SHA to
match other actions' pinning; find the commit SHA that corresponds to the v1 tag
in the ruby/setup-ruby repo and update the workflow step (the "Set up Ruby" step
that currently uses ruby/setup-ruby@v1) to use the pinned ref format (e.g.
ruby/setup-ruby@<commit-sha>) so the action is locked to that exact commit.

.github/workflows/test-framework-ruby.yml (1)

160-161: ⚠️ Potential issue | 🟡 Minor

라인 161의 ruby/setup-ruby 액션을 SHA로 고정하세요.

ruby/setup-ruby@v1은 여전히 가변적인 태그를 사용하고 있습니다. 공급망 보안을 위해 다음과 같이 특정 커밋 SHA로 고정해야 합니다:

uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ruby.yml around lines 160 - 161, Replace
the floating GitHub Action reference ruby/setup-ruby@v1 with a pinned commit SHA
to harden supply-chain security: update the uses entry referencing
ruby/setup-ruby@v1 to use the specific commit SHA (e.g.,
ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd) so the workflow always
runs the exact action version.

.github/workflows/test-generation-v2.yml (1)

122-170: ⚠️ Potential issue | 🟠 Major

ruby/setup-ruby가 태그로 남아 있음

136번 라인의 ruby/setup-ruby@v1 태그가 그대로 유지되고 있어 PR의 공급망 보안 목표와 불일치합니다. 동일 워크플로우의 다른 모든 작업(actions/checkout, actions/setup-java, actions/upload-artifact 등)은 커밋 SHA로 고정되어 있으므로, ruby/setup-ruby도 v1 태그가 가리키는 커밋 SHA로 고정해 주세요.

🔒 수정 예시 (SHA로 고정)

-      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@<sha>  # v1

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-generation-v2.yml around lines 122 - 170, Set up Ruby
스텝의 사용 버전이 태그(ruby/setup-ruby@v1)로 남아 있어 공급망 보안 규칙과 불일치합니다; "Set up Ruby" 단계에서
사용된 식별자 ruby/setup-ruby@v1를 태그 대신 해당 태그가 가리키는 커밋 SHA로 고정하도록 변경하세요 (즉, uses:
ruby/setup-ruby@<commit-sha>로 교체), 기존 워크플로우의 다른 액션들(actions/checkout,
actions/setup-java, actions/upload-artifact)처럼 SHA로 핀 고정하고 matrix.ruby 입력과 동작은
그대로 유지하세요.

🧹 Nitpick comments (3)

.github/workflows/test-framework-dotnet.yml (1)

90-90: actions/download-artifact@v2는 deprecated 상태입니다.

actions/download-artifact@v2도 마찬가지로 deprecated되었습니다. upload-artifact와 함께 v4로 업그레이드하는 것이 좋습니다. 두 액션은 함께 사용되므로 버전을 맞추는 것이 중요합니다.

Also applies to: 149-149, 154-154

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-dotnet.yml at line 90, Replace the
deprecated actions/download-artifact@v2 usage with actions/download-artifact@v4
and ensure the paired actions/upload-artifact is also upgraded to
actions/upload-artifact@v4 so versions match; locate the lines containing the
uses: actions/download-artifact@... and uses: actions/upload-artifact@...
entries (the occurrences shown in the diff and at the other noted locations) and
update their version tags from v2 (or older) to v4, then run a quick workflow
lint or dry-run to confirm compatibility.

.github/workflows/test-framework-v2-java-retrofit2.yml (1)

20-21: 향후 개선 사항: 최신 버전으로 업그레이드 고려

현재 고정된 버전들(v1, v2)은 Node.js 16을 사용하며, GitHub에서 2024년 6월부터 JavaScript 액션에 대해 Node.js 16 런타임 지원을 중단했습니다. 이 PR의 범위는 SHA 고정이므로, 별도 PR에서 최신 버전으로 업그레이드를 고려해 보세요.

• actions/checkout@v6
• actions/setup-java@v5
• actions/upload-artifact@v4 (이상)
• actions/download-artifact@v4 (이상)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-retrofit2.yml around lines 20 - 21,
Update the hard‑pinned GitHub Action SHAs to the latest stable major releases in
a follow-up PR: replace uses:
actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 with
actions/checkout@v6, uses:
actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde with
actions/setup-java@v5, and also update actions/upload-artifact and
actions/download-artifact to `@v4`; ensure the workflow still passes CI after the
change and adjust any config differences required by the newer action versions
(look for usages of actions/checkout, actions/setup-java,
actions/upload-artifact, actions/download-artifact in the file).

.github/workflows/test-framework-v2-java-jersey1.yml (1)

71-72: set-output 명령어가 더 이상 사용되지 않습니다.

이 라인들은 이번 PR의 변경 범위에 포함되지 않지만, ::set-output 명령어는 2022년부터 deprecated 되었으며 2023년 6월부터 완전히 비활성화되었습니다. 후속 PR에서 $GITHUB_OUTPUT 환경 파일 방식으로 마이그레이션을 권장합니다.

-        echo "::set-output name=generate_outcome::${{ steps.generate.outcome }}"
+        echo "generate_outcome=${{ steps.generate.outcome }}" >> $GITHUB_OUTPUT

Also applies to: 138-139

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-jersey1.yml around lines 71 - 72,
The workflow uses the deprecated ::set-output command (echo "::set-output
name=generate_outcome::${{ steps.generate.outcome }}"); replace it by writing
the output as key=value into the GitHub Actions environment file (use the
GITHUB_OUTPUT file) — e.g. write "generate_outcome=${{ steps.generate.outcome
}}" to $GITHUB_OUTPUT — and keep the existing artifact file write (echo ${{
steps.generate.outcome }} > generate_outcome_${{ env.JOB_NAME }}); apply the
same replacement for the other occurrence referenced (lines 138-139) so all uses
of steps.generate.outcome use the environment file method instead of
::set-output.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test-framework-dotnet.yml:
- Line 161: Replace the deprecated runner reference uses:
actions/setup-dotnet@871f041373faaad213a635d9afb62905ec029bbb with the current
major release uses: actions/setup-dotnet@v5; also locate any dotnet-version keys
(e.g., dotnet-version: 3.1.x) in the same job and update them to a supported
SDK/runtime (for example 6.x or 7.x) so the workflow uses the v5 action and a
supported .NET version.
- Line 62: 워크플로에서 사용 중인 actions/upload-artifact@v2 및
actions/download-artifact@v2 를 최신 안정 버전(v4 또는 v6 권장)으로 모두 교체하고 서로 같은 버전을 사용하도록
맞추세요; 파일 내의 모든 `uses: actions/upload-artifact` 및 `uses:
actions/download-artifact` 항목(현재 보고된 위치들 포함)을 찾아 각각 `@v4`(또는 프로젝트 정책에 따른 최신 v6)로
변경하고, matrix로 여러 번 업로드하는 경우 아티팩트 이름에 고유 식별자(예: matrix 값) 추가하여 중복 업로드를 방지하며 기존
덮어쓰기가 의도된 동작일 때는 업로드 스텝에 `overwrite: true` 옵션을 설정하세요.
- Around line 40-41: The workflow pins are using outdated major versions for the
GitHub Actions; update the checkout and Java setup steps so actions/checkout
uses the v6 release and actions/setup-java uses the v5 release (i.e., change
actions/checkout@... to actions/checkout@v6 and actions/setup-java@... to
actions/setup-java@v5) and replace the existing SHAs with the corresponding
current release SHAs for those tags to maintain SHA pinning; ensure the updated
setup-java version aligns with Node24-compatible runners (v5.x) as recommended.

In @.github/workflows/test-framework-go.yml:
- Around line 40-41: The workflow uses a floating v2 tag for the download
artifact action which reduces reproducibility and security; update the
actions/download-artifact reference (currently
actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281) to a
specific released patch tag (e.g., actions/download-artifact@v2.0.2 or the
latest specific v2.x.x release) so the workflow pins to a concrete version;
ensure any other similar floating tags are also replaced with exact release
tags.

In @.github/workflows/test-framework-php.yml:
- Around line 40-41: The workflow pins for the GitHub Action
shivammathur/setup-php are using an invalid commit SHA
(d59004228537ca90c8dca680592a08a675bf52b6) which causes runs to fail; update the
pin in the uses entry that references shivammathur/setup-php to a valid
ref—either replace the bad SHA with the current v2 commit SHA
(44454db4f0199b8b9685a5d763dc37cbf79108e1) or change to the tag form
(shivammathur/setup-php@v2); ensure the comment "# v2" matches the chosen ref
and run a quick workflow lint to verify resolution.

In @.github/workflows/test-framework-sbt.yml:
- Around line 147-166: The workflow references matrix.node-version in the "Use
Node.js ${ matrix.node-version }" step (uses: actions/setup-node) but the
strategy matrix only defines java-version, causing evaluation failures; fix by
either adding a node-version entry to the job's strategy matrix (e.g., include
node-version alongside java-version) or replace the matrix reference with a
fixed Node.js version or an existing env var so the setup-node step can resolve
a concrete version; update the matrix or the "Use Node.js" step accordingly
(look for the setup-node step and any uses of matrix.node-version).

In @.github/workflows/test-framework-v2-java-feign.yml:
- Around line 20-21: Replace the deprecated actions/setup-java@v1 pin with a v4
release (e.g., actions/setup-java@v4 or its corresponding commit SHA for
supply-chain pinning) so the action runs on the Node20 runtime; while here, also
update actions/checkout and actions/upload-artifact to their v4 releases (or
pinned SHAs) to keep the workflow current and avoid Node12 deprecation warnings,
ensuring the updated "uses:" lines reference the new tag/SHA for setup-java,
checkout, and upload-artifact.

In @.github/workflows/test-framework-v2-java-jersey1.yml:
- Around line 20-21: The workflow pins GitHub Actions to specific SHAs for
supply-chain security, but the pinned actions are outdated; update the action
references in the YAML (the uses entries for actions/checkout,
actions/setup-java, actions/upload-artifact, and actions/download-artifact) to
either current stable major releases (e.g., v4 for checkout/setup-java and v6/v7
for artifact actions) or pin to their latest commit SHAs, and keep the inline
original version comments (e.g., "# v1", "# v2") for traceability; prioritize
upgrading the artifact actions (upload/download) due to upcoming v3 support
changes.

In @.github/workflows/test-framework-v2-java-okhttp-parcelable.yml:
- Around line 20-21: Update the deprecated artifact actions and deprecated
output usage: replace all usages of actions/upload-artifact@v2 with
actions/upload-artifact@v4 and actions/download-artifact@v2 with
actions/download-artifact@v4 (search for the action identifiers
"actions/upload-artifact" and "actions/download-artifact" to locate each
occurrence), and replace any deprecated set-output steps (search for
"set-output") with the recommended workflow-command file method (write output
lines to the GITHUB_OUTPUT file, e.g., echo "name=value" >> "$GITHUB_OUTPUT")
while keeping commit-SHA pinning for other actions as-is.

In @.github/workflows/test-framework-v2-java-retrofit2-play25.yml:
- Around line 20-21: Replace the deprecated actions/upload-artifact@v2 and
actions/download-artifact@v2 uses in the workflow with the current v4 releases
and pin them to their exact commit SHAs (e.g., change uses:
actions/upload-artifact@v2 → uses: actions/upload-artifact@v4@<commit-sha> and
similarly for actions/download-artifact), and verify any input/output names
still match v4 semantics to avoid breaking the job; keep the inline version
comments updated to reflect v4.

In @.github/workflows/test-framework-v2-ts-angular-v12.yml:
- Around line 20-21: The workflow uses deprecated action versions (e.g.,
actions/download-artifact, actions/upload-artifact, actions/checkout,
actions/setup-java, actions/setup-node) and must be upgraded while preserving
SHA pinning; replace the current pinned SHAs for actions/download-artifact with
the v4 release SHA (actions/download-artifact@v4), actions/upload-artifact with
the v4 release SHA (actions/upload-artifact@v4), and actions/checkout with the
v4 release SHA (actions/checkout@v4), and update actions/setup-java and
actions/setup-node to their latest supported major-version SHAs; ensure each
replacement keeps the commit-hash pin (not floating tags), run a quick workflow
validation, and update any references to the old action names (e.g., occurrences
of actions/download-artifact, actions/upload-artifact, actions/checkout,
actions/setup-java, actions/setup-node) to the new pinned SHAs.
- Around line 20-21: The workflow pins older action SHAs for actions/checkout
and actions/setup-java (and several other steps) which are deprecated; update
the uses entries to the current major releases while keeping SHA pinning:
replace occurrences of uses: actions/checkout@... (v2) with actions/checkout@v6
(pinned to the corresponding v6 commit SHA), actions/setup-java@... (v1) with
actions/setup-java@v5, actions/upload-artifact@v2 with
actions/upload-artifact@v4, actions/download-artifact@v2 with
actions/download-artifact@v4, and actions/setup-node@v1 with
actions/setup-node@v6 (apply same pattern for all other listed occurrences such
as lines referenced 32,55-56,60,77,82,88,112,114,119,126,145,150), ensuring each
uses: entry is updated to the latest major version and pinned to the appropriate
commit SHA for security.

In @.github/workflows/test-framework-v2-ts-angular-v4_3.yml:
- Around line 20-21: Update the GitHub Actions "uses" pins to current stable
major releases and pin their corresponding SHAs: replace uses:
actions/checkout@ee0669bd1... with the latest checkout major (e.g.,
actions/checkout@v6) and its SHA, actions/setup-java@b6e674f... with
setup-java@v5 and its SHA, actions/upload-artifact@v2 with upload-artifact@v6
and SHA, actions/download-artifact@v2 with a current download-artifact major and
SHA, and actions/setup-node@v1 with setup-node@v6 and SHA; ensure you update
every occurrence of these action identifiers in the workflow so each "uses:"
line references the new major tag and the exact commit SHA for reproducible
runs.

In @.github/workflows/test-framework-v2-ts-angular-v4.yml:
- Around line 20-21: The workflow uses deprecated action versions (e.g.,
actions/checkout, actions/setup-java, actions/setup-node,
actions/upload-artifact, actions/download-artifact) and must be updated: edit
the uses entries (the lines containing uses: actions/checkout@...,
actions/setup-java@..., actions/setup-node@..., actions/upload-artifact@...,
actions/download-artifact@...) to reference supported major releases (prefer v4
for checkout/setup-java/setup-node and v4 or newer like v7 for
upload/download-artifact) so all occurrences of those symbols are replaced with
their modern stable tags.

---

Outside diff comments:
In @.github/workflows/test-framework-ruby.yml:
- Around line 160-161: Replace the floating GitHub Action reference
ruby/setup-ruby@v1 with a pinned commit SHA to harden supply-chain security:
update the uses entry referencing ruby/setup-ruby@v1 to use the specific commit
SHA (e.g., ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd) so the
workflow always runs the exact action version.

In @.github/workflows/test-framework-v2-ruby.yml:
- Around line 138-141: Replace the floating tag reference "ruby/setup-ruby@v1"
with its specific commit SHA to match other actions' pinning; find the commit
SHA that corresponds to the v1 tag in the ruby/setup-ruby repo and update the
workflow step (the "Set up Ruby" step that currently uses ruby/setup-ruby@v1) to
use the pinned ref format (e.g. ruby/setup-ruby@<commit-sha>) so the action is
locked to that exact commit.

In @.github/workflows/test-generation-v2.yml:
- Around line 122-170: Set up Ruby 스텝의 사용 버전이 태그(ruby/setup-ruby@v1)로 남아 있어 공급망
보안 규칙과 불일치합니다; "Set up Ruby" 단계에서 사용된 식별자 ruby/setup-ruby@v1를 태그 대신 해당 태그가 가리키는
커밋 SHA로 고정하도록 변경하세요 (즉, uses: ruby/setup-ruby@<commit-sha>로 교체), 기존 워크플로우의 다른
액션들(actions/checkout, actions/setup-java, actions/upload-artifact)처럼 SHA로 핀 고정하고
matrix.ruby 입력과 동작은 그대로 유지하세요.

---

Nitpick comments:
In @.github/workflows/test-framework-dotnet.yml:
- Line 90: Replace the deprecated actions/download-artifact@v2 usage with
actions/download-artifact@v4 and ensure the paired actions/upload-artifact is
also upgraded to actions/upload-artifact@v4 so versions match; locate the lines
containing the uses: actions/download-artifact@... and uses:
actions/upload-artifact@... entries (the occurrences shown in the diff and at
the other noted locations) and update their version tags from v2 (or older) to
v4, then run a quick workflow lint or dry-run to confirm compatibility.

In @.github/workflows/test-framework-v2-java-jersey1.yml:
- Around line 71-72: The workflow uses the deprecated ::set-output command (echo
"::set-output name=generate_outcome::${{ steps.generate.outcome }}"); replace it
by writing the output as key=value into the GitHub Actions environment file (use
the GITHUB_OUTPUT file) — e.g. write "generate_outcome=${{
steps.generate.outcome }}" to $GITHUB_OUTPUT — and keep the existing artifact
file write (echo ${{ steps.generate.outcome }} > generate_outcome_${{
env.JOB_NAME }}); apply the same replacement for the other occurrence referenced
(lines 138-139) so all uses of steps.generate.outcome use the environment file
method instead of ::set-output.

In @.github/workflows/test-framework-v2-java-retrofit2.yml:
- Around line 20-21: Update the hard‑pinned GitHub Action SHAs to the latest
stable major releases in a follow-up PR: replace uses:
actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 with
actions/checkout@v6, uses:
actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde with
actions/setup-java@v5, and also update actions/upload-artifact and
actions/download-artifact to `@v4`; ensure the workflow still passes CI after the
change and adjust any config differences required by the newer action versions
(look for usages of actions/checkout, actions/setup-java,
actions/upload-artifact, actions/download-artifact in the file).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 801277d and b4943a1.

📒 Files selected for processing (63)

• .github/workflows/test-framework-ada.yml
• .github/workflows/test-framework-clojure.yml
• .github/workflows/test-framework-dart.yml
• .github/workflows/test-framework-dotnet.yml
• .github/workflows/test-framework-elixir.yml
• .github/workflows/test-framework-go.yml
• .github/workflows/test-framework-java.yml
• .github/workflows/test-framework-js.yml
• .github/workflows/test-framework-lua.yml
• .github/workflows/test-framework-no-build.yml
• .github/workflows/test-framework-php.yml
• .github/workflows/test-framework-python.yml
• .github/workflows/test-framework-ruby.yml
• .github/workflows/test-framework-sbt.yml
• .github/workflows/test-framework-v2-ada.yml
• .github/workflows/test-framework-v2-inflector.yml
• .github/workflows/test-framework-v2-java-8-jersey2.yml
• .github/workflows/test-framework-v2-java-feign.yml
• .github/workflows/test-framework-v2-java-google-api.yml
• .github/workflows/test-framework-v2-java-jersey1.yml
• .github/workflows/test-framework-v2-java-jersey2.yml
• .github/workflows/test-framework-v2-java-okhttp-parcelable.yml
• .github/workflows/test-framework-v2-java-okhttp.yml
• .github/workflows/test-framework-v2-java-pkmst.yml
• .github/workflows/test-framework-v2-java-rest-assured.yml
• .github/workflows/test-framework-v2-java-resteasy.yml
• .github/workflows/test-framework-v2-java-resttemplate-with-xml.yml
• .github/workflows/test-framework-v2-java-resttemplate.yml
• .github/workflows/test-framework-v2-java-retrofit.yml
• .github/workflows/test-framework-v2-java-retrofit2-play24.yml
• .github/workflows/test-framework-v2-java-retrofit2-play25.yml
• .github/workflows/test-framework-v2-java-retrofit2.yml
• .github/workflows/test-framework-v2-java-retrofit2rx.yml
• .github/workflows/test-framework-v2-java-retrofit2rx2.yml
• .github/workflows/test-framework-v2-java-vertx.yml
• .github/workflows/test-framework-v2-javascript.yml
• .github/workflows/test-framework-v2-php.yml
• .github/workflows/test-framework-v2-python-asyncio.yml
• .github/workflows/test-framework-v2-python.yml
• .github/workflows/test-framework-v2-ruby.yml
• .github/workflows/test-framework-v2-scala.yml
• .github/workflows/test-framework-v2-ts-angular-v10.yml
• .github/workflows/test-framework-v2-ts-angular-v11.yml
• .github/workflows/test-framework-v2-ts-angular-v12.yml
• .github/workflows/test-framework-v2-ts-angular-v4.yml
• .github/workflows/test-framework-v2-ts-angular-v4_3.yml
• .github/workflows/test-framework-v2-ts-angular-v5.yml
• .github/workflows/test-framework-v2-ts-angular-v6.yml
• .github/workflows/test-framework-v2-ts-angular-v7.yml
• .github/workflows/test-framework-v2-ts-angular-v8.yml
• .github/workflows/test-framework-v2-ts-angular-v9.yml
• .github/workflows/test-framework-v3-java-feign.yml
• .github/workflows/test-framework-v3-java-inflector.yml
• .github/workflows/test-framework-v3-java-jersey1.yml
• .github/workflows/test-framework-v3-java-jersey2.yml
• .github/workflows/test-framework-v3-java-okhttp-gson.yml
• .github/workflows/test-framework-v3-java-resteasy.yml
• .github/workflows/test-framework-v3-java-resttemplate-withXml.yml
• .github/workflows/test-framework-v3-java-resttemplate.yml
• .github/workflows/test-framework-v3-java-retrofit.yml
• .github/workflows/test-framework-v3-java-retrofit2.yml
• .github/workflows/test-framework-v3-java-retrofit2rx.yml
• .github/workflows/test-generation-v2.yml

✅ Files skipped from review due to trivial changes (6)

• .github/workflows/test-framework-java.yml
• .github/workflows/test-framework-v2-ts-angular-v8.yml
• .github/workflows/test-framework-v2-java-google-api.yml
• .github/workflows/test-framework-elixir.yml
• .github/workflows/test-framework-v2-ts-angular-v5.yml
• .github/workflows/test-framework-v2-java-retrofit2-play24.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test-framework-dart.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify SHA hashes and version information for GitHub Actions

echo "=== Checking actions/checkout ==="
echo "Looking for SHA: ee0669bd1cc54295c223e0bb666b733df41de1c5 (claimed v2)"
# Using curl to query GitHub API for releases
curl -s https://api.github.com/repos/actions/checkout/releases | jq -r '.[] | "\(.tag_name): \(.target_commitish)"' | head -20

echo ""
echo "=== Checking actions/setup-java ==="
echo "Looking for SHA: b6e674f4b717d7b0ae3baee0fbe79f498905dfde (claimed v1)"
curl -s https://api.github.com/repos/actions/setup-java/releases | jq -r '.[] | "\(.tag_name): \(.target_commitish)"' | head -20

echo ""
echo "=== Checking upload-artifact versions ==="
curl -s https://api.github.com/repos/actions/upload-artifact/releases | jq -r '.[] | "\(.tag_name): \(.target_commitish)"' | head -5

echo ""
echo "=== Checking download-artifact versions ==="
curl -s https://api.github.com/repos/actions/download-artifact/releases | jq -r '.[] | "\(.tag_name): \(.target_commitish)"' | head -5

echo ""
echo "=== Checking setup-dotnet versions ==="
curl -s https://api.github.com/repos/actions/setup-dotnet/releases | jq -r '.[] | "\(.tag_name): \(.target_commitish)"' | head -5

Repository: Buzzvil/swagger-codegen

Length of output: 714

---

🏁 Script executed:

#!/bin/bash
# Get release information for GitHub Actions using simpler approach

echo "=== Checking actions/checkout releases ==="
curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/actions/checkout/tags | head -100

echo ""
echo "=== Checking actions/setup-java releases ==="
curl -s -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/actions/setup-java/tags | head -100

Repository: Buzzvil/swagger-codegen

Length of output: 3778

---

🌐 Web query:

GitHub Actions actions/checkout latest version 2024 2025

💡 Result:

• Current latest (as of Feb 23, 2026): v6.0.2 (Jan 9, 2026) — use uses: actions/checkout@v6 (or pin to @v6.0.2). [1][2]
• Latest released in 2025: v6.0.1 (Dec 2, 2025) (with v6.0.0 on Nov 20, 2025; v5.0.1 on Nov 13/17, 2025; v5.0.0 on Aug 11, 2025). [1][2]
• Latest released in 2024: v4.2.2 (Oct 23, 2024). [1][2]

Sources: GitHub releases page for actions/checkout [1]; Release Alert’s dated release list (adds years) [2].

---

🌐 Web query:

GitHub Actions actions/setup-java latest version deprecation v1 v4

💡 Result:

• Latest actions/setup-java major: v5 (current latest release shown is v5.2.0, published Jan 22, 2026). [1]
• Why people say “v1 is deprecated”: it’s effectively obsolete—newer majors track supported GitHub-hosted runner Node runtimes (Node16 → Node20 → Node24). GitHub has removed Node16 from runners (Nov 12, 2024), so actions built on Node16 (e.g., setup-java@v3) trigger warnings / eventual breakage on updated runners. [2]
• v4 vs v5 (the key difference):
  • v4 updated the action runtime to Node20 (from Node16). [3]
  • v5 updated the action runtime to Node24 (from Node20). [4]
• Why v5 matters “now”: GitHub has started the Node20 deprecation and plans for runners to use Node24 by default starting March 4, 2026—so moving from @v4 (Node20) to @v5 (Node24) is the forward-compatible path. [5]

Recommended workflow change (use the major tag):

- uses: actions/setup-java@v5
  with:
    distribution: temurin
    java-version: '21'

Sources: [1] [2] [3] [4] [5]

---

SHA 고정은 올바르지만, 제안된 버전이 현재 최신 버전보다 훨씬 뒤쳐져 있습니다.

공급망 보안을 위한 SHA 고정 방식은 올바른 접근입니다. 그러나 현재 권장되는 버전은 다음과 같습니다:

• actions/checkout → v6 (현재 v6.0.2, 2026년 1월)
• actions/setup-java → v5 (현재 v5.2.0, 2026년 1월)

v1/v2는 더 이상 지원되지 않으며, v4도 곧 Node20 런타임 제거로 인해 문제가 될 예정입니다. GitHub은 2026년 3월 4일부터 기본 러너를 Node24로 전환할 계획이므로, v5로 업그레이드하여 Node24 런타임 기반으로 이동하는 것이 필수입니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-dotnet.yml around lines 40 - 41, The
workflow pins are using outdated major versions for the GitHub Actions; update
the checkout and Java setup steps so actions/checkout uses the v6 release and
actions/setup-java uses the v5 release (i.e., change actions/checkout@... to
actions/checkout@v6 and actions/setup-java@... to actions/setup-java@v5) and
replace the existing SHAs with the corresponding current release SHAs for those
tags to maintain SHA pinning; ensure the updated setup-java version aligns with
Node24-compatible runners (v5.x) as recommended.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/upload-artifact v2 deprecation date GitHub Actions

💡 Result:

actions/upload-artifact@v2 (along with v1) was deprecated effective June 30, 2024—after that date, attempting to use v2 results in workflow failures on GitHub.com. Update to actions/upload-artifact@v4. [1][2]

---

🌐 Web query:

actions/upload-artifact v4 migration guide changes

💡 Result:

actions/upload-artifact@v4 migration: key changes

• No mix-and-match with v3: if you upload with upload-artifact@v4, you must download with download-artifact@v4 (artifacts v4 aren’t cross-compatible with v1–v3). [4][5]
• Artifacts are immutable + names must be unique per run: you can’t upload to the same artifact name multiple times anymore (common matrix pattern breaks). Use unique names (e.g., suffix with matrix values) and download via pattern + merge-multiple. [1][3][5]
• Overwriting requires explicit delete/recreate: use overwrite: true if you need “replace same artifact name” behavior (it deletes the prior artifact and creates a new one with a new ID). [3][1]
• Merging multiple artifacts is a new explicit step: use the new helper action actions/upload-artifact/merge@v4 to combine artifacts into one. [1][3]
• Hidden files behavior changed (v4.4+): hidden files are excluded by default; opt in with include-hidden-files: true. [1][3]
• New limits/behavior:
  • 500 artifacts per job limit. [1][5]
  • Artifacts become available immediately and artifact-id is returned (no need to wait for the run to finish). [1][5]
• Platform/network considerations:
  • Self-hosted runners may need additional firewall allowlists due to backend changes. [1]
  • GHES: upload-artifact@v4+ is/was not supported on GHES (use v3 / v3-node20 there per repo guidance). [1]

Primary migration reference (examples for matrix uploads, overwrite, merge, hidden files): docs/MIGRATION.md. [3]

---

🌐 Web query:

actions/upload-artifact current recommended version 2025

💡 Result:

For 2025, GitHub’s guidance was to use Artifacts v4:

• Recommended (per GitHub deprecation guidance): actions/upload-artifact@v4 (GitHub told users to migrate from v3 to v4, and noted v3 would stop working starting January 30, 2025). [1][2]

For context on “current” within 2025 (latest releases that year):

• v5.0.0 was tagged Oct 24, 2025. [3]
• v6.0.0 was tagged Dec 12, 2025. [3]

Sources:
[1] GitHub Changelog (v3 deprecation; migrate to v4) (github.blog)
[2] actions/upload-artifact README (advises updating to v4) (github.com)
[3] actions/upload-artifact tags (release dates for v5/v6) (github.com)

Citations:

• 1: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions?utm_source=openai
• 2: https://github.com/actions/upload-artifact
• 3: https://github.com/actions/upload-artifact/tags

---

🏁 Script executed:

cat .github/workflows/test-framework-dotnet.yml

Repository: Buzzvil/swagger-codegen

Length of output: 7263

---

actions/upload-artifact@v2와 actions/download-artifact@v2 모두 즉시 업그레이드 필수

actions/upload-artifact@v2와 actions/download-artifact@v2는 2024년 6월 30일부터 deprecated되어 현재 GitHub.com에서 워크플로우 실행이 실패합니다. v4 이상으로 업그레이드해야 합니다.

주요 마이그레이션 주의사항:

• 버전 일치 필수: upload-artifact@v4는 반드시 download-artifact@v4와 함께 사용 (v1~v3과 호환 불가)
• 아티팩트 이름 고유성: 동일한 아티팩트 이름으로 여러 번 업로드 불가 (matrix 사용 시 이름에 고유 값 추가 필요)
• 아티팩트 덮어쓰기: 기존 동작이 필요한 경우 overwrite: true 옵션 추가 필요
• 현재 v6까지 출시됨

Also applies to: 107-107, 112-112, 118-118, 180-180, 185-185 (및 download-artifact@v2 사용 부분)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-dotnet.yml at line 62, 워크플로에서 사용 중인
actions/upload-artifact@v2 및 actions/download-artifact@v2 를 최신 안정 버전(v4 또는 v6
권장)으로 모두 교체하고 서로 같은 버전을 사용하도록 맞추세요; 파일 내의 모든 `uses: actions/upload-artifact` 및
`uses: actions/download-artifact` 항목(현재 보고된 위치들 포함)을 찾아 각각 `@v4`(또는 프로젝트 정책에 따른
최신 v6)로 변경하고, matrix로 여러 번 업로드하는 경우 아티팩트 이름에 고유 식별자(예: matrix 값) 추가하여 중복 업로드를
방지하며 기존 덮어쓰기가 의도된 동작일 때는 업로드 스텝에 `overwrite: true` 옵션을 설정하세요.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

actions/setup-dotnet deprecated v1 v4 current version

💡 Result:

• actions/setup-dotnet@v1: effectively deprecated/obsolete because it is a JavaScript action that runs on node12 (runs: using: 'node12'), and Node 12 has long been deprecated/removed from GitHub-hosted runners. Use a newer major. [1]
• actions/setup-dotnet@v4: not deprecated, but it runs on node20 (runs: using: 'node20'). GitHub has started the Node 20 deprecation on runners and will move runner defaults to Node 24 on March 4, 2026, with Node 20 planned to be removed later (summer 2026). That means @v4 will eventually stop working once Node 20 is removed. [2][3]
• Current version (recommended): actions/setup-dotnet@v5 (latest release tag shown is v5.0.1) and it runs on node24 (runs: using: 'node24'). [4][5]

Practical guidance: update workflows to uses: actions/setup-dotnet@v5. [4]

References:
[1] https://raw.githubusercontent.com/actions/setup-dotnet/v1/action.yml
[2] https://raw.githubusercontent.com/actions/setup-dotnet/v4/action.yml
[3] https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
[4] https://github.com/actions/setup-dotnet
[5] https://github.com/actions/setup-dotnet/releases

---

🌐 Web query:

.NET Core 3.1 end of support date 2022

💡 Result:

.NET Core 3.1 reached end of support (end of life) on December 13, 2022 (not December 3, 2022). Microsoft’s lifecycle pages list December 13, 2022 as the official end-of-support date. [1], [2]

Sources: Microsoft .NET support policy / releases table [1], Microsoft Learn lifecycle page [2]

---

🏁 Script executed:

cat -n .github/workflows/test-framework-dotnet.yml | sed -n '150,170p'

Repository: Buzzvil/swagger-codegen

Length of output: 1101

---

actions/setup-dotnet@v1을 v5로 업그레이드하세요.

actions/setup-dotnet@v1은 node12에서 실행되는 이전 버전으로 완전히 deprecated되었습니다. 현재 권장 버전은 v5입니다 (v4는 node20에서 실행되지만 node20도 2026년 3월부터 deprecated 예정). 또한 dotnet-version: 3.1.x를 사용하는 경우, .NET Core 3.1은 2022년 12월 13일 지원 종료되었으므로 함께 업데이트를 고려해 주세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-dotnet.yml at line 161, Replace the
deprecated runner reference uses:
actions/setup-dotnet@871f041373faaad213a635d9afb62905ec029bbb with the current
major release uses: actions/setup-dotnet@v5; also locate any dotnet-version keys
(e.g., dotnet-version: 3.1.x) in the same job and update them to a supported
SDK/runtime (for example 6.x or 7.x) so the workflow uses the v5 action and a
supported .NET version.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify pinned GitHub Actions SHAs exist and (optionally) match the referenced major tag.
set -euo pipefail

python - <<'PY'
import json, sys, urllib.request

actions = [
  ("actions/checkout", "ee0669bd1cc54295c223e0bb666b733df41de1c5", "v2"),
  ("actions/setup-java", "b6e674f4b717d7b0ae3baee0fbe79f498905dfde", "v1"),
  ("actions/upload-artifact", "82c141cc518b40d92cc801eee768e7aafc9c2fa2", "v2"),
  ("actions/download-artifact", "cbed621e49e4c01b044d60f6c80ea4ed6328b281", "v2"),
  ("actions/setup-go", "bfdd3570ce990073878bf10f6b2d79082de49492", "v2"),
]

def get_json(url):
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

def resolve_tag(repo, tag):
    ref = get_json(f"https://api.github.com/repos/{repo}/git/refs/tags/{tag}")
    obj = ref["object"]
    if obj["type"] == "tag":
        tag_obj = get_json(obj["url"])
        obj = tag_obj["object"]
    return obj["sha"]

ok = True
for repo, sha, tag in actions:
    try:
        get_json(f"https://api.github.com/repos/{repo}/commits/{sha}")
    except Exception as e:
        ok = False
        print(f"ERROR: {repo}@{sha} not found: {e}")
        continue
    try:
        tag_sha = resolve_tag(repo, tag)
        if tag_sha != sha:
            print(f"WARN: {repo}@{sha} != {tag} (current {tag} -> {tag_sha})")
        else:
            print(f"OK: {repo}@{sha} matches {tag}")
    except Exception as e:
        print(f"WARN: could not resolve tag {repo}@{tag}: {e}")

if not ok:
    sys.exit(1)
PY

Repository: Buzzvil/swagger-codegen

Length of output: 1104

---

🏁 Script executed:

cat -n .github/workflows/test-framework-go.yml | head -200

Repository: Buzzvil/swagger-codegen

Length of output: 8118

---

🌐 Web query:

actions/checkout v2 release commit SHA ee0669bd1cc54295c223e0bb666b733df41de1c5

💡 Result:

Commit ee0669bd1cc54295c223e0bb666b733df41de1c5 in actions/checkout is the commit that the v2.7.0 tag/release points to (tagged Mar 24, 2023). [1][2]

---

🌐 Web query:

actions/setup-java v1 release commit SHA b6e674f4b717d7b0ae3baee0fbe79f498905dfde

💡 Result:

actions/setup-java@v1 points to commit b6e674f4b717d7b0ae3baee0fbe79f498905dfde (short: b6e674f), authored on Mar 29, 2023, with commit message “Update actions/core for releases/v1 (#467)”. [1][2]

---

🌐 Web query:

actions/upload-artifact v2 release commit SHA 82c141cc518b40d92cc801eee768e7aafc9c2fa2

💡 Result:

actions/upload-artifact@v2 is the Git tag v2, and it points to commit 82c141cc518b40d92cc801eee768e7aafc9c2fa2 (short SHA 82c141c) — commit message: “Bump @actions/artifact to version 0.6.1 (#286)”. [1][2]

---

🌐 Web query:

actions/download-artifact v2 release commit SHA cbed621e49e4c01b044d60f6c80ea4ed6328b281

💡 Result:

actions/download-artifact@v2 (the floating major tag) points to commit cbed621e49e4c01b044d60f6c80ea4ed6328b281 — “Upgrade @actions/core to 1.10.0 for v2 (#210)” (authored Mar 8, 2023). [1][2]

This is not the v2.0.2 release commit (that tag points to 381af06). [3]

Sources: [1] commit page, [2] v2 branch commit history, [3] releases page (page 4 showing v2.0.2).

---

🌐 Web query:

actions/setup-go v2 release commit SHA bfdd3570ce990073878bf10f6b2d79082de49492

💡 Result:

Commit bfdd3570ce990073878bf10f6b2d79082de49492 in actions/setup-go is the release/tag v2.2.0 (and the floating major tag v2 points to the same commit). It was tagged on Feb 9, 2022. [1][2]

---

actions/download-artifact의 SHA 핀이 특정 릴리스 버전이 아닌 v2 부동 태그 커밋입니다.

대부분의 액션 핀은 정확하지만(checkout v2.7.0, setup-java v1, upload-artifact v2, setup-go v2.2.0), actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281은 v2.0.2 같은 특정 패치 릴리스가 아니라 v2 부동 태그를 가리킵니다. v2.x.x 형태의 구체적인 릴리스 버전(예: v2.0.2, v2.1.0)으로 핀을 고정하면 재현성과 보안성이 더 강화됩니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-go.yml around lines 40 - 41, The workflow
uses a floating v2 tag for the download artifact action which reduces
reproducibility and security; update the actions/download-artifact reference
(currently actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281)
to a specific released patch tag (e.g., actions/download-artifact@v2.0.2 or the
latest specific v2.x.x release) so the workflow pins to a concrete version;
ensure any other similar floating tags are also replaced with exact release
tags.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the workflow file exists and examine the relevant lines
if [ -f ".github/workflows/test-framework-php.yml" ]; then
    echo "=== File exists, checking content ==="
    wc -l ".github/workflows/test-framework-php.yml"
    echo ""
    echo "=== Lines 40-41 ==="
    sed -n '40,41p' ".github/workflows/test-framework-php.yml"
    echo ""
    echo "=== Checking for shivammathur/setup-php action ==="
    grep -n "shivammathur/setup-php" ".github/workflows/test-framework-php.yml"
else
    echo "File not found"
fi

Repository: Buzzvil/swagger-codegen

Length of output: 468

---

🌐 Web query:

shivammathur setup-php v2 release github tag SHA

💡 Result:

The GitHub rolling tag v2 for shivammathur/setup-php currently points to commit:

44454db4f0199b8b9685a5d763dc37cbf79108e1 (short: 44454db). [1][2]

---

🏁 Script executed:

# Check all instances of shivammathur/setup-php in the file
echo "=== All shivammathur/setup-php instances ==="
grep -n "shivammathur/setup-php" ".github/workflows/test-framework-php.yml" | head -20
echo ""

# Get more context around line 161
echo "=== Context around line 161 ==="
sed -n '155,165p' ".github/workflows/test-framework-php.yml"

Repository: Buzzvil/swagger-codegen

Length of output: 698

---

🌐 Web query:

shivammathur/setup-php d59004228537ca90c8dca680592a08a675bf52b6 commit

💡 Result:

I couldn’t find that SHA in shivammathur/setup-php.

• Opening the GitHub commit URL for d59004228537ca90c8dca680592a08a675bf52b6 returns 404 Not Found. [2]
• The repository itself is accessible, but this specific object doesn’t appear to exist in its current public history. [1]

Most likely causes:

• the SHA is from a different repo (or a fork),
• it’s a typo (one or more characters wrong),
• it was from a branch/history that was later rewritten (force-push) and the commit became unreachable.

If you have the repo checked out locally, you can confirm where it belongs with:

git cat-file -t d59004228537ca90c8dca680592a08a675bf52b6
git branch --contains d59004228537ca90c8dca680592a08a675bf52b6
git remote -v

Sources: [1] [2]

---

🌐 Web query:

shivammathur/setup-php releases history SHA v2 v1

💡 Result:

• Major rolling tag v2 → commit SHA 44454db (tag updated Nov 26, 2025). This is the moving major tag that tracks the latest 2.x release. [1]
• Major rolling tag v1 → commit SHA 28c92ba (tag updated Apr 9, 2022). This is the old major tag (no longer supported per project docs). [2]

Sources: GitHub tags page entries for v2 and v1. [1], [2]

---

shivammathur/setup-php SHA 고정 값이 유효하지 않습니다 - 긴급 수정 필요.

라인 161의 SHA d59004228537ca90c8dca680592a08a675bf52b6는 shivammathur/setup-php 저장소에 존재하지 않습니다(404). 현재 v2 태그는 44454db4f0199b8b9685a5d763dc37cbf79108e1을 가리킵니다. 주석의 "# v2" 표기와 실제 SHA가 일치하지 않으며, 이 워크플로우는 존재하지 않는 커밋으로 고정되어 있어 실행 중 실패할 수 있습니다. SHA를 올바른 버전으로 업데이트하거나 유효한 커밋 SHA로 핀을 수정해야 합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-php.yml around lines 40 - 41, The workflow
pins for the GitHub Action shivammathur/setup-php are using an invalid commit
SHA (d59004228537ca90c8dca680592a08a675bf52b6) which causes runs to fail; update
the pin in the uses entry that references shivammathur/setup-php to a valid
ref—either replace the bad SHA with the current v2 commit SHA
(44454db4f0199b8b9685a5d763dc37cbf79108e1) or change to the tag form
(shivammathur/setup-php@v2); ensure the comment "# v2" matches the chosen ref
and run a quick workflow lint to verify resolution.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test-framework-v2-java-okhttp-parcelable.yml | head -100

Repository: Buzzvil/swagger-codegen

Length of output: 4176

---

🏁 Script executed:

cat -n .github/workflows/test-framework-v2-java-okhttp-parcelable.yml | tail -60

Repository: Buzzvil/swagger-codegen

Length of output: 3057

---

🏁 Script executed:

# Verify the SHAs match the claimed versions by checking GitHub API
# We'll use curl to fetch the tag information for each action

echo "=== Verifying GitHub Actions SHAs ==="
echo ""

# Check actions/checkout
echo "actions/checkout v2:"
curl -s https://api.github.com/repos/actions/checkout/git/refs/tags/v2 | grep -o '"sha":"[^"]*"'

echo ""
echo "actions/setup-java v1:"
curl -s https://api.github.com/repos/actions/setup-java/git/refs/tags/v1 | grep -o '"sha":"[^"]*"'

echo ""
echo "actions/upload-artifact v2:"
curl -s https://api.github.com/repos/actions/upload-artifact/git/refs/tags/v2 | grep -o '"sha":"[^"]*"'

echo ""
echo "actions/download-artifact v2:"
curl -s https://api.github.com/repos/actions/download-artifact/git/refs/tags/v2 | grep -o '"sha":"[^"]*"'

Repository: Buzzvil/swagger-codegen

Length of output: 210

---

🏁 Script executed:

# Let's try a different approach - check if we can find release information
# or validate the SHAs by looking at GitHub's public API more directly

echo "=== Checking GitHub Actions Releases ==="
echo ""

# Try with Accept header for GitHub API v3
echo "Checking actions/checkout releases:"
curl -s -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/actions/checkout/releases/tags/v2 \
  | head -50

echo ""
echo "Checking actions/setup-java releases:"
curl -s -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/actions/setup-java/releases/tags/v1 \
  | head -50

Repository: Buzzvil/swagger-codegen

Length of output: 3394

---

🌐 Web query:

actions/checkout v2 commit SHA ee0669bd1cc54295c223e0bb666b733df41de1c5

💡 Result:

ee0669bd1cc54295c223e0bb666b733df41de1c5 is the source commit SHA GitHub Actions resolves for actions/checkout@v2, and it corresponds to actions/checkout version 2.7.0 in the “immutable action package” logs. [1]

That commit is titled “add support for submodules (#173)” and is dated 2020‑03‑05 (per a public mirror of the repository). [2]

Sources: [1] [2]

---

🌐 Web query:

actions/setup-java v1 commit SHA b6e674f4b717d7b0ae3baee0fbe79f498905dfde

💡 Result:

The SHA b6e674f4b717d7b0ae3baee0fbe79f498905dfde is a commit in actions/setup-java titled “Update actions/core for releases/v1 (#467)”, authored by dmitry-shibanov. It updates bundled dependencies (including @actions/core) and regenerates dist/ outputs for the v1 release line. [1]

Source: actions/setup-java@b6e674f commit page. [1]

References

1. actions/setup-java commit b6e674f4b717d7b0ae3baee0fbe79f498905dfde

---

🌐 Web query:

actions/upload-artifact v2 commit SHA 82c141cc518b40d92cc801eee768e7aafc9c2fa2

💡 Result:

actions/upload-artifact@v2 resolves to commit 82c141cc518b40d92cc801eee768e7aafc9c2fa2 (short SHA 82c141c). The commit is titled “Bump @actions/artifact to version 0.6.1 (#286)”. [1] [2]

Sources:
[1] GitHub release/tag “v2” showing tag v2 → 82c141c (full SHA 82c141…)
[2] GitHub commit page for 82c141cc518b40d92cc801eee768e7aafc9c2fa2

---

🌐 Web query:

actions/download-artifact v2 commit SHA cbed621e49e4c01b044d60f6c80ea4ed6328b281

💡 Result:

cbed621e49e4c01b044d60f6c80ea4ed6328b281 is the commit that the v2 tag of actions/download-artifact points to (i.e., what you get when you use actions/download-artifact@v2). It’s titled “Upgrade @actions/core to 1.10.0 for v2 (#210)”. [1], [2]

Note: GitHub deprecated v1 and v2 of the artifact actions effective June 30, 2024 (using them after that date results in workflow failures), so you should migrate to actions/download-artifact@v4. [3]

Sources:
[1] actions/download-artifact@cbed621
[2] https://github.com/actions/download-artifact/releases/tag/v2
[3] https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/

---

아티팩트 액션 버전 업그레이드 필수

GitHub Actions artifact 액션(upload-artifact, download-artifact)의 v2 버전은 2024년 6월 30일에 사용 중단되었으며, 현재 워크플로우가 실행되면 실패합니다. 모든 artifact 액션을 v4로 업그레이드하세요.

• actions/upload-artifact v2 → v4 (영향 범위: 32, 74, 79, 85, 141, 146줄)
• actions/download-artifact v2 → v4 (영향 범위: 57, 110, 115줄)

또한 32-32, 52-53, 57-57, 74-75, 79-79, 85-85, 108-108, 110-110, 115-115, 122-122, 141-141, 146-146줄에서 커밋 SHA 고정은 적절하게 구현되었습니다. 다만 71줄과 138줄의 deprecated set-output 명령도 현대식 출력 형식으로 교체하는 것을 권고합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-okhttp-parcelable.yml around lines
20 - 21, Update the deprecated artifact actions and deprecated output usage:
replace all usages of actions/upload-artifact@v2 with actions/upload-artifact@v4
and actions/download-artifact@v2 with actions/download-artifact@v4 (search for
the action identifiers "actions/upload-artifact" and "actions/download-artifact"
to locate each occurrence), and replace any deprecated set-output steps (search
for "set-output") with the recommended workflow-command file method (write
output lines to the GITHUB_OUTPUT file, e.g., echo "name=value" >>
"$GITHUB_OUTPUT") while keeping commit-SHA pinning for other actions as-is.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/checkout v2 github release SHA commit hash

💡 Result:

actions/checkout@v2.7.0 points to commit:

• ee0669bd1cc54295c223e0bb666b733df41de1c5 (shown as ee0669b on the release list, with the full SHA on the commit page). [1][2]

Note: actions/checkout@v2 is a floating major tag (it can be moved to newer v2.x.y releases), so for deterministic builds you should pin to a full commit SHA like the above. [1]

Sources
[1] https://github.com/actions/checkout/releases?page=3
[2] actions/checkout@ee0669b

---

🌐 Web query:

actions/setup-java v1 github release SHA commit hash

💡 Result:

actions/setup-java@v1 currently points to commit b6e674f4b717d7b0ae3baee0fbe79f498905dfde. [1]

Sources:
[1] actions/setup-java@b6e674f

---

🌐 Web query:

actions/upload-artifact v2 github release SHA commit hash

💡 Result:

actions/upload-artifact@v2 currently resolves to commit:

• 82c141cc518b40d92cc801eee768e7aafc9c2fa2 (tag v2) [1][2]

You can pin it like:

- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2

Sources: [1][2]

---

🌐 Web query:

actions/download-artifact v2 github release SHA commit hash

💡 Result:

actions/download-artifact@v2 currently points to commit cbed621e49e4c01b044d60f6c80ea4ed6328b281 (tagged on Mar 8, 2023). [1][2]

If you want to pin by SHA:

- uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281

Note: GitHub deprecated v1/v2 of the artifact actions effective June 30, 2024. [3]

Sources:
[1] https://github.com/actions/download-artifact/tags?after=v4.1.1
[2] actions/download-artifact@cbed621
[3] https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/

---

커밋 SHA 고정은 올바르게 적용되었습니다.

모든 GitHub Actions가 정확한 커밋 SHA로 고정되어 있으며, 인라인 주석의 버전 태그와 일치합니다:

• actions/checkout@v2: SHA 일치 ✓
• actions/setup-java@v1: SHA 일치 ✓
• actions/upload-artifact@v2: SHA 일치 ✓
• actions/download-artifact@v2: SHA 일치 ✓

긴급: 사용 중단된 Actions 업그레이드 필요

actions/upload-artifact@v2와 actions/download-artifact@v2는 2024년 6월 30일부로 공식 사용 중단되었습니다. 현재 날짜 기준으로 1년 이상 지난 상태이며, 이러한 deprecated actions 사용은 향후 워크플로우 실패 및 보안 위험을 초래할 수 있습니다. v4로의 즉시 업그레이드를 권장합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-retrofit2-play25.yml around lines
20 - 21, Replace the deprecated actions/upload-artifact@v2 and
actions/download-artifact@v2 uses in the workflow with the current v4 releases
and pin them to their exact commit SHAs (e.g., change uses:
actions/upload-artifact@v2 → uses: actions/upload-artifact@v4@<commit-sha> and
similarly for actions/download-artifact), and verify any input/output names
still match v4 semantics to avoid breaking the job; keep the inline version
comments updated to reflect v4.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test-framework-v2-ts-angular-v12.yml | head -150

Repository: Buzzvil/swagger-codegen

Length of output: 6785

---

🌐 Web query:

actions/checkout v2 release SHA github

💡 Result:

On GitHub, the actions/checkout major tag v2 currently points to commit SHA:

ee0669bd1cc54295c223e0bb666b733df41de1c5 (short: ee0669b). [1][2]

---

🌐 Web query:

actions/setup-java v1 release SHA github

💡 Result:

The actions/setup-java v1 tag on GitHub points to commit:

• b6e674f4b717d7b0ae3baee0fbe79f498905dfde (short: b6e674f) [1][2]

Sources: [1] Tags page showing v1 → b6e674f (and v1.4.4 also → b6e674f), [2] Commit page with the full 40-char SHA.

---

🌐 Web query:

actions/upload-artifact v2 release SHA github

💡 Result:

actions/upload-artifact@v2 points to commit SHA:

• 82c141cc518b40d92cc801eee768e7aafc9c2fa2 [1]

Sources: GitHub commit page for the v2 tag [1].

---

🌐 Web query:

actions/download-artifact v2 release SHA github

💡 Result:

actions/download-artifact@v2 currently points to commit cbed621e49e4c01b044d60f6c80ea4ed6328b281 (the v2 tag and v2.1.1 tag both reference this same commit). [1][2]

If you want to pin by SHA in your workflow:

- uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281

Note: GitHub announced v1 and v2 artifact actions were deprecated effective June 30, 2024, and that using them after the deprecation date would result in workflow failure. [3]

Sources: [1] [2] [3]

---

🌐 Web query:

actions/setup-node v1 release SHA github

💡 Result:

actions/setup-node@v1 currently points to commit f1f314fca9dfce2769ece7d933488f076716723e. [1]

Sources:
[1] GitHub commit page for actions/setup-node commit f1f314fca9dfce2769ece7d933488f076716723e (tag/branch v1). (github.com)

Citations:

• 1: actions/setup-node@f1f314f

---

액션 버전 폐기로 인한 중요 문제 - 즉시 해결 필요

SHA 핀닝은 올바르게 설정되었으며, 모든 커밋 해시가 주석의 버전 태그와 일치합니다. 다만 중대한 문제가 있습니다:

• actions/download-artifact v2 (라인 60, 114, 119)와 v1 아티팩트 액션들은 2024년 6월 30일자로 공식 폐기되었습니다
• 현재 날짜 기준으로 폐기 기한이 이미 지났으므로 이 워크플로우는 실패합니다
• 업그레이드가 필수입니다:
  • actions/download-artifact@v4로 업데이트
  • actions/upload-artifact@v4로 업데이트
  • actions/checkout@v4로 업데이트
  • actions/setup-java, actions/setup-node도 최신 주요 버전 확인 필요

SHA 핀닝 방식을 유지하되, 지원되는 버전으로 업그레이드하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v12.yml around lines 20 - 21,
The workflow uses deprecated action versions (e.g., actions/download-artifact,
actions/upload-artifact, actions/checkout, actions/setup-java,
actions/setup-node) and must be upgraded while preserving SHA pinning; replace
the current pinned SHAs for actions/download-artifact with the v4 release SHA
(actions/download-artifact@v4), actions/upload-artifact with the v4 release SHA
(actions/upload-artifact@v4), and actions/checkout with the v4 release SHA
(actions/checkout@v4), and update actions/setup-java and actions/setup-node to
their latest supported major-version SHAs; ensure each replacement keeps the
commit-hash pin (not floating tags), run a quick workflow validation, and update
any references to the old action names (e.g., occurrences of
actions/download-artifact, actions/upload-artifact, actions/checkout,
actions/setup-java, actions/setup-node) to the new pinned SHAs.

---

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check the workflow file to see the actual versions being used
cat .github/workflows/test-framework-v2-ts-angular-v12.yml | head -150

Repository: Buzzvil/swagger-codegen

Length of output: 5735

---

🌐 Web query:

actions/checkout latest version 2024 2025

💡 Result:

• Latest actions/checkout (as of Feb 23, 2026): v6.0.2 (released Jan 9, 2026) — use actions/checkout@v6 or pin @v6.0.2. [1]
• Latest in 2025: v5.0.0 (released Aug 11, 2025) — use actions/checkout@v5 or pin @v5.0.0. [2]
  • Latest v4.x release in 2025: v4.3.0 (released Aug 11, 2025). [3]
• Latest in 2024: v4.2.2 (released Oct 23, 2024) — use actions/checkout@v4 or pin @v4.2.2. [4]

Sources: [1] (github.com) [2] (github.com) [3] (github.com) [4] (github.com)

Citations:

• 1: https://github.com/actions/checkout/releases
• 2: https://github.com/actions/checkout/releases
• 3: https://github.com/actions/checkout/releases
• 4: https://github.com/actions/checkout/releases

---

🌐 Web query:

actions/setup-java latest version 2024 2025

💡 Result:

• Latest actions/setup-java (current): v5.2.0 (released Jan 22; shown as the Latest release on GitHub) [1]
• v5.0.0 (the v5 major release) was published on Aug 21 [2]

What to use in workflows

• Track the latest v5.x automatically: uses: actions/setup-java@v5 [3]
• Or pin exactly to the current latest: uses: actions/setup-java@v5.2.0 [1]

Sources: [1] https://github.com/actions/setup-java/releases/tag/v5.2.0 , [2] https://github.com/actions/setup-java/releases (see v5.0.0) , [3] https://github.com/actions/setup-java (README examples show @v5)

---

🌐 Web query:

actions/upload-artifact v2 deprecated GitHub 2024

💡 Result:

GitHub deprecated actions/upload-artifact@v1 and @v2 effective June 30, 2024. After that date, workflows that still use actions/upload-artifact@v2 (or @v1) fail even though the tags remain in the repo. GitHub recommends upgrading to actions/upload-artifact@v4. [1][2]

Fix (typical):

- uses: actions/upload-artifact@v4

Notes:

• GitHub later also deprecated @v3 (separately) and directed users to @v4. [3]
• If you’re on GitHub Enterprise Server (GHES), upload-artifact@v4+ may not be supported; the action repo advises using @v3/@v3-node20 for GHES. [2]

Sources:
[1] GitHub Changelog – Deprecation notice: v1 and v2 of the artifact actions (Feb 13, 2024)
[2] actions/upload-artifact README warning / migration guidance
[3] GitHub Changelog – Deprecation notice: v3 of the artifact actions (Apr 16, 2024)

---

🌐 Web query:

actions/download-artifact v2 deprecated GitHub 2024

💡 Result:

GitHub deprecated actions/download-artifact@v1 and @v2 (and the matching upload-artifact versions) with an end-of-support date of June 30, 2024; after that date, workflows attempting to use v1/v2 can fail on GitHub.com. Update workflows to actions/download-artifact@v4 (and actions/upload-artifact@v4). [1][2]

Also noted by GitHub: upload-artifact@v3 / download-artifact@v3 were scheduled for deprecation Nov 30, 2024, with a later cutoff for v3 discussed separately. [2][3]

Fix (example):

- uses: actions/download-artifact@v4
# (and)
- uses: actions/upload-artifact@v4

Sources: GitHub Changelog deprecation notice for v1/v2 [1], artifact action repo warning text [2], GitHub community deprecation reminder for v3 [3].

---

🌐 Web query:

actions/setup-node latest version 2024 2025

💡 Result:

• Latest major release in 2024: actions/setup-node@v4 (latest v4.x shown: v4.1.0, released Oct 24) [1]
• Latest major release in 2025: actions/setup-node@v6 (v6.0.0 released Oct 14, v6.1.0 released Dec 3) [1]
• Current latest (for context): v6.2.0, released Jan 15, 2026 [2]

Sources:
[1] GitHub releases list for actions/setup-node (shows v4.1.0, v5.0.0, v6.0.0, v6.1.0): https://github.com/actions/setup-node/releases
[2] Release page for v6.2.0: https://github.com/actions/setup-node/releases/tag/v6.2.0

---

최신 액션 버전으로 업그레이드하세요.

현재 v1/v2 버전의 액션들이 SHA로 핀닝되어 있습니다. actions/upload-artifact v2와 actions/download-artifact v2는 GitHub에서 2024년 6월 30일 이후 공식적으로 deprecated 되었으며, 이후 이 버전들을 사용하는 워크플로우는 실패할 수 있습니다. 다음 표의 최신 버전으로 업그레이드하세요:

액션	현재 버전	최신 버전
actions/checkout	v2	v6
actions/setup-java	v1	v5
actions/upload-artifact	v2	v4
actions/download-artifact	v2	v4
actions/setup-node	v1	v6

SHA 핀닝을 유지하면서 최신 버전을 사용하면 보안 패치와 개선사항을 확보할 수 있습니다.

Also applies to: 32, 55-56, 60, 77, 82, 88, 112, 114, 119, 126, 145, 150

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v12.yml around lines 20 - 21,
The workflow pins older action SHAs for actions/checkout and actions/setup-java
(and several other steps) which are deprecated; update the uses entries to the
current major releases while keeping SHA pinning: replace occurrences of uses:
actions/checkout@... (v2) with actions/checkout@v6 (pinned to the corresponding
v6 commit SHA), actions/setup-java@... (v1) with actions/setup-java@v5,
actions/upload-artifact@v2 with actions/upload-artifact@v4,
actions/download-artifact@v2 with actions/download-artifact@v4, and
actions/setup-node@v1 with actions/setup-node@v6 (apply same pattern for all
other listed occurrences such as lines referenced
32,55-56,60,77,82,88,112,114,119,126,145,150), ensuring each uses: entry is
updated to the latest major version and pinned to the appropriate commit SHA for
security.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the workflow file
find . -name "test-framework-v2-ts-angular-v4_3.yml" -type f

Repository: Buzzvil/swagger-codegen

Length of output: 124

---

🏁 Script executed:

# Also list workflow files to understand the structure
ls -la .github/workflows/ | head -20

Repository: Buzzvil/swagger-codegen

Length of output: 1450

---

🏁 Script executed:

# Search for the specific workflow file
fd "test-framework-v2-ts-angular-v4" .github/workflows/

Repository: Buzzvil/swagger-codegen

Length of output: 176

---

🌐 Web query:

Node.js 16 end of life support date 2024

💡 Result:

Node.js 16.x reached End-of-Life (end of community security/support) on September 11, 2023 (not in 2024). [1]

Some vendors/platforms ended their own Node 16 support later (e.g., AWS SDK for JavaScript v3: January 6, 2025 [2]), which can make it look like a 2024 EOL, but the official Node.js 16 EOL is 2023-09-11. [1]

Sources: [1] Node.js Release Working Group schedule (nodejs/Release) [2] AWS Developer Tools Blog (AWS SDK v3)

---

🏁 Script executed:

cat -n .github/workflows/test-framework-v2-ts-angular-v4_3.yml | head -150

Repository: Buzzvil/swagger-codegen

Length of output: 6784

---

🌐 Web query:

GitHub actions checkout latest version 2024 2025

💡 Result:

As of the most recent releases (Dec 2, 2025), the latest official actions/checkout is v6.0.1, and the recommended major tag is:

- uses: actions/checkout@v6

This tracks the latest v6.x release (currently v6.0.1). [1][2]

If you’re targeting “latest in 2024 / 2025”

• 2024: the latest major was v4 (e.g., v4.2.x in late 2024). [3]
• 2025: v5.0.0 released Aug 11, 2025, and later v6 released Nov–Dec 2025. [1][3]

Best practice (more secure / reproducible)

Pin to a full commit SHA instead of a moving tag (@v6), especially for high-security workflows (get the SHA from the release page). [1]

Note for GitHub Enterprise Server (GHES)

Your instance may only have older “bundled” action versions unless you sync/connect to GitHub.com actions. [4]

Sources: GitHub actions/checkout releases page and GitHub Marketplace listing. [1][2]

[1] https://github.com/actions/checkout/releases
[2] https://github.com/marketplace/actions/checkout
[3] https://releasealert.dev/github/actions/checkout
[4] https://docs.github.com/en/enterprise-server%403.15/admin/managing-github-actions-for-your-enterprise/managing-access-to-actions-from-githubcom/using-the-latest-version-of-the-official-bundled-actions

---

🌐 Web query:

GitHub actions setup-java latest version 2024 2025

💡 Result:

As of 2026-02-23, the latest major version of actions/setup-java is v5—current latest tag is v5.2.0 (2026-01-22). [1]

Recommended usage (pin to major):

- uses: actions/setup-java@v5
  with:
    distribution: temurin
    java-version: '21'

v5 introduced a breaking change: the action runtime moved node20 → node24, and it requires a GitHub Actions runner v2.327.1+. [2]

If you want to pin to the latest patch (most reproducible):

• actions/setup-java@v5.2.0 [1]

Relevant 2024/2025 context:

• v5.0.0 was released on 2025-08-21 (start of the v5 line). [1]
• Latest v4 line shown is v4.8.0 (2025-12-04). [1]

Sources: [actions/setup-java releases page] [1], [actions/setup-java README (breaking changes in v5)] [2].

[1] (github.com)
[2] (github.com)

Citations:

• 1: https://github.com/actions/setup-java/releases
• 2: https://github.com/actions/setup-java

---

🌐 Web query:

GitHub actions upload-artifact latest version 2024 2025

💡 Result:

• Latest actions/upload-artifact release (as of Feb 23, 2026): actions/upload-artifact@v6.0.0 (major tag: @v6). [1]
• What most people should use: actions/upload-artifact@v4 or newer (v4 is the “Artifacts v4” generation and the long-term replacement for v1–v3). [2][3]
• Deprecations (relevant to 2024–2025):
  • v1/v2 deprecated June 30, 2024. [4]
  • v3: GitHub announced end-of-support starting January 30, 2025 (and the repo warning also references a Nov 30, 2024 deprecation schedule). [5][2]
• 2025 notable change: artifacts v4+ added a SHA-256 digest output/validation feature (only for v4+). [6]
• If you’re on GitHub Enterprise Server (GHES): the repo notes v4+ isn’t supported on GHES (use v3 / v3-node20 there). [2]

Sources: [1] [2] [3] [4] [5] [6]

---

🌐 Web query:

GitHub actions setup-node latest version 2024 2025

💡 Result:

• Current latest major: actions/setup-node@v6 (latest release v6.2.0, published Jan 15, 2026). [1]
• 2025 “latest” major: @v5 (released Sep 4, 2025). [2]
• 2024 commonly used major: @v4 (GitHub’s Node.js CI guide examples use actions/setup-node@v4). [3]
• When v4 started: v4.0.0 was published Oct 23 (older than 2024), and moved the action runtime from node16 → node20. [4]

Recommended today: pin to the latest major tag:

- uses: actions/setup-node@v6

Sources: [1] https://github.com/actions/setup-node/releases (v6.2.0) • [2] https://github.com/actions/setup-node/releases (v5.0.0) • [3] https://docs.github.com/en/actions/guides/building-and-testing-nodejs • [4] https://github.com/actions/setup-node/releases?page=2 (v4.0.0)

---

고정된 액션 버전이 상당히 오래되었습니다.

현재 고정된 버전들(checkout v2, setup-java v1, upload-artifact v2, download-artifact v2, setup-node v1)은 모두 최신 버전(checkout v6, setup-java v5, upload-artifact v6, setup-node v6)보다 여러 메이저 버전 뒤처져 있습니다. 특히 upload-artifact v2는 2024년 6월 30일부로 지원이 중단되었습니다. 오래된 버전은 보안 패치, 버그 수정, 그리고 Node.js 16 런타임 지원 종료(2023년 9월 11일) 이후의 호환성 문제가 있을 수 있습니다.

SHA 고정을 진행하되, 최신 안정 버전의 SHA로 업그레이드하는 것을 권장합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v4_3.yml around lines 20 -
21, Update the GitHub Actions "uses" pins to current stable major releases and
pin their corresponding SHAs: replace uses: actions/checkout@ee0669bd1... with
the latest checkout major (e.g., actions/checkout@v6) and its SHA,
actions/setup-java@b6e674f... with setup-java@v5 and its SHA,
actions/upload-artifact@v2 with upload-artifact@v6 and SHA,
actions/download-artifact@v2 with a current download-artifact major and SHA, and
actions/setup-node@v1 with setup-node@v6 and SHA; ensure you update every
occurrence of these action identifiers in the workflow so each "uses:" line
references the new major tag and the exact commit SHA for reproducible runs.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/upload-artifact v2 deprecation

💡 Result:

actions/upload-artifact@v2 is deprecated as of June 30, 2024. After that date, workflows that still use @v2 will fail (the tag remains, but it’s no longer supported). [1]

What to do

• On GitHub.com: update your workflow to v4 or newer:

  - uses: actions/upload-artifact@v4
    with:
      name: my-artifact
      path: path/to/files

  [2]

• If you use GitHub Enterprise Server (GHES): upload-artifact@v4+ is not supported there; you must use v3 / v3-node20 instead. [2]

Sources: GitHub Changelog deprecation notice for v1/v2 [1]; actions/upload-artifact README (deprecation + upgrade guidance) [2].

---

🌐 Web query:

actions/download-artifact v2 deprecation latest version

💡 Result:

• Deprecation of actions/download-artifact@v2: GitHub deprecated v1 and v2 effective June 30, 2024; using them after that date can cause workflow failures. [1]
• Recommended replacement: Upgrade to the v4+ artifact actions (introduced Dec 14, 2023). [1], [2]
• Latest version (as of Feb 23, 2026): actions/download-artifact latest release is v7.0.0 (Dec 12, 2025), so the “latest” major tag is @v7. [3]

Sources
[1] GitHub Changelog – Deprecation notice: v1 and v2 of the artifact actions (Feb 13, 2024) (github.blog)
[2] GitHub Changelog – GitHub Actions: Artifacts v4 is now GA (Dec 14, 2023) (github.blog)
[3] actions/download-artifact repo (Releases section shows v7.0.0 latest, Dec 12, 2025) (github.com)

Citations:

• 1: https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/
• 2: https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/?utm_source=openai
• 3: https://github.com/actions/download-artifact

---

🌐 Web query:

GitHub Actions checkout setup-java upload-artifact download-artifact setup-node latest versions 2024

💡 Result:

For 2024, the “latest” (current major) GitHub-maintained action tags for these were:

• Checkout: actions/checkout@v4 [1]
• Setup Java: actions/setup-java@v4 (v4.x releases throughout 2024) [2]
• Setup Node: actions/setup-node@v4 [3]
• Upload Artifact: actions/upload-artifact@v4 [4]
• Download Artifact: actions/download-artifact@v4 [5]

Notes relevant to 2024:

• Artifact actions v4 became the supported “new generation” and are not cross-compatible with v3 and earlier. [6]
• Deprecations called out in 2024: artifact v1/v2 scheduled for deprecation June 30, 2024, and v3 scheduled for deprecation November 30, 2024 (move to v4). [4]

Example (2024-style) snippet:

steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-java@v4
    with:
      distribution: temurin
      java-version: '21'
  - uses: actions/setup-node@v4
    with:
      node-version: '20.x'
  - uses: actions/upload-artifact@v4
    with:
      name: build
      path: dist/
# later job:
# - uses: actions/download-artifact@v4

Sources: [1] [2] [3] [4] [5] [6]

---

🏁 Script executed:

# Let's verify the workflow file contents to see the actual lines
cat -n .github/workflows/test-framework-v2-ts-angular-v4.yml | sed -n '15,25p'

Repository: Buzzvil/swagger-codegen

Length of output: 461

---

🏁 Script executed:

# Check all the pinned versions in the file
grep -n "uses: actions/" .github/workflows/test-framework-v2-ts-angular-v4.yml

Repository: Buzzvil/swagger-codegen

Length of output: 1362

---

폐기된(Deprecated) 액션 버전을 즉시 업그레이드해야 합니다.

actions/upload-artifact@v2와 actions/download-artifact@v2는 2024년 6월 30일부로 공식 폐기되었으며, 현재 이 버전들을 사용하는 워크플로우는 실패할 수 있습니다. 현재 시점(2026년 2월)에서 이들 액션은 8개월 이상 지원되지 않는 상태입니다.

다음 액션들을 v4 이상으로 업그레이드하세요:

• actions/checkout → v4
• actions/setup-java → v4
• actions/setup-node → v4
• actions/upload-artifact → v4 (또는 최신 v7)
• actions/download-artifact → v4 (또는 최신 v7)

v1 및 v2 버전은 더 이상 보안 업데이트를 받지 않으며, 워크플로우 실행이 중단될 위험이 있습니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v4.yml around lines 20 - 21,
The workflow uses deprecated action versions (e.g., actions/checkout,
actions/setup-java, actions/setup-node, actions/upload-artifact,
actions/download-artifact) and must be updated: edit the uses entries (the lines
containing uses: actions/checkout@..., actions/setup-java@...,
actions/setup-node@..., actions/upload-artifact@...,
actions/download-artifact@...) to reference supported major releases (prefer v4
for checkout/setup-java/setup-node and v4 or newer like v7 for
upload/download-artifact) so all occurrences of those symbols are replaced with
their modern stable tags.

[coderabbitai]

Actionable comments posted: 20

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

.github/workflows/test-framework-v2-java-okhttp.yml (1)

52-85: 🛠️ Refactor suggestion | 🟠 Major

GitHub Actions 메이저 버전 업그레이드 필수

현재 워크플로우가 매우 오래된 액션 버전을 사용 중입니다:

• actions/checkout@v2 → 최신: v6 (2026년 1월)
• actions/setup-java@v1 → 최신: v5 (2024년 8월)
• actions/upload-artifact@v2 → 최신: v6 (2025년 12월)
• actions/download-artifact@v2 → 최신: v7 (2025년 12월)

특히 upload-artifact 및 download-artifact의 v3는 2025년 1월 30일부로 이미 deprecated되었습니다. v2를 사용 중이므로 더 이상 보안 업데이트를 받지 못할 위험이 있습니다. 최신 메이저 버전으로 업그레이드한 후 SHA로 다시 고정하기를 권장합니다(입력 스키마 변경 여부 확인 포함).

라인 52-85, 108-146 모두 해당됩니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-okhttp.yml around lines 52 - 85,
Update the GitHub Actions usages to current major releases: replace
actions/checkout@... with the latest v6, actions/setup-java@... with v5,
actions/download-artifact@... with v7, and actions/upload-artifact@... with v6;
after changing the versions, pin each action to its recommended commit SHA
instead of a floating tag, run the workflow locally or in a dry run to confirm
there are no breaking input/schema changes (especially for
actions/download-artifact and actions/upload-artifact), and adjust any input
keys (e.g., name/path) to match the new action schemas if the run fails; update
all other occurrences of these action usages in the workflow so they are
consistent.

.github/workflows/test-framework-ruby.yml (1)

160-163: ⚠️ Potential issue | 🟠 Major

ruby/setup-ruby 액션을 SHA로 고정하세요.

이 PR의 목적인 공급망 보안을 위해 모든 GitHub Actions를 SHA로 고정하는 것을 달성하기 위해, ruby/setup-ruby@v1도 다른 모든 액션처럼 SHA로 고정해야 합니다. 현재 상태는 mutable 태그를 사용하고 있어 일관성이 없습니다.

수정 제안

       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd  # v1
         with:
           ruby-version: ${{ matrix.ruby }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ruby.yml around lines 160 - 163, 현재 mutable
태그를 사용하는 `uses: ruby/setup-ruby@v1` 를 고정된 SHA로 바꿔야 합니다: locate the `uses:
ruby/setup-ruby@v1` entry in the workflow and replace the tag with the
corresponding commit SHA for the `ruby/setup-ruby` action (e.g.,
`ruby/setup-ruby@<full-sha>`), ensuring the rest of the `with:` inputs (like
`ruby-version`) remain unchanged; commit the change so this action is pinned to
an immutable SHA like the other actions in the workflow.

.github/workflows/test-framework-ada.yml (1)

1-1: ⚠️ Potential issue | 🟡 Minor

파일 이름과 워크플로우 이름 불일치 - 수정 필요

파일 이름은 test-framework-ada.yml이지만 워크플로우 이름이 name: Test Framework PHP로 설정되어 있습니다. 이는 복사-붙여넣기 오류로 보이며, Ada 워크플로우에 맞게 이름을 수정해야 합니다.

🔧 워크플로우 이름 수정 제안

-name: Test Framework PHP
+name: Test Framework Ada

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ada.yml at line 1, The workflow name
declared as "name: Test Framework PHP" doesn't match the file name
test-framework-ada.yml; update the workflow 'name' value (the "name: Test
Framework PHP" line) to reflect Ada, e.g., "name: Test Framework Ada" so the
workflow name and filename are consistent.

.github/workflows/test-framework-v2-ruby.yml (1)

138-141: ⚠️ Potential issue | 🟠 Major

ruby/setup-ruby가 아직 태그(@v1)로 고정되어 있음

이 워크플로우의 다른 모든 외부 액션은 SHA로 핀 처리되어 있는데, ruby/setup-ruby만 @v1 태그 참조가 남아 있어 PR 목표와 불일치합니다. 보안과 재현성을 위해 ruby/setup-ruby@v1도 SHA로 핀 처리해 주세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ruby.yml around lines 138 - 141, 현재
워크플로의 액션 참조 중 ruby/setup-ruby@v1만 태그로 남아 있어 다른 외부 액션들처럼 SHA로 핀하지 않은 상태입니다;
ruby/setup-ruby@v1 참조를 해당 액션의 신뢰할 수 있는 커밋 SHA로 교체하여 태그 핀 대신 고정된 SHA로 사용하도록
업데이트하세요(예: replace "uses: ruby/setup-ruby@v1" with "uses:
ruby/setup-ruby@<COMMIT_SHA>" ensuring the SHA corresponds to the intended
release).

♻️ Duplicate comments (1)

.github/workflows/test-framework-ada.yml (1)

160-163: ada-actions/toolchain이 dev 커밋에 고정됨

ada-actions/toolchain이 개발 브랜치의 커밋(d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707)에 고정되어 있습니다. 안정적인 릴리스 태그(v0.2.0)를 사용하는 것이 권장됩니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ada.yml around lines 160 - 163, The
workflow currently pins the ada-actions/toolchain action to a specific dev
commit (uses: ada-actions/toolchain@d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707);
update this to the stable release tag by changing the uses reference for
ada-actions/toolchain to the recommended tag (e.g., uses:
ada-actions/toolchain@v0.2.0) in the test-framework-ada.yml workflow so the
action uses the fixed release instead of a dev commit.

🧹 Nitpick comments (7)

.github/workflows/test-framework-v2-java-google-api.yml (1)

20-21: SHA 고정(Pinning)은 올바른 공급망 보안 관행입니다.

액션 참조를 특정 커밋 SHA로 고정하고 버전 주석을 유지한 것은 좋은 접근 방식입니다. 재현 가능한 빌드와 업스트림 변조 방지에 효과적입니다.

다만, 고정된 버전들이 상당히 오래되었습니다:

• actions/checkout v2 (현재 v4)
• actions/setup-java v1 (현재 v4)

후속 PR에서 최신 버전으로 업그레이드하는 것을 고려해 주세요.
,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-google-api.yml around lines 20 -
21, The workflow pins obsolete action SHAs; update the GitHub Action references
"actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5" and
"actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde" to current stable
major releases (e.g., actions/checkout@v4 and actions/setup-java@v4) and, to
retain supply-chain safety, replace the tag with the corresponding commit SHA
for those v4 releases while preserving the version comment; run the workflow CI
to verify behavior after the change.

.github/workflows/test-framework-elixir.yml (1)

40-41: SHA 고정(pinning) 방식이 올바르게 적용되었습니다.

공급망 보안을 위해 GitHub Actions를 특정 커밋 SHA로 고정하는 방식은 모범 사례에 부합합니다. 버전 태그를 주석으로 남겨둔 것도 유지보수에 도움이 됩니다.

다만, 고정된 버전들(v1, v2)이 상당히 오래되었습니다. 현재 actions/checkout, actions/setup-java, actions/upload-artifact, actions/download-artifact 모두 v4가 최신 버전입니다. 보안 패치와 성능 개선을 위해 버전 업그레이드를 권장합니다.

,

Also applies to: 62-62, 85-86, 90-90, 107-107, 112-112, 118-118, 138-138, 140-140, 145-145, 171-171, 176-176

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-elixir.yml around lines 40 - 41, Replace
the old pinned SHAs for GitHub Actions with current v4 SHAs: update usages of
actions/checkout, actions/setup-java, actions/upload-artifact, and
actions/download-artifact to the latest v4 commit SHAs (keep the human-readable
version tag like "# v4" as a comment for maintainability); ensure you replace
each occurrence referenced by the review (the lines using actions/checkout,
actions/setup-java, actions/upload-artifact, actions/download-artifact) and
verify the new SHAs from the official action repos before committing so the
workflow remains pinned but upgraded to v4.

.github/workflows/test-framework-v2-ts-angular-v5.yml (2)

126-126: actions/setup-node@v1은 deprecated 상태입니다.

actions/setup-node@v1은 공식적으로 deprecated 되었으며, 현재 v4가 권장됩니다. v1에서는 Node.js 캐싱 기능 등 최신 기능이 지원되지 않습니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v5.yml at line 126, 현재 워크플로에서
사용 중인 액션 참조 "uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e"
(구버전 v1) 이 deprecated 되어 v4로 업그레이드해야 합니다; 해당 문자열을 "actions/setup-node@v4"로 교체하고
필요하면 최신 버전의 cache 설정 및 입력 파라미터(supplied node-version, cache: 'npm' 등) 문법이
변경되었는지(예: cache: 'npm' 또는 'yarn' 사용) 확인하여 워크플로가 정상 동작하도록 조정하세요.

---

60-60: actions/download-artifact@v2는 deprecated 상태입니다.

actions/download-artifact@v2도 마찬가지로 deprecated 상태이며 v4가 권장됩니다. upload-artifact와 download-artifact는 일반적으로 동일한 메이저 버전을 사용해야 호환성 문제가 없습니다.

Also applies to: 114-114, 119-119

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v5.yml at line 60, Replace
the deprecated hard-coded download artifact action refs with the supported v4
major version and align artifact action versions: change the occurrences of
"uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281" (and
the similar lines at the other two occurrences) to
"actions/download-artifact@v4" and ensure any corresponding
"actions/upload-artifact@..." usages in the workflow are using the matching
major version (v4) for compatibility.

.github/workflows/test-framework-v2-scala.yml (1)

21-21: actions/setup-java@v1에서 v5로 업그레이드 권장

actions/setup-java@v1은 Node.js 12에서 실행되는데, GitHub는 2023년 6월 14일에 Node.js 12를 폐기하고 Node.js 16을 강제하기 시작했습니다. 현재 SHA 고정 방식은 보안상 적절하지만, 향후 최신 버전인 v5.1.0으로 업그레이드를 강력히 권장합니다. v5는 Node.js 24로 런타임이 업그레이드되었으며 최신 보안 업데이트를 포함합니다.

예:

- uses: actions/setup-java@<FULL_COMMIT_SHA_FOR_v5>
  with:
    distribution: temurin
    java-version: '21'

Also applies to: 56, 126

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-scala.yml at line 21, Replace the pinned
actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde references with the
v5 release (preferably the full commit SHA for v5.1.0) to move from the old v1
runtime to the newer v5 Node.js 24 runtime; update each occurrence of the string
"uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde" (found in
the workflow at the noted locations) to use the v5 commit SHA and ensure the
step includes the required with keys like distribution (temurin) and
java-version ('21').

.github/workflows/test-framework-v2-java-resttemplate-with-xml.yml (1)

71-72: set-output 명령어는 더 이상 사용되지 않습니다.

::set-output 워크플로우 명령어는 GitHub Actions에서 deprecated 되었으며, $GITHUB_OUTPUT 환경 파일 방식으로 대체해야 합니다. 이 PR의 범위를 벗어나지만, 별도 PR에서 처리하는 것을 권장합니다.

♻️ 권장 수정 방법

      - id: outcome
        run: |
-          echo "::set-output name=generate_outcome::${{ steps.generate.outcome }}"
+          echo "generate_outcome=${{ steps.generate.outcome }}" >> $GITHUB_OUTPUT
          echo ${{ steps.generate.outcome }} > generate_outcome_${{ env.JOB_NAME }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-java-resttemplate-with-xml.yml around
lines 71 - 72, Replace the deprecated ::set-output usage with the new GitHub
Actions environment file approach: write the output key/value to the
$GITHUB_OUTPUT file instead of using ::set-output; specifically, stop using
"echo "::set-output name=generate_outcome::${{ steps.generate.outcome }}" and
instead append "generate_outcome=${{ steps.generate.outcome }}" to
$GITHUB_OUTPUT, while keeping the existing separate file write "echo ${{
steps.generate.outcome }} > generate_outcome_${{ env.JOB_NAME }}" (or adapt that
second write if you want a single source of truth); update references to the
output key generate_outcome where needed.

.github/workflows/test-framework-js.yml (1)

142-142: Node.js 12.x는 EOL(End of Life) 상태입니다.

이 PR의 범위를 벗어나지만, Node.js 12.x는 2022년 4월에 지원이 종료되었습니다. 보안 및 호환성을 위해 LTS 버전(예: 18.x 또는 20.x)으로 업그레이드하는 것을 고려해 주세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-js.yml at line 142, Update the workflow's
Node.js version from the deprecated "node-version: [12.x]" to a current LTS
(e.g., "18.x" or "20.x") in the GitHub Actions matrix; change the node-version
matrix entry to the chosen LTS value and ensure any job steps that depend on
Node 12 (tooling, npm/node commands) remain compatible or are adjusted
accordingly so CI uses the updated runtime.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test-framework-elixir.yml:
- Around line 40-41: The workflow is using deprecated pinned SHAs for the
artifact actions; replace usages of actions/upload-artifact@<sha> and
actions/download-artifact@<sha> with the supported major tag
actions/upload-artifact@v4 and actions/download-artifact@v4 (remove the fixed
commit SHAs), and verify any step inputs remain compatible after the upgrade
(adjust step names that reference upload/download artifact steps if needed).

In @.github/workflows/test-framework-lua.yml:
- Line 62: Update all occurrences of the deprecated actions/upload-artifact@v2
usage to a supported major version: replace the action string
"actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2" (and any
other uses of actions/upload-artifact@v2) with a v4-or-later tag (prefer v6 for
GitHub.com). If this repository runs on GitHub Enterprise Server, use
actions/upload-artifact@v3 or actions/upload-artifact@v3-node20 instead. Ensure
you update every occurrence of the action reference in the workflow (all places
using actions/upload-artifact@v2) so the runtime is not tied to the deprecated
Node 12 image.
- Line 90: Replace deprecated GitHub Action versions: update every occurrence of
actions/download-artifact@... (e.g., the instance shown as
actions/download-artifact@cbed621e...) to actions/download-artifact@v4.3.0
(update at the three spots the reviewer noted), and update every occurrence of
actions/upload-artifact@... to the v4 series (actions/upload-artifact@v4) at the
listed locations; ensure you change the version string only and keep the action
names intact so the workflow uses the supported v4 release.
- Around line 40-41: The workflow pins very old action SHAs for actions/checkout
and actions/setup-java; update the pinned SHAs to the latest stable releases
(e.g., actions/checkout v6 and actions/setup-java v5) by replacing the current
commit SHAs used for uses: actions/checkout@... and uses: actions/setup-java@...
with the corresponding SHA or tag for the current v6.x and v5.x releases,
keeping SHA pinning for supply-chain security and verifying the new SHAs match
the official GitHub releases for actions/checkout and actions/setup-java before
committing.

In @.github/workflows/test-framework-php.yml:
- Line 161: 지정된 액션 식별자
shivammathur/setup-php@d59004228537ca90c8dca680592a08a675bf52b6가 존재하지 않아 404가
발생하므로, 해당 문자열을 올바른 태그나 유효한 커밋 SHA로 교체하세요; 예를 들어 shivammathur/setup-php@v2 또는 특정
릴리스 shivammathur/setup-php@v2.36.0로 변경하거나, 만약 커밋 SHA로 고정하려면
shivammathur/setup-php 저장소에서 실제 존재하는 커밋 해시를 확인해 그 SHA로 바꿔 사용하도록 업데이트하십시오.

In @.github/workflows/test-framework-sbt.yml:
- Around line 160-163: The workflow references ${{ matrix.node-version }} inside
the actions/setup-node step which will fail evaluation because the matrix has no
node-version entry; either add a node-version key to the matrix definition
(e.g., matrix.node-version: [14,16]) or replace/remove the reference in the step
to use a concrete version or another intended variable; update the setup step
that uses actions/setup-node@... (the "Use Node.js ${{ matrix.node-version }}"
step) so it no longer refers to an undefined matrix variable.

In @.github/workflows/test-framework-v2-inflector.yml:
- Line 21: The workflow uses the deprecated actions/setup-java v1 (entry: uses:
actions/setup-java@b6e674f4b...) which relies on Node 12; update that uses line
to the v5 release (e.g., actions/setup-java@v5 or actions/setup-java@v5.1.0) so
the job uses the maintained Node 24-based action and avoids runner
compatibility/security issues—locate the uses: actions/setup-java line in the
.github/workflows/test-framework-v2-inflector.yml and replace the pinned v1
reference with the v5 tag.
- Around line 20-21: The workflow uses invalid pinned SHAs and an end-of-life
setup-java version; replace the broken pins for actions/checkout and
actions/setup-java (and any actions/upload-artifact/actions/download-artifact
pins) with valid refs from the official repos — preferably use the supported
major tags instead of deprecated SHAs (e.g., change actions/setup-java@b6e6...
to actions/setup-java@v5 (target v5.2.0) and update actions/checkout to the
current supported tag such as actions/checkout@v4 or a verified commit SHA), and
verify each updated action ref is a valid commit in its official repo so the
workflow will run reliably.

In @.github/workflows/test-framework-v2-java-google-api.yml:
- Line 32: Replace the deprecated actions/upload-artifact v2 references with the
current stable v4 release: locate every occurrence of the uses line that
references actions/upload-artifact (e.g. the existing uses:
actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 SHA-style
reference) and update them to uses: actions/upload-artifact@v4.6.2; make this
change for all six occurrences in the workflow so the job uses the supported v4
action.
- Line 57: Replace all occurrences of the deprecated action references "uses:
actions/download-artifact@..." and "uses: actions/upload-artifact@..." in the
workflow with the v4 releases; specifically locate the lines that reference
actions/download-artifact and actions/upload-artifact and change their version
suffixes to `@v4` (update every occurrence in this workflow file so both
download-artifact and upload-artifact are using v4).

In @.github/workflows/test-framework-v2-java-pkmst.yml:
- Around line 20-21: The workflow pins outdated action SHAs for actions/checkout
and actions/setup-java which target Node 12; update both references to current
major releases (e.g., replace actions/checkout@ee0669b... with
actions/checkout@v4 and actions/setup-java@b6e674f... with
actions/setup-java@v4) and then re-pin to the corresponding commit SHA for those
v4 releases to ensure runners use Node 20-compatible binaries; modify the two
occurrences named actions/checkout and actions/setup-java in the YAML and verify
the new SHAs point to the official v4 tags/releases.

In @.github/workflows/test-framework-v2-java-resttemplate-with-xml.yml:
- Around line 20-21: Update deprecated Actions and workflow commands: replace
uses of actions/upload-artifact@v2 and actions/download-artifact@v2 with their
supported v3 (or v4) releases, and upgrade actions/setup-java@v1 to a current
major (e.g., actions/setup-java@v3/v4) everywhere it is referenced; also remove
all occurrences of the deprecated ::set-output command and replace them with
writing to $GITHUB_OUTPUT (e.g., echo "name=value" >> $GITHUB_OUTPUT) where
output values are set. Ensure you update the specific action references
actions/upload-artifact, actions/download-artifact, and actions/setup-java and
convert every ::set-output instance to the $GITHUB_OUTPUT pattern.

In @.github/workflows/test-framework-v2-java-retrofit2.yml:
- Around line 20-21: The workflow uses deprecated action versions: replace uses:
actions/download-artifact@v2 with uses: actions/download-artifact@v4 to restore
support after 2024-06-30, and while here update actions/checkout@v2 and
actions/setup-java@v1 to their current stable SHAs or tags (e.g.,
actions/checkout@v4 and actions/setup-java@v4 or the org-recommended stable
release) in the same workflow; locate the occurrences of
actions/download-artifact@v2, actions/checkout@v2, and actions/setup-java@v1 and
update their version strings (or pin to current commit SHAs) to supported
versions.

In @.github/workflows/test-framework-v2-java-retrofit2rx2.yml:
- Line 32: The workflow uses the deprecated pinned action string (e.g. the uses:
actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 occurrence)
which will fail; update every uses: actions/upload-artifact@... instance in the
file to the supported release tag actions/upload-artifact@v4 (replace the full
SHA/pinned ref), ensure any inputs/with keys remain compatible, and run the
workflow or act locally to validate the artifact uploads still work.
- Around line 20-21: The workflow pins deprecated action SHAs (e.g., uses:
actions/checkout and uses: actions/setup-java) and still references obsolete
artifact actions; replace the frozen SHAs with current, actively supported major
versions while keeping SHA pinning semantics: update references to
actions/checkout -> use the v6 release SHA, actions/setup-java -> use the v5
release SHA, and replace actions/upload-artifact and actions/download-artifact
with their supported majors (upload-artifact@v6 and download-artifact@v7)
ensuring you use their corresponding release SHAs to maintain supply-chain
security; verify the updated SHAs work in CI and that the action inputs remain
compatible with the newer major versions.

In @.github/workflows/test-framework-v2-python-asyncio.yml:
- Around line 20-21: Update the pinned GitHub Action SHAs to supported,
non-deprecated releases while keeping SHA pinning: replace the current pins for
actions/checkout, actions/setup-java, actions/upload-artifact,
actions/download-artifact, and actions/setup-python with SHAs corresponding to
their latest supported versions (e.g., checkout v6, setup-java v5,
upload-artifact/download-artifact v6+ or v7 as appropriate, setup-python v6.2.0)
so the workflow uses maintained runtimes and non-deprecated actions; ensure you
fetch the official release commit SHAs from each action's GitHub releases and
substitute them in place of the existing pinned SHAs in the workflow.

In @.github/workflows/test-framework-v2-scala.yml:
- Line 20: 워크플로우에서 더 이상 지원되지 않는 actions 버전(예: uses:
actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5) 을 사용하고 있으므로 모든 GitHub
Action 참조를 최신 주요 릴리스로 업그레이드하라; 구체적으로 파일의 uses: actions/checkout@... 을
actions/checkout@v4 이상으로 바꾸고, uses: actions/upload-artifact@... 및 uses:
actions/download-artifact@... 도 각각 actions/upload-artifact@v4 이상,
actions/download-artifact@v4 이상으로 업데이트하도록 수정하라.

In @.github/workflows/test-framework-v2-ts-angular-v4_3.yml:
- Around line 20-21: The workflow pins several deprecated Actions
(actions/checkout, actions/setup-java, actions/upload-artifact,
actions/download-artifact, actions/setup-node) which causes CI failures; update
each action to a supported major (e.g., actions/checkout -> v4.3.1,
actions/setup-java -> v5, upload-artifact/download-artifact -> v4, setup-node ->
latest major), resolve their updated usage if any, and replace the existing SHA
pins with the corresponding commit SHA for the target release so the workflow
uses the newest supported versions while keeping SHA pinning.

In @.github/workflows/test-framework-v2-ts-angular-v5.yml:
- Around line 20-21: Update the GitHub Actions usages that are pinned to old
SHAs to supported major releases: replace actions/checkout@ee0669bd... with
actions/checkout@v6.0.2, actions/setup-java@b6e6... with actions/setup-java@v5,
actions/setup-node@... with actions/setup-node@v4, actions/upload-artifact@...
with actions/upload-artifact@v4 and actions/download-artifact@... with
actions/download-artifact@v4; ensure you update every occurrence (look for the
action identifiers actions/checkout, actions/setup-java, actions/setup-node,
actions/upload-artifact, actions/download-artifact) and, if you must pin for
reproducibility, pin to the corresponding release tag SHA for those modern
versions rather than the deprecated Node.js 12–based SHAs.
- Line 32: The workflow uses actions/upload-artifact@v2 (shown as uses:
actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2) which is
deprecated; update the step to use actions/upload-artifact@v4 and handle the
v2→v4 breaking change for duplicate artifact names by either generating unique
artifact names per upload or adding the overwrite: true option to the
upload-artifact step (i.e., modify the uses reference to v4 and adjust the
corresponding upload-artifact step to include unique naming or overwrite: true).

---

Outside diff comments:
In @.github/workflows/test-framework-ada.yml:
- Line 1: The workflow name declared as "name: Test Framework PHP" doesn't match
the file name test-framework-ada.yml; update the workflow 'name' value (the
"name: Test Framework PHP" line) to reflect Ada, e.g., "name: Test Framework
Ada" so the workflow name and filename are consistent.

In @.github/workflows/test-framework-ruby.yml:
- Around line 160-163: 현재 mutable 태그를 사용하는 `uses: ruby/setup-ruby@v1` 를 고정된 SHA로
바꿔야 합니다: locate the `uses: ruby/setup-ruby@v1` entry in the workflow and replace
the tag with the corresponding commit SHA for the `ruby/setup-ruby` action
(e.g., `ruby/setup-ruby@<full-sha>`), ensuring the rest of the `with:` inputs
(like `ruby-version`) remain unchanged; commit the change so this action is
pinned to an immutable SHA like the other actions in the workflow.

In @.github/workflows/test-framework-v2-java-okhttp.yml:
- Around line 52-85: Update the GitHub Actions usages to current major releases:
replace actions/checkout@... with the latest v6, actions/setup-java@... with v5,
actions/download-artifact@... with v7, and actions/upload-artifact@... with v6;
after changing the versions, pin each action to its recommended commit SHA
instead of a floating tag, run the workflow locally or in a dry run to confirm
there are no breaking input/schema changes (especially for
actions/download-artifact and actions/upload-artifact), and adjust any input
keys (e.g., name/path) to match the new action schemas if the run fails; update
all other occurrences of these action usages in the workflow so they are
consistent.

In @.github/workflows/test-framework-v2-ruby.yml:
- Around line 138-141: 현재 워크플로의 액션 참조 중 ruby/setup-ruby@v1만 태그로 남아 있어 다른 외부
액션들처럼 SHA로 핀하지 않은 상태입니다; ruby/setup-ruby@v1 참조를 해당 액션의 신뢰할 수 있는 커밋 SHA로 교체하여 태그
핀 대신 고정된 SHA로 사용하도록 업데이트하세요(예: replace "uses: ruby/setup-ruby@v1" with "uses:
ruby/setup-ruby@<COMMIT_SHA>" ensuring the SHA corresponds to the intended
release).

---

Duplicate comments:
In @.github/workflows/test-framework-ada.yml:
- Around line 160-163: The workflow currently pins the ada-actions/toolchain
action to a specific dev commit (uses:
ada-actions/toolchain@d6c5b8a6e7d5205b96948c84f66a2d3fe3a24707); update this to
the stable release tag by changing the uses reference for ada-actions/toolchain
to the recommended tag (e.g., uses: ada-actions/toolchain@v0.2.0) in the
test-framework-ada.yml workflow so the action uses the fixed release instead of
a dev commit.

---

Nitpick comments:
In @.github/workflows/test-framework-elixir.yml:
- Around line 40-41: Replace the old pinned SHAs for GitHub Actions with current
v4 SHAs: update usages of actions/checkout, actions/setup-java,
actions/upload-artifact, and actions/download-artifact to the latest v4 commit
SHAs (keep the human-readable version tag like "# v4" as a comment for
maintainability); ensure you replace each occurrence referenced by the review
(the lines using actions/checkout, actions/setup-java, actions/upload-artifact,
actions/download-artifact) and verify the new SHAs from the official action
repos before committing so the workflow remains pinned but upgraded to v4.

In @.github/workflows/test-framework-js.yml:
- Line 142: Update the workflow's Node.js version from the deprecated
"node-version: [12.x]" to a current LTS (e.g., "18.x" or "20.x") in the GitHub
Actions matrix; change the node-version matrix entry to the chosen LTS value and
ensure any job steps that depend on Node 12 (tooling, npm/node commands) remain
compatible or are adjusted accordingly so CI uses the updated runtime.

In @.github/workflows/test-framework-v2-java-google-api.yml:
- Around line 20-21: The workflow pins obsolete action SHAs; update the GitHub
Action references "actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5"
and "actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde" to current
stable major releases (e.g., actions/checkout@v4 and actions/setup-java@v4) and,
to retain supply-chain safety, replace the tag with the corresponding commit SHA
for those v4 releases while preserving the version comment; run the workflow CI
to verify behavior after the change.

In @.github/workflows/test-framework-v2-java-resttemplate-with-xml.yml:
- Around line 71-72: Replace the deprecated ::set-output usage with the new
GitHub Actions environment file approach: write the output key/value to the
$GITHUB_OUTPUT file instead of using ::set-output; specifically, stop using
"echo "::set-output name=generate_outcome::${{ steps.generate.outcome }}" and
instead append "generate_outcome=${{ steps.generate.outcome }}" to
$GITHUB_OUTPUT, while keeping the existing separate file write "echo ${{
steps.generate.outcome }} > generate_outcome_${{ env.JOB_NAME }}" (or adapt that
second write if you want a single source of truth); update references to the
output key generate_outcome where needed.

In @.github/workflows/test-framework-v2-scala.yml:
- Line 21: Replace the pinned
actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde references with the
v5 release (preferably the full commit SHA for v5.1.0) to move from the old v1
runtime to the newer v5 Node.js 24 runtime; update each occurrence of the string
"uses: actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde" (found in
the workflow at the noted locations) to use the v5 commit SHA and ensure the
step includes the required with keys like distribution (temurin) and
java-version ('21').

In @.github/workflows/test-framework-v2-ts-angular-v5.yml:
- Line 126: 현재 워크플로에서 사용 중인 액션 참조 "uses:
actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e" (구버전 v1) 이
deprecated 되어 v4로 업그레이드해야 합니다; 해당 문자열을 "actions/setup-node@v4"로 교체하고 필요하면 최신 버전의
cache 설정 및 입력 파라미터(supplied node-version, cache: 'npm' 등) 문법이 변경되었는지(예: cache:
'npm' 또는 'yarn' 사용) 확인하여 워크플로가 정상 동작하도록 조정하세요.
- Line 60: Replace the deprecated hard-coded download artifact action refs with
the supported v4 major version and align artifact action versions: change the
occurrences of "uses:
actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281" (and the
similar lines at the other two occurrences) to "actions/download-artifact@v4"
and ensure any corresponding "actions/upload-artifact@..." usages in the
workflow are using the matching major version (v4) for compatibility.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 801277d and b4943a1.

📒 Files selected for processing (63)

• .github/workflows/test-framework-ada.yml
• .github/workflows/test-framework-clojure.yml
• .github/workflows/test-framework-dart.yml
• .github/workflows/test-framework-dotnet.yml
• .github/workflows/test-framework-elixir.yml
• .github/workflows/test-framework-go.yml
• .github/workflows/test-framework-java.yml
• .github/workflows/test-framework-js.yml
• .github/workflows/test-framework-lua.yml
• .github/workflows/test-framework-no-build.yml
• .github/workflows/test-framework-php.yml
• .github/workflows/test-framework-python.yml
• .github/workflows/test-framework-ruby.yml
• .github/workflows/test-framework-sbt.yml
• .github/workflows/test-framework-v2-ada.yml
• .github/workflows/test-framework-v2-inflector.yml
• .github/workflows/test-framework-v2-java-8-jersey2.yml
• .github/workflows/test-framework-v2-java-feign.yml
• .github/workflows/test-framework-v2-java-google-api.yml
• .github/workflows/test-framework-v2-java-jersey1.yml
• .github/workflows/test-framework-v2-java-jersey2.yml
• .github/workflows/test-framework-v2-java-okhttp-parcelable.yml
• .github/workflows/test-framework-v2-java-okhttp.yml
• .github/workflows/test-framework-v2-java-pkmst.yml
• .github/workflows/test-framework-v2-java-rest-assured.yml
• .github/workflows/test-framework-v2-java-resteasy.yml
• .github/workflows/test-framework-v2-java-resttemplate-with-xml.yml
• .github/workflows/test-framework-v2-java-resttemplate.yml
• .github/workflows/test-framework-v2-java-retrofit.yml
• .github/workflows/test-framework-v2-java-retrofit2-play24.yml
• .github/workflows/test-framework-v2-java-retrofit2-play25.yml
• .github/workflows/test-framework-v2-java-retrofit2.yml
• .github/workflows/test-framework-v2-java-retrofit2rx.yml
• .github/workflows/test-framework-v2-java-retrofit2rx2.yml
• .github/workflows/test-framework-v2-java-vertx.yml
• .github/workflows/test-framework-v2-javascript.yml
• .github/workflows/test-framework-v2-php.yml
• .github/workflows/test-framework-v2-python-asyncio.yml
• .github/workflows/test-framework-v2-python.yml
• .github/workflows/test-framework-v2-ruby.yml
• .github/workflows/test-framework-v2-scala.yml
• .github/workflows/test-framework-v2-ts-angular-v10.yml
• .github/workflows/test-framework-v2-ts-angular-v11.yml
• .github/workflows/test-framework-v2-ts-angular-v12.yml
• .github/workflows/test-framework-v2-ts-angular-v4.yml
• .github/workflows/test-framework-v2-ts-angular-v4_3.yml
• .github/workflows/test-framework-v2-ts-angular-v5.yml
• .github/workflows/test-framework-v2-ts-angular-v6.yml
• .github/workflows/test-framework-v2-ts-angular-v7.yml
• .github/workflows/test-framework-v2-ts-angular-v8.yml
• .github/workflows/test-framework-v2-ts-angular-v9.yml
• .github/workflows/test-framework-v3-java-feign.yml
• .github/workflows/test-framework-v3-java-inflector.yml
• .github/workflows/test-framework-v3-java-jersey1.yml
• .github/workflows/test-framework-v3-java-jersey2.yml
• .github/workflows/test-framework-v3-java-okhttp-gson.yml
• .github/workflows/test-framework-v3-java-resteasy.yml
• .github/workflows/test-framework-v3-java-resttemplate-withXml.yml
• .github/workflows/test-framework-v3-java-resttemplate.yml
• .github/workflows/test-framework-v3-java-retrofit.yml
• .github/workflows/test-framework-v3-java-retrofit2.yml
• .github/workflows/test-framework-v3-java-retrofit2rx.yml
• .github/workflows/test-generation-v2.yml

✅ Files skipped from review due to trivial changes (8)

• .github/workflows/test-framework-v2-java-okhttp-parcelable.yml
• .github/workflows/test-framework-v3-java-jersey1.yml
• .github/workflows/test-framework-v2-java-retrofit2rx.yml
• .github/workflows/test-framework-v2-ts-angular-v7.yml
• .github/workflows/test-framework-v2-ts-angular-v12.yml
• .github/workflows/test-framework-v2-java-jersey1.yml
• .github/workflows/test-framework-v3-java-okhttp-gson.yml
• .github/workflows/test-framework-java.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/test-framework-v2-ada.yml
• .github/workflows/test-generation-v2.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the workflow file
cat -n .github/workflows/test-framework-elixir.yml | head -50

Repository: Buzzvil/swagger-codegen

Length of output: 1871

---

🏁 Script executed:

# Let's also check what actions are pinned in this file
rg "uses: actions/" .github/workflows/test-framework-elixir.yml -A 0

Repository: Buzzvil/swagger-codegen

Length of output: 1313

---

🏁 Script executed:

#!/bin/bash
# Verify SHAs against version tags using curl to GitHub API

echo "=== Checking actions/checkout v2 ==="
CHECKOUT_V2=$(curl -s https://api.github.com/repos/actions/checkout/git/refs/tags/v2 | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "Repository tag v2 SHA: $CHECKOUT_V2"
echo "Pinned SHA: ee0669bd1cc54295c223e0bb666b733df41de1c5"
echo "Match: $([ "$CHECKOUT_V2" = "ee0669bd1cc54295c223e0bb666b733df41de1c5" ] && echo 'YES' || echo 'NO')"

echo ""
echo "=== Checking actions/setup-java v1 ==="
SETUPJAVA_V1=$(curl -s https://api.github.com/repos/actions/setup-java/git/refs/tags/v1 | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "Repository tag v1 SHA: $SETUPJAVA_V1"
echo "Pinned SHA: b6e674f4b717d7b0ae3baee0fbe79f498905dfde"
echo "Match: $([ "$SETUPJAVA_V1" = "b6e674f4b717d7b0ae3baee0fbe79f498905dfde" ] && echo 'YES' || echo 'NO')"

Repository: Buzzvil/swagger-codegen

Length of output: 317

---

🌐 Web query:

actions/checkout v2 github release ee0669bd1cc54295c223e0bb666b733df41de1c5

💡 Result:

Commit ee0669bd1cc54295c223e0bb666b733df41de1c5 (short ee0669b) in actions/checkout is the change “Add new public key for known_hosts” authored Mar 24, 2023. [1]

That commit is the only commit in the diff v2.6.0...v2.7.0, so actions/checkout@v2 resolving to this SHA corresponds to the v2.7.0 release/tag. [2][3]

Sources: [1] [2] [3]

---

🌐 Web query:

actions/setup-java v1 github release b6e674f4b717d7b0ae3baee0fbe79f498905dfde

💡 Result:

Commit b6e674f4b717d7b0ae3baee0fbe79f498905dfde in actions/setup-java is the commit for the v1.4.4 release (dated March 29, 2023). The moving major tag v1 also points to the same commit. [1]

It’s the commit titled “Update actions/core for releases/v1 (#467)”. [2]

Sources: [1] [2]

---

🌐 Web query:

actions/upload-artifact v2 github release 82c141cc518b40d92cc801eee768e7aafc9c2fa2

💡 Result:

The commit 82c141cc518b40d92cc801eee768e7aafc9c2fa2 corresponds to actions/upload-artifact v2.3.1 (released Dec 15, 2021). The floating major tag v2 also points to the same commit. [1]

Note: GitHub deprecated v1/v2 of the artifact actions effective June 30, 2024, so using actions/upload-artifact@v2 after that date will fail on GitHub.com-hosted Actions. [2]

Sources:
[1] actions/upload-artifact tags page (shows v2.3.1 and v2 at commit 82c141c) (github.com)
[2] GitHub Changelog: “Deprecation notice: v1 and v2 of the artifact actions” (github.blog)

Citations:

• 1: https://github.com/actions/upload-artifact/tags?after=v3.1.3
• 2: https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/?utm_source=openai

---

🌐 Web query:

actions/download-artifact v2 github release cbed621e49e4c01b044d60f6c80ea4ed6328b281

💡 Result:

The commit cbed621e49e4c01b044d60f6c80ea4ed6328b281 in actions/download-artifact is the v2.1.1 release commit, and it’s also what the floating major tag v2 points to. [1], [2]

That commit’s title is “Upgrade @actions/core to 1.10.0 for v2 (#210)”. [1]

Note: GitHub deprecated v1 and v2 of actions/download-artifact effective June 30, 2024 (workflows using them may fail after that date). [3]

---

사용 중인 artifact 액션 버전이 더 이상 지원되지 않습니다.

고정된 SHA는 명시된 버전 태그와 실제로 일치합니다. 그러나 더 중요한 문제가 있습니다:

• actions/upload-artifact@v2 (commit 82c141c): v2.3.1 - 2024년 6월 30일 이후 GitHub 호스팅 러너에서 더 이상 작동하지 않음
• actions/download-artifact@v2 (commit cbed621): v2.1.1 - 2024년 6월 30일 이후 GitHub 호스팅 러너에서 더 이상 작동하지 않음

actions/upload-artifact@v4 및 actions/download-artifact@v4로 업그레이드하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-elixir.yml around lines 40 - 41, The
workflow is using deprecated pinned SHAs for the artifact actions; replace
usages of actions/upload-artifact@<sha> and actions/download-artifact@<sha> with
the supported major tag actions/upload-artifact@v4 and
actions/download-artifact@v4 (remove the fixed commit SHAs), and verify any step
inputs remain compatible after the upgrade (adjust step names that reference
upload/download artifact steps if needed).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && cat -n /github/workspace/.github/workflows/test-framework-lua.yml | head -50

Repository: Buzzvil/swagger-codegen

Length of output: 157

---

🏁 Script executed:

# Check the structure of the repository first
ls -la /github/workspace/.github/workflows/ 2>/dev/null || echo "Checking for workflow files..."
find /github/workspace -name "test-framework-lua.yml" -type f 2>/dev/null | head -5

Repository: Buzzvil/swagger-codegen

Length of output: 97

---

🏁 Script executed:

# Query GitHub API to verify SHA commits for the actions mentioned
# Verify actions/checkout v2 SHA
curl -s "https://api.github.com/repos/actions/checkout/git/refs/tags/v2" 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print(f'checkout v2 SHA: {data.get(\"object\", {}).get(\"sha\", \"N/A\")}')" || echo "checkout v2: verification attempt"

# Verify actions/setup-java v1 SHA  
curl -s "https://api.github.com/repos/actions/setup-java/git/refs/tags/v1" 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print(f'setup-java v1 SHA: {data.get(\"object\", {}).get(\"sha\", \"N/A\")}')" || echo "setup-java v1: verification attempt"

# Check if v3 and v4 exist for actions/checkout
curl -s "https://api.github.com/repos/actions/checkout/git/refs/tags/v3" 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print('checkout v3: EXISTS' if 'object' in data else 'checkout v3: NOT FOUND')" || echo "checkout v3: check"

curl -s "https://api.github.com/repos/actions/checkout/git/refs/tags/v4" 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print('checkout v4: EXISTS' if 'object' in data else 'checkout v4: NOT FOUND')" || echo "checkout v4: check"

# Check if v3 and v4 exist for actions/setup-java
curl -s "https://api.github.com/repos/actions/setup-java/git/refs/tags/v3" 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print('setup-java v3: EXISTS' if 'object' in data else 'setup-java v3: NOT FOUND')" || echo "setup-java v3: check"

curl -s "https://api.github.com/repos/actions/setup-java/git/refs/tags/v4" 2>/dev/null | python3 -c "import sys, json; data=json.load(sys.stdin); print('setup-java v4: EXISTS' if 'object' in data else 'setup-java v4: NOT FOUND')" || echo "setup-java v4: check"

Repository: Buzzvil/swagger-codegen

Length of output: 206

---

🌐 Web query:

actions/checkout GitHub releases current version 2024 2025 2026

💡 Result:

Current (latest) actions/checkout release (as of Feb 23, 2026): v6.0.2 — released Jan 9, 2026. [1][2]

Releases in 2026

• v6.0.2 — Jan 9, 2026 [1][2]

Releases in 2025 (highlights)

• v6.0.1 — Dec 2, 2025 [2]
• v6.0.0 — Nov 20, 2025 [2]
• v5.0.1 — Nov 13, 2025 [2]
• v5.0.0 — Aug 11, 2025 [2]

Releases in 2024 (highlights)

• v4.2.2 — Oct 23, 2024 [2]
• v4.2.1 — Oct 7, 2024 [2]
• v4.2.0 — Sep 25, 2024 [2]
• v4.1.7 — Jun 12, 2024 [2]
• (also: v4.1.6 May 16, v4.1.5 Apr 30, v4.1.4 Apr 24, v4.1.3 Apr 18, v4.1.2 Mar 12) [2]

Recommended workflow pin: uses: actions/checkout@v6 (major tag), or pin a specific version like @v6.0.2. [2]

Sources: GitHub release page for v6.0.2 [1] and a dated release index covering 2024–2026 [2].

---

🌐 Web query:

actions/setup-java GitHub releases current version 2024 2025 2026

💡 Result:

As of Feb 23, 2026, the current (latest) release of actions/setup-java is v5.2.0 (released Jan 22). [1]

Recent release line (for 2024–2026 timeframe context on the repo’s Releases page):

• v5.2.0 — Jan 22 (latest) [1]
• v5.1.0 — Dec 4 [2]
• v5.0.0 — Aug 21 [3]
• v4.8.0 — Dec 4 [3]

Notes:

• The recommended major tag to use in workflows is actions/setup-java@v5 (it will float to the latest v5.x.y). [4]

Sources
[1] https://github.com/actions/setup-java/releases/tag/v5.2.0
[2] https://github.com/actions/setup-java/releases/tag/v5.1.0
[3] https://github.com/actions/setup-java/releases
[4] https://github.com/actions/setup-java

---

🏁 Script executed:

# Let's try to find the workflow file in the repository
find /github/workspace -name "*.yml" -o -name "*.yaml" | grep -i workflow | head -20

Repository: Buzzvil/swagger-codegen

Length of output: 119

---

SHA 고정 방식은 좋으나, 사용 중인 액션 버전이 매우 구식입니다.

SHA 고정은 공급망 보안을 위한 올바른 접근 방식입니다. 다만, 현재 고정하고 있는 버전들이 매우 오래되었습니다:

• actions/checkout v2 → 현재 v6.0.2 사용 가능 (2026년 1월 릴리스)
• actions/setup-java v1 → 현재 v5.2.0 사용 가능 (2026년 1월 릴리스)

구버전 액션은 보안 패치가 누락되었을 수 있으므로, SHA 고정과 함께 최신 버전으로 업그레이드하는 것을 권장합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-lua.yml around lines 40 - 41, The workflow
pins very old action SHAs for actions/checkout and actions/setup-java; update
the pinned SHAs to the latest stable releases (e.g., actions/checkout v6 and
actions/setup-java v5) by replacing the current commit SHAs used for uses:
actions/checkout@... and uses: actions/setup-java@... with the corresponding SHA
or tag for the current v6.x and v5.x releases, keeping SHA pinning for
supply-chain security and verifying the new SHAs match the official GitHub
releases for actions/checkout and actions/setup-java before committing.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test-framework-lua.yml | sed -n '60,65p;105,115p;116,120p;169,178p'

Repository: Buzzvil/swagger-codegen

Length of output: 1761

---

🌐 Web query:

actions/upload-artifact v2 Node.js 12 deprecated GitHub

💡 Result:

actions/upload-artifact@v2 is deprecated because it’s one of the older “artifact actions” versions (v1/v2) and it’s part of the broader GitHub Actions move away from Node.js 12–based actions (Node 12 went out of support and GitHub began migrating actions to Node 16 starting in 2022) [3]. GitHub formally deprecated artifact actions v1 and v2 effective June 30, 2024; using them after that date can fail workflow runs [2]. The upload-artifact repo also warns that you should update workflows to the current major version of the artifact actions (v4+) [1].

What to do:

• Update your workflow from:
  • uses: actions/upload-artifact@v2
    to:
  • uses: actions/upload-artifact@v4 (or newer), aligning with the newer artifact backend released as Artifact actions v4 (GA) [4].
• If you’re on GitHub Enterprise Server (GHES), note that v4 support depends on your GHES version; the action repo notes GHES constraints and suggests using v3 in some GHES cases [1].

---

🌐 Web query:

actions/upload-artifact current version v4 available

💡 Result:

Yes—actions/upload-artifact@v4 is available (the repo maintains a floating @v4 tag, currently pointing to the latest v4.x release, e.g. v4.6.2). [1]

However, the current latest major version is v6 (tag v6.0.0 dated Dec 12, 2025, and a floating @v6 tag). [1] The repo README also documents “v6 – What’s new” (Node.js 24) and “v4 – What’s new”. [2]

Typical usage (GitHub.com):

• uses: actions/upload-artifact@v6 (latest major) [1]
• uses: actions/upload-artifact@v4 (stay on v4.x) [1]

Note: upload-artifact@v4+ is not supported on GitHub Enterprise Server (GHES) per the README (use v3/v3-node20 there). [2]

Sources: [1] [2]

---

actions/upload-artifact@v2 업데이트 필수

이 액션은 2024년 6월 30일 이후 GitHub에서 공식 지원 중단되었습니다. v2는 Node.js 12 런타임을 사용하며, 현재는 워크플로우 실패를 유발할 수 있습니다. 현재 사용 가능한 최신 버전은 v6입니다. 모든 참조 라인(62, 107, 112, 118, 171, 176)을 v4 이상으로 업데이트하세요. GitHub Enterprise Server를 사용하는 경우 v3 또는 v3-node20을 사용하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-lua.yml at line 62, Update all occurrences
of the deprecated actions/upload-artifact@v2 usage to a supported major version:
replace the action string
"actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2" (and any
other uses of actions/upload-artifact@v2) with a v4-or-later tag (prefer v6 for
GitHub.com). If this repository runs on GitHub Enterprise Server, use
actions/upload-artifact@v3 or actions/upload-artifact@v3-node20 instead. Ensure
you update every occurrence of the action reference in the workflow (all places
using actions/upload-artifact@v2) so the runtime is not tied to the deprecated
Node 12 image.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Find and examine the workflow file
fd -t f "test-framework-lua.yml" --exec cat -n {} \;

Repository: Buzzvil/swagger-codegen

Length of output: 49

---

🌐 Web query:

actions/download-artifact v2 SHA cbed621e49e4c01b044d60f6c80ea4ed6328b281

💡 Result:

cbed621e49e4c01b044d60f6c80ea4ed6328b281 is a commit in the actions/download-artifact repo (short SHA cbed621) titled “Upgrade @actions/core to 1.10.0 for v2 (#210)”—i.e., a commit associated with the v2 line of the action. [1]

Note: GitHub deprecated v1/v2 of actions/download-artifact effective June 30, 2024 (workflows may fail if still using them after that date). [2]

Sources: [1] [2]

---

🌐 Web query:

actions/download-artifact latest version v4

💡 Result:

For actions/download-artifact, the latest release within major v4 is v4.3.0 (released April 24, 2024). [1]

• Recommended pin (keeps you on latest v4.x.x): uses: actions/download-artifact@v4 (currently resolves to v4.3.0). [1]
• Exact pin: uses: actions/download-artifact@v4.3.0. [1]

Note: the action has newer major versions (the README currently documents up through v7), but those are not v4. [2]

Sources: [1] [2]

---

🏁 Script executed:

# List all files in .github/workflows directory
git ls-files ".github/workflows/" | head -20

Repository: Buzzvil/swagger-codegen

Length of output: 953

---

🏁 Script executed:

# Search for any occurrence of "download-artifact" in the repository
rg "download-artifact" --type yaml

Repository: Buzzvil/swagger-codegen

Length of output: 49

---

🏁 Script executed:

# Read the test-framework-lua.yml file
cat -n ".github/workflows/test-framework-lua.yml"

Repository: Buzzvil/swagger-codegen

Length of output: 8188

---

actions/download-artifact v2 지원 종료 - 즉시 v4로 업그레이드 필요

actions/download-artifact@v2는 2024년 6월 30일부로 지원이 종료되었으며, 워크플로우가 실패할 수 있습니다. 다음 세 위치에서 v4.3.0으로 업그레이드하세요:

• 라인 90
• 라인 140
• 라인 145

또한 같은 파일의 actions/upload-artifact@v2(라인 62, 107, 112, 118, 171, 176)도 동일한 이유로 v4로 업그레이드하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-lua.yml at line 90, Replace deprecated
GitHub Action versions: update every occurrence of actions/download-artifact@...
(e.g., the instance shown as actions/download-artifact@cbed621e...) to
actions/download-artifact@v4.3.0 (update at the three spots the reviewer noted),
and update every occurrence of actions/upload-artifact@... to the v4 series
(actions/upload-artifact@v4) at the listed locations; ensure you change the
version string only and keep the action names intact so the workflow uses the
supported v4 release.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify shivammathur/setup-php v2 tag and SHA

# First, let's search for information about this action version
curl -s https://api.github.com/repos/shivammathur/setup-php/git/refs/tags/v2 | python3 -m json.tool 2>/dev/null || echo "Direct API call failed, trying alternative method..."

# Also check the commit information
echo ""
echo "=== Checking commit hash ==="
curl -s https://api.github.com/repos/shivammathur/setup-php/commits/d59004228537ca90c8dca680592a08a675bf52b6 | python3 -c "import sys, json; data = json.load(sys.stdin); print(f'Commit SHA: {data.get(\"sha\", \"N/A\")}'); print(f'Message: {data.get(\"commit\", {}).get(\"message\", \"N/A\")[:100]}')" 2>/dev/null || echo "Commit not found or API error"

# Check latest tags
echo ""
echo "=== Latest tags for shivammathur/setup-php ==="
curl -s 'https://api.github.com/repos/shivammathur/setup-php/tags?per_page=10' | python3 -c "import sys, json; tags = json.load(sys.stdin); [print(f'{t[\"name\"]}: {t[\"commit\"][\"sha\"][:12]}') for t in tags[:5]]" 2>/dev/null || echo "Unable to fetch tags"

Repository: Buzzvil/swagger-codegen

Length of output: 248

---

🌐 Web query:

shivammathur/setup-php v2 GitHub action release

💡 Result:

shivammathur/setup-php@v2 is a rolling major tag that tracks the latest v2.x release (it’s kept in sync with the newest minor/patch release) [2].

As of the latest GitHub release, the current v2 release is 2.36.0, published 2025-11-26 (“Latest” on the releases page) [1]. Therefore, using uses: shivammathur/setup-php@v2 will currently resolve to v2.36.0 [1][2].

Sources: [1] [2]

---

🌐 Web query:

shivammathur/setup-php d59004228537ca90c8dca680592a08a675bf52b6 commit release

💡 Result:

I couldn’t determine a “release” for commit d59004228537ca90c8dca680592a08a675bf52b6 because that SHA does not appear to exist in the public shivammathur/setup-php repository on GitHub: attempting to open the commit (and tree view) returns 404 Not Found. [1], [2]

This usually means one of these is true:

• the SHA is mistyped / from a different repo or fork
• it’s from a rewritten history (force-push) and no longer exists on GitHub
• it’s from a private/internal mirror

If you paste the workflow line that references this SHA (the uses: shivammathur/setup-php@... line) or confirm the correct SHA (even the short 7–12 chars), I can re-check which tag/release contains it. [3]

Sources: [1] [2] [3]

---

shivammathur/setup-php 액션의 SHA가 유효하지 않습니다.

지정된 SHA d59004228537ca90c8dca680592a08a675bf52b6는 shivammathur/setup-php 공개 저장소에 존재하지 않습니다. 이 커밋을 참조할 때 GitHub이 404 오류를 반환하므로, 워크플로우 실행 시 이 액션을 사용할 수 없습니다.

올바른 SHA를 확인하여 수정하거나, 대신 shivammathur/setup-php@v2 태그를 사용하세요. 현재 v2의 최신 릴리스는 v2.36.0입니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-php.yml at line 161, 지정된 액션 식별자
shivammathur/setup-php@d59004228537ca90c8dca680592a08a675bf52b6가 존재하지 않아 404가
발생하므로, 해당 문자열을 올바른 태그나 유효한 커밋 SHA로 교체하세요; 예를 들어 shivammathur/setup-php@v2 또는 특정
릴리스 shivammathur/setup-php@v2.36.0로 변경하거나, 만약 커밋 SHA로 고정하려면
shivammathur/setup-php 저장소에서 실제 존재하는 커밋 해시를 확인해 그 SHA로 바꿔 사용하도록 업데이트하십시오.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

actions/checkout GitHub Actions latest version 2024 2025

💡 Result:

• Latest release in 2024: actions/checkout@v4.2.2 (published Oct 23, 2024) [1]
• Latest release in 2025: actions/checkout@v6.0.1 (published Dec 2, 2025) [2]
• For reference (current latest overall): actions/checkout@v6.0.2 (published Jan 9, 2026) [3]

Recommended pinning: use the major tag (e.g., uses: actions/checkout@v6) to automatically get compatible minor/patch updates within that major version [3].

Sources:
[1] https://github.com/actions/checkout/releases (v4.2.2)
[2] https://github.com/actions/checkout/releases (v6.0.1)
[3] https://github.com/actions/checkout/releases (v6.0.2 “Latest”)

---

🌐 Web query:

actions/setup-java deprecation status v1 v2 v3 v4

💡 Result:

• actions/setup-java@v1: runs on Node.js 12 (runs.using: node12) → effectively deprecated because Node 12 is long EOL; upgrade. [1]
• actions/setup-java@v2: runs on Node.js 12 (runs.using: node12) → same situation; upgrade. [2]
• actions/setup-java@v3: runs on Node.js 16 (runs.using: node16) → should be upgraded because GitHub Actions has been moving off Node 16 to newer runtimes. [3]
• actions/setup-java@v4: runs on Node.js 20 (runs.using: node20). [4] Node 20 itself is now in GitHub Actions’ deprecation process: runners switch to Node 24 by default on March 4, 2026, with Node 20 only opt-out until it’s removed later in summer 2026. [5]
• Current direction: setup-java v5 upgrades the action runtime from node20 to node24. [6]

Practical takeaway: use actions/setup-java@v5 (or at least @v4) rather than v1/v2/v3. [6]

Sources:
[1] https://raw.githubusercontent.com/actions/setup-java/v1/action.yml
[2] https://raw.githubusercontent.com/actions/setup-java/v2/action.yml
[3] https://raw.githubusercontent.com/actions/setup-java/v3/action.yml
[4] https://raw.githubusercontent.com/actions/setup-java/v4/action.yml
[5] https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
[6] https://github.com/actions/setup-java

---

🌐 Web query:

actions/upload-artifact actions/download-artifact v2 deprecated v3 v4 latest

💡 Result:

• actions/upload-artifact@v1 / @v2: deprecated June 30, 2024 (using them after that date causes workflow failures). [1]
• actions/upload-artifact@v3 and actions/download-artifact@v3: deprecated; GitHub.com stopped supporting them January 30, 2025. [2]
• Use v4+ (recommended): Artifacts v4 became GA Dec 14, 2023, with major behavior/perf changes; v4 is not compatible with artifacts uploaded by v3 and earlier. [3]

Latest major versions (current as of Feb 23, 2026):

• Upload: actions/upload-artifact@v6 (Node.js 24 runtime; see v6.0.0 release). [4]
• Download: actions/download-artifact@v7 (Node.js 24 runtime; see v7.0.0 release). [5]

GHES note: the action READMEs state @v4+ is not supported on GitHub Enterprise Server (GHES) (use the v3 variants there). [4][6]

Sources:
[1] https://github.blog/changelog/2024-02-13-deprecation-notice-v1-and-v2-of-the-artifact-actions/
[2] https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
[3] https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/
[4] https://github.com/actions/upload-artifact/releases (v6.0.0)
[5] https://github.com/actions/download-artifact/releases (v7.0.0)
[6] https://github.com/actions/download-artifact (README GHES note)

---

🌐 Web query:

actions/setup-python latest version v4 v5 2024 2025

💡 Result:

• Current latest major (as of Feb 23, 2026): actions/setup-python@v6 — latest release is v6.2.0 (Jan 22, 2026). [1][2]
• Latest v5 line (the “latest” you’d typically use in 2024–2025): actions/setup-python@v5 — v5.x releases include v5.6.0 (Apr 24, 2025). [1]
• v4 line: actions/setup-python@v4 — last v4 release shown is v4.9.1 (Apr 17, 2025). [1]

Notes:

• v6 includes a breaking change: runtime upgrade from Node 20 to Node 24 (runner needs v2.327.1+). [3]

Recommended usage (pin to major):

- uses: actions/setup-python@v6

Sources: GitHub Releases for actions/setup-python [1], mirror activity confirming v6.2.0 publish date [2], repo README “Breaking changes in V6” [3].

---

🏁 Script executed:

#!/bin/bash
# Verify SHA-to-version mapping for pinned GitHub Actions

echo "=== Verifying pinned SHAs match commented versions ==="

# Check actions/checkout v2
echo -e "\n[actions/checkout]"
echo "Pinned SHA: ee0669bd1cc54295c223e0bb666b733df41de1c5 (commented as v2)"
CHECKOUT_V2_SHA=$(curl -s "https://api.github.com/repos/actions/checkout/git/refs/tags/v2" 2>/dev/null | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "v2 SHA from GitHub: ${CHECKOUT_V2_SHA:-unavailable}"
[[ "$CHECKOUT_V2_SHA" == "ee0669bd1cc54295c223e0bb666b733df41de1c5" ]] && echo "✓ SHA matches v2" || echo "✗ SHA mismatch"

# Check latest version
CHECKOUT_LATEST=$(curl -s "https://api.github.com/repos/actions/checkout/releases/latest" 2>/dev/null | grep '"tag_name"' | head -1 | grep -o 'v[0-9]*' | head -1)
echo "Latest version: ${CHECKOUT_LATEST:-unavailable}"

# Check actions/setup-java v1
echo -e "\n[actions/setup-java]"
echo "Pinned SHA: b6e674f4b717d7b0ae3baee0fbe79f498905dfde (commented as v1)"
JAVA_V1_SHA=$(curl -s "https://api.github.com/repos/actions/setup-java/git/refs/tags/v1" 2>/dev/null | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "v1 SHA from GitHub: ${JAVA_V1_SHA:-unavailable}"
[[ "$JAVA_V1_SHA" == "b6e674f4b717d7b0ae3baee0fbe79f498905dfde" ]] && echo "✓ SHA matches v1" || echo "✗ SHA mismatch"

# Check latest version
JAVA_LATEST=$(curl -s "https://api.github.com/repos/actions/setup-java/releases/latest" 2>/dev/null | grep '"tag_name"' | head -1 | grep -o 'v[0-9]*' | head -1)
echo "Latest version: ${JAVA_LATEST:-unavailable}"

# Check actions/upload-artifact v2
echo -e "\n[actions/upload-artifact]"
echo "Pinned SHA: 82c141cc518b40d92cc801eee768e7aafc9c2fa2 (commented as v2)"
UPLOAD_V2_SHA=$(curl -s "https://api.github.com/repos/actions/upload-artifact/git/refs/tags/v2" 2>/dev/null | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "v2 SHA from GitHub: ${UPLOAD_V2_SHA:-unavailable}"
[[ "$UPLOAD_V2_SHA" == "82c141cc518b40d92cc801eee768e7aafc9c2fa2" ]] && echo "✓ SHA matches v2" || echo "✗ SHA mismatch"

# Check latest version
UPLOAD_LATEST=$(curl -s "https://api.github.com/repos/actions/upload-artifact/releases/latest" 2>/dev/null | grep '"tag_name"' | head -1 | grep -o 'v[0-9]*' | head -1)
echo "Latest version: ${UPLOAD_LATEST:-unavailable}"

# Check actions/download-artifact v2
echo -e "\n[actions/download-artifact]"
echo "Pinned SHA: cbed621e49e4c01b044d60f6c80ea4ed6328b281 (commented as v2)"
DOWNLOAD_V2_SHA=$(curl -s "https://api.github.com/repos/actions/download-artifact/git/refs/tags/v2" 2>/dev/null | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "v2 SHA from GitHub: ${DOWNLOAD_V2_SHA:-unavailable}"
[[ "$DOWNLOAD_V2_SHA" == "cbed621e49e4c01b044d60f6c80ea4ed6328b281" ]] && echo "✓ SHA matches v2" || echo "✗ SHA mismatch"

# Check latest version
DOWNLOAD_LATEST=$(curl -s "https://api.github.com/repos/actions/download-artifact/releases/latest" 2>/dev/null | grep '"tag_name"' | head -1 | grep -o 'v[0-9]*' | head -1)
echo "Latest version: ${DOWNLOAD_LATEST:-unavailable}"

# Check actions/setup-python v2
echo -e "\n[actions/setup-python]"
echo "Pinned SHA: e9aba2c848f5ebd159c070c61ea2c4e2b122355e (commented as v2)"
PYTHON_V2_SHA=$(curl -s "https://api.github.com/repos/actions/setup-python/git/refs/tags/v2" 2>/dev/null | grep -o '"sha":"[^"]*' | cut -d'"' -f4)
echo "v2 SHA from GitHub: ${PYTHON_V2_SHA:-unavailable}"
[[ "$PYTHON_V2_SHA" == "e9aba2c848f5ebd159c070c61ea2c4e2b122355e" ]] && echo "✓ SHA matches v2" || echo "✗ SHA mismatch"

# Check latest version
PYTHON_LATEST=$(curl -s "https://api.github.com/repos/actions/setup-python/releases/latest" 2>/dev/null | grep '"tag_name"' | head -1 | grep -o 'v[0-9]*' | head -1)
echo "Latest version: ${PYTHON_LATEST:-unavailable}"

Repository: Buzzvil/swagger-codegen

Length of output: 973

---

SHA 고정(pinning)을 통한 공급망 보안 강화는 좋은 접근입니다.

GitHub Actions를 커밋 SHA로 고정하여 상위 스트림의 예기치 않은 변경이나 공급망 공격으로부터 보호하는 것은 보안 모범 사례입니다.

하지만 더 심각한 문제가 있습니다. 현재 고정된 버전들은 단순히 "오래된" 것을 넘어 지원이 중단되었거나 더 이상 작동하지 않습니다:

• actions/upload-artifact@v2 및 actions/download-artifact@v2: 2024년 6월 30일 이후로 완전히 deprecated되었으며, 이 날짜 이후 워크플로우는 실패합니다. 현재 최신 버전은 v6 및 v7입니다.
• actions/setup-java@v1: Node.js 12에서 실행되는데, Node 12는 2022년 4월부터 종료되었습니다. 현재 권장되는 버전은 v5(Node 24 런타임)입니다.
• actions/checkout@v2: 현재 최신 버전은 v6.0.2(2026년 1월)입니다.
• actions/setup-python@v2: 현재 최신 버전은 v6.2.0(2026년 1월)입니다.

필수 조치: deprecated된 v2 아티팩트 액션과 EOL Node 런타임을 사용하는 액션을 최신 버전의 SHA로 업그레이드하세요. SHA 고정의 보안 이점을 유지하면서 지원되는 버전을 사용해야 합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-python-asyncio.yml around lines 20 - 21,
Update the pinned GitHub Action SHAs to supported, non-deprecated releases while
keeping SHA pinning: replace the current pins for actions/checkout,
actions/setup-java, actions/upload-artifact, actions/download-artifact, and
actions/setup-python with SHAs corresponding to their latest supported versions
(e.g., checkout v6, setup-java v5, upload-artifact/download-artifact v6+ or v7
as appropriate, setup-python v6.2.0) so the workflow uses maintained runtimes
and non-deprecated actions; ensure you fetch the official release commit SHAs
from each action's GitHub releases and substitute them in place of the existing
pinned SHAs in the workflow.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test-framework-v2-scala.yml | head -65

Repository: Buzzvil/swagger-codegen

Length of output: 2324

---

🌐 Web query:

actions/checkout v2 github release sha commit hash

💡 Result:

actions/checkout@v2 currently resolves to commit ee0669bd1cc54295c223e0bb666b733df41de1c5 (tag v2, dated Mar 24, 2023). [1][2]

---

🌐 Web query:

actions/upload-artifact v2 github release sha

💡 Result:

For actions/upload-artifact@v2, the v2 tag currently points to commit SHA:

82c141cc518b40d92cc801eee768e7aafc9c2fa2 [1][2]

---

🌐 Web query:

actions/download-artifact v2 github release sha

💡 Result:

actions/download-artifact@v2 currently resolves to commit cbed621e49e4c01b044d60f6c80ea4ed6328b281 (the v2 tag points at the same commit as v2.1.1). [1][2]

To pin by SHA:

- uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281

Note: v2 is deprecated and (on GitHub.com) usage after June 30, 2024 is expected to fail; upgrade to a newer major version instead. [3]

Sources: [1] [2] [3]

---

더 이상 지원되지 않는 deprecated 버전 사용 중

GitHub Actions v2 버전들이 2024년 6월 30일 이후 사용 불가능하도록 설정되었습니다. 현재 워크플로우가 사용 중인 모든 액션을 최신 주요 버전으로 업그레이드해야 합니다:

• actions/checkout@v4 이상
• actions/upload-artifact@v4 이상
• actions/download-artifact@v4 이상

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-scala.yml at line 20, 워크플로우에서 더 이상 지원되지
않는 actions 버전(예: uses:
actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5) 을 사용하고 있으므로 모든 GitHub
Action 참조를 최신 주요 릴리스로 업그레이드하라; 구체적으로 파일의 uses: actions/checkout@... 을
actions/checkout@v4 이상으로 바꾸고, uses: actions/upload-artifact@... 및 uses:
actions/download-artifact@... 도 각각 actions/upload-artifact@v4 이상,
actions/download-artifact@v4 이상으로 업데이트하도록 수정하라.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify SHA corresponds to claimed versions and check latest versions

echo "=== Verifying actions/checkout v2 SHA ==="
curl -s "https://api.github.com/repos/actions/checkout/git/ref/tags/v2" | jq -r '.object.sha' 2>/dev/null || echo "Error fetching"

echo "=== Verifying actions/setup-java v1 SHA ==="
curl -s "https://api.github.com/repos/actions/setup-java/git/ref/tags/v1" | jq -r '.object.sha' 2>/dev/null || echo "Error fetching"

echo "=== Verifying actions/upload-artifact v2 SHA ==="
curl -s "https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v2" | jq -r '.object.sha' 2>/dev/null || echo "Error fetching"

echo ""
echo "=== Verifying actions/download-artifact v2 SHA ==="
curl -s "https://api.github.com/repos/actions/download-artifact/git/ref/tags/v2" | jq -r '.object.sha' 2>/dev/null || echo "Error fetching"

echo ""
echo "=== Verifying actions/setup-node v1 SHA ==="
curl -s "https://api.github.com/repos/actions/setup-node/git/ref/tags/v1" | jq -r '.object.sha' 2>/dev/null || echo "Error fetching"

echo ""
echo "=== Checking latest major versions ==="
echo "Latest checkout:"
curl -s "https://api.github.com/repos/actions/checkout/releases/latest" | jq -r '.tag_name' 2>/dev/null || echo "Error"

echo "Latest setup-java:"
curl -s "https://api.github.com/repos/actions/setup-java/releases/latest" | jq -r '.tag_name' 2>/dev/null || echo "Error"

echo "Latest upload-artifact:"
curl -s "https://api.github.com/repos/actions/upload-artifact/releases/latest" | jq -r '.tag_name' 2>/dev/null || echo "Error"

echo "Latest download-artifact:"
curl -s "https://api.github.com/repos/actions/download-artifact/releases/latest" | jq -r '.tag_name' 2>/dev/null || echo "Error"

echo "Latest setup-node:"
curl -s "https://api.github.com/repos/actions/setup-node/releases/latest" | jq -r '.tag_name' 2>/dev/null || echo "Error"

Repository: Buzzvil/swagger-codegen

Length of output: 493

---

🌐 Web query:

GitHub Actions checkout v4 latest version 2025

💡 Result:

As of Feb 23, 2026, the latest actions/checkout v4 release is v4.3.1 (published Nov 17, 2025). [1]

Recommended usage

• Pin to the major (auto-gets the latest v4 patch): uses: actions/checkout@v4 [2]
• Or pin exactly for full reproducibility: uses: actions/checkout@v4.3.1 [1]

Sources: [1] [2]

---

🌐 Web query:

actions/setup-java v1 deprecated security vulnerabilities 2025

💡 Result:

• actions/setup-java@v1 is legacy/deprecated: the current actions/setup-java documentation describes v1 vs v2 and directs users to newer major versions (today, @v5) with expanded distro support and ongoing maintenance. Using @v1 means you’re missing years of fixes/features. [1]
• Security/maintenance risk: older major versions of Actions commonly shipped on end-of-life Node runtimes. GitHub deprecated Node 12 (EOL April 2022) and enforced Node 16 for Actions starting June 14, 2023; relying on old action majors like @v1 increases the chance you’re stuck on unmaintained code paths or breakages as runtimes are removed. [2]
• 2025 supply-chain context (why “deprecated” matters): CISA warned about active exploitation of compromised third‑party Actions in March 2025 (including a compromise of a mutable @v1 tag in reviewdog/action-setup@v1), reinforcing best practice to avoid floating tags and pin actions to a commit SHA. [3]

Recommended remediation: replace actions/setup-java@v1 with a supported major (typically actions/setup-java@v5) and pin to a commit SHA for high-assurance workflows. [1][3]

Sources: [1] actions/setup-java repo docs, [2] GitHub Changelog (Node12→Node16 enforcement), [3] CISA alert on GitHub Action supply-chain compromise.

---

🌐 Web query:

actions/upload-artifact v2 v4 deprecation schedule

💡 Result:

GitHub Actions actions/upload-artifact deprecation schedule (v2 → v4)

• v1 and v2: deprecated June 30, 2024 (using them after this date causes workflow failures). [1]
• v3: deprecated January 30, 2025 (using it after this date causes workflow failures). [2]
• v4: current/supported replacement (released Dec 14, 2023). [1]

Notes:

• Version tags are not removed, but runs will fail if you use a deprecated major version after its cutoff date. [1][2]
• This does not affect existing GitHub Enterprise Server (GHES) versions. [1][3]

Sources: GitHub Changelog + action repo warning. [1][2][3]

---

사용 중인 GitHub Actions 버전이 이미 deprecated되어 워크플로우가 실패합니다.

SHA 고정은 공급망 보안을 위한 좋은 관행입니다. 하지만 현재 사용 중인 버전들에 심각한 문제가 있습니다:

긴급 해결 필요:

• actions/upload-artifact@v2 및 actions/download-artifact@v2: 2024년 6월 30일 이후 deprecated (현재 2026년 2월) → 워크플로우가 실패합니다. 즉시 v4로 업그레이드 필요
• actions/setup-java@v1: 더 이상 유지보수되지 않는 레거시 버전. 현재 v5로 업그레이드 필요

권장:

• actions/checkout@v2 → v4.3.1로 업그레이드
• actions/setup-node@v1 → 최신 버전으로 업그레이드

SHA 핀을 유지하면서 각 작업을 최신 major 버전으로 업그레이드한 후, 해당 버전의 commit SHA로 핀 설정하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v4_3.yml around lines 20 -
21, The workflow pins several deprecated Actions (actions/checkout,
actions/setup-java, actions/upload-artifact, actions/download-artifact,
actions/setup-node) which causes CI failures; update each action to a supported
major (e.g., actions/checkout -> v4.3.1, actions/setup-java -> v5,
upload-artifact/download-artifact -> v4, setup-node -> latest major), resolve
their updated usage if any, and replace the existing SHA pins with the
corresponding commit SHA for the target release so the workflow uses the newest
supported versions while keeping SHA pinning.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/test-framework-v2-ts-angular-v5.yml

Repository: Buzzvil/swagger-codegen

Length of output: 7033

---

🌐 Web query:

GitHub Actions actions/checkout v2 deprecated latest version 2026

💡 Result:

• Yes — actions/checkout@v2 is effectively deprecated/obsolete because it’s one of the older GitHub Actions that ran on Node.js 12, and Node.js 12 was removed from GitHub-hosted runners on August 14, 2023 (after the Node12→Node16 enforcement/migration). Using Node12-based actions can lead to warnings or failures depending on runner behavior and policy. [2] [3]
• Latest actions/checkout as of Feb 23, 2026: v6.0.2 (released Jan 9, 2026). [1]

What to use in 2026

- uses: actions/checkout@v6
# or pin:
# - uses: actions/checkout@v6.0.2

Sources: [1] [2] [3]

---

🌐 Web query:

GitHub Actions actions/setup-java v1 v4 deprecation status

💡 Result:

• actions/setup-java@v1: Effectively deprecated/obsolete. It was built on the older Node.js 12 action runtime, which GitHub deprecated and began enforcing migration away from. Workflows using Node12-based actions (including actions/setup-java@v1) surface deprecation warnings / risk breakage. [1], [2]

• actions/setup-java@v4: Not deprecated (as of Feb 23, 2026). It’s simply not the latest major anymore—v5 exists. The project’s README states v5 upgraded the action runtime from Node20 to Node24, which implies v4 runs on Node20. [3]

Recommendation: move off v1 ASAP; use v4 or (preferably) v5. [3], [4]

Sources: [1] https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/ , [2] https://community.sonarsource.com/t/github-actions-warning-for-set-output-command-and-node-js-12-actions/80692 , [3] https://github.com/actions/setup-java , [4] https://github.com/actions/setup-java/releases

---

SHA 고정은 좋은 보안 관행이지만, 사용 중인 모든 버전이 Node.js 12 기반으로 GitHub 러너에서 제거된 구버전입니다.

actions/checkout@v2, actions/setup-java@v1, actions/setup-node@v1, actions/upload-artifact@v2, actions/download-artifact@v2 모두 Node.js 12를 사용하는 deprecated 버전입니다. GitHub는 2023년 8월 14일 이후 Node.js 12 기반 actions 사용을 중단하였으므로 이들 버전은 런타임 경고나 실패를 초래할 수 있습니다.

권장 사항:

• actions/checkout: v6.0.2로 업그레이드 (현재 최신)
• actions/setup-java: v5로 업그레이드 (v4는 더 이상 최신 아님)
• actions/setup-node: v4로 업그레이드
• actions/upload-artifact: v4로 업그레이드
• actions/download-artifact: v4로 업그레이드

SHA 고정과 함께 모든 actions를 최신 메이저 버전으로 업그레이드하세요.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v5.yml around lines 20 - 21,
Update the GitHub Actions usages that are pinned to old SHAs to supported major
releases: replace actions/checkout@ee0669bd... with actions/checkout@v6.0.2,
actions/setup-java@b6e6... with actions/setup-java@v5, actions/setup-node@...
with actions/setup-node@v4, actions/upload-artifact@... with
actions/upload-artifact@v4 and actions/download-artifact@... with
actions/download-artifact@v4; ensure you update every occurrence (look for the
action identifiers actions/checkout, actions/setup-java, actions/setup-node,
actions/upload-artifact, actions/download-artifact) and, if you must pin for
reproducibility, pin to the corresponding release tag SHA for those modern
versions rather than the deprecated Node.js 12–based SHAs.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

actions/upload-artifact v2 deprecated v4 migration breaking changes

💡 Result:

• Deprecation status (as of Feb 23, 2026): actions/upload-artifact@v1/v2 stopped being supported June 30, 2024 (workflows using them fail). v3 stopped being supported January 30, 2025. Migrate to v4. [1][2]

v2 → v4 migration: key breaking changes

1. Artifacts are immutable in v4 (no “append” uploads to same artifact name)

• In v2/v3, multiple steps/jobs could upload to the same name: and effectively “add” files.
• In v4, uploading again to the same artifact name in the same run errors; you must use unique names (e.g., suffix with matrix values), or upload once. [3][4]

2. Download side changes when you previously relied on “same name”

• If you previously uploaded many artifacts (unique names) and wanted to download a subset, download-artifact@v4 adds:
  • pattern: to match multiple artifact names
  • merge-multiple: true to place multiple artifacts into one directory [4]
• Also: You can’t mix versions—if you upload with upload-artifact@v4, you must download with download-artifact@v4. [3]

3. “Overwrite” is now explicit

• If your old flow depended on later uploads replacing earlier content under the same artifact name, use overwrite: true in upload-artifact@v4 (it deletes and recreates the artifact, producing a new artifact ID). [4]

4. Hidden files behavior changed (v4.4+ default)

• Hidden files are excluded by default in upload-artifact@v4.4 and later; add include-hidden-files: true if needed. [5]

5. Self-hosted runner networking

• On self-hosted runners, additional firewall rules may be required for v4’s backend. [5]

6. Per-job artifact count limit

• Each job in a workflow run has a limit of 500 artifacts. [5]

7. GHES compatibility

• upload-artifact@v4+ is not supported on GitHub Enterprise Server (GHES) (per the action README); GHES users are directed to v3/v3-node20 instead. [5]

Typical YAML updates (minimal)

• uses: actions/upload-artifact@v2 → uses: actions/upload-artifact@v4
• If you previously uploaded to the same name from a matrix, change to unique names and on download use pattern + merge-multiple: true (example shown in MIGRATION.md). [4]

Sources: GitHub Changelog deprecations [1][2], v4 behavior notes [3], MIGRATION.md examples and new inputs [4], upload-artifact README breaking changes list [5].

---

🌐 Web query:

actions/upload-artifact retention-days default value v2 vs v4

💡 Result:

actions/upload-artifact v2 vs v4: the retention-days input has no action-level default value in either version (i.e., it’s unset unless you provide it). If you omit it (or set it to 0), the artifact uses the repository/organization/enterprise retention setting. [1], [2]

Separately, GitHub’s default artifact retention policy is 90 days (unless your repo/org has been configured differently). [3]

So:

• v2: retention-days default → repo/org setting (platform default 90 days) [1], [3]
• v4: retention-days default → repo/org setting (platform default 90 days) [2], [3]

Sources:
[1] actions/upload-artifact v2 action.yml (raw)
[2] actions/upload-artifact v4 action.yml (raw)
[3] GitHub Docs: default retention is 90 days for artifacts/logs

---

actions/upload-artifact@v2는 지원이 중단된 버전입니다.

actions/upload-artifact@v2는 2024년 6월 30일 이후 더 이상 지원되지 않으며, v4로 업그레이드해야 합니다. v2에서 v4로의 마이그레이션 시 주요 breaking change는 아티팩트 이름 중복 처리 방식입니다:

• v2: 동일한 이름으로 여러 번 업로드 시 파일이 추가됨
• v4: 동일 실행 내에서 동일한 이름으로 업로드 시 오류 발생 → 고유한 이름을 사용하거나 overwrite: true 옵션 사용 필요

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-v2-ts-angular-v5.yml at line 32, The
workflow uses actions/upload-artifact@v2 (shown as uses:
actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2) which is
deprecated; update the step to use actions/upload-artifact@v4 and handle the
v2→v4 breaking change for duplicate artifact names by either generating unique
artifact names per upload or adding the overwrite: true option to the
upload-artifact step (i.e., modify the uses reference to v4 and adjust the
corresponding upload-artifact step to include unique naming or overwrite: true).

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/test-framework-ruby.yml (1)

40-62: ⚠️ Potential issue | 🔴 Critical

액션 SHA 검증 결과 및 액션 버전 업그레이드 필요

핀 고정된 세 개의 액션 SHA는 모두 유효한 커밋입니다:

• actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 (v2) ✓
• actions/setup-java@b6e674f4b717d7b0ae3baee0fbe79f498905dfde (v1) ✓
• actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 (v2) ✓

그러나 actions/upload-artifact@v2는 2024년 6월 30일부로 deprecated되었으며, 그 이후의 워크플로우는 실패할 수 있습니다. 현재 날짜(2026년 2월)는 deprecation 기한을 지났으므로 actions/upload-artifact@v4로 즉시 업그레이드하시기 바랍니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ruby.yml around lines 40 - 62, Replace the
deprecated pinned upload-action with the current major version: change the uses
entry for actions/upload-artifact (currently
actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2) to
actions/upload-artifact@v4; ensure the step name "upload codegen cli" and its
inputs remain unchanged so artifact upload behavior is preserved, run the
workflow locally or via a branch to verify the new action signature and outputs
are compatible.

♻️ Duplicate comments (2)

.github/workflows/test-framework-ruby.yml (2)

85-118: 위 SHA 검증 목록에 download-artifact도 포함해 주세요.

동일한 검증 스크립트에 actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281도 추가해 확인하면 충분합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ruby.yml around lines 85 - 118, The SHA
verification list is missing the download-artifact action referenced by the
"Download codegen cli" step (uses:
actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281); update the
verification configuration/script to include this exact identifier so the
workflow validates
actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 alongside the
other pinned SHAs (e.g., the upload-artifact entries) to ensure the
download-artifact usage is checked.

---

147-186: 위 SHA 검증 목록에 ruby/setup-ruby도 포함해 주세요.

동일한 검증 스크립트에 ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd도 추가해 확인하면 충분합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test-framework-ruby.yml around lines 147 - 186, Add the
ruby/setup-ruby pinned release to the SHA verification list by including the
exact identifier ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd in
whatever array or validation map the workflow uses to validate action SHAs (the
same place other pinned actions like actions/checkout and
actions/download-artifact are listed); update the verifier (the script or
variable that enumerates allowed/pinned actions) so it checks this
ruby/setup-ruby entry as well and fails the workflow if the SHA does not match.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/test-framework-ruby.yml:
- Around line 40-62: Replace the deprecated pinned upload-action with the
current major version: change the uses entry for actions/upload-artifact
(currently actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2) to
actions/upload-artifact@v4; ensure the step name "upload codegen cli" and its
inputs remain unchanged so artifact upload behavior is preserved, run the
workflow locally or via a branch to verify the new action signature and outputs
are compatible.

---

Duplicate comments:
In @.github/workflows/test-framework-ruby.yml:
- Around line 85-118: The SHA verification list is missing the download-artifact
action referenced by the "Download codegen cli" step (uses:
actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281); update the
verification configuration/script to include this exact identifier so the
workflow validates
actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 alongside the
other pinned SHAs (e.g., the upload-artifact entries) to ensure the
download-artifact usage is checked.
- Around line 147-186: Add the ruby/setup-ruby pinned release to the SHA
verification list by including the exact identifier
ruby/setup-ruby@09a7688d3b55cf0e976497ff046b70949eeaccfd in whatever array or
validation map the workflow uses to validate action SHAs (the same place other
pinned actions like actions/checkout and actions/download-artifact are listed);
update the verifier (the script or variable that enumerates allowed/pinned
actions) so it checks this ruby/setup-ruby entry as well and fails the workflow
if the SHA does not match.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b4943a1 and 7d66cb9.

📒 Files selected for processing (3)

• .github/workflows/test-framework-ruby.yml
• .github/workflows/test-framework-v2-ruby.yml
• .github/workflows/test-generation-v2.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/test-framework-v2-ruby.yml

[luis-hong]

외부 fork 저장소는 SHA 핀닝 일괄 적용 대상에서 제외합니다.

사유: fork 저장소는 org self-hosted runner 접근 제한 및 private reusable workflow 호출 제한으로 security-check CI가 정상 동작하지 않습니다. 필요 시 개별 대응합니다.