[Security] Remove actions/download-artifact Buffer deprecation warning

[seonghobae]

현재 역할

과업 / O3: default-branch zero-warning stabilization under #194.

Symptom

Post-merge develop OSSF Scorecard run logs a Node deprecation warning while downloading the Scorecard SARIF artifact:

(node:2495) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Observed in run: https://github.com/seonghobae/bandscope/actions/runs/25212295544
Step owner: .github/workflows/ossf-scorecard.yml scorecard-sarif-upload job, actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c.

Root-cause hypothesis

actions/download-artifact@v8.0.1 decompresses artifact zips through its bundled Node dependency chain (@actions/artifact -> unzip stack) that still emits new Buffer(...) under Node 24. This is externally owned by the GitHub action dependency stack, but BandScope can avoid the warning-producing decompression path by using skip-decompress: true and a repo-owned safe extractor.

Relationships

• Parent / 업무: [Security] Post-#192 default-branch PR queue stabilization and dependency gate closure #194
• Predecessor: PR Fix Scorecard SARIF upload warnings #198 fixed the invalid Scorecard SARIF URI upload path but exposed this residual action-runtime warning.
• Related historical issue: [Bug] Fix OSSF Scorecard publish failure after PR #185 merge #187
• Adjacent exposure: .github/workflows/build-baseline.yml release artifact download also uses the same action SHA and should be assessed.
• Blocker: none known; if upstream action has no fixed release, repo-owned extraction is the maintained path.

Acceptance criteria

• OSSF Scorecard artifact download no longer emits [DEP0005] Buffer() in default-branch verification.
• Artifact digest validation and SHA-pinned action controls remain intact.
• Safe extraction rejects traversal, absolute paths, unexpected members, malformed zip, and missing results.sarif.
• Supply-chain verifier prevents regression to warning-producing Scorecard artifact decompression.
• PR checks pass and robot reviewer approval/skip evidence is current-head.
• Post-merge develop OSSF Scorecard run is successful and warning evidence is recorded back on [Security] Post-#192 default-branch PR queue stabilization and dependency gate closure #194.

Security Notes

Artifact zip contents are untrusted CI artifacts. The extractor must only accept a narrow expected member, reject path traversal/symlink-like/archive shape anomalies, avoid broad filesystem writes, and fail closed before normalization/upload.

[coderabbitai]

🔗 Related PRs

#21 - chore(deps): consolidate green Dependabot updates [merged]
#58 - fix(ci): remove unverified Syft download in SBOM workflow [merged]
#190 - fix: enforce OSSF Scorecard publish constraints [merged]
#193 - docs: clarify supply-chain warning triage [merged]
#198 - Fix Scorecard SARIF upload warnings [closed]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[seonghobae]

PR #200 landed and default-branch OSSF Scorecard validation completed for this warning slice.\n\nEvidence:\n- PR #200 merged: https://github.com/seonghobae/bandscope/pull/200\n- Merge commit on develop: 18a6c312bfa7b593ce41f03001697fc6a575ce0c\n- Post-merge develop OSSF Scorecard run: https://github.com/seonghobae/bandscope/actions/runs/25220530783\n- Run conclusion: success; jobs ossf-scorecard and scorecard-sarif-upload both succeeded.\n- Warning re-check: fetched job log for the post-merge Scorecard SARIF upload path had no matches for DEP0005, Buffer(), DeprecationWarning, Warning, or deprecated.\n\nResult: the OSSF Scorecard actions/download-artifact Buffer deprecation warning is closed on default branch. Adjacent build-baseline artifact-download exposure remains tracked separately.