chore: bump openapi-generator-cli to 7.21.0

[Copilot]

Updates the OpenAPI Generator CLI version from 7.16.0 to 7.21.0 in scripts/openapi-generator-cli.sh. Client regeneration to be run separately via scripts/update_client.sh once this is merged.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates the OpenAPI Generator CLI version in a build script from 7.16.0 to 7.21.0, which changes the JAR artifact downloaded and executed from openapi-generator-cli-7.16.0.jar to openapi-generator-cli-7.21.0.jar. Control flow logic remains unchanged.

Changes

Cohort / File(s)	Summary
Build Script Configuration scripts/openapi-generator-cli.sh	VERSION constant bumped from 7.16.0 to 7.21.0, updating the JAR artifact version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: bumping the OpenAPI Generator CLI version from 7.16.0 to 7.21.0.
Description check	✅ Passed	The description directly relates to the changeset, explaining the version update in the script and providing context about the next steps.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch copilot/update-version-7-21-0

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

scripts/openapi-generator-cli.sh (2)

6-16: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Add checksum verification before executing the downloaded JAR.

Right now the script downloads a remote artifact and immediately executes it (exec java -jar ...), with no integrity check. Even though the version is pinned, this is still a supply-chain risk (e.g., malicious/accidental tampering upstream). Store an expected SHA256 in the script (or fetch from a trusted source) and fail if the downloaded jar doesn’t match.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/openapi-generator-cli.sh` around lines 6 - 16, Add SHA256 checksum
verification for the downloaded OpenAPI Generator JAR: define an expected
checksum variable (e.g., EXPECTED_SHA256) alongside VERSION/SOURCE/FILENAME,
compute the actual checksum of $VENDOR_DIR/$FILENAME using a portable tool
(sha256sum or shasum -a 256), compare actual vs EXPECTED_SHA256, and if they
differ print an error, remove the downloaded file and exit non‑zero; only
proceed to exec java -jar ... after the checksum validation succeeds. Reference
symbols: VERSION, SOURCE, FILENAME, VENDOR_DIR, and the final exec java -jar
invocation to ensure the check happens before execution.

---

8-16: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Quote shell variables to harden against path/filename edge cases.

Several expansions are unquoted ($SOURCE, $VENDOR_DIR, $FILENAME), including:

• Line 9: basename $SOURCE
• Line 10: mkdir -p $VENDOR_DIR
• Line 12: [ ! -f $VENDOR_DIR/$FILENAME ]
• Line 14: wget $SOURCE -O $VENDOR_DIR/$FILENAME
• Line 16: exec java -jar $VENDOR_DIR/$FILENAME "$@"

This can cause failures if any path contains whitespace or special characters.

🛠️ Proposed hardening diff

-VERSION=7.21.0
-SOURCE=https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/${VERSION}/openapi-generator-cli-${VERSION}.jar
-FILENAME=$(basename $SOURCE)
-mkdir -p $VENDOR_DIR
+VERSION=7.21.0
+SOURCE="https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/${VERSION}/openapi-generator-cli-${VERSION}.jar"
+FILENAME="$(basename "$SOURCE")"
+mkdir -p "$VENDOR_DIR"
 set -e
-if [ ! -f $VENDOR_DIR/$FILENAME ]; then
+if [ ! -f "$VENDOR_DIR/$FILENAME" ]; then
     echo "Downloading OpenAPI Generator CLI version $VERSION"
-    wget $SOURCE -O $VENDOR_DIR/$FILENAME
+    wget "$SOURCE" -O "$VENDOR_DIR/$FILENAME"
 fi
-exec java -jar $VENDOR_DIR/$FILENAME "$@"
+exec java -jar "$VENDOR_DIR/$FILENAME" "$@"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/openapi-generator-cli.sh` around lines 8 - 16, The script uses
unquoted variable expansions which break on paths with spaces or special chars;
update usages to quote expansions: assign FILENAME with basename "$SOURCE", call
mkdir -p "$VENDOR_DIR", test file existence with [ ! -f "$VENDOR_DIR/$FILENAME"
], pass wget "$SOURCE" -O "$VENDOR_DIR/$FILENAME", and run the jar with exec
java -jar "$VENDOR_DIR/$FILENAME" "$@"; keep the same variable names (SOURCE,
VENDOR_DIR, FILENAME) and commands (basename, wget, exec) so the change is a
straightforward quoting hardening.

🧹 Nitpick comments (1)

scripts/openapi-generator-cli.sh (1)

11-15: ⚡ Quick win

Make the download more reliable (timeouts/retries) and tighten error handling.

The script uses set -e (Line 11) but:

• earlier commands (readlink/dirname) run before set -e
• wget has no explicit timeout/retry, which can make CI flaky on transient network issues

Consider switching to set -euo pipefail near the top and adding wget options like --tries, --timeout, and --retry-connrefused.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/openapi-generator-cli.sh` around lines 11 - 15, Move the shell
strictness to the top and harden the download: replace the top-level "set -e"
with "set -euo pipefail" as the first executable line (so it applies to earlier
readlink/dirname calls), ensure variables like VENDOR_DIR, FILENAME, SOURCE,
VERSION are quoted when referenced, and replace the simple wget call in the
download block with a wget invocation that specifies retries and timeouts (e.g.
use --tries, --timeout, --retry-connrefused and optionally --waitretry) so the
download is more resilient; keep the conditional (if [ ! -f
"$VENDOR_DIR/$FILENAME" ]) and fail-fast behavior, and ensure any wget failure
is surfaced (no silent redirects or swallowing of exit codes).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@scripts/openapi-generator-cli.sh`:
- Around line 6-16: Add SHA256 checksum verification for the downloaded OpenAPI
Generator JAR: define an expected checksum variable (e.g., EXPECTED_SHA256)
alongside VERSION/SOURCE/FILENAME, compute the actual checksum of
$VENDOR_DIR/$FILENAME using a portable tool (sha256sum or shasum -a 256),
compare actual vs EXPECTED_SHA256, and if they differ print an error, remove the
downloaded file and exit non‑zero; only proceed to exec java -jar ... after the
checksum validation succeeds. Reference symbols: VERSION, SOURCE, FILENAME,
VENDOR_DIR, and the final exec java -jar invocation to ensure the check happens
before execution.
- Around line 8-16: The script uses unquoted variable expansions which break on
paths with spaces or special chars; update usages to quote expansions: assign
FILENAME with basename "$SOURCE", call mkdir -p "$VENDOR_DIR", test file
existence with [ ! -f "$VENDOR_DIR/$FILENAME" ], pass wget "$SOURCE" -O
"$VENDOR_DIR/$FILENAME", and run the jar with exec java -jar
"$VENDOR_DIR/$FILENAME" "$@"; keep the same variable names (SOURCE, VENDOR_DIR,
FILENAME) and commands (basename, wget, exec) so the change is a straightforward
quoting hardening.

---

Nitpick comments:
In `@scripts/openapi-generator-cli.sh`:
- Around line 11-15: Move the shell strictness to the top and harden the
download: replace the top-level "set -e" with "set -euo pipefail" as the first
executable line (so it applies to earlier readlink/dirname calls), ensure
variables like VENDOR_DIR, FILENAME, SOURCE, VERSION are quoted when referenced,
and replace the simple wget call in the download block with a wget invocation
that specifies retries and timeouts (e.g. use --tries, --timeout,
--retry-connrefused and optionally --waitretry) so the download is more
resilient; keep the conditional (if [ ! -f "$VENDOR_DIR/$FILENAME" ]) and
fail-fast behavior, and ensure any wget failure is surfaced (no silent redirects
or swallowing of exit codes).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 413648db-d2e8-46d0-b55d-973e9ae1ff8e

📥 Commits

Reviewing files that changed from the base of the PR and between 8d58bfd and d6a4a61.

📒 Files selected for processing (1)

• scripts/openapi-generator-cli.sh

📜 Review details

🔇 Additional comments (1)

scripts/openapi-generator-cli.sh (1)

7-8: Maven artifact URL for version 7.21.0 is valid and reachable.

The artifact openapi-generator-cli-7.21.0.jar at https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.21.0/openapi-generator-cli-7.21.0.jar returns HTTP 200 and is available. The VERSION and SOURCE variables at lines 7-8 are correctly configured.