snyk

add zizmor static analyzer #1621

	name: snyk
	permissions: {}
	on:
	push:
	branches: [master, v2.dev, v3.dev]

	env:
	DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
	JAVA_VERSION: 21

	jobs:
	snyk:
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	container:
	# Incompatible with Harden Runner
	image: snyk/snyk:gradle-jdk21
	env:
	SNYK_INTEGRATION_VERSION: gradle-jdk21
	SNYK_INTEGRATION_NAME: GITHUB_ACTIONS
	FORCE_COLOR: 2
	if: github.event.repository.fork == false
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false
	- name: Setup Gradle
	uses: ./.github/actions/run-gradle
	with:
	java: ${{ env.JAVA_VERSION }}
	cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
	- name: Run Snyk test
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	continue-on-error: true
	run: snyk test --sarif-file-output=snyk.sarif --all-sub-projects -- --no-configuration-cache
	- name: Check file existence
	id: check_files
	uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
	with:
	files: snyk.sarif
	- name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
	if: steps.check_files.outputs.files_exists == 'true'
	with:
	sarif_file: snyk.sarif
	- name: Run Snyk monitor
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	continue-on-error: true
	run: snyk monitor --all-sub-projects -- --no-configuration-cache

Provide feedback