add zizmor static analyzer

.github/actions/run-gradle/action.yml

@@ -30,24 +30,32 @@ runs:
   using: composite
   steps:
     - name: Read Gradle JDK toolchain version
+      id: gradle_toolchain
       shell: bash
       run: |
         toolchainVersion=$(grep -oP '(?<=^toolchainVersion=).*' gradle/gradle-daemon-jvm.properties)
-        echo "toolchainVersion=${toolchainVersion}" >> $GITHUB_ENV
-    - name: Set up JDK ${{ env.toolchainVersion }}
+        echo "version=${toolchainVersion}" >> $GITHUB_OUTPUT
+    - name: Debug toolchain version
+      shell: bash
+      run: echo "Toolchain version is ${{ steps.gradle_toolchain.outputs.version }}"
+    - name: Set up JDK ${{ steps.gradle_toolchain.outputs.version }}
       uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
-        java-version: ${{ env.toolchainVersion }}
+        java-version: ${{ steps.gradle_toolchain.outputs.version }}
         distribution: temurin
     - name: Prepare JDK toolchain
+      id: java_toolchain
+      env:
+        INPUTS_JAVA: ${{ inputs.java }}
+        INPUTS_GRAAL: ${{ inputs.graal }}
       shell: bash
       run: |
-        if [[ "${{ inputs.java }}" == "GraalVM" ]]; then
-          echo "JAVA_VENDOR=GraalVM Community" >> $GITHUB_ENV
-          echo "JAVA_VERSION=${{ inputs.graal }}" >> $GITHUB_ENV
+        if [[ "$INPUTS_JAVA" == "GraalVM" ]]; then
+          echo "vendor=GraalVM Community" >> $GITHUB_OUTPUT
+          echo "version=$INPUTS_GRAAL" >> $GITHUB_OUTPUT
         else
-          echo "JAVA_VENDOR=Adoptium" >> $GITHUB_ENV
-          echo "JAVA_VERSION=${{ inputs.java }}" >> $GITHUB_ENV
+          echo "vendor=Adoptium" >> $GITHUB_OUTPUT
+          echo "version=$INPUTS_JAVA" >> $GITHUB_OUTPUT
         fi
     - name: Set up JDK
       uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
@@ -57,15 +65,18 @@ runs:
           (inputs.early-access == inputs.java && format('{0}-ea', inputs.java) || inputs.java) }}
         distribution: ${{ inputs.java == 'GraalVM' && 'graalvm' || 'temurin' }}
     - name: Prepare JDK ${{ inputs.java }}
+      id: prepare_java
+      env:
+        INPUTS_JAVA: ${{ inputs.java }}
+        JDK_EA: ${{ inputs.early-access == inputs.java }}
       shell: bash
       run: |
-        if [[ "${{ inputs.java }}" == "GraalVM" ]]; then
-          echo "GRAALVM_HOME=$JAVA_HOME" >> $GITHUB_ENV
+        if [[ "$INPUTS_JAVA" == "GraalVM" ]]; then
+          echo "graalvm_home=$JAVA_HOME" >> $GITHUB_OUTPUT
         fi
-        echo "JDK_CI=$JAVA_HOME" >> $GITHUB_ENV
-        echo "JDK_EA=${{ inputs.early-access == inputs.java }}" >> $GITHUB_ENV
-        echo "JAVA_TOOL_OPTIONS=-Dorg.gradle.workers.max=$((2 * $(nproc)))" >> $GITHUB_ENV
-        echo "ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download=false" >> $GITHUB_ENV
+        echo "early_access=$JDK_EA" >> $GITHUB_OUTPUT
+        echo "java_home=$JAVA_HOME" >> $GITHUB_OUTPUT
+        echo "tool_options=-Dorg.gradle.workers.max=$((2 * $(nproc)))" >> $GITHUB_OUTPUT
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2
       with:
@@ -79,14 +90,25 @@ runs:
         cache-encryption-key: ${{ inputs.cache-encryption-key }}
     - name: Run ${{ inputs.arguments }}
       if: ${{ inputs.arguments != '' }}
+      env:
+        INPUTS_ARGUMENTS: ${{ inputs.arguments }}
+        JDK_CI: ${{ inputs.prepare_java.java_home }}
+        JDK_EA: ${{ inputs.prepare_java.early_access }}
+        INPUTS_ATTEMPT_DELAY: ${{ inputs.attempt-delay }}
+        INPUTS_ATTEMPT_LIMIT: ${{ inputs.attempt-limit }}
+        GRAALVM_HOME: ${{ inputs.prepare_java.graalvm_home }}
+        JAVA_VENDOR: ${{ steps.java_toolchain.outputs.vendor }}
+        JAVA_VERSION: ${{ steps.java_toolchain.outputs.version }}
+        JAVA_TOOL_OPTIONS: ${{ inputs.prepare_java.tool_options }}
+        ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: false
       shell: bash
       run: |
         echo "::add-matcher::.github/problem-matcher.json"
-        for ((i=1; i<=${{ inputs.attempt-limit }}; i++)); do
-          ./gradlew --no-problems-report $(echo "${{ inputs.arguments }}" | tr -d '\n') && break
-          if [ $i -lt ${{ inputs.attempt-limit }} ]; then
-            echo "Attempt $i failed. Retrying in ${{ inputs.attempt-delay }} seconds..."
-            sleep ${{ inputs.attempt-delay }}
+        for ((i=1; i<=$INPUTS_ATTEMPT_LIMIT; i++)); do
+          ./gradlew --no-problems-report $(echo "$INPUTS_ARGUMENTS" | tr -d '\n') && break
+          if [ $i -lt $INPUTS_ATTEMPT_LIMIT ]; then
+            echo "Attempt $i failed. Retrying in $INPUTS_ATTEMPT_DELAY seconds..."
+            sleep $INPUTS_ATTEMPT_DELAY
           else
             echo "All attempts failed."
             exit 1

.github/workflows/actionlint.yml

@@ -1,10 +1,12 @@
 name: actionlint
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 jobs:
   actionlint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
@@ -14,11 +16,47 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: actionlint
-        uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1.64.1
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run actionlint
+        uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1.64.4
         env:
           SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156
         with:
           reporter: github-check
           github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Install uv
+        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+      - name: Run zizmor
+        run: uvx zizmor --pedantic --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/workflows/analysis.yml

@@ -1,5 +1,5 @@
 name: analysis
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 env:
@@ -22,6 +22,8 @@ env:
 jobs:
   forbiddenApis:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JAVA_VERSION: 23
     steps:
@@ -31,7 +33,10 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Forbidden Apis
         uses: ./.github/actions/run-gradle
         with:
@@ -41,6 +46,8 @@ jobs:
 
   pmd:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JAVA_VERSION: 23
     steps:
@@ -50,7 +57,10 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Pmd
         uses: ./.github/actions/run-gradle
         with:
@@ -60,6 +70,8 @@ jobs:
 
   spotbugs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JAVA_VERSION: 23
     steps:
@@ -69,7 +81,10 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Spotbugs
         uses: ./.github/actions/run-gradle
         with:

.github/workflows/benchmarks.yml

@@ -1,5 +1,5 @@
 name: benchmarks
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 env:
@@ -9,6 +9,8 @@ env:
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         java: [ 11, 21, 25, GraalVM ]
@@ -39,7 +41,10 @@ jobs:
             raw.githubusercontent.com:443
             services.gradle.org:443
             www.graalvm.org:443
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Compute JMH Benchmark
         uses: ./.github/actions/run-gradle
         with: