add zizmor static analyzer

.github/workflows/actionlint.yml

@@ -1,10 +1,12 @@
 name: actionlint
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 jobs:
   actionlint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
@@ -14,11 +16,47 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: actionlint
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run actionlint
         uses: reviewdog/action-actionlint@abd537417cf4991e1ba8e21a67b1119f4f53b8e0 # v1.64.1
         env:
           SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156
         with:
           reporter: github-check
           github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Install uv
+        uses: astral-sh/setup-uv@b5f58b2abc5763ade55e4e9d0fe52cd1ff7979ca # v5.2.1
+      - name: Run zizmor
+        run: uvx zizmor --pedantic --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/workflows/analysis.yml

@@ -1,5 +1,5 @@
 name: analysis
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 env:
@@ -22,6 +22,8 @@ env:
 jobs:
   forbiddenApis:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JAVA_VERSION: 23
     steps:
@@ -31,7 +33,10 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Forbidden Apis
         uses: ./.github/actions/run-gradle
         with:
@@ -41,6 +46,8 @@ jobs:
 
   pmd:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JAVA_VERSION: 23
     steps:
@@ -50,7 +57,10 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Pmd
         uses: ./.github/actions/run-gradle
         with:
@@ -60,6 +70,8 @@ jobs:
 
   spotbugs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       JAVA_VERSION: 23
     steps:
@@ -69,7 +81,10 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Spotbugs
         uses: ./.github/actions/run-gradle
         with:

.github/workflows/benchmarks.yml

@@ -1,5 +1,5 @@
 name: benchmarks
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 env:
@@ -9,6 +9,8 @@ env:
 jobs:
   benchmarks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         java: [ 11, 21, 25, GraalVM ]
@@ -39,7 +41,10 @@ jobs:
             raw.githubusercontent.com:443
             services.gradle.org:443
             www.graalvm.org:443
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Compute JMH Benchmark
         uses: ./.github/actions/run-gradle
         with:

.github/workflows/build.yml

@@ -1,9 +1,9 @@
 name: build
+permissions: {}
 on:
   pull_request: {}
   push:
     branches: [master, v2.dev, v3.dev]
-permissions: read-all
 
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -45,6 +45,8 @@ jobs:
     name: Compile
     timeout-minutes: 15
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         java: [ 11, 23, 25, GraalVM ]
@@ -59,6 +61,8 @@ jobs:
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Compile
         uses: ./.github/actions/run-gradle
         with:
@@ -75,6 +79,8 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     needs: compile
+    permissions:
+      contents: read
     strategy:
       matrix:
         suite:
@@ -173,6 +179,8 @@ jobs:
           allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Run tests (${{ env.JAVA_VERSION }})
         uses: ./.github/actions/run-gradle
         with:
@@ -182,7 +190,7 @@ jobs:
       - name: Format Test Artifact Name
         if: always() && (env.JAVA_VERSION == env.PUBLISH_JDK)
         run: |
-          RAW_NAME=${{ matrix.suite }}-${{ env.JAVA_VERSION }}
+          RAW_NAME=${{ matrix.suite }}-${JAVA_VERSION}
           ARTIFACT_NAME=$(echo $RAW_NAME | sed 's/:/-/g')
           echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV
       - name: Compress test results
@@ -207,6 +215,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: tests
     if: (github.event_name == 'push') && (github.event.repository.fork == false)
+    permissions:
+      contents: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
@@ -232,6 +242,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Download Tests Results
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - name: Decompress
@@ -284,6 +295,7 @@ jobs:
     needs: tests
     if: github.event_name == 'push'
     permissions:
+      contents: read
       checks: write
     steps:
       - name: Harden Runner
@@ -315,7 +327,7 @@ jobs:
           COLOR: 31c653
           STATUS: ${{ fromJSON(steps.test-results.outputs.json).formatted.stats.runs }}
         continue-on-error: true
-        run: curl -s -f https://badgen.net/badge/${{env.LABEL}}/${{env.STATUS}}/${{env.COLOR}} > badge.svg
+        run: curl -s -f https://badgen.net/badge/${LABEL}/${STATUS}/${COLOR} > badge.svg
       - name: Upload badge to Gist
         uses: popsiclestick/gist-sync-action@88f8633178625914f2a01abf1a765f7272a580fa # v1.2.0
         if: >
@@ -338,6 +350,7 @@ jobs:
       && github.event.repository.fork == false
       && endsWith(github.ref, github.event.repository.default_branch)
     permissions:
+      contents: read
       id-token: write
     steps:
       - name: Harden Runner
@@ -353,7 +366,10 @@ jobs:
             jspecify.dev:443
             lightbend.github.io:443
             oauth2.sigstore.dev:443
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Publish Snapshot
         uses: ./.github/actions/run-gradle
         env:

.github/workflows/codacy.yml

@@ -1,5 +1,5 @@
 name: Codacy
-permissions: read-all
+permissions: {}
 on: [ push, pull_request ]
 
 jobs:
@@ -28,8 +28,10 @@ jobs:
             raw.githubusercontent.com:443
             registry-1.docker.io:443
             *.blob.core.windows.net:443
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Run Codacy Analysis
         uses: codacy/codacy-analysis-cli-action@97bf5df3c09e75f5bcd72695998f96ebd701846e # v4.4.5
         continue-on-error: true
@@ -47,7 +49,7 @@ jobs:
         if: steps.check_files.outputs.files_exists == 'true'
         run: jq -c '.runs |= unique_by({tool, invocations, results})' < results.sarif > codacy.sarif
       - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
         if: steps.check_files.outputs.files_exists == 'true'
         continue-on-error: true
         with:

.github/workflows/codeql.yml

@@ -1,5 +1,5 @@
-name: "CodeQL"
-permissions: read-all
+name: CodeQL
+permissions: {}
 
 on:
   push:
@@ -47,22 +47,24 @@ jobs:
             repo1.maven.org:443
             uploads.github.com:443
             services.gradle.org:443
-      - name: Checkout repository
+      - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Setup Gradle
         uses: ./.github/actions/run-gradle
         if: ${{ matrix.language == 'java' }}
         with:
           java: ${{ env.JAVA_VERSION }}
           cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
       - name: Initialize CodeQL (Actions)
-        uses: github/codeql-action/init@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
         if: ${{ matrix.language == 'actions' }}
         with:
           languages: actions
           dependency-caching: true
       - name: Initialize CodeQL (Java)
-        uses: github/codeql-action/init@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
         if: ${{ matrix.language == 'java' }}
         with:
           queries: >
@@ -80,6 +82,6 @@ jobs:
           config: |
             threat-models: local
       - name: Autobuild
-        uses: github/codeql-action/autobuild@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/autobuild@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5

.github/workflows/dependency-check.yml

@@ -1,10 +1,10 @@
 name: Dependency Check
+permissions: {}
 on:
   push:
   pull_request:
   schedule:
     - cron: '0 0 * * 4'
-permissions: read-all
 
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
@@ -45,7 +45,10 @@ jobs:
             raw.githubusercontent.com:443
             services.gradle.org:443
             www.cisa.gov:443
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Run dependency-check
         uses: ./.github/actions/run-gradle
         continue-on-error: true
@@ -61,7 +64,7 @@ jobs:
         with:
           files: build/reports/dependency-check-report.sarif
       - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
         if: steps.check_files.outputs.files_exists == 'true'
         with:
           sarif_file: build/reports/dependency-check-report.sarif

.github/workflows/dependency-review.yml

@@ -1,5 +1,5 @@
 name: Dependency Review
-permissions: read-all
+permissions: {}
 on: [pull_request]
 
 jobs:
@@ -18,8 +18,10 @@ jobs:
             api.deps.dev:443
             api.github.com:443
             github.com:443
-      - name: Checkout Repository
+      - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Dependency Review
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
         with: