add actionlint and trivy analyzers

.github/actions/run-gradle/action.yml

@@ -2,7 +2,7 @@ name: Run Gradle
 description: Sets up Gradle JDKs and runs Gradle
 inputs:
   arguments:
-    required: true
+    required: false
     description: Gradle arguments
   java:
     required: true
@@ -83,6 +83,7 @@ runs:
         gradle-home-cache-cleanup: true
         gradle-home-cache-strict-match: true
     - name: Run ${{ inputs.arguments }}
+      if: ${{ env.arguments != '' }}
       env:
         JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }}
         ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: 'false'

.github/workflows/actionlint.yml

@@ -0,0 +1,24 @@
+name: actionlint
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: actionlint
+        uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.43.0
+        env:
+          SHELLCHECK_OPTS: -e SC2001 -e SC2035 -e SC2046 -e SC2061 -e SC2086 -e SC2156
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/benchmarks.yml

@@ -55,6 +55,7 @@ jobs:
           github.event_name == 'push'
           && github.event.repository.fork == false
           && endsWith(github.ref, github.event.repository.default_branch)
+        continue-on-error: true
         with:
           auth: ${{ secrets.GIST_TOKEN }}
           gist_description: Compute JMH Results
@@ -76,6 +77,7 @@ jobs:
           github.event_name == 'push'
           && github.event.repository.fork == false
           && endsWith(github.ref, github.event.repository.default_branch)
+        continue-on-error: true
         with:
           auth: ${{ secrets.GIST_TOKEN }}
           gist_description: Get/Put JMH Results

.github/workflows/scorecards-analysis.yml

@@ -29,13 +29,13 @@ jobs:
             api.osv.dev:443
             api.securityscorecards.dev:443
             bestpractices.coreinfrastructure.org:443
-            bestpractices.dev:443
             fulcio.sigstore.dev:443
             github.com:443
             oss-fuzz-build-logs.storage.googleapis.com:443
             rekor.sigstore.dev:443
             sigstore-tuf-root.storage.googleapis.com:443
             tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
       - name: Checkout code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:

.github/workflows/spelling.yml

@@ -3,8 +3,25 @@ permissions: read-all
 on: [ push, pull_request ]
 
 jobs:
-  spellcheck:
-    name: Check spelling
+  misspell:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Misspell
+        uses: reviewdog/action-misspell@32cdac969bc45951d79b89420a60c9b0102cf6ed # v1.16.0
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  typos:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
@@ -15,11 +32,6 @@ jobs:
           allowed-endpoints: >
             github.com:443
             objects.githubusercontent.com:443
-            raw.githubusercontent.com:443
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Install
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b .
-      - name: Spell Check with Misspell
-        run: ./misspell -error .
-      - name: Spell Check with Typos
+      - name: Typos
         uses: crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0

.github/workflows/trivy.yml

@@ -0,0 +1,34 @@
+name: trivy
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  trivy:
+    runs-on: ubuntu-20.04
+    permissions:
+      checks: write
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            ghcr.io:443
+            github.com:443
+            pkg-containers.githubusercontent.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+            sarif_file: trivy-results.sarif

gradle/libs.versions.toml

@@ -1,5 +1,5 @@
 [versions]
-asm = "9.6"
+asm = "9.7"
 auto-value = "1.10.4"
 awaitility = "4.2.1"
 bcel = "6.8.2"
@@ -33,7 +33,7 @@ felix-framework = "7.0.5"
 felix-scr = "2.2.10"
 findsecbugs = "1.13.0"
 flip-tables = "1.1.1"
-forbidden-apis = "3.6"
+forbidden-apis = "3.7"
 google-java-format = "1.21.0"
 guava = "33.1.0-jre"
 guice = "6.0.0"