CI: update GitHub Actions and add zizmor workflow scan #13

Merged
kothar merged 3 commits into master from cursor/update-actions-zizmor-e68c
Apr 11, 2026

Conversation

@kothar (Owner) commented Apr 11, 2026

Summary

  • Modernize the Maven CI workflow by upgrading actions/checkout and actions/setup-java so runners use a supported Node runtime and Maven caching uses a cache client compatible with GitHub’s API (fixes "Cache service responded with 400" with old setup-java; see actions/setup-java#902).
  • Pin actions to immutable release SHAs (actions/checkout v6.0.2, actions/setup-java v5.2.0, zizmorcore/zizmor-action v0.5.2) with version comments.
  • Least privilege: Maven job checkout uses persist-credentials: false (zizmor job already had it). Job permissions: contents: read, actions: write for Maven cache with restricted top-level permissions.
  • Temurin JDK 11; zizmor with advanced-security: false and annotations: true.

Testing

  • YAML validated locally; CI validates the full Maven build.

Summary by CodeRabbit

  • Chores
    • Upgraded CI workflow components, tightened workflow permissions, and switched the JDK distribution while preserving Java 11 and Maven caching.
    • Added a CI static-analysis workflow that runs on pushes and pull requests to surface workflow configuration/security issues with annotated output.

- Upgrade checkout and setup-java to current major versions (Node 24 runtime)
- Switch JDK distribution from adopt to temurin for setup-java v5
- Set explicit minimal permissions on the Maven workflow job
- Add zizmor static analysis for workflow configuration issues (annotations, no Advanced Security upload)

Co-authored-by: Mike Houston <mike@kothar.net>
@coderabbitai bot commented Apr 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2b5bf598-921d-404c-8012-7b81d6cbe047

📥 Commits

Reviewing files that changed from the base of the PR and between 809ca9b and c9ef5b0.

📒 Files selected for processing (2)
  • .github/workflows/maven.yml
  • .github/workflows/zizmor.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/zizmor.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/maven.yml

📝 Walkthrough

Walkthrough

Updated Maven CI workflow: upgraded actions/checkout to v6, actions/setup-java to v5.2.0, switched JDK distribution from adopt to temurin, and tightened permissions. Added a new Zizmor workflow to run static analysis of GitHub Actions configs on pushes to develop and PRs to master/develop.

Changes

Cohort / File(s): Maven Workflow Updates (.github/workflows/maven.yml)
Summary: Upgraded actions/checkout v2 → actions/checkout@v6.0.2, upgraded actions/setup-java v2 → actions/setup-java@v5.2.0, changed java.distribution from adopt → temurin, set top-level permissions: {} and job-level contents: read plus actions: write, enabled persist-credentials: false.

Cohort / File(s): Zizmor Security Workflow (.github/workflows/zizmor.yml)
Summary: Added new zizmor workflow running zizmorcore/zizmor-action@v0.5.2 with advanced-security: false, annotations: true; triggers: push to develop and PRs to master/develop; sets top-level permissions: {} and job contents: read, uses persist-credentials: false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A hop, a tweak, a build in tune,
Temurin rises with the moon,
Zizmor scans each workflow line,
CI hums steady, all is fine,
I nibble logs and hop in time.

🚥 Pre-merge checks: 3 passed
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main changes: updating GitHub Actions and adding a zizmor workflow scan for security analysis.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


- Pinned action avoids ambiguous v5 resolution; v5 uses cache client compatible with GitHub cache API (fixes 400 from v2).
- actions: write is required to save/restore caches when workflow permissions are restricted.

Co-authored-by: Mike Houston <mike@kothar.net>
@coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/maven.yml:
- Around line 21-23: Replace the mutable tags for the two GitHub Actions with
their corresponding full 40-character commit SHAs: update the uses entries that
reference actions/checkout@v6 and actions/setup-java@v5 to
actions/checkout@<full-commit-sha> and actions/setup-java@<full-commit-sha>
respectively (obtain the exact SHAs from each action's GitHub repo/releases) so
both actions are pinned to immutable SHAs; ensure the SHAs are full 40-character
values and keep the rest of the workflow unchanged.
- Line 21: The checkout step currently uses "uses: actions/checkout@v6" without
disabling credential persistence; update that checkout step to include
persist-credentials: false so the action does not leave GITHUB_TOKEN in the
workspace for this read-only build workflow, ensuring least-privilege for the
workflow.

In @.github/workflows/zizmor.yml:
- Around line 21-27: Replace the mutable GitHub Action tags with immutable full
40-character commit SHAs: update the actions/checkout@v6 reference to
actions/checkout@<full-commit-sha> and update zizmorcore/zizmor-action@v0.5.2 to
zizmorcore/zizmor-action@<full-commit-sha>; locate the two uses of
actions/checkout and zizmorcore/zizmor-action in the workflow and substitute the
tag versions with their respective pinned commit SHAs (ensure each SHA is the
exact 40-character commit hash from the action's repository).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 271b65a7-a4ec-4ed4-b2aa-75f76ec8f701

📥 Commits

Reviewing files that changed from the base of the PR and between 3379203 and 3506b17.

📒 Files selected for processing (2)
  • .github/workflows/maven.yml
  • .github/workflows/zizmor.yml

@coderabbitai bot left a comment

♻️ Duplicate comments (2)
.github/workflows/maven.yml (2)

23-23: ⚠️ Potential issue | 🟠 Major

Disable checkout credential persistence for this build job.

For this read-only build flow, add persist-credentials: false on checkout to reduce token exposure surface in subsequent steps/artifacts.

Suggested change
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v6
+      with:
+        persist-credentials: false
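Review bot: the `+` lines keep the mutable `actions/checkout@v6` reference that the companion finding on this same file asks to replace with a full commit SHA; apply both in one edit (`- uses: actions/checkout@<full-sha> # v6.x` followed by the `with:` block) rather than committing the tag a second time. Once `persist-credentials: false` is in place, any later step that pushes or calls the API has to be handed a token explicitly, which is acceptable here because the description calls this a read-only build workflow.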
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/maven.yml at line 23, The checkout step currently uses
"uses: actions/checkout@v6" without disabling credential persistence; update the
checkout step to include "persist-credentials: false" so the Actions token is
not persisted to later steps/artifacts—locate the checkout step (uses:
actions/checkout@v6) in the workflow and add the persist-credentials: false
input under that step.

23-25: ⚠️ Potential issue | 🔴 Critical

Pin action references to full 40-char SHAs (still unresolved).

Both actions/checkout@v6 and actions/setup-java@v5.2.0 are mutable tags and still violate the unpinned-actions policy.

Suggested change
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@<FULL_40_CHAR_SHA> # v6.x
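Review bot: `<FULL_40_CHAR_SHA>` is a placeholder that will not resolve if the suggestion is committed as-is, and the `# v6.x` comment should name the exact tag the SHA was copied from (the PR ends up recording v6.0.2); that trailing comment is the only human-readable record of what the pin means, so a vague version there makes the pin hard to audit.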

@@
-      uses: actions/setup-java@v5.2.0
+      uses: actions/setup-java@<FULL_40_CHAR_SHA> # v5.2.0
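Review bot: the trailing `# v5.2.0` comment must match the release the substituted SHA actually resolves to; take the SHA from the v5.2.0 tag itself rather than the repository's default branch, otherwise the comment and the pin silently disagree and the cache-client fix the PR description relies on may not be what is running.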
Find the full 40-character commit SHAs currently pointed to by:
1) actions/checkout tag v6 (or exact v6.x used)
2) actions/setup-java tag v5.2.0
Use official GitHub release/tag pages only.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/maven.yml around lines 23 - 25, The workflow is using
mutable tags actions/checkout@v6 and actions/setup-java@v5.2.0 which violate the
unpinned-actions policy; replace each tag with its corresponding full
40-character commit SHA from the official GitHub release/tag pages (lookup the
v6 reference for actions/checkout and v5.2.0 for actions/setup-java on their
GitHub repos and copy the exact commit SHA), and update the uses lines to
actions/checkout@<full-sha> and actions/setup-java@<full-sha> so the workflow
references immutable commits; after updating, verify the SHAs by re-checking the
official tag pages to ensure they match.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9981e64e-8f25-45ab-85f8-963d95fbe782

📥 Commits

Reviewing files that changed from the base of the PR and between 3506b17 and 809ca9b.

📒 Files selected for processing (1)
  • .github/workflows/maven.yml
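An added illustration, not part of this PR or of CodeRabbit or zizmor: a small Python checker, written here, that applies the same three findings the PR description and the review comments above raise (action refs that are mutable tags instead of 40-character commit SHAs, no top-level permissions block, and actions/checkout without persist-credentials: false) to workflow text. The before/after workflow samples are constructed from the PR description, and the all-zero SHA is a placeholder, not a real pin.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^(\s*(?:-\s*)?)uses:\s*([^\s#]+)")  # group 1 = step key indent

def audit_workflow(text):
    """Return (line_no, message) findings for one workflow file; line 0 = whole file."""
    findings, lines = [], text.splitlines()
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "no top-level permissions block; GITHUB_TOKEN keeps default scopes"))
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(2).partition("@")
        if not SHA_RE.match(ref):
            findings.append((idx + 1, f"{action} uses mutable ref '{ref}'; pin to a full commit SHA"))
        if action == "actions/checkout":
            # the step's own lines: everything below until indentation drops back
            body = []
            for nxt in lines[idx + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < len(m.group(1)):
                    break
                body.append(nxt)
            if not any(re.search(r"persist-credentials:\s*false\b", b) for b in body):
                findings.append((idx + 1, "checkout persists GITHUB_TOKEN in .git/config; set persist-credentials: false"))
    return findings

# Constructed samples modelled on this PR's before/after; the SHA is an obvious placeholder.
FAKE_SHA = "0" * 40
BEFORE = """\
on: [push]
jobs:
  build:
    steps:
    - uses: actions/checkout@v2
    - uses: actions/setup-java@v2
"""
AFTER = f"""\
on: [push]
permissions: {{}}
jobs:
  build:
    permissions: {{contents: read, actions: write}}
    steps:
    - uses: actions/checkout@{FAKE_SHA} # v6.0.2
      with: {{persist-credentials: false}}
    - uses: actions/setup-java@{FAKE_SHA} # v5.2.0
      with: {{distribution: temurin}}
"""
```

Running audit_workflow(BEFORE) reports four findings (the file-level permissions gap, two mutable refs, and the unprotected checkout), while audit_workflow(AFTER) reports none.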

@coderabbitai bot commented Apr 11, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

An unexpected error occurred while generating fixes: Resource not accessible by integration - https://docs.github.com/rest/git/trees#create-a-tree

…stence

- actions/checkout and setup-java/zizmor-action use immutable commit pins
- Maven job checkout sets persist-credentials: false (zizmor already had it)

Co-authored-by: Mike Houston <mike@kothar.net>
@kothar kothar merged commit 46d3404 into master Apr 11, 2026
5 checks passed
@kothar kothar deleted the cursor/update-actions-zizmor-e68c branch April 11, 2026 11:07