Holistic review of GitHub Actions (#92)

* Set up Java and Gradle the same way as all the others because we're running Gradle.
* Prettify yaml code:
 * Unify naming
 * Quote names
 * Little spacing
* Explicit permissions for each job
* Review names of jobs

.github/workflows/dependencies.yaml

@@ -0,0 +1,31 @@
+name: "Dependencies"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  dependency-submission:
+    name: "Submit Dependency Graph"
+    runs-on: ubuntu-latest
+
+    permissions:
+      # The Dependency Submission API requires write permission.
+      contents: write
+
+    steps:
+
+      - name: "Checkout sources"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: "Set up Java"
+        uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
+        with:
+          distribution: 'temurin'
+          java-version-file: '.java-version'
+
+      - name: "Generate and submit dependency graph"
+        # Note: this `uses: gradle/actions/setup-gradle@v3` under the hood.
+        uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3

.github/workflows/merge-check.yml

@@ -1,4 +1,4 @@
-name: Merge checks
+name: "Merge Checks"
 
 on:
   push:
@@ -10,33 +10,38 @@ on:
 
 jobs:
   build:
-    name: Build project
+    name: "Build Project"
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ macos-latest, ubuntu-latest ]
     if: ${{ !contains(github.event.head_commit.message, 'ci skip') }}
+
+    permissions:
+      contents: read
+
     steps:
-      - name: Checkout Repo
+
+      - name: "Checkout sources"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
-      - name: Set up Java
+      - name: "Set up Java"
         uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
         with:
           distribution: 'temurin'
           java-version-file: '.java-version'
 
-      - name: Setup gradle
+      - name: "Setup gradle"
         uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3
 
-      - name: Run Gradle tasks
-        run: ./gradlew build 
+      - name: "Run Gradle tasks"
+        run: ./gradlew build
 
-      - name: Upload 'Test Report (${{ matrix.os }})' artifact
+      - name: "Upload 'Test Report (${{ matrix.os }})' artifact"
         uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4
         if: success() || failure()
         with:
-          name: Test Report (${{ matrix.os }})
+          name: 'Test Report (${{ matrix.os }})'
           path: |
             build/reports/tests/allTests/

.github/workflows/publish-snapshot.yml → .github/workflows/release.yml

@@ -1,27 +1,36 @@
-name: Publish snapshot
+name: "Release"
+
 on:
   push:
     branches:
       - main
+
 jobs:
   publish:
+    name: "Publish to Sonatype"
     runs-on: macos-latest
+
+    permissions:
+      contents: read
+
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
-      - name: Set up Java
+      - name: "Checkout sources"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+      - name: "Set up Java"
         uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
         with:
           distribution: 'temurin'
           java-version-file: '.java-version'
 
-      - name: Setup gradle
+      - name: "Setup gradle"
         uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3
 
-      - name: Build
+      - name: "Build"
         run: ./gradlew build
 
-      - name: Publish package
+      - name: "Publish package"
         run: ./gradlew publishToSonatype
         env:
           ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.MAVEN_CENTRAL_USER }}