add more linters

.github/actions/run-gradle/action.yml

@@ -2,7 +2,7 @@ name: Run Gradle
 description: Sets up Gradle JDKs and runs Gradle
 inputs:
   arguments:
-    required: true
+    required: false
     description: Gradle arguments
   java:
     required: true
@@ -83,6 +83,7 @@ runs:
         gradle-home-cache-cleanup: true
         gradle-home-cache-strict-match: true
     - name: Run ${{ inputs.arguments }}
+      if: ${{ env.arguments != '' }}
       env:
         JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }}
         ORG_GRADLE_PROJECT_org.gradle.java.installations.auto-download: 'false'

.github/workflows/reviewdog.yml

@@ -0,0 +1,86 @@
+name: reviewdog
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@v3
+      - name: Setup node/npm
+        uses: actions/setup-node@v1
+        with:
+          node-version: '*'
+
+      - name: actionlint
+        uses: reviewdog/action-actionlint@v1
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: alex
+        uses: reviewdog/action-alex@v1
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: detect-secrets
+        uses: reviewdog/action-detect-secrets@master
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: languagetool
+        uses: reviewdog/action-languagetool@v1
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: markdownlint
+        uses: reviewdog/action-markdownlint@v0
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: misspell
+        uses: reviewdog/action-misspell@v1
+        with:
+          locale: US
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: install remark presets
+        shell: bash
+        run: npm install remark-preset-lint-recommended
+      - name: remark-lint
+        uses: reviewdog/action-remark-lint@v5
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-check
+
+      - name: shellcheck
+        uses: reviewdog/action-shellcheck@v1
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: shfmt
+        uses: reviewdog/action-nimlint@v1
+        with:
+          reporter: github-check
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: textlint
+        uses: tsuyoshicho/action-textlint@v3
+        with:
+          reporter: github-check
+          textlint_flags: "**/*.md"
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecards-analysis.yml

@@ -29,13 +29,13 @@ jobs:
             api.osv.dev:443
             api.securityscorecards.dev:443
             bestpractices.coreinfrastructure.org:443
-            bestpractices.dev:443
             fulcio.sigstore.dev:443
             github.com:443
             oss-fuzz-build-logs.storage.googleapis.com:443
             rekor.sigstore.dev:443
             sigstore-tuf-root.storage.googleapis.com:443
             tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
       - name: Checkout code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:

.github/workflows/spelling.yml

@@ -17,9 +17,5 @@ jobs:
             objects.githubusercontent.com:443
             raw.githubusercontent.com:443
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-      - name: Install
-        run: curl -sfL https://raw.githubusercontent.com/golangci/misspell/master/install-misspell.sh | sh -s -- -b .
-      - name: Spell Check with Misspell
-        run: ./misspell -error .
       - name: Spell Check with Typos
         uses: crate-ci/typos@bcafd462cb07ef7ba57e34abf458fe20767e808b # v1.19.0

.github/workflows/trivy.yml

@@ -0,0 +1,32 @@
+name: trivy
+permissions: read-all
+on: [ push, pull_request ]
+
+jobs:
+  trivy:
+    runs-on: ubuntu-20.04
+    permissions:
+      checks: write
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif

gradle/libs.versions.toml

@@ -1,5 +1,5 @@
 [versions]
-asm = "9.6"
+asm = "9.7"
 auto-value = "1.10.4"
 awaitility = "4.2.1"
 bcel = "6.8.2"
@@ -33,7 +33,7 @@ felix-framework = "7.0.5"
 felix-scr = "2.2.10"
 findsecbugs = "1.13.0"
 flip-tables = "1.1.1"
-forbidden-apis = "3.6"
+forbidden-apis = "3.7"
 google-java-format = "1.21.0"
 guava = "33.1.0-jre"
 guice = "6.0.0"