Run CodeQL for GitHub Actions & improve workflows

.github/workflows/check-api-compatibility.yml

@@ -3,6 +3,8 @@
 name: Check API compatibility
 
 on: pull_request
+permissions:
+  contents: read #  to fetch code (actions/checkout)
 
 jobs:
   check-api-compatibility:

.github/workflows/cifuzz.yml

@@ -1,25 +1,39 @@
 name: CIFuzz
 on: [pull_request]
+permissions: {}
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
     - name: Build Fuzzers
       id: build
+      # Cannot be pinned to commit because there are no releases, see https://github.com/google/oss-fuzz/issues/6836
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
       with:
         oss-fuzz-project-name: 'gson'
         dry-run: false
         language: jvm
     - name: Run Fuzzers
+      # Cannot be pinned to commit because there are no releases, see https://github.com/google/oss-fuzz/issues/6836
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
         oss-fuzz-project-name: 'gson'
         fuzz-seconds: 600
         dry-run: false
+        output-sarif: true
     - name: Upload Crash
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts
         path: ./out/artifacts
+    - name: Upload Sarif
+      if: always() && steps.build.outcome == 'success'
+      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
+      with:
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: cifuzz-sarif/results.sarif
+        checkout_path: cifuzz-sarif

.github/workflows/codeql-analysis.yml

@@ -13,21 +13,27 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
     permissions:
       security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'java' ]
+        include:
+        - language: java
+          build-mode: manual
+        # GitHub Actions
+        - language: actions
+          build-mode: none
 
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
     - name: Set up JDK 17
+      if: ${{ matrix.language == 'java' }}
       uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12  # v4.7.0
       with:
         distribution: 'temurin'
@@ -39,15 +45,19 @@ jobs:
       uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
       with:
         languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
         # Run all security queries and maintainability and reliability queries
         queries: +security-and-quality
 
     # Only compile main sources, but ignore test sources because findings for them might not
     # be that relevant (though GitHub security view also allows filtering by source type)
     # Can replace this with github/codeql-action/autobuild action to run complete build
-    - name: Compile sources
+    - name: Compile sources (Java)
+      if: ${{ matrix.language == 'java' }}
       run: |
         mvn compile --batch-mode --no-transfer-progress
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841  # v3.28.13
+      with:
+        category: "/language:${{ matrix.language }}"