ci: address all zizmor lints (#15258)

Fixes all zizmor lints which are the majority of GH code scan issues:
* Set empty `permissions: {}` for all workflows
* Specify permissions needed explicitly for each job
* Use `name:` keys for all workflows, jobs, and steps
* Use `persist-credentials: false` for all actions/checkout steps
* Remove actions expressions from bash blocks, plumb thru `env:`

Author: rmuir

.github/workflows/label-pull-request.yml

@@ -13,18 +13,22 @@ on:
   # zizmor: ignore[dangerous-triggers]
   - pull_request_target
 
+permissions: {}
+
 jobs:
   labeler:
+    name: Label PRs
     # only run on the main Lucene repository.
     if: (github.repository == 'apache/lucene')
 
     permissions:
-      contents: read
-      pull-requests: write
+      contents: read # likely not needed for public repository
+      pull-requests: write # manipulate existing labels
 
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+      - name: Run Labeler action
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           sync-labels: true

.github/workflows/mark-stale-PRs.yml

@@ -10,15 +10,19 @@ on:
   # Or run on demand
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   stale:
+    name: Mark stale PRs
     runs-on: ubuntu-latest
 
     permissions:
-      pull-requests: write
+      pull-requests: write # must comment/label PRs
 
     steps:
-      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+      - name: Run stale PR action
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/run-checks-all.yml

@@ -12,6 +12,8 @@ on:
       - 'main'
       - 'branch_10x'
 
+permissions: {}
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
@@ -37,8 +39,13 @@ jobs:
       - name: Correct git autocrlf
         run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/prepare-for-build
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Configure tools
+        uses: ./.github/actions/prepare-for-build
 
       - name: Install eclint
         if: ${{ ! startsWith(matrix.os, 'windows') }}
@@ -72,8 +79,13 @@ jobs:
         if: startsWith(matrix.os, 'windows')
         run: git config --global core.autocrlf false
 
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/prepare-for-build
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Configure tools
+        uses: ./.github/actions/prepare-for-build
 
       - name: Run gradle tests
         run: ./gradlew test "-Ptask.times=true" --max-workers 2

.github/workflows/run-checks-mod-analysis-common-hunspell.yml

@@ -19,6 +19,8 @@ on:
       - '.github/workflows/run-checks-mod-analysis-common.yml'
       - 'lucene/analysis/common/**'
 
+permissions: {}
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
@@ -30,8 +32,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/prepare-for-build
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Configure tools
+        uses: ./.github/actions/prepare-for-build
 
       - name: Run Hunspell regression tests
         run: ./gradlew -p lucene/analysis/common -Ptests.hunspell.regressions=true -Ptests.verbose=true test --tests "TestAllDictionaries"

.github/workflows/run-checks-mod-distribution.tests.yml

@@ -13,11 +13,14 @@ on:
       - 'main'
       - 'branch_10x'
 
+permissions: {}
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
 jobs:
   test:
+    name: Run distribution.tests
     timeout-minutes: 15
 
     strategy:
@@ -29,8 +32,13 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/prepare-for-build
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Configure tools
+        uses: ./.github/actions/prepare-for-build
 
       - name: Run 'gradlew lucene/distribution.tests test' (on ${{ matrix.os }})
         run: ./gradlew -p lucene/distribution.tests test

.github/workflows/run-checks-python.yml

@@ -19,13 +19,19 @@ on:
       - '.github/workflows/run-checks-python.yml'
       - 'dev-tools/scripts/**'
 
+permissions: {}
+
 jobs:
   lint:
+    name: Lint python scripts
     timeout-minutes: 15
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup Python
         uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0

.github/workflows/run-scheduled-hunspell.yml

@@ -7,6 +7,8 @@ on:
     # 4:13 on Mondays
     - cron: '13 4 * * 1'
 
+permissions: {}
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
@@ -18,8 +20,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/prepare-for-build
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Configure tools
+        uses: ./.github/actions/prepare-for-build
 
       - name: Run Hunspell regression tests against latest commits in dictionary repositories
         run: >

.github/workflows/run-scheduled-spotless-groovy.yml

@@ -7,21 +7,28 @@ on:
     # 3:13 on Mondays
     - cron: '13 4 * * 1'
 
+permissions: {}
+
 env:
   DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 
 jobs:
   test:
     name: Check groovy/gradle script formatting compliance
     timeout-minutes: 15
-
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: ./.github/actions/prepare-for-build
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Configure tools
+        uses: ./.github/actions/prepare-for-build
 
-      - run: >
+      - name: Run formatter check
+        run: >
           ./gradlew
           -Plucene.spotlessGradleScripts=true
           spotlessGradleScriptsCheck

.github/workflows/run-special-checks-sandbox.yml

@@ -12,6 +12,8 @@ on:
       - 'main'
       - 'branch_10x'
 
+permissions: {}
+
 jobs:
   faiss-tests:
     name: tests for the Faiss codec (v${{ matrix.faiss-version }} with JDK ${{ matrix.java }} on ${{ matrix.os }})
@@ -37,10 +39,14 @@ jobs:
           conda-remove-defaults: 'true'
 
       - name: Install Faiss
-        run: mamba install faiss-cpu=${{ matrix.faiss-version }}
+        run: mamba install faiss-cpu="${FAISS_VERSION}"
+        env:
+          FAISS_VERSION: ${{ matrix.faiss-version }}
 
       - name: Checkout Lucene
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Prepare Lucene workspace
         uses: ./.github/actions/prepare-for-build