Fix potential github action smells

.github/workflows/build.yml

@@ -16,8 +16,8 @@ jobs:
           - java: 21
             # Disable Enforcer check which (intentionally) prevents using JDK 21 for building
             extra-mvn-args: -Denforcer.fail=false
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       - name: "Set up JDK ${{ matrix.java }}"
@@ -32,8 +32,8 @@ jobs:
 
   native-image-test:
     name: "GraalVM Native Image test"
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       - name: "Set up GraalVM"
@@ -51,8 +51,8 @@ jobs:
 
   verify-reproducible-build:
     name: "Verify reproducible build"
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
       - name: "Set up JDK 17"
@@ -65,11 +65,12 @@ jobs:
       - name: "Verify no plugin issues"
         run: mvn artifact:check-buildplan --batch-mode --no-transfer-progress
 
-      - name: "Verify reproducible build"
         # See https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-to-test-my-maven-build-reproducibility
-        run: |
-          mvn clean install --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests
-          # Run with `-Dbuildinfo.attach=false`; otherwise `artifact:compare` fails because it creates a `.buildinfo` file which
-          # erroneously references the existing `.buildinfo` file (respectively because it is overwriting it, a file with size 0)
-          # See https://issues.apache.org/jira/browse/MARTIFACT-57
-          mvn clean verify artifact:compare --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests -Dbuildinfo.attach=false
+      - name: "Build project"
+        run: mvn clean install --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests
+
+      - name: "Verify reproducible build"
+        # Run with `-Dbuildinfo.attach=false`; otherwise `artifact:compare` fails because it creates a `.buildinfo` file which
+        # erroneously references the existing `.buildinfo` file (respectively because it is overwriting it, a file with size 0)
+        # See https://issues.apache.org/jira/browse/MARTIFACT-57
+        run: mvn clean verify artifact:compare --batch-mode --no-transfer-progress -Dproguard.skip -DskipTests -Dbuildinfo.attach=false

.github/workflows/check-android-compatibility.yml

@@ -11,8 +11,8 @@ permissions:
 
 jobs:
   check-android-compatibility:
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
 
@@ -24,6 +24,5 @@ jobs:
           cache: 'maven'
 
       - name: Check Android compatibility
-        run: |
-          # Run 'test' phase because plugin normally expects to be executed after tests have been compiled
-          mvn --batch-mode --no-transfer-progress test animal-sniffer:check@check-android-compatibility -DskipTests
+        # Run 'test' phase because plugin normally expects to be executed after tests have been compiled
+        run: mvn --batch-mode --no-transfer-progress test animal-sniffer:check@check-android-compatibility -DskipTests

.github/workflows/check-api-compatibility.yml

@@ -6,8 +6,8 @@ on: pull_request
 
 jobs:
   check-api-compatibility:
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     steps:
       - name: Checkout old version
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
@@ -22,21 +22,19 @@ jobs:
           java-version: '11'
           cache: 'maven'
 
-      - name: Build old version
-        run: |
-          cd gson-old-japicmp
-          # Set dummy version
-          mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.11.0:set -DnewVersion=JAPICMP-OLD
-          # Install artifacts with dummy version in local repository; used later by Maven plugin for comparison
-          mvn --batch-mode --no-transfer-progress install -DskipTests
+      - name: Set dummy version
+        working-directory: gson-old-japicmp
+        run: mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.11.0:set -DnewVersion=JAPICMP-OLD
+      - name: Install artifacts with dummy version
+        working-directory: gson-old-japicmp
+        run: mvn --batch-mode --no-transfer-progress install -DskipTests
 
       - name: Checkout new version
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
 
       - name: Check API compatibility
         id: check-compatibility
-        run: |
-          mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
+        run: mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
 
       - name: Upload API differences artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808  # v4.3.3

.github/workflows/cifuzz.yml

@@ -2,7 +2,8 @@ name: CIFuzz
 on: [pull_request]
 jobs:
   Fuzzing:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
     steps:
     - name: Build Fuzzers
       id: build

.github/workflows/codeql-analysis.yml

@@ -14,7 +14,8 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     permissions:
       security-events: write
 
@@ -46,8 +47,7 @@ jobs:
     # be that relevant (though GitHub security view also allows filtering by source type)
     # Can replace this with github/codeql-action/autobuild action to run complete build
     - name: Compile sources
-      run: |
-        mvn compile --batch-mode --no-transfer-progress
+      run: mvn compile --batch-mode --no-transfer-progress
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14  # v3.25.3