✨ feat: add dirty-waters to CI #1083

Closed

randomicecube

cc @monperrus @Stamp9

Relates to INRIA/spoon#5216, chains-project/dirty-waters#37, chains-project/dirty-waters#58

Key notes:

  • x_to_fail parameter: the percentage of a single non-high severity issue present among the dependencies for the CI to break. It defaults to 5%, so what should it be here?
  • comment_on_commit: whether the reports are allowed to be pasted as comments in the commits, in the case of high-severity issues breaking CI. Defaults to false, what do we want here?
  • allow_pr_comments: whether the reports are allowed to be pasted as comments in pull requests. Defaults to true, what do we want here?
  • By default, only static analysis happens. Do we want differential to be performed in certain scenarios too? If so, which ones?
  • Gradual reporting is enabled by default -- only one of the reported smells has its table displayed at a time, with the higher severity issues showing up first.
  • Which maven build commands should be run before running the dirty-waters action (if any)?

For more information on the action, see the wiki.

@monperrus
Contributor

monperrus commented Feb 19, 2025 via email

@monperrus
Contributor

@randomicecube how to make progress towards merge here? Thanks!

@LogFlames force-pushed the diogo/add-dirty-waters branch from d4cf934 to 9228ebb on March 13, 2025 17:19
@LogFlames
Member

Rebasing to trigger new CI without non-allowlisted actions.

@LogFlames changed the title from "feat: add dirty-waters to CI" to "✨ feat: add dirty-waters to CI" on Mar 13, 2025
@randomicecube
Author

Hey @LogFlames @monperrus
Sorry for the late reply; have been working on Eric's feedback for the past few weeks, but now I think I'm fully back and able to help on deploying the action on these projects.
I'll update the action to the most recent version, re-trigger the CI here and check whether everything's solid

@randomicecube
Author

@LogFlames currently, it's not allowed for the action to post comments (see https://github.com/chains-project/maven-lockfile/actions/runs/13898731122/job/38885195489?pr=1083#step:4:3144); I think you might have to allow this?
Also, after that's done, I'll re-run the action and ignore cache for one run

@LogFlames
Member

@randomicecube I think it might be because this is a PR from a public repo outside the chains-project (https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).

scope | Maximum access for pull requests from public forked repositories
pull-request | read

Have you been able to create PRs from forks into other projects without this issue? Maybe @algomaster99 has higher access and can find a setting?

Otherwise, do you have access to create a branch on chains-project/maven-lockfile?

@randomicecube
Author

@LogFlames Ah, that should be it yeah!
I'm not sure (but I think so); after I fix the code signature bug we have talked about, I'll open a new PR from a branch from within this repo

@algomaster99
Member

> Have you been able to create PRs from forks into other projects without this issue? Maybe @algomaster99 has higher access and can find a setting?

You can set permissions for a workflow as documented here.

> I'll open a new PR from a branch from within this repo

But try this and then let me know :)
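
An added example (not from this thread and not the project's own workflow) of handling the fork restriction discussed above: the workflow requests only the scopes it needs and turns PR comments off when the head branch is in a fork, where the token is capped at read access whatever the `permissions` block requests. The action reference is a placeholder, and the assumption is that `allow_pr_comments` and `comment_on_commit` accept `true`/`false` as described in the PR description.

```yaml
# Added example; the dirty-waters action reference below is a placeholder.
name: dirty-waters (example)

on:
  pull_request:

# Least privilege: request only what the job uses.
# For a pull_request run triggered from a public fork, GitHub caps the
# GITHUB_TOKEN at read access no matter what is requested here.
permissions:
  contents: read
  pull-requests: write

jobs:
  analyse:
    runs-on: ubuntu-latest
    env:
      # 'true' only when the PR head branch lives in this repository
      SAME_REPO: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - uses: actions/checkout@v4

      - name: Run dirty-waters
        uses: OWNER/DIRTY-WATERS-ACTION@REF   # placeholder, not a real reference
        with:
          # Post PR comments only when the token can actually write them
          allow_pr_comments: ${{ env.SAME_REPO }}
          comment_on_commit: false

      - name: Note for fork PRs
        if: env.SAME_REPO != 'true'
        run: echo "Fork PR, read-only token, so the report is in the job log only." >> "$GITHUB_STEP_SUMMARY"
```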

@LogFlames
Member

Continued in #1134.

@LogFlames closed this on Mar 26, 2025

4 participants