chore: cleanup and refactor ci into reusable jobs

- chore: cleanup file structure for clearer job roles
- chore: remove all direct job hooks in favor of entrypoints
- chore: begin refactoring main build job
- chore: run formatter on `.github/workflows`

Signed-off-by: Sam Gammon <sam@elide.ventures>

Author: sgammon

.github/workflows/codeql.ci.yml .github/workflows/checks.codeql.yml

@@ -1,6 +1,6 @@
 name: "CodeQL"
 
-on:
+"on":
   workflow_dispatch: {}
   workflow_call: {}
   push:
@@ -35,8 +35,8 @@ jobs:
       - name: "Setup: GraalVM (Java 21)"
         uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
         with:
-          distribution: 'graalvm'
-          java-version: '21'
+          distribution: "graalvm"
+          java-version: "21"
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: "Setup: Initialize CodeQL"
         uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12

.github/workflows/gradle-wrapper-validation.yml .github/workflows/checks.gradle-wrapper.yml

@@ -1,11 +1,8 @@
 name: Validate Gradle Wrapper
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - "*"
+
+"on":
+  workflow_dispatch: {}
+  workflow_call: {}
 
 permissions:
   contents: read
@@ -19,7 +16,6 @@ jobs:
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit
-
       - name: Checkout latest code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
       - name: Validate Gradle Wrapper

.github/workflows/model.ci.yml .github/workflows/checks.model.yml

@@ -1,12 +1,8 @@
 name: Model
 
-on:
-  push:
-    branches:
-      - main
-      - stable
-  pull_request:
-    types: [labeled, opened, reopened, synchronize]
+"on":
+  workflow_dispatch: {}
+  workflow_call: {}
 
 permissions:
   contents: read

.github/workflows/qodana.ci.yml .github/workflows/checks.qodana.yml

@@ -1,5 +1,6 @@
 name: Qodana
-on:
+
+"on":
   workflow_dispatch: {}
   workflow_call: {}
 
@@ -20,7 +21,7 @@ jobs:
       - name: "Setup: GraalVM (Java 21)"
         uses: graalvm/setup-graalvm@a1b47fdf04e772fed6b3b46131e226f9aea5e169 # v1
         with:
-          distribution: 'graalvm'
+          distribution: "graalvm"
           java-version: 21
           check-for-updates: false
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scorecards.yml .github/workflows/checks.scorecards.yml

@@ -2,17 +2,18 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: Scorecard supply-chain security
-on:
+name: Scorecard
+
+"on":
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
+  branch_protection_rule: {}
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
-    - cron: '20 7 * * 2'
-  push:
-    branches: ["v3"]
+    - cron: "20 7 * * 2"
+  workflow_dispatch: {}
+  workflow_call: {}
 
 # Declare default permissions as read only.
 permissions: read-all

.github/workflows/bench.ci.yml .github/workflows/job.bench.yml

@@ -1,11 +1,8 @@
 name: Benchmark
 
-on:
-  push:
-    branches:
-      - stable
-  pull_request:
-    types: [opened, reopened, synchronize]
+"on":
+  workflow_dispatch: {}
+  workflow_call: {}
 
 env:
   BUILDLESS_APIKEY: ${{ secrets.BUILDLESS_APIKEY }}
@@ -68,7 +65,7 @@ jobs:
         if: ${{ matrix.engine == 'graalvm' }}
         with:
           components: "native-image,js,wasm"
-          distribution: 'graalvm'
+          distribution: "graalvm"
           java-version: ${{ matrix.java }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: "Setup: Zulu"