Fix gha smells in other workflows as well:

- Use fixed version for runs-on argument
- Avoid jobs without timeouts
- Steps should only perform a single command

.github/workflows/check-android-compatibility.yml

@@ -11,8 +11,8 @@ permissions:
 
 jobs:
   check-android-compatibility:
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
 
@@ -24,6 +24,5 @@ jobs:
           cache: 'maven'
 
       - name: Check Android compatibility
-        run: |
-          # Run 'test' phase because plugin normally expects to be executed after tests have been compiled
-          mvn --batch-mode --no-transfer-progress test animal-sniffer:check@check-android-compatibility -DskipTests
+        # Run 'test' phase because plugin normally expects to be executed after tests have been compiled
+        run: mvn --batch-mode --no-transfer-progress test animal-sniffer:check@check-android-compatibility -DskipTests

.github/workflows/check-api-compatibility.yml

@@ -6,8 +6,8 @@ on: pull_request
 
 jobs:
   check-api-compatibility:
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     steps:
       - name: Checkout old version
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
@@ -22,21 +22,19 @@ jobs:
           java-version: '11'
           cache: 'maven'
 
-      - name: Build old version
-        run: |
-          cd gson-old-japicmp
-          # Set dummy version
-          mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.11.0:set -DnewVersion=JAPICMP-OLD
-          # Install artifacts with dummy version in local repository; used later by Maven plugin for comparison
-          mvn --batch-mode --no-transfer-progress install -DskipTests
+      - name: Set dummy version
+        working-directory: gson-old-japicmp
+        run: mvn --batch-mode --no-transfer-progress org.codehaus.mojo:versions-maven-plugin:2.11.0:set -DnewVersion=JAPICMP-OLD
+      - name: Install artifacts with dummy version
+        working-directory: gson-old-japicmp
+        run: mvn --batch-mode --no-transfer-progress install -DskipTests
 
       - name: Checkout new version
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b  # v4.1.4
 
       - name: Check API compatibility
         id: check-compatibility
-        run: |
-          mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
+        run: mvn --batch-mode --fail-at-end --no-transfer-progress package japicmp:cmp -DskipTests
 
       - name: Upload API differences artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808  # v4.3.3

.github/workflows/cifuzz.yml

@@ -2,7 +2,8 @@ name: CIFuzz
 on: [pull_request]
 jobs:
   Fuzzing:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
     steps:
     - name: Build Fuzzers
       id: build

.github/workflows/codeql-analysis.yml

@@ -14,7 +14,8 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
     permissions:
       security-events: write
 
@@ -46,8 +47,7 @@ jobs:
     # be that relevant (though GitHub security view also allows filtering by source type)
     # Can replace this with github/codeql-action/autobuild action to run complete build
     - name: Compile sources
-      run: |
-        mvn compile --batch-mode --no-transfer-progress
+      run: mvn compile --batch-mode --no-transfer-progress
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14  # v3.25.3