Skip to content

Update valitydev/java-workflow action to v4#102

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/valitydev-java-workflow-4.x
Open

Update valitydev/java-workflow action to v4#102
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/valitydev-java-workflow-4.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 12, 2026

This PR contains the following updates:

Package Type Update Change
valitydev/java-workflow action major v3v4

Release Notes

valitydev/java-workflow (valitydev/java-workflow)

v4

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner February 12, 2026 18:34
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 12, 2026
View reviewed changes
.github/workflows/build.yml
jobs:
build:
uses: valitydev/java-workflow/.github/workflows/maven-library-build.yml@v3
uses: valitydev/java-workflow/.github/workflows/maven-library-build.yml@v4

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 1 day ago

Generally, to fix this problem you add a permissions: block either at the top level of the workflow (to apply to all jobs) or within specific jobs, explicitly declaring the least privileges your workflow needs. For a build job that only needs to read the repository contents and possibly packages, a minimal safe default is contents: read. You can expand scopes later if the workflow requires it.

For this specific file, .github/workflows/build.yml, the simplest non-breaking fix is to add a root-level permissions section that applies to the build job which reuses the external workflow. This keeps behavior as close as possible to current behavior while constraining GITHUB_TOKEN to read-only repository contents by default. Concretely, insert:

permissions:
  contents: read

between the on: block and the jobs: block. No imports or additional methods are needed; this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/build.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,6 +5,9 @@
     branches:
       - '*'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: valitydev/java-workflow/.github/workflows/maven-library-build.yml@v4
EOF
@@ -5,6 +5,9 @@
branches:
- '*'

permissions:
contents: read

jobs:
build:
uses: valitydev/java-workflow/.github/workflows/maven-library-build.yml@v4
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants