Update valitydev/java-workflow action to v4

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
valitydev/java-workflow	action	major	v3 → v4

---

Release Notes

valitydev/java-workflow (valitydev/java-workflow)

v4

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

To fix the problem, you should explicitly restrict the GITHUB_TOKEN permissions in this workflow, instead of relying on repository or organization defaults. The minimal safe starting point is usually to set contents: read (and other permissions only if needed) at either the root of the workflow or within the specific job.

The best fix here, without changing existing functionality, is to add a permissions block under the build job so that only this job is affected and so that we avoid making assumptions about other jobs that might exist in this file (we have only seen this one). Since this workflow only calls a reusable Maven build workflow and there is no indication it needs write access, we set contents: read as a conservative, least-privilege default. If the reusable workflow requires additional permissions, they can be added later, but starting with read-only is aligned with the CodeQL recommendation.

Concretely, in .github/workflows/build.yml, under jobs: build:, add:

    permissions:
      contents: read

right before the uses: line. No imports or additional methods are needed, as this is a YAML configuration change only.