Update valitydev/java-workflow action to v4#76
| jobs: | ||
| build: | ||
| uses: valitydev/java-workflow/.github/workflows/maven-service-build.yml@v3 | ||
| uses: valitydev/java-workflow/.github/workflows/maven-service-build.yml@v4 |
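Review bot: the uses: reference moves from one mutable tag (@v3) to another (@v4), so the build job still resolves to whatever commit that tag points at on the day it runs; pinning the reusable workflow to a full commit SHA (keeping the tag in a trailing comment for readability) would make the build reproducible and let future Renovate bumps be audited against a specific commit. Because this is a major-version bump of the called workflow, confirm via the Compare Source link in the PR body that v4 does not change the inputs, secrets or GITHUB_TOKEN permissions the caller has to supply; nothing else in the hunk changes. The CodeQL "Workflow does not contain permissions" warning attached below concerns the absence of a permissions block in build.yml, which this line does not touch, so it is a pre-existing finding rather than one introduced by the bump.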
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix
AI 1 day ago
In general, the fix is to explicitly add a permissions block to the workflow (or to the specific job) that grants only the minimal necessary permissions to GITHUB_TOKEN, instead of relying on repository defaults. For a typical Maven build that only needs to read source and possibly read packages, a safe minimal starting point is contents: read and optionally packages: read.
In this specific workflow, there is a single job build that delegates to a reusable workflow. The least intrusive and clearest fix is to add a root-level permissions block (between name: and on: or between on: and jobs:) so that it applies to all jobs, including the build job that calls the reusable workflow. Since we do not see any evidence that write permissions are needed, we will use the minimal recommended permissions: contents: read and packages: read. This documents the intended scope and restricts GITHUB_TOKEN appropriately without altering any existing build logic.
Concretely, edit .github/workflows/build.yml to insert:

permissions:
  contents: read
  packages: read

near the top of the file (e.g., after name: Maven Build Artifact). No imports or additional methods are needed, since this is pure workflow configuration.
| @@ -1,5 +1,9 @@ | ||
| name: Maven Build Artifact | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: |
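Review bot: the root-level permissions block (contents: read, packages: read) is a sensible default but may be too narrow for this particular caller: the only job delegates to maven-service-build.yml@v4, and a called reusable workflow can only downgrade, never elevate, the GITHUB_TOKEN permissions its caller grants, so if that workflow publishes to GitHub Packages (packages: write) or creates tags or releases (contents: write), the job will start failing with 403 errors once this autofix is merged. Check the permissions declared in the called workflow before applying the suggestion; if write scope is genuinely required, grant it on the build job only and keep the restrictive root-level block, so the narrowing still applies to any job added later. Placing the block between name: and on: is the conventional position and the rest of the hunk is fine.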
This PR contains the following updates:
v3 → v4

Release Notes
valitydev/java-workflow (valitydev/java-workflow)
v4 (Compare Source)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.