Skip to content

Update valitydev/java-workflow action to v4#81

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/valitydev-java-workflow-4.x
Open

Update valitydev/java-workflow action to v4#81
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/valitydev-java-workflow-4.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 12, 2026

This PR contains the following updates:

Package Type Update Change
valitydev/java-workflow action major v3v4

Release Notes

valitydev/java-workflow (valitydev/java-workflow)

v4

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 12, 2026
View reviewed changes
.github/workflows/build.yml
jobs:
build:
uses: valitydev/java-workflow/.github/workflows/maven-service-build.yml@v3
uses: valitydev/java-workflow/.github/workflows/maven-service-build.yml@v4

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 17 days ago

In general, the fix is to add an explicit permissions block that limits the GITHUB_TOKEN to the minimal access required. For simple build workflows that only need to read code and (optionally) read packages, a common baseline is contents: read and possibly packages: read. Since we cannot see any other actions in this job (it only reuses a Maven build workflow), and to avoid accidentally breaking behavior that might rely on write permissions (for example, if the reusable workflow publishes build summaries, comments on PRs, or uploads artifacts needing specific scopes), the safest minimal change is to add a root‑level permissions block with read‑only repo contents. This documents the intended restriction and prevents inheriting unnecessarily broad defaults.

Concretely, in .github/workflows/build.yml, add a permissions section at the top level, between name: and on: (or directly under name:) to apply to all jobs in this workflow. The block should be:

permissions:
  contents: read

This sets the default GITHUB_TOKEN permissions for all jobs (including the reusable build job) to read‑only access to repository contents, which is usually sufficient for a Maven build. No imports or additional definitions are needed, as this is pure YAML configuration for GitHub Actions.

Suggested changeset 1
.github/workflows/build.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 name: Maven Build Artifact
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:
EOF
@@ -1,5 +1,8 @@
name: Maven Build Artifact

permissions:
contents: read

on:
pull_request:
branches:
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants