Drop dependency-graph step, simplify perms to contents: read

arpitjain099 · arpitjain099 · commit 8cc2c11e565e · 2026-05-13T16:08:35.000Z
Per @jdneo's review: the 'Update dependency graph' step (maven-dependency -submission-action) has been failing in CI; removing it lets the workflow hold to the strict workflow-level contents: read default with no per-job write override needed. Net change vs main: - workflow-level permissions: contents: read (new) - Update dependency graph step: removed - per-job permissions: contents: write override on build: not added Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,10 +16,6 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-    # `Update dependency graph` step uses maven-dependency-submission-action,
-    # which posts to the Dependency submission API and requires `contents: write`.
-    permissions:
-      contents: write
 
     steps:
     - uses: actions/checkout@v4
@@ -45,8 +41,3 @@ jobs:
       with:
        run: >-
            ./mvnw clean verify --batch-mode
-
-    # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
-    - name: Update dependency graph
-      uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
-      continue-on-error: true
