Commit d8495cf

build: Add explicit least-privilege permissions to CI workflow (#185)
Declare workflow-level contents: read as the default least-privilege scope, and override per-job to contents: write for the build job because maven-dependency-submission-action posts to the Dependency submission API and that endpoint requires contents: write. This documents the actual scope needed by each part of the workflow rather than inheriting the repository default token permissions, which is the recommended hardening pattern.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

* Drop dependency-graph step, simplify perms to contents: read

Per @jdneo's review: the 'Update dependency graph' step (maven-dependency-submission-action) has been failing in CI; removing it lets the workflow hold to the strict workflow-level contents: read default with no per-job write override needed.

Net change vs main:
- workflow-level permissions: contents: read (new)
- Update dependency graph step: removed
- per-job permissions: contents: write override on build: not added

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
1 parent 3f0a5d4 commit d8495cf

1 file changed

Lines changed: 3 additions & 5 deletions

.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
66
pull_request:
77
branches: [ "main" ]
88

9+
permissions:
10+
contents: read
11+
912
jobs:
1013
build:
1114
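Review bot: The new top-level `permissions:` block with `contents: read` sits between `on:` and `jobs:`, which is the right scope for a workflow-wide default, but note that declaring any `permissions` key reduces every scope not listed to none for every job in the workflow; a future job that needs another scope (for example pull-requests or packages) must add its own per-job `permissions:` override rather than inheriting the repository default. A one-line YAML comment above the block stating that intent would keep the next contributor from widening it back to the default.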

@@ -38,8 +41,3 @@ jobs:
3841
with:
3942
run: >-
4043
./mvnw clean verify --batch-mode
41-
42-
# Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
43-
- name: Update dependency graph
44-
uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
45-
continue-on-error: true
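Review bot: Removing the step also removes the behaviour its own comment describes (uploading the full dependency graph so Dependabot alerts cover the Maven dependencies this repository pulls in), and the commit message only says the step had been failing; the trade-off, or a link to a follow-up for reinstating the submission once it works, should be recorded so the loss of coverage is not implicit. Because the step ran with `continue-on-error: true`, its failures never turned the job red, which is worth keeping in mind if it is brought back: a silently failing security-relevant upload is easy to overlook, so reinstate it without `continue-on-error` or with an explicit failure notification.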
