ci: fix security-events permission and upgrade codeql-action to v4

Add missing security-events: write permission to job-level permissions
block (which was shadowing the workflow-level setting), and update
codeql-action/upload-sarif from v3 to v4 ahead of v3 deprecation.

Author: fhussonnois

.github/workflows/maven-build.yml

@@ -27,6 +27,7 @@ jobs:
     timeout-minutes: 30
     permissions:
       pull-requests: write
+      security-events: write
     steps:
     - name: 'Checkout code'
       uses: actions/checkout@v4
@@ -76,7 +77,7 @@ jobs:
 
     - name: Upload Trivy scan results to GitHub Security tab
       if: github.event_name == 'push'
-      uses: github/codeql-action/upload-sarif@v3
+      uses: github/codeql-action/upload-sarif@v4
       with:
         sarif_file: 'trivy-results.sarif'