
Pin actions and restrict permissions for DeployJavaSnapshot job#2763

Merged
riccardobl merged 1 commit into master from codex/fix-vulnerability-in-github-actions-snapshot-deploy on May 10, 2026

Conversation

@riccardobl
Member

Motivation

  • The DeployJavaSnapshot job ran mutable GitHub Action refs before invoking Gradle with OSSRH and signing secrets, creating a CI/CD supply-chain exposure risk.
  • Reduce the risk by pinning upstream action references to immutable commit SHAs and by limiting job permissions to the minimum required.

Description

  • Added permissions: contents: read to the DeployJavaSnapshot job in .github/workflows/main.yml to restrict repository access.
  • Replaced the mutable refs used inside the DeployJavaSnapshot job with full 40-character commit SHAs for actions/checkout, actions/setup-java, and both actions/download-artifact steps, while retaining version comments for readability.
  • Preserved the existing snapshot publication behavior and the Gradle publish invocation including its secret inputs to avoid changing runtime behavior.

Testing

  • Parsed the modified workflow with Ruby using YAML.load_file('.github/workflows/main.yml') which succeeded.
  • Executed a Python inspection that verifies all uses: actions/...@ refs in the DeployJavaSnapshot block are pinned to full 40-hex SHAs, and the check passed.
  • Ran git diff --check to ensure no whitespace or diff-check issues were introduced and it returned clean results.

Codex Task
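The pin-and-permissions inspection described under Testing, written out as an added example for this page (not the project's own script): it scans one job block of a workflow file line by line, with no YAML library, reports every `uses:` ref that is not a full 40-hex commit SHA, and checks that the job declares `contents: read`. The embedded workflow and its SHAs are constructed placeholders, not the real pins from `.github/workflows/main.yml`.

```python
import re

# Constructed sample in the shape of .github/workflows/main.yml; the SHAs are
# placeholder values, not the project's real pins.
SAMPLE_WORKFLOW = """\
jobs:
  Build:
    steps:
      - uses: actions/checkout@v4
  DeployJavaSnapshot:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-java@1111111111111111111111111111111111111111 # v4
      - uses: actions/download-artifact@v4
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def job_lines(workflow, job):
    """Lines belonging to one job under `jobs:`, delimited by indentation."""
    lines = workflow.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == f"{job}:"), None)
    if start is None:
        raise ValueError(f"job {job!r} not found")
    indent = len(lines[start]) - len(lines[start].lstrip())
    body = []
    for line in lines[start + 1:]:
        if line.strip() and len(line) - len(line.lstrip()) <= indent:
            break  # reached the next job or the end of the jobs mapping
        body.append(line)
    return body

def unpinned_uses(workflow, job):
    """Return the job's `uses:` refs that are not pinned to a 40-hex commit SHA."""
    bad = []
    for line in job_lines(workflow, job):
        m = USES_RE.match(line)
        if m:
            _, _, version = m.group(1).partition("@")
            if not SHA_RE.match(version):
                bad.append(m.group(1))
    return bad

def contents_read_only(workflow, job):
    """Crude line check (not a YAML parse) for `permissions:` with `contents: read`."""
    stripped = [l.strip() for l in job_lines(workflow, job)]
    return "permissions:" in stripped and "contents: read" in stripped
```

A mutable tag such as `v4` passes YAML validation but fails this check; only a full commit SHA is accepted, which is the property the PR's Python inspection enforces.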

@gemini-code-assist
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@riccardobl riccardobl merged commit 77af9bc into master May 10, 2026
15 checks passed