fix(ci): fix CodeQL permissions and ZAP target URL and action version

Add security-events: write at workflow level to allow CodeQL SARIF upload.
Update ZAP action from v0.12.0 to v0.14.0 to fix invalid artifact name error.
Target /actuator/health instead of root path which returns 404.

.github/workflows/notification-service.yml

@@ -12,6 +12,10 @@ on:
       - notification_service/**
       - .github/workflows/notification-service.yml
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   # ── 1. Build & test ──────────────────────────────────────────────────────────
   ci:
@@ -135,19 +139,12 @@ jobs:
           MOCK_MODE: "true"
 
       - name: ZAP Baseline Scan
-        uses: zaproxy/action-baseline@v0.12.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
-          target: http://localhost:8080
+          target: http://localhost:8080/actuator/health
           fail_action: false
           allow_issue_writing: false
-
-      - name: Upload ZAP report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: zap-report
-          path: report_html.html
-          retention-days: 14
+          artifact_name: zap-report
 
   # ── 5. Docker build & push ───────────────────────────────────────────────────
   docker: