From 38cec485f866acb9b2633c46b4a4fa6290cc183a Mon Sep 17 00:00:00 2001
From: khalil-bot <khaliloulah7777@gmail.com>
Date: Mon, 1 Jun 2026 12:48:43 +0200
Subject: [PATCH] fix(ci): fix CodeQL permissions and ZAP target URL and action
 version

Add security-events: write at workflow level to allow CodeQL SARIF upload.
Update ZAP action from v0.12.0 to v0.14.0 to fix invalid artifact name error.
Target /actuator/health instead of root path which returns 404.
---
 .github/workflows/notification-service.yml | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/notification-service.yml b/.github/workflows/notification-service.yml
index 85519df..24677b7 100644
--- a/.github/workflows/notification-service.yml
+++ b/.github/workflows/notification-service.yml
@@ -12,6 +12,10 @@ on:
       - notification_service/**
       - .github/workflows/notification-service.yml
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   # ── 1. Build & test ──────────────────────────────────────────────────────────
   ci:
@@ -135,19 +139,12 @@ jobs:
           MOCK_MODE: "true"
 
       - name: ZAP Baseline Scan
-        uses: zaproxy/action-baseline@v0.12.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
-          target: http://localhost:8080
+          target: http://localhost:8080/actuator/health
           fail_action: false
           allow_issue_writing: false
-
-      - name: Upload ZAP report
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: zap-report
-          path: report_html.html
-          retention-days: 14
+          artifact_name: zap-report
 
   # ── 5. Docker build & push ───────────────────────────────────────────────────
   docker: