security(ci): fix SARIF upload permissions and deprecation

- Add permissions: actions: read for workflow run metadata
- Upgrade to github/codeql-action/upload-sarif@v4
- Guard uploads to skip forked PRs (avoid Resource not accessible by integration)
- Applies to Trivy and Dependency-Check SARIF uploads

Author: ZoneMix

.github/workflows/security.yml

@@ -10,6 +10,7 @@ on:
 permissions:
   contents: read
   security-events: write
+  actions: read
   pull-requests: write
 
 jobs:
@@ -78,8 +79,12 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        if: >
+          always() && (
+            github.event_name != 'pull_request' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          )
         with:
           sarif_file: 'trivy-results.sarif'
           category: 'trivy'
@@ -178,8 +183,12 @@ jobs:
             --enable-retired
 
       - name: Upload Dependency-Check results
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        if: >
+          always() && (
+            github.event_name != 'pull_request' ||
+            github.event.pull_request.head.repo.full_name == github.repository
+          )
         with:
           sarif_file: 'dependency-check-report.sarif'
           category: 'dependency-check'