diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index c06cc26..fc96757 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -1,10 +1,11 @@
 # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+# 权限声明,确保 workflow 有权限写 checks 和 security-events
+permissions:
+ contents: read
+ checks: write
+ security-events: write
 name: Java CI with Maven
@@ -12,11 +13,11 @@ on:
 push:
 branches: [ "main" ]
 paths-ignore:
- - 'README.md'
- - 'LICENSE'
- - '.gitignore'
- - '.gitattributes'
- - 'picture'
+ - 'README.md'
+ - 'LICENSE'
+ - '.gitignore'
+ - '.gitattributes'
+ - 'picture'
 pull_request:
 branches: [ "main" ]
 workflow_dispatch: # 允许手动触发工作流
@@ -46,7 +47,7 @@ jobs:
 # 缓存 Maven 本地仓库
 - name: Cache Maven packages
- uses: actions/cache@v3
+ uses: actions/cache@v2
 with:
 path: ~/.m2
 key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -60,16 +61,16 @@ jobs:
 MAVEN_OPTS: -Xmx4g -XX:MaxMetaspaceSize=1g
 MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version"
- # 收集测试报告
+ # 收集测试报告(权限已修复)
 - name: Publish Test Report
 uses: mikepenz/action-junit-report@v4
- if: success() || failure() # 无论测试成功还是失败都运行
+ if: success() || failure()
 with:
 report_paths: '**/target/surefire-reports/TEST-*.xml'
 detailed_summary: true
 include_passed: true
 fail_on_failure: true
-
+
 # 添加代码质量检查(可选)
 - name: Run SonarQube Analysis
 if: matrix.java-version == '17' && github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
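Review bot: The new workflow-level `permissions` block grants `security-events: write` although no step visible in this diff uploads code-scanning results, while it keeps `contents: read`, which is less than the `advanced-security/maven-dependency-submission-action` step later in the file needs — that action submits a dependency snapshot through the dependency-submission API and documents `contents: write` as required, so the "permissions fixed" comments elsewhere in this commit are probably premature. Drop `security-events: write` until a step actually uses it, and scope the write grants to the job that needs them via `jobs.<id>.permissions` rather than the whole workflow. Note that on `pull_request` runs from forks the token is read-only regardless of this block, so the `checks: write` consumed by the test-report step only takes effect for pushes and same-repository PRs; a one-line comment saying so would save the next reader a debugging round.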
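Review bot: `uses: actions/cache@v3` is moved back to `actions/cache@v2` with no rationale in the hunk or the description; v2 is an older major on a deprecated Node runtime, and GitHub has announced that cache action releases older than v3.4.0/v4.2.0 stop working against the current cache service, so this downgrade is likely to turn the step into a hard failure rather than fix anything. If reproducibility is the goal, keep a supported major and pin it to a full commit SHA the way the dependency-submission step in this file already does, e.g. `uses: actions/cache@<commit-sha>  # v4.x.y`, instead of an older or floating tag. The same floating-tag pattern applies to `mikepenz/action-junit-report@v4` and `actions/upload-artifact@v4` in the following hunks.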
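Review bot: The replacement comment `# 收集测试报告(权限已修复)` records change history ("permissions fixed") rather than describing the step, and the dropped inline comment on `if: success() || failure()` was the only explanation of why the report is published after a failed test run; change history belongs in the commit message, not the workflow. Suggest `# Collect test reports; runs on success or failure so failed runs still get a report` above the step and a plain `if: success() || failure()` below it. The `(权限和token已修复)` comment added to the dependency-graph step in the last hunk has the same problem.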
@@ -85,7 +86,7 @@ jobs:
 else
 echo "Skipping SonarQube analysis - SONAR_TOKEN not configured"
 fi
-
+
 # 上传构建产物
 - name: Upload Build Artifacts
 uses: actions/upload-artifact@v4
@@ -96,19 +97,21 @@ jobs:
 !**/target/original-*.jar
 retention-days: 5
 if-no-files-found: error
-
- # 只在 Java 17 版本上更新依赖图
+
+ # 只在 Java 17 版本上更新依赖图(权限和token已修复)
 - name: Update dependency graph
 uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
 if: matrix.java-version == '17'
-
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
 # 发送构建状态通知
 - name: Notify Build Status
 if: always()
- uses: rtCamp/action-slack-notify@v2
+ uses: rtCamp/action-slack-notify@v2.2.1
 env:
 SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK || '' }}
 SLACK_CHANNEL: build-notifications
 SLACK_COLOR: ${{ job.status }}
 SLACK_TITLE: Build Status for Java ${{ matrix.java-version }}
- SLACK_MESSAGE: 'Build ${{ job.status }} on Java ${{ matrix.java-version }}'
+ SLACK_MESSAGE: 'Build ${{ job.status }} on Java ${{ matrix.java-version }}'
\ No newline at end of file
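Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` appears to be the dependency-submission action's default input, so passing it explicitly changes nothing; if the submission was failing, the likely cause is the workflow-level `contents: read` granted at the top of this diff, since the dependency-submission API needs `contents: write`, and this hunk does not touch that. The new `SLACK_MESSAGE` line is byte-identical to the removed one except that the file now ends without a trailing newline (`\ No newline at end of file`); restore the final newline so the last line stops churning in future diffs. `rtCamp/action-slack-notify@v2.2.1` is tighter than `@v2` but still a mutable tag for a step that receives `SLACK_WEBHOOK`; pin it to a full commit SHA like the dependency-submission step, e.g. `uses: rtCamp/action-slack-notify@<commit-sha>  # v2.2.1`.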