From 348d8516f3e157c85d129cf6881461d4db95806b Mon Sep 17 00:00:00 2001
From: Yuta Kasai <yuta.kasai@linecorp.com>
Date: Wed, 26 Mar 2025 22:22:53 +0900
Subject: [PATCH 1/6] NO-ISSUE Grant minimum permission for
 check-eol-newrelease

---
 .github/workflows/check-eol-newrelease.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/check-eol-newrelease.yml b/.github/workflows/check-eol-newrelease.yml
index 1c687ebc..13c9d378 100644
--- a/.github/workflows/check-eol-newrelease.yml
+++ b/.github/workflows/check-eol-newrelease.yml
@@ -9,6 +9,9 @@ on:
 jobs:
   check-eol-newrelease:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

From 73c882bc4188ffafa90f2450d28f794a77772833 Mon Sep 17 00:00:00 2001
From: Yuta Kasai <yuta.kasai@linecorp.com>
Date: Wed, 26 Mar 2025 22:37:58 +0900
Subject: [PATCH 2/6] NO-ISSUE Grant minimum permission for
 create-draft-release

---
 .github/workflows/create-draft-release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/create-draft-release.yml b/.github/workflows/create-draft-release.yml
index 75165a83..5d4aebf4 100644
--- a/.github/workflows/create-draft-release.yml
+++ b/.github/workflows/create-draft-release.yml
@@ -26,6 +26,7 @@ on:
 jobs:
   validate-input:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Validate Acknowledgement
         if: ${{ github.event.inputs.acknowledge_draft != 'Yes' }}
@@ -41,7 +42,8 @@ jobs:
   create-draft-release:
     runs-on: ubuntu-latest
     needs: validate-input
-
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Fetch Latest Release

From 6873cb06153637a770d954897d06abf6937c0473 Mon Sep 17 00:00:00 2001
From: Yuta Kasai <yuta.kasai@linecorp.com>
Date: Wed, 26 Mar 2025 22:48:55 +0900
Subject: [PATCH 3/6] NO-ISSUE Grant minimum permission for generate-code

---
 .github/workflows/generate-code.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/generate-code.yml b/.github/workflows/generate-code.yml
index 45630e22..215cdc50 100644
--- a/.github/workflows/generate-code.yml
+++ b/.github/workflows/generate-code.yml
@@ -10,7 +10,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Setup
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

From 1f546c0721b2d6f048a926a081edbd737215edd9 Mon Sep 17 00:00:00 2001
From: Yuta Kasai <yuta.kasai@linecorp.com>
Date: Wed, 26 Mar 2025 22:52:30 +0900
Subject: [PATCH 4/6] NO-ISSUE Grant minimum permission for test

---
 .github/workflows/auto-testing.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/auto-testing.yml b/.github/workflows/auto-testing.yml
index c01996d5..fa4a7c1f 100644
--- a/.github/workflows/auto-testing.yml
+++ b/.github/workflows/auto-testing.yml
@@ -11,6 +11,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-version:
@@ -44,6 +46,8 @@ jobs:
 
   check-import:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-version:

From e9cc13f1a336a4e984f4487bd56657cad54396df Mon Sep 17 00:00:00 2001
From: Yuta Kasai <yuta.kasai@linecorp.com>
Date: Wed, 26 Mar 2025 23:30:34 +0900
Subject: [PATCH 5/6] NO-ISSUE update line-openapi

---
 line-openapi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/line-openapi b/line-openapi
index 9dec0f84..cc542e3c 160000
--- a/line-openapi
+++ b/line-openapi
@@ -1 +1 @@
-Subproject commit 9dec0f8428ed1f422e718ed4e51b917d92fb9046
+Subproject commit cc542e3cf99e2f0be68507ef5d5fde47d9fae5f9

From 51a6a5c8474d92b9b82caac35a36a5c49816afc6 Mon Sep 17 00:00:00 2001
From: Yuta Kasai <yuta.kasai@linecorp.com>
Date: Thu, 27 Mar 2025 08:42:45 +0900
Subject: [PATCH 6/6] NO-ISSUE Run cronjob only in original repo

---
 .github/workflows/check-eol-newrelease.yml | 1 +
 .github/workflows/close-issue.yml          | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/check-eol-newrelease.yml b/.github/workflows/check-eol-newrelease.yml
index 13c9d378..a78ad73c 100644
--- a/.github/workflows/check-eol-newrelease.yml
+++ b/.github/workflows/check-eol-newrelease.yml
@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: read
       issues: write
+    if: github.repository == 'line/line-bot-sdk-python'
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/close-issue.yml b/.github/workflows/close-issue.yml
index 31e4ad3a..ac4701ee 100644
--- a/.github/workflows/close-issue.yml
+++ b/.github/workflows/close-issue.yml
@@ -11,6 +11,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+    if: github.repository == 'line/line-bot-sdk-python'
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with: