Grant minimum permissions to github acitons workflow jobs (#1202)

## Changes
Granting the minimum necessary permissions is always a good practice.
There might be cases where permissions are insufficient, but since
errors are very clear, I believe we can add them when a failure occurs.

After merging, I will change the default of the GITHUB_ACTIONS token
from read + write to read only. Then, I will run as many workflows as
possible (including publish) to verify their operation.

reference:
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#overview

Author: Yang-33

.github/workflows/check-eol-newrelease.yml

@@ -9,6 +9,10 @@ on:
 jobs:
   check-eol-newrelease:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    if: github.repository == 'line/line-bot-sdk-nodejs'
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/close-issue.yml

@@ -11,6 +11,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+    if: github.repository == 'line/line-bot-sdk-nodejs'
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:

.github/workflows/create-draft-release.yml

@@ -26,6 +26,7 @@ on:
 jobs:
   validate-input:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Validate Acknowledgement
         if: ${{ github.event.inputs.acknowledge_draft != 'Yes' }}
@@ -41,7 +42,8 @@ jobs:
   create-draft-release:
     runs-on: ubuntu-latest
     needs: validate-input
-
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Fetch Latest Release

.github/workflows/deploy-doc.yml

@@ -4,18 +4,17 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 concurrency:
   group: pages
   cancel-in-progress: false
 
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      issues: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
@@ -61,6 +60,10 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     needs: [build]
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+      issues: write
     name: Deploy
     steps:
       - name: Deploy to GitHub Pages

.github/workflows/generate-code.yml

@@ -11,7 +11,9 @@ jobs:
   tests:
     name: Generate OpenAPI based code
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # Setup
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/release.yml

@@ -10,12 +10,11 @@ on:
 
 jobs:
   release-package:
+    runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
       issues: write
-
-    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     # Setup .npmrc file to publish to GitHub Packages

.github/workflows/test.yml

@@ -7,9 +7,9 @@ on:
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     strategy:
       matrix:
         # https://nodejs.org/en/about/releases/