Refine job-level permissions to enhance supply chain security (#92)

## Changes

This PR specifies minimal permissions on each job to reduce unnecessary
access to repository contents and avoid potential security risks. By
granting only the required scopes (e.g. read-only for repository
contents and write access only for issues to post PR comments), we can
protect the supply chain from unintended privilege escalations.

Author: Yang-33

.github/workflows/ci.yml

@@ -9,7 +9,8 @@ on:
 jobs:
   setup:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Use Node.js
@@ -24,7 +25,8 @@ jobs:
 
   generate-test:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Use Node.js
@@ -44,7 +46,8 @@ jobs:
 
   format-diff:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0

.github/workflows/sdk-testing.yml

@@ -8,7 +8,9 @@ on:
 jobs:
   test-java:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout SDK repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -52,7 +54,9 @@ jobs:
 
   test-python:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout SDK repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -74,7 +78,6 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
         with:
-          distribution: 'temurin'
           python-version: '3.11'
 
       - name: Install dependencies
@@ -96,16 +99,14 @@ jobs:
           language: python
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Update version in linebot/__about__.py
-        run: |
-          sed -i "s/__version__ = '__LINE_BOT_SDK_PYTHON_VERSION__'/__version__ = '12.34.5'/g" linebot/__about__.py
-
       - name: Test with pytest
         run: tox
 
   test-php:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout SDK repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -127,7 +128,6 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # 2.32.0
         with:
-          distribution: 'temurin'
           php-version: '8.2'
 
       - name: Install openapi-generator-cli
@@ -183,7 +183,9 @@ jobs:
 
   test-nodejs:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout SDK repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -202,7 +204,7 @@ jobs:
           PR_REF: ${{ github.event.pull_request.head.ref }}
 
       # https://github.com/line/line-bot-sdk-nodejs/blob/master/.github/workflows/test.yml
-      - name: actions/setup-java@v3
+      - name: Setup Java
         uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: 'temurin'
@@ -236,7 +238,9 @@ jobs:
 
   test-go:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout SDK repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -255,7 +259,7 @@ jobs:
           PR_REF: ${{ github.event.pull_request.head.ref }}
 
       # https://github.com/line/line-bot-sdk-go/blob/master/.github/workflows/go.yml
-      - name: actions/setup-java@v3
+      - name: Setup Java
         uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           distribution: 'temurin'