diff --git a/.github/workflows/check-eol-newrelease.yml b/.github/workflows/check-eol-newrelease.yml
index 6c179faac..568751951 100644
--- a/.github/workflows/check-eol-newrelease.yml
+++ b/.github/workflows/check-eol-newrelease.yml
@@ -9,6 +9,10 @@ on:
 jobs:
   check-eol-newrelease:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    if: github.repository == 'line/line-bot-sdk-java'
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/close-issue.yml b/.github/workflows/close-issue.yml
index 31e4ad3a3..62a119848 100644
--- a/.github/workflows/close-issue.yml
+++ b/.github/workflows/close-issue.yml
@@ -11,6 +11,7 @@ jobs:
     permissions:
       issues: write
       pull-requests: write
+    if: github.repository == 'line/line-bot-sdk-java'
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
diff --git a/.github/workflows/create-draft-release.yml b/.github/workflows/create-draft-release.yml
index 75165a83b..5d4aebf4f 100644
--- a/.github/workflows/create-draft-release.yml
+++ b/.github/workflows/create-draft-release.yml
@@ -26,6 +26,7 @@ on:
 jobs:
   validate-input:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Validate Acknowledgement
         if: ${{ github.event.inputs.acknowledge_draft != 'Yes' }}
@@ -41,7 +42,8 @@ jobs:
   create-draft-release:
     runs-on: ubuntu-latest
     needs: validate-input
-
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Fetch Latest Release
diff --git a/.github/workflows/generate-code.yml b/.github/workflows/generate-code.yml
index 4df341193..7ed4d9eaa 100644
--- a/.github/workflows/generate-code.yml
+++ b/.github/workflows/generate-code.yml
@@ -10,7 +10,9 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Setup
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index bd7e9d607..e24c76512 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -19,6 +19,8 @@ jobs:
     name: test (JDK ${{ matrix.java }})
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/pom-validation.yml b/.github/workflows/pom-validation.yml
index 7f38438b3..25e74f652 100644
--- a/.github/workflows/pom-validation.yml
+++ b/.github/workflows/pom-validation.yml
@@ -5,6 +5,8 @@ jobs:
     name: test (JDK ${{ matrix.java }})
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 4f4a7bc2b..fd42bd13e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,6 +12,9 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
diff --git a/line-openapi b/line-openapi
index 9dec0f842..cc542e3cf 160000
--- a/line-openapi
+++ b/line-openapi
@@ -1 +1 @@
-Subproject commit 9dec0f8428ed1f422e718ed4e51b917d92fb9046
+Subproject commit cc542e3cf99e2f0be68507ef5d5fde47d9fae5f9