From 5f56939bfb1a955ae3050ae428760adeed71a068 Mon Sep 17 00:00:00 2001
From: Davide Vacca <134616519+dvacca-onfido@users.noreply.github.com>
Date: Mon, 28 Jul 2025 11:02:47 +0200
Subject: [PATCH 1/3] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b99162..8bc1048 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,7 @@
 - Release based on Onfido OpenAPI spec version [v5.4.0](https://github.com/onfido/onfido-openapi-spec/releases/tag/v5.4.0):
 - [ENT-26] Add AES document download endpoint
+- Fix dependabot error, add support for python 3.13 (and drop 3.8)
 ## v5.3.0 11th July 2025
From 67e2115faa74ac4fe0d8b12ef53a95da181c07a6 Mon Sep 17 00:00:00 2001
From: Davide Vacca
Date: Mon, 28 Jul 2025 12:11:04 +0200
Subject: [PATCH 2/3] Additional change to CHANGELOG + improvement in CI
---
 .github/workflows/python.yml | 3 ++-
 CHANGELOG.md | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 7be7c9f..d1fdcd1 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -56,7 +56,8 @@ jobs:
 poetry run flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude onfido
 - name: Test with pytest
 if: ${{ matrix.python-version == '3.13' &&
- github.repository_owner == 'onfido' }}
+ github.repository_owner == 'onfido' &&
+ (github.event_name == 'pull_request' || github.event_name == 'release') }}
 run: |
 poetry run pytest --show-capture=no
 env:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8bc1048..8f0074e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
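Review bot: In `.github/workflows/python.yml`, the new `if:` on the "Test with pytest" step still lets the step run for pull requests opened from forks, because `github.repository_owner` names the repository the workflow runs in (the base repo), not the repository the PR branch comes from. If the variables under `env:` (their values are outside this hunk) are filled from repository secrets, those runs presumably receive empty values and fail instead of being skipped. Consider tying the pull_request case to same-repo heads: `(github.event_name == 'release' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)) }}`. The condition also means the scheduled runs declared under `on:` no longer execute pytest at all; if that is intended, a one-line comment above the `if:` saying so would save the next reader from guessing.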
@@ -5,10 +5,10 @@
 - Release based on Onfido OpenAPI spec version [v5.4.0](https://github.com/onfido/onfido-openapi-spec/releases/tag/v5.4.0):
 - [ENT-26] Add AES document download endpoint
 - Fix dependabot error, add support for python 3.13 (and drop 3.8)
+- [ENT-26] Add AES documents test
 ## v5.3.0 11th July 2025
-- Release based on Onfido OpenAPI spec version [v5.3.0](https://github.com/onfido/onfido-openapi-spec/releases/tag/v5.3.0):
 - Release based on Onfido OpenAPI spec version [v5.3.0](https://github.com/onfido/onfido-openapi-spec/releases/tag/v5.3.0):
 - [DEXTV2-9494] Add manual_transmission_restriction to document with driver verification report
From 93ad2664108595b8ad5f82dcfa80079923e4fb92 Mon Sep 17 00:00:00 2001
From: Davide Vacca
Date: Mon, 28 Jul 2025 14:18:42 +0200
Subject: [PATCH 3/3] Add permissions to workflow to solve security vulnerabilities
---
 .github/workflows/python.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index d1fdcd1..c8cc79f 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
@@ -19,6 +19,9 @@ on:
 schedule:
 - cron: "0 14 * * 0" # Every Sunday, 2 hours after midday
+permissions:
+ contents: read
+
 jobs:
 integration-tests:
 runs-on: ubuntu-latest
@@ -72,6 +75,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: integration-tests
 environment: delivery
+ permissions:
+ contents: write
 if: github.event_name == 'release'
 steps:
 - uses: actions/checkout@v4
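Review bot: The `permissions: contents: write` added to the job gated by `if: github.event_name == 'release'` (second hunk of `.github/workflows/python.yml`) gives that job's `GITHUB_TOKEN` write access to the repository contents, and nothing visible in the hunk needs it; the steps after `actions/checkout@v4` are outside the hunk. If the job only builds and uploads the package, `contents: read` is enough; if a later step does push or edit the release, name it next to the grant, e.g. `contents: write  # needed by the release-upload step` (substitute the real step name). A job-level `permissions` block replaces the workflow-level one rather than adding to it, so every scope not listed here is `none` for this job, which is worth checking against whatever the publish steps use. With a write-scoped token, also consider `persist-credentials: false` on the checkout unless a later step needs git to authenticate, since checkout otherwise leaves the token in the local git config for the following steps.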