From 80f0bc1834a815c9cae2d9005be6030fb896e459 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sun, 12 Apr 2026 09:39:03 +0300
Subject: [PATCH] [3.10] Default GHA permissions to `contents: read`
 (GH-148346) (#148391)

(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)
---
 .github/workflows/build.yml                   | 3 ++-
 .github/workflows/stale.yml                   | 3 ++-
 .github/workflows/verify-ensurepip-wheels.yml | 3 ++-
 .github/workflows/verify-expat.yml            | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a1d371f2f90..7cbd43da6fc9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 8949defda4d1..93d7fcec8811 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index b18fc92a0499..fe27c4f09319 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/scripts/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e..472a11db2da5 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-- 
2.47.3