[3.11] Default GHA permissions to `contents: read` (GH-148346) (#148389)

(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9eedda17d83e75866ce8dc58fb4875dd4bb22adf..87091022c293034d9a9a84641254b8f39ed8f3c9 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-reusable

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 62e255095c9458a1e7041296f5ada848c88de1d1..20d1477e5084683ad49c4da781f9f635e8b62ad4 100644 (file)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index 311672bb628c0836cc22dad3b710653300d7d3bc..339465f75f169597f0655408754c9b2ff595debd 100644 (file)
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index ebc5699d490841767d916b31bd2ddc62110e0d43..206f24cf9d5fb32a054ded61d8f3531f473142c2 100644 (file)
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label:

diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index 71ba1d97a563704c2a28bbbba2c208062e778155..e99cc1fa5f217dfb0a1ac6bcbc6dde5ee7a82f89 100644 (file)
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index fa8d89912bc0d7fed8790b29c097da8cfdfcb1cc..5217a496293934298f450a3653267dc35a1d6856 100644 (file)
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -9,7 +9,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build_macos:

diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index c836ff59b060744cec294cc687570ff10b0964b6..7489cddda94bb586210c714fd994de0f93341057 100644 (file)
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index fad82009fb5166684005f32d76085cdfe602ab19..30c890be201f1251fee859a2978a1e1649500680 100644 (file)
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -6,7 +6,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   build_win32:

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 164882460d66d825600e8951f785256754e1d5e4..9884447212647751bf116afb01517f1d9872d0b9 100644 (file)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:

diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 018b0463b7f8dc5334902f70adcaee0ce21c785e..2c47fdbc1e12b596532baa576e24bcd63ca5441c 100644 (file)
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/scripts/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e8accc554dc3b195c860835ca65ae..472a11db2da5fbf9dd3a6822bc2825c0f3c3a096 100644 (file)
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}