[3.14] Default GHA permissions to `contents: read` (GH-148346) (#148386)

(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)

diff --git a/.github/workflows/add-issue-header.yml b/.github/workflows/add-issue-header.yml
index 00b7ae50cb99356e34c3c810343f0326802be3a9..4c25976b9c24f7286d2efa4d4fd69a6ff5e948f5 100644 (file)
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -12,7 +12,8 @@ on:
       # Only ever run once
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   add-header:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5cb8307d6cde9fac90892f5496236b829c8f97e4..8f71d8ed99ad4b82654e32320c8453813bae502d 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -637,6 +638,7 @@ jobs:
       needs.build-context.outputs.run-ci-fuzz == 'true'
       || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false

diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index 1ba060a70c9ce4de8c4aa6f949e03a524604fb41..2678eb9b348d4effce1cfcd2954dbfa6b1e1a46c 100644 (file)
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -12,7 +12,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fb2b94b7362308ea64be4e3ddf7fafbd3c4d881f..e9a4eb2b0808cb720cadecbcea638a6128b8909b 100644 (file)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 59db8dd5a6ea3081d640754d3eea3c732149546b..ae2095690b2d8a9face74d386715d416bde3f156 100644 (file)
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -32,7 +32,8 @@ on:
       - "Tools/requirements-dev.txt"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1

diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index 14860e56600d062e9170c0f4a3c94d0a4ea62666..e585657dde68816c866cd3660edaee0bae3b7ebf 100644 (file)
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index 262299fc30f9899c6609fabae27c9e09f66be3dc..f3e2666879530f908d1579deb43e40fb474e2133 100644 (file)
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label-dnm:

diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
index f06b193d3715fba4676d9ea2f94809e1d242560d..9b49e7fd26f00784a4c1eb0e26d654b397d9c8ee 100644 (file)
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -13,7 +13,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   cifuzz:

diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index cc9841ebf32f27d3f876c0edf02d8f8fe4bdcc96..b8a9e2960eca591f7a937287bfebf24d9b0a2a0d 100644 (file)
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -54,7 +54,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:

diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index e1c35021432ad0127755ea07a88d56c58df5c723..bee44e8df276639684bf9de7344feb02ba8652be 100644 (file)
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/reusable-emscripten.yml b/.github/workflows/reusable-emscripten.yml
index 300731deb78959e139a03f8725ea06511c5e2f55..69a780a9aebc25e8a20bc947961fa2b794c64bf3 100644 (file)
--- a/.github/workflows/reusable-emscripten.yml
+++ b/.github/workflows/reusable-emscripten.yml
@@ -3,7 +3,8 @@ name: Reusable Emscripten
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index a1782302ab55be3a9d60fe96be35d886972fc5df..588c76366eb4c5a957180320d550fdaf509ca010 100644 (file)
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -12,7 +12,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index dbc9a995c04d860d0dd0ef8a204d2e068bb52b1d..3b1124d62d3dbeca979549ee9f17a70e961c28fd 100644 (file)
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 36e12b63c1e2b0687bc095476f720a73e8ad438e..40529cc86886f75d4b46876dc17cc42b21b8c203 100644 (file)
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -18,7 +18,8 @@ on:
          required: true
          type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
index 1c8dad5546badeac12eaa737fdeac221f548f84f..6a87c37692ed92a54eef00f073ccaad3ed79be58 100644 (file)
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -3,7 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
index 5513e5025c6446ce2ccf8850af13ea2f343f1c1f..420c9cd909a5e99c8b0d6a3ad39870f39fba61a0 100644 (file)
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index df54583d623c31b38b8f11f0306f7c76d4805b10..138e6846cb9039155aa0023047331c4b68f804b0 100644 (file)
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,7 +13,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 42ddb713c10393deea64bdda0afd841f856b4c7a..1fbc4a20dbc7ddd0f98b83abf0b2897edb730d42 100644 (file)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 */6 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:

diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
index e0ed179b21e73367f6b01bce7cd86716812ab484..e93bef2adc21fb57b2df2c9cfc995c4e13bde502 100644 (file)
--- a/.github/workflows/tail-call.yml
+++ b/.github/workflows/tail-call.yml
@@ -11,7 +11,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f9ccb38b86fe03310d41f06df32..cb40f6abc0b3b751a60f6e328ba4d1a2eb300d52 100644 (file)
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e8accc554dc3b195c860835ca65ae..472a11db2da5fbf9dd3a6822bc2825c0f3c3a096 100644 (file)
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}