Default GHA permissions to `contents: read` (#148346)

diff --git a/.github/workflows/add-issue-header.yml b/.github/workflows/add-issue-header.yml
index 00b7ae50cb99356e34c3c810343f0326802be3a9..4c25976b9c24f7286d2efa4d4fd69a6ff5e948f5 100644 (file)
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -12,7 +12,8 @@ on:
       # Only ever run once
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   add-header:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c34f8f699d8edb6f42807cd8ffa38bc7ff0e6278..9303190ea6dbba77834282fbe64f0313bea751f3 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -612,6 +613,7 @@ jobs:
       needs.build-context.outputs.run-ci-fuzz == 'true'
       || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false

diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index 81d75ef18209039088105e40ce47d4aaf7da2d62..e63fe9e1284a012d480554ba49b502ac5374e469 100644 (file)
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -15,7 +15,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fb2b94b7362308ea64be4e3ddf7fafbd3c4d881f..e9a4eb2b0808cb720cadecbcea638a6128b8909b 100644 (file)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 583dc1808dfc35da08fc95f4365ed9b1fd08ed61..e5a5b3939e58e3cb1d49b3a60dc83ce5d642933e 100644 (file)
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -33,7 +33,8 @@ on:
       - "Tools/requirements-dev.txt"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1

diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index be375a970a475cd7fe38738bbe33494f4def5aed..1267361040c81b6ca4707646308b0c3e69c66e53 100644 (file)
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index 262299fc30f9899c6609fabae27c9e09f66be3dc..f3e2666879530f908d1579deb43e40fb474e2133 100644 (file)
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label-dnm:

diff --git a/.github/workflows/reusable-check-c-api-docs.yml b/.github/workflows/reusable-check-c-api-docs.yml
index 5fae57a1dbda36279b08d2f0c589e299166b2d34..49e5ef7f768b79958938b2e2a63b2908a3ff4530 100644 (file)
--- a/.github/workflows/reusable-check-c-api-docs.yml
+++ b/.github/workflows/reusable-check-c-api-docs.yml
@@ -3,7 +3,8 @@ name: Reusable C API Docs Check
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-check-html-ids.yml b/.github/workflows/reusable-check-html-ids.yml
index 03ed714ca585fe9efa45a0ba8c33133e4c71f18d..4f827c55cacd06713b684e1e07705b319bf8cb73 100644 (file)
--- a/.github/workflows/reusable-check-html-ids.yml
+++ b/.github/workflows/reusable-check-html-ids.yml
@@ -3,7 +3,8 @@ name: Reusable check HTML IDs
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
index 093b2c859eff7b40451bdb6fed3fd54c89982ac3..0d02232686339bf9b80cccfaa72f879aa33d7139 100644 (file)
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -13,7 +13,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   cifuzz:

diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index cc9841ebf32f27d3f876c0edf02d8f8fe4bdcc96..b8a9e2960eca591f7a937287bfebf24d9b0a2a0d 100644 (file)
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -54,7 +54,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:

diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index 3d534feb2ed3ea36a191c830ce598d205866c6c1..0453b6ab5550480f68a4b143ef710830366f9d83 100644 (file)
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/reusable-emscripten.yml b/.github/workflows/reusable-emscripten.yml
index 300731deb78959e139a03f8725ea06511c5e2f55..69a780a9aebc25e8a20bc947961fa2b794c64bf3 100644 (file)
--- a/.github/workflows/reusable-emscripten.yml
+++ b/.github/workflows/reusable-emscripten.yml
@@ -3,7 +3,8 @@ name: Reusable Emscripten
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index a372d5715290db0d0a79c2b8bc8b6c32c4f5a26e..f10503055b2259ad59bee98c54369dc310b75476 100644 (file)
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -12,7 +12,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index c55fad77ff0398a5127a550ed411feaf391ff79d..9d4f412cfcf6f7a6851b22012c36bf0b7b0d81ac 100644 (file)
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index b2ab525c976330ca04d72f0316c227a48d2c37a1..87fba6221fb917f4cd0a2943d2be85facfbec57c 100644 (file)
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -23,7 +23,8 @@ on:
          type: string
          default: ''
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
index 83f9d2399ce1006e89cb628c1c006096b7b1e88a..48fb70cbff8009554967839db2aa22d8a5bad481 100644 (file)
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -3,7 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
index 7c724f184f3ef668360a9696b8e4469f661e2054..a74724323ec15f816b34cd85c7d30901ca8f2fc8 100644 (file)
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index 2cfe338a6525e60adfc0c7d8e1ec8860ac2a1cf4..4c8d0c8a2f984fce7cfd44f044d0034b6a6a189a 100644 (file)
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -17,7 +17,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a862fde5e14eb49684421428b41ee35732859334..01fe5ba8fda8bcb5b6cca59075e768dd22ee8c9f 100644 (file)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 */6 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:

diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
index 35c62acb28b761f0807fdb316af4973c2d9e0ee3..656a14906b3cb79dbfa7e31aae117229692aef05 100644 (file)
--- a/.github/workflows/tail-call.yml
+++ b/.github/workflows/tail-call.yml
@@ -11,7 +11,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f9ccb38b86fe03310d41f06df32..cb40f6abc0b3b751a60f6e328ba4d1a2eb300d52 100644 (file)
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e8accc554dc3b195c860835ca65ae..472a11db2da5fbf9dd3a6822bc2825c0f3c3a096 100644 (file)
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}