From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sun, 12 Apr 2026 06:38:51 +0000 (+0300)
Subject: [3.11] Default GHA permissions to `contents: read` (GH-148346) (#148389)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=776d39f2be6310ebd5c9093286f9cee8e8ec6c14;p=thirdparty%2FPython%2Fcpython.git
[3.11] Default GHA permissions to `contents: read` (GH-148346) (#148389)
(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)
---
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9eedda17d83e..87091022c293 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
 - 'main'
 - '3.*'
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-reusable
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 62e255095c94..20d1477e5084 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
-permissions: {}
+permissions:
+ contents: read
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index 311672bb628c..339465f75f16 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
 types:
 - opened
-permissions: {}
+permissions:
+ contents: read
 jobs:
 notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index ebc5699d4908..206f24cf9d5f 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
 pull_request:
 types: [opened, reopened, labeled, unlabeled, synchronize]
-permissions: {}
+permissions:
+ contents: read
 jobs:
 label:
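Review bot: In new-bugs-announce-notifier.yml and require-pr-label.yml (and stale.yml further down), the new workflow-level `contents: read` is a wider default than the `permissions: {}` it replaces, and these look like jobs that may not need it. The triggers visible in those hunks (open and label events, a cron schedule) suggest work done through the API rather than a checkout; this is inferred, because the `jobs:` bodies lie outside the hunks. A job-level `permissions:` block replaces the workflow default entirely, so if these jobs already declare one the change has no effect there. If they do not, keeping `permissions: {}` at the top and granting scopes on the job is the tighter form. Either way a comment above the block such as `# Default for every job; a job-level permissions block replaces it entirely` would record the intent.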
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index 71ba1d97a563..e99cc1fa5f21 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
 workflow_call:
 workflow_dispatch:
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index fa8d89912bc0..5217a4962939 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -9,7 +9,8 @@ on:
 type: boolean
 default: false
-permissions: {}
+permissions:
+ contents: read
 jobs:
 build_macos:
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index c836ff59b060..7489cddda94b 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -8,7 +8,8 @@ on:
 required: true
 type: string
-permissions: {}
+permissions:
+ contents: read
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index fad82009fb51..30c890be201f 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -6,7 +6,8 @@ on:
 type: boolean
 default: false
-permissions: {}
+permissions:
+ contents: read
 jobs:
 build_win32:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 164882460d66..988444721264 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
 schedule:
 - cron: "0 0 * * *"
-permissions: {}
+permissions:
+ contents: read
 jobs:
 stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 018b0463b7f8..2c47fdbc1e12 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
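Review bot: For the four reusable-*.yml files, the scopes a called workflow may request are capped by the calling job, so raising the default from `{}` to `contents: read` depends on every caller granting at least `contents: read`. build.yml receives the same workflow-level default in this commit, but a calling job that declares its own `permissions:` block without `contents` would, as far as I can tell, fail validation when the run starts. The `jobs:` sections and any other callers on this backport branch are outside these hunks, so that is worth checking before merge. A comment above the block such as `# Callers via workflow_call must grant at least contents: read` would document the dependency.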
@@ -13,7 +13,8 @@ on:
 - '.github/workflows/verify-ensurepip-wheels.yml'
 - 'Tools/scripts/verify_ensurepip_wheels.py'
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e..472a11db2da5 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
 - 'Modules/expat/**'
 - '.github/workflows/verify-expat.yml'
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}