From 2fcd2830b72b318035bd81b207de7c46e486a137 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Mon, 6 Apr 2026 01:12:40 +0300 Subject: [PATCH] [3.10] gh-145098: Add `permissions: {}` to all workflows (GH-148126) (#148139) * [3.10] gh-145098: Use `macos-15-intel` instead of unstable `macos-26-intel` in `{jit,tail-call}.yml` (GH-148126) (cherry picked from commit bce96a181350f348560fe0623361f39a6d5c6361) Co-authored-by: Stan Ulbrych Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> * Add 'permissions: {}' to all workflows --------- Co-authored-by: Stan Ulbrych --- .github/workflows/build.yml | 3 +-- .github/workflows/stale.yml | 8 +++++--- .github/workflows/verify-ensurepip-wheels.yml | 3 +-- .github/workflows/verify-expat.yml | 3 +-- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7cbd43da6fc9..8a1d371f2f90 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,8 +11,7 @@ on: - 'main' - '3.*' -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 5bbb6f0cb414..8949defda4d1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,13 +4,15 @@ on: schedule: - cron: "0 0 * * *" -permissions: - pull-requests: write +permissions: {} jobs: stale: - + if: github.repository_owner == 'python' runs-on: ubuntu-latest + permissions: + pull-requests: write + timeout-minutes: 10 steps: - name: "Check PRs" diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml index fe27c4f09319..b18fc92a0499 100644 --- a/.github/workflows/verify-ensurepip-wheels.yml +++ b/.github/workflows/verify-ensurepip-wheels.yml 
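Review bot: With `permissions: {}` at the top level and no job-level `permissions:` added in this hunk, every job in build.yml now receives a token with no scopes, so any job that relied on the former `contents: read` would lose it (for example a checkout in a private mirror or fork, or a called reusable workflow, which cannot exceed the caller's scopes). The jobs are outside the hunk, so this is something to confirm rather than a known break; where a job does need it, give that job its own `permissions:` with `contents: read`, the way stale.yml does for its write scope. The same applies to the identical change in verify-ensurepip-wheels.yml and verify-expat.yml. A short comment above the line, such as `# Deny all GITHUB_TOKEN scopes by default; jobs opt in to what they need`, would record the intent.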
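Review bot: The job-level `pull-requests: write` grant in stale.yml is handed to whatever action the `Check PRs` step runs, and that `uses:` line is outside the hunk, so it is worth confirming that the action is pinned to a full commit SHA rather than a movable tag. This scheduled job is the only place in the patch where a write-scoped token is issued. A comment on the grant, e.g. `# required to label and close stale PRs`, would tell the next reader why write access is needed; that wording is inferred from the step name and should be checked against the action's inputs. The job's steps continue outside the hunk.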
@@ -13,8 +13,7 @@ on: - '.github/workflows/verify-ensurepip-wheels.yml' - 'Tools/scripts/verify_ensurepip_wheels.py' -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml index 472a11db2da5..e193dfa4603e 100644 --- a/.github/workflows/verify-expat.yml +++ b/.github/workflows/verify-expat.yml @@ -11,8 +11,7 @@ on: - 'Modules/expat/**' - '.github/workflows/verify-expat.yml' -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} -- 2.47.3