From a3347aaab90ce7f71d77038fdc18040a99aaec40 Mon Sep 17 00:00:00 2001
From: Ezio Melotti <ezio.melotti@gmail.com>
Date: Sun, 5 Apr 2026 22:41:39 +0800
Subject: [PATCH] [3.11] Add `permissions: {}` to all reusable workflows
 (#148114) (#148123)

---
 .github/workflows/reusable-docs.yml    | 3 +--
 .github/workflows/reusable-macos.yml   | 2 ++
 .github/workflows/reusable-ubuntu.yml  | 2 ++
 .github/workflows/reusable-windows.yml | 2 ++
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index e99cc1fa5f21..71ba1d97a563 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,8 +4,7 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index c4cbe180430f..d3e9defd1109 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -9,6 +9,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 jobs:
   build_macos:
     name: 'build and test'
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index bc62521b6b91..c836ff59b060 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -8,6 +8,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index 851f501dbf42..fad82009fb51 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -6,6 +6,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 jobs:
   build_win32:
     name: 'build and test (x86)'
-- 
2.47.3