From f74e2ee2d3eb38f87cb20414c16afa0ab8d0b864 Mon Sep 17 00:00:00 2001
From: Ezio Melotti <ezio.melotti@gmail.com>
Date: Sun, 5 Apr 2026 07:46:39 +0800
Subject: [PATCH] [3.14] Add `permissions: {}` to all reusable workflows
 (#148114) (#148115)

Add `permissions: {}` to all reusable workflows (#148114)

Add permissions: {} to all reusable workflows

(cherry picked from commit 1f36a510a2a16e8ff15572f44090c7db43bb7935)
---
 .github/workflows/reusable-cifuzz.yml      | 2 ++
 .github/workflows/reusable-context.yml     | 2 ++
 .github/workflows/reusable-docs.yml        | 3 +--
 .github/workflows/reusable-emscripten.yml  | 2 ++
 .github/workflows/reusable-macos.yml       | 2 ++
 .github/workflows/reusable-san.yml         | 2 ++
 .github/workflows/reusable-ubuntu.yml      | 2 ++
 .github/workflows/reusable-wasi.yml        | 2 ++
 .github/workflows/reusable-windows-msi.yml | 3 +--
 .github/workflows/reusable-windows.yml     | 2 ++
 10 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
index ecb5000ee6bb..f06b193d3715 100644
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -13,6 +13,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   cifuzz:
     name: ${{ inputs.oss-fuzz-project-name }} (${{ inputs.sanitizer }})
diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index 0f0ca3475b32..cc9841ebf32f 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -54,6 +54,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
+permissions: {}
+
 jobs:
   compute-changes:
     name: Create context from changed files
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index bee44e8df276..e1c35021432a 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,8 +4,7 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-emscripten.yml b/.github/workflows/reusable-emscripten.yml
index ce3e65f11a32..300731deb789 100644
--- a/.github/workflows/reusable-emscripten.yml
+++ b/.github/workflows/reusable-emscripten.yml
@@ -3,6 +3,8 @@ name: Reusable Emscripten
 on:
   workflow_call:
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index 3dd03e1ba0f1..a1782302ab55 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -12,6 +12,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index ec4c51064a2c..dbc9a995c04d 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -12,6 +12,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 5784da694899..36e12b63c1e2 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -18,6 +18,8 @@ on:
          required: true
          type: string
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
index c32710a411fd..1c8dad5546ba 100644
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -3,6 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
index 420c9cd909a5..5513e5025c64 100644
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -8,8 +8,7 @@ on:
         required: true
         type: string
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index 7a88562239b6..df54583d623c 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,6 +13,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
   IncludeUwp: >-
-- 
2.47.3