[3.12] Default GHA permissions to `contents: read` (GH-148346) (#148388)

author Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>

Sun, 12 Apr 2026 06:38:15 +0000 (09:38 +0300)

committer GitHub <noreply@github.com>

Sun, 12 Apr 2026 06:38:15 +0000 (09:38 +0300)
author Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Sun, 12 Apr 2026 06:38:15 +0000 (09:38 +0300)
committer GitHub <noreply@github.com>
Sun, 12 Apr 2026 06:38:15 +0000 (09:38 +0300)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml

index d76d0315c0011aa5f90e481b4155cffa11fb52bf..36db96a61b451b7646debdfb9c3bbfe2c028e436 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
      - 'main'
      - '3.*'
  
-permissions: {}
+permissions:
+  contents: read
  
  concurrency:
    group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-reusable
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml

index ad6bd7ef696f322876811b274cb2c29ef8c4d80a..201e94a888af2765537f295aaee7ad29da3b1e07 100644 (file)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
  
  on: [push, pull_request, workflow_dispatch]
  
-permissions: {}
+permissions:
+  contents: read
  
  env:
    FORCE_COLOR: 1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml

index ef8d12b2a0fe95b894e6fb9357127afb5548df4a..cfb8d5c60d5ce1c35f17b3d6358a91790dadbbaa 100644 (file)
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -12,7 +12,8 @@ on:
        - ".github/workflows/mypy.yml"
    workflow_dispatch:
  
-permissions: {}
+permissions:
+  contents: read
  
  env:
    PIP_DISABLE_PIP_VERSION_CHECK: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml

index 17e697926dabe2a9d1f3ab10afa355abcf3e93f7..bbcb9b401758d6ad7dac4e1935272c5967c0f0fb 100644 (file)
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
      types:
        - opened
  
-permissions: {}
+permissions:
+  contents: read
  
  jobs:
    notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml

index ebc5699d490841767d916b31bd2ddc62110e0d43..206f24cf9d5fb32a054ded61d8f3531f473142c2 100644 (file)
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
    pull_request:
      types: [opened, reopened, labeled, unlabeled, synchronize]
  
-permissions: {}
+permissions:
+  contents: read
  
  jobs:
    label:
diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml

index b433ac8de594d9e4fa09cb68d82423cc9f038baf..7561f49e8715b297958575dce368222772dad8ae 100644 (file)
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -33,7 +33,8 @@ on:  # yamllint disable-line rule:truthy
          description: Whether to run the CIFuzz job
          value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }}  # bool
  
-permissions: {}
+permissions:
+  contents: read
  
  jobs:
    compute-changes:
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml

index 69c9b5422adef0e79f0e844abbbb0a9fdba3d05e..89d5f18c55739054855b9f4f6f842440b3f844b3 100644 (file)
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
    workflow_call:
    workflow_dispatch:
  
-permissions: {}
+permissions:
+  contents: read
  
  concurrency:
    group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml

index 6cdfd36b2f1d4d712b6231f6d11393839fcf4454..9c94aec4ce0d22c8dcd9040aa8e5c69a8b8ef496 100644 (file)
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -15,7 +15,8 @@ on:
          required: true
          type: string
  
-permissions: {}
+permissions:
+  contents: read
  
  env:
    FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-tsan.yml b/.github/workflows/reusable-tsan.yml

index 0a3a6f1825ef7541d2a8f3a298d363bbc56a10ff..e11cc58f815c412d564f0d6f4c2c3c2ada476d20 100644 (file)
--- a/.github/workflows/reusable-tsan.yml
+++ b/.github/workflows/reusable-tsan.yml
@@ -12,7 +12,8 @@ on:
          type: boolean
          default: false
  
-permissions: {}
+permissions:
+  contents: read
  
  env:
    FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml

index 5b4aa2c7abcfff526096b48d0dcbcdbe601c0ab9..61afb38e77d917032ebf0b6e91298a409a36b326 100644 (file)
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -12,7 +12,8 @@ on:
          type: boolean
          default: false
  
-permissions: {}
+permissions:
+  contents: read
  
  env:
    FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml

index 3f2a4d8211713db6355ac5c8ee660e001e11d2d4..6c2b016a2c61c0daea74dd7c8e45e0c0f89f5aab 100644 (file)
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,7 +13,8 @@ on:
          type: boolean
          default: false
  
-permissions: {}
+permissions:
+  contents: read
  
  env:
    FORCE_COLOR: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml

index 164882460d66d825600e8951f785256754e1d5e4..9884447212647751bf116afb01517f1d9872d0b9 100644 (file)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
    schedule:
    - cron: "0 0 * * *"
  
-permissions: {}
+permissions:
+  contents: read
  
  jobs:
    stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml

index 4ac25bc909b13f9ccb38b86fe03310d41f06df32..cb40f6abc0b3b751a60f6e328ba4d1a2eb300d52 100644 (file)
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
        - '.github/workflows/verify-ensurepip-wheels.yml'
        - 'Tools/build/verify_ensurepip_wheels.py'
  
-permissions: {}
+permissions:
+  contents: read
  
  concurrency:
    group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml

index e193dfa4603e8accc554dc3b195c860835ca65ae..472a11db2da5fbf9dd3a6822bc2825c0f3c3a096 100644 (file)
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
        - 'Modules/expat/**'
        - '.github/workflows/verify-expat.yml'
  
-permissions: {}
+permissions:
+  contents: read
  
  concurrency:
    group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
author	Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
	Sun, 12 Apr 2026 06:38:15 +0000 (09:38 +0300)
committer	GitHub <noreply@github.com>
	Sun, 12 Apr 2026 06:38:15 +0000 (09:38 +0300)
.github/workflows/build.yml		patch \| blob \| blame \| history
.github/workflows/lint.yml		patch \| blob \| blame \| history
.github/workflows/mypy.yml		patch \| blob \| blame \| history
.github/workflows/new-bugs-announce-notifier.yml		patch \| blob \| blame \| history
.github/workflows/require-pr-label.yml		patch \| blob \| blame \| history
.github/workflows/reusable-context.yml		patch \| blob \| blame \| history
.github/workflows/reusable-docs.yml		patch \| blob \| blame \| history
.github/workflows/reusable-macos.yml		patch \| blob \| blame \| history
.github/workflows/reusable-tsan.yml		patch \| blob \| blame \| history
.github/workflows/reusable-ubuntu.yml		patch \| blob \| blame \| history
.github/workflows/reusable-windows.yml		patch \| blob \| blame \| history
.github/workflows/stale.yml		patch \| blob \| blame \| history
.github/workflows/verify-ensurepip-wheels.yml		patch \| blob \| blame \| history
.github/workflows/verify-expat.yml		patch \| blob \| blame \| history