[3.13] Default GHA permissions to `contents: read` (GH-148346) (#148387)

(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)

diff --git a/.github/workflows/add-issue-header.yml b/.github/workflows/add-issue-header.yml
index 00b7ae50cb99356e34c3c810343f0326802be3a9..4c25976b9c24f7286d2efa4d4fd69a6ff5e948f5 100644 (file)
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -12,7 +12,8 @@ on:
       # Only ever run once
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   add-header:

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a45f2c069a755d7c858d58562a06b0afd5658ae1..c50d060051bc4cd2d763e80939175f680fbb3e65 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -540,6 +541,7 @@ jobs:
       needs.build-context.outputs.run-ci-fuzz == 'true'
       || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false

diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index f19394227d090c7c0dc2a10f68fb0156fd9bbab6..a9e9b8e3a4cd8af5b7e58e7a1ceb3e49066f9a08 100644 (file)
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -18,7 +18,8 @@ on:
       - '!**/*.ini'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fb2b94b7362308ea64be4e3ddf7fafbd3c4d881f..e9a4eb2b0808cb720cadecbcea638a6128b8909b 100644 (file)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 61c8562a338a01aed2485866488e18b57cd0a8af..0c97ba4861dbc24ee77ee86763d4fc8fffc28c6d 100644 (file)
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -30,7 +30,8 @@ on:
       - "Tools/requirements-dev.txt"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1

diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index 14860e56600d062e9170c0f4a3c94d0a4ea62666..e585657dde68816c866cd3660edaee0bae3b7ebf 100644 (file)
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index ebc5699d490841767d916b31bd2ddc62110e0d43..206f24cf9d5fb32a054ded61d8f3531f473142c2 100644 (file)
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label:

diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
index f06b193d3715fba4676d9ea2f94809e1d242560d..9b49e7fd26f00784a4c1eb0e26d654b397d9c8ee 100644 (file)
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -13,7 +13,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   cifuzz:

diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index 6416115b1de0582869576640904ab746afe26a35..8ed6873104db7be86c0450fa834b7a10eec88ebc 100644 (file)
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -48,7 +48,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:

diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index e1c35021432ad0127755ea07a88d56c58df5c723..bee44e8df276639684bf9de7344feb02ba8652be 100644 (file)
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index dbc6fd3774a5baf3a827c7d85737e96708e076d4..e7e2a0afd341f71256731392d1d38dbc026118d8 100644 (file)
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -12,7 +12,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
index f5e7f48b860b2f1214d296737952fc3d1c7e0a39..82d6759b6347e3f486b6e65913a097230afb2a64 100644 (file)
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 3f1abce25c96847cf74c5452fb777d08a52d46da..f03908afc14b835d8828c76445678d869d33f43d 100644 (file)
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -9,7 +9,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
index e9c032f93bbf2d36b1407ca202108af58c50197c..2e5d4b8dd566180aaa5377fd5824c1c82079961f 100644 (file)
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -3,7 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
index e836944f465bb3d145231d9bbd422ee24a987870..e690224f35537b8c724ab3f8eb63a9a417050aef 100644 (file)
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index 41ba50d8665d809ab6369a37805315b35e6efc05..919ab4a4fb33b7c1922c13b769080a1673d4ecf4 100644 (file)
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -17,7 +17,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 42ddb713c10393deea64bdda0afd841f856b4c7a..1fbc4a20dbc7ddd0f98b83abf0b2897edb730d42 100644 (file)
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 */6 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:

diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f9ccb38b86fe03310d41f06df32..cb40f6abc0b3b751a60f6e328ba4d1a2eb300d52 100644 (file)
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e8accc554dc3b195c860835ca65ae..472a11db2da5fbf9dd3a6822bc2825c0f3c3a096 100644 (file)
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}