From 44d5746145ecfd8cddf66809cf324fd1cf250640 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 11 Apr 2026 18:37:12 +0300
Subject: [PATCH] [3.12] Default GHA permissions to `contents: read` (GH-148346)
(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---
 .github/workflows/build.yml | 3 ++-
 .github/workflows/lint.yml | 3 ++-
 .github/workflows/mypy.yml | 3 ++-
 .github/workflows/new-bugs-announce-notifier.yml | 3 ++-
 .github/workflows/require-pr-label.yml | 3 ++-
 .github/workflows/reusable-context.yml | 3 ++-
 .github/workflows/reusable-docs.yml | 3 ++-
 .github/workflows/reusable-macos.yml | 3 ++-
 .github/workflows/reusable-tsan.yml | 3 ++-
 .github/workflows/reusable-ubuntu.yml | 3 ++-
 .github/workflows/reusable-windows.yml | 3 ++-
 .github/workflows/stale.yml | 3 ++-
 .github/workflows/verify-ensurepip-wheels.yml | 3 ++-
 .github/workflows/verify-expat.yml | 3 ++-
 14 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d76d0315c0011a..36db96a61b451b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
 - 'main'
 - '3.*'
 
-permissions: {}
+permissions:
+ contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-reusable
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ad6bd7ef696f32..201e94a888af27 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+ contents: read
 
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index ef8d12b2a0fe95..cfb8d5c60d5ce1 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
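Review bot: The workflow-level `contents: read` in build.yml now applies to every job in the file, including any that never check out the repository and previously ran with the empty `{}` token; a job that needs nothing from the token still receives a read-capable one. If only the checkout jobs need it, the tighter form is to keep `permissions: {}` at the top and put `permissions:` / `  contents: read` on those jobs. The `jobs:` block is outside the hunk, so I cannot see whether any job already declares its own `permissions:`; jobs that do are unaffected either way, since a job-level block replaces the workflow-level one rather than merging with it.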
@@ -12,7 +12,8 @@ on:
 - ".github/workflows/mypy.yml"
 workflow_dispatch:
 
-permissions: {}
+permissions:
+ contents: read
 
 env:
 PIP_DISABLE_PIP_VERSION_CHECK: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
index 17e697926dabe2..bbcb9b401758d6 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
 types:
 - opened
 
-permissions: {}
+permissions:
+ contents: read
 
 jobs:
 notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index ebc5699d490841..206f24cf9d5fb3 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
 pull_request:
 types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+ contents: read
 
 jobs:
 label:
diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index b433ac8de594d9..7561f49e8715b2 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -33,7 +33,8 @@ on: # yamllint disable-line rule:truthy
 description: Whether to run the CIFuzz job
 value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }} # bool
 
-permissions: {}
+permissions:
+ contents: read
 
 jobs:
 compute-changes:
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index 69c9b5422adef0..89d5f18c557390 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
 workflow_call:
 workflow_dispatch:
 
-permissions: {}
+permissions:
+ contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index 6cdfd36b2f1d4d..9c94aec4ce0d22 100644
--- a/.github/workflows/reusable-macos.yml
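Review bot: For a workflow triggered only by `issues: opened`, the notifier job most likely reads the issue from the `github.event` payload and needs no repository access at all, so `contents: read` in new-bugs-announce-notifier.yml grants more than the previous `{}` without an evident consumer; unless the job checks out the repo, keeping `permissions: {}` (or scoping `contents: read` to that one job) is the tighter choice. The `notify-new-bugs-announce` job body is outside the hunk, so this is inferred from the trigger alone. Because issue titles and bodies are attacker-supplied, it is also worth confirming that the job passes `github.event.issue.*` through `env:` rather than interpolating it into a `run:` script, though nothing in this hunk shows either way.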
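Review bot: Setting only `contents: read` at workflow level in require-pr-label.yml implicitly sets every other scope, including `pull-requests`, to `none`, and a job that reads PR labels through the API needs at least `pull-requests: read`; if the `label` job does not declare its own `permissions:` block it runs with a token that cannot see the labels it is meant to enforce. The job definition is outside the hunk, so I cannot confirm whether it does. The same restriction already held under `permissions: {}`, so if the workflow passed before, the job-level grant presumably exists — worth a one-line check rather than an assumption.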
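Review bot: In reusable-context.yml, which is reachable only through `workflow_call`, the top-level `permissions:` can only narrow the token the calling workflow passes in and never widen it, so `contents: read` here is a ceiling rather than a grant; a future reader is likely to assume this line is what gives the jobs read access. A short comment above it would prevent that: `# Called via workflow_call: this can only restrict what the caller grants.` The same applies to the other reusable-* files in this patch; the `jobs:` block is outside the hunk.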
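Review bot: Unlike the other reusable-* workflows in this patch, reusable-docs.yml also declares `workflow_dispatch:`, so it can run standalone, and for those manual runs `contents: read` is the actual token grant rather than a ceiling on what a caller passes in. That dual role is not obvious from the file, and a comment such as `# Grant for workflow_dispatch runs; for workflow_call this only caps the caller's token.` would make the intent explicit. The `jobs:` block is outside the hunk, so I cannot see whether any job widens this further.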
+++ b/.github/workflows/reusable-macos.yml
@@ -15,7 +15,8 @@ on:
 required: true
 type: string
 
-permissions: {}
+permissions:
+ contents: read
 
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-tsan.yml b/.github/workflows/reusable-tsan.yml
index 0a3a6f1825ef75..e11cc58f815c41 100644
--- a/.github/workflows/reusable-tsan.yml
+++ b/.github/workflows/reusable-tsan.yml
@@ -12,7 +12,8 @@ on:
 type: boolean
 default: false
 
-permissions: {}
+permissions:
+ contents: read
 
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index 5b4aa2c7abcfff..61afb38e77d917 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -12,7 +12,8 @@ on:
 type: boolean
 default: false
 
-permissions: {}
+permissions:
+ contents: read
 
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index 3f2a4d8211713d..6c2b016a2c61c0 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,7 +13,8 @@ on:
 type: boolean
 default: false
 
-permissions: {}
+permissions:
+ contents: read
 
 env:
 FORCE_COLOR: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 164882460d66d8..98844472126477 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
 schedule:
 - cron: "0 0 * * *"
 
-permissions: {}
+permissions:
+ contents: read
 
 jobs:
 stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f..cb40f6abc0b3b7 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
 - '.github/workflows/verify-ensurepip-wheels.yml'
 - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+ contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
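Review bot: A job that labels, comments on, or closes issues and pull requests — which is what a workflow named stale.yml with a `stale` job is presumably doing — needs `issues: write` and `pull-requests: write`, and the workflow-level `contents: read` sets both to `none`; the `stale` job must therefore carry its own `permissions:` block with those scopes or the nightly run fails on its first write. That job is outside the hunk, and since the previous `{}` imposed the same restriction, the job-level grant presumably already exists — this is a check, not a reported failure. If it does exist, `contents: read` at the top buys nothing for a schedule-only workflow that does not check out code, and `permissions: {}` was the tighter default.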
diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e8a..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
 - 'Modules/expat/**'
 - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+ contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}