[3.14] Default GHA permissions to contents: read (GH-148346) (#148386)

hugovk · web-flow · commit 838c6028287c · 2026-04-11T17:06:34.000-07:00
(cherry picked from commit 9c9df8a)
diff --git a/.github/workflows/add-issue-header.yml b/.github/workflows/add-issue-header.yml
@@ -12,7 +12,8 @@ on:
       # Only ever run once
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   add-header:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -637,6 +638,7 @@ jobs:
       needs.build-context.outputs.run-ci-fuzz == 'true'
       || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false
diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
@@ -12,7 +12,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
@@ -32,7 +32,8 @@ on:
       - "Tools/requirements-dev.txt"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label-dnm:
diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
@@ -13,7 +13,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   cifuzz:
diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
@@ -54,7 +54,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-emscripten.yml b/.github/workflows/reusable-emscripten.yml
@@ -3,7 +3,8 @@ name: Reusable Emscripten
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
@@ -12,7 +12,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-san.yml b/.github/workflows/reusable-san.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
@@ -18,7 +18,8 @@ on:
          required: true
          type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-wasi.yml b/.github/workflows/reusable-wasi.yml
@@ -3,7 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows-msi.yml b/.github/workflows/reusable-windows-msi.yml
@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
@@ -13,7 +13,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 */6 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:
diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
@@ -11,7 +11,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
