[Python-checkins] [3.10] gh-145098: Add `permissions: {}` to all workflows (GH-148126) (#148139)

[hugovk]

https://github.com/python/cpython/commit/2fcd2830b72b318035bd81b207de7c46e486a137
commit: 2fcd2830b72b318035bd81b207de7c46e486a137
branch: 3.10
author: Hugo van Kemenade <1324225+hug...@users.noreply.github.com>
committer: hugovk <1324225+hug...@users.noreply.github.com>
date: 2026-04-06T01:12:40+03:00
summary:

[3.10] gh-145098: Add `permissions: {}` to all workflows (GH-148126) (#148139)

* [3.10] gh-145098: Use `macos-15-intel` instead of unstable `macos-26-intel` 
in `{jit,tail-call}.yml` (GH-148126)
(cherry picked from commit bce96a181350f348560fe0623361f39a6d5c6361)

Co-authored-by: Stan Ulbrych <s...@python.org>
Co-authored-by: Hugo van Kemenade <1324225+hug...@users.noreply.github.com>

* Add 'permissions: {}' to all workflows

---------

Co-authored-by: Stan Ulbrych <s...@python.org>

files:
M .github/workflows/build.yml
M .github/workflows/stale.yml
M .github/workflows/verify-ensurepip-wheels.yml
M .github/workflows/verify-expat.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7cbd43da6fc94a..8a1d371f2f9048 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,8 +11,7 @@ on:
     - 'main'
     - '3.*'
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 5bbb6f0cb414ee..8949defda4d15c 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,13 +4,15 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale:
-
+    if: github.repository_owner == 'python'
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    timeout-minutes: 10
 
     steps:
     - name: "Check PRs"
diff --git a/.github/workflows/verify-ensurepip-wheels.yml 
b/.github/workflows/verify-ensurepip-wheels.yml
index fe27c4f09319ec..b18fc92a0499d1 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,8 +13,7 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/scripts/verify_ensurepip_wheels.py'
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml 
b/.github/workflows/verify-expat.yml
index 472a11db2da5fb..e193dfa4603e8a 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,8 +11,7 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

_______________________________________________
Python-checkins mailing list -- python-checkins@python.org
To unsubscribe send an email to python-checkins-le...@python.org
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: arch...@mail-archive.com