https://github.com/python/cpython/commit/9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf
commit: 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf
branch: main
author: Hugo van Kemenade <[email protected]>
committer: hugovk <[email protected]>
date: 2026-04-11T18:37:12+03:00
summary:

Default GHA permissions to `contents: read` (#148346)

files:
M .github/workflows/add-issue-header.yml
M .github/workflows/build.yml
M .github/workflows/jit.yml
M .github/workflows/lint.yml
M .github/workflows/mypy.yml
M .github/workflows/new-bugs-announce-notifier.yml
M .github/workflows/require-pr-label.yml
M .github/workflows/reusable-check-c-api-docs.yml
M .github/workflows/reusable-check-html-ids.yml
M .github/workflows/reusable-cifuzz.yml
M .github/workflows/reusable-context.yml
M .github/workflows/reusable-docs.yml
M .github/workflows/reusable-emscripten.yml
M .github/workflows/reusable-macos.yml
M .github/workflows/reusable-san.yml
M .github/workflows/reusable-ubuntu.yml
M .github/workflows/reusable-wasi.yml
M .github/workflows/reusable-windows-msi.yml
M .github/workflows/reusable-windows.yml
M .github/workflows/stale.yml
M .github/workflows/tail-call.yml
M .github/workflows/verify-ensurepip-wheels.yml
M .github/workflows/verify-expat.yml

diff --git a/.github/workflows/add-issue-header.yml 
b/.github/workflows/add-issue-header.yml
index 00b7ae50cb9935..4c25976b9c24f7 100644
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -12,7 +12,8 @@ on:
       # Only ever run once
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   add-header:
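Review bot: The visible trigger here is an issue being opened and nothing in the hunk shows a checkout, so the new workflow-level `contents: read` looks broader than this workflow needs; the previous `permissions: {}` gave any job without its own block an empty token. The `add-header` job body is outside the hunk, so if it already declares its own `permissions:` the default never applies to it (a job-level block replaces the workflow-level one rather than merging) and the deny-all default could have stayed. The same question applies to new-bugs-announce-notifier.yml and stale.yml, which are also event- or schedule-driven. If the wider default is intentional for consistency, a comment above the block would record that, e.g. `# Default for jobs without their own permissions block; job-level blocks replace it entirely.`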
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c34f8f699d8edb..9303190ea6dbba 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   # 
https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -612,6 +613,7 @@ jobs:
       needs.build-context.outputs.run-ci-fuzz == 'true'
       || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false
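Review bot: The added `contents: read` reads as redundant next to the new workflow-level default unless the reader knows that a job-level `permissions:` block replaces that default instead of merging with it, so a short comment would help: `# Job-level block replaces the workflow default; the called workflow needs contents: read.` A called workflow cannot receive more than the calling job grants, and the reusable-*.yml files in this commit now declare `contents: read`, so any other caller job in build.yml that carries its own `permissions:` block most likely needs the same line or the run is rejected at start-up. Only this job is visible, and it starts and ends outside the hunk, so the remaining caller jobs should be checked against the full file.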
diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index 81d75ef1820903..e63fe9e1284a01 100644
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -15,7 +15,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fb2b94b7362308..e9a4eb2b0808cb 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 583dc1808dfc35..e5a5b3939e58e3 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -33,7 +33,8 @@ on:
       - "Tools/requirements-dev.txt"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml 
b/.github/workflows/new-bugs-announce-notifier.yml
index be375a970a475c..1267361040c81b 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml 
b/.github/workflows/require-pr-label.yml
index 262299fc30f989..f3e2666879530f 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label-dnm:
diff --git a/.github/workflows/reusable-check-c-api-docs.yml 
b/.github/workflows/reusable-check-c-api-docs.yml
index 5fae57a1dbda36..49e5ef7f768b79 100644
--- a/.github/workflows/reusable-check-c-api-docs.yml
+++ b/.github/workflows/reusable-check-c-api-docs.yml
@@ -3,7 +3,8 @@ name: Reusable C API Docs Check
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-check-html-ids.yml 
b/.github/workflows/reusable-check-html-ids.yml
index 03ed714ca585fe..4f827c55cacd06 100644
--- a/.github/workflows/reusable-check-html-ids.yml
+++ b/.github/workflows/reusable-check-html-ids.yml
@@ -3,7 +3,8 @@ name: Reusable check HTML IDs
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-cifuzz.yml 
b/.github/workflows/reusable-cifuzz.yml
index 093b2c859eff7b..0d02232686339b 100644
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -13,7 +13,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   cifuzz:
diff --git a/.github/workflows/reusable-context.yml 
b/.github/workflows/reusable-context.yml
index cc9841ebf32f27..b8a9e2960eca59 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -54,7 +54,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:
diff --git a/.github/workflows/reusable-docs.yml 
b/.github/workflows/reusable-docs.yml
index 3d534feb2ed3ea..0453b6ab555048 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-emscripten.yml 
b/.github/workflows/reusable-emscripten.yml
index 300731deb78959..69a780a9aebc25 100644
--- a/.github/workflows/reusable-emscripten.yml
+++ b/.github/workflows/reusable-emscripten.yml
@@ -3,7 +3,8 @@ name: Reusable Emscripten
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-macos.yml 
b/.github/workflows/reusable-macos.yml
index a372d5715290db..f10503055b2259 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -12,7 +12,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-san.yml 
b/.github/workflows/reusable-san.yml
index c55fad77ff0398..9d4f412cfcf6f7 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-ubuntu.yml 
b/.github/workflows/reusable-ubuntu.yml
index b2ab525c976330..87fba6221fb917 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -23,7 +23,8 @@ on:
          type: string
          default: ''
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-wasi.yml 
b/.github/workflows/reusable-wasi.yml
index 83f9d2399ce100..48fb70cbff8009 100644
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -3,7 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows-msi.yml 
b/.github/workflows/reusable-windows-msi.yml
index 7c724f184f3ef6..a74724323ec15f 100644
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml 
b/.github/workflows/reusable-windows.yml
index 2cfe338a6525e6..4c8d0c8a2f984f 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -17,7 +17,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index a862fde5e14eb4..01fe5ba8fda8bc 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 */6 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:
diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
index 35c62acb28b761..656a14906b3cb7 100644
--- a/.github/workflows/tail-call.yml
+++ b/.github/workflows/tail-call.yml
@@ -11,7 +11,8 @@ on:
     paths: *paths
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-ensurepip-wheels.yml 
b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f..cb40f6abc0b3b7 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml 
b/.github/workflows/verify-expat.yml
index e193dfa4603e8a..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
