https://github.com/python/cpython/commit/838c6028287c9078b798489681c35c23adccf203
commit: 838c6028287c9078b798489681c35c23adccf203
branch: 3.14
author: Hugo van Kemenade <[email protected]>
committer: gpshead <[email protected]>
date: 2026-04-11T17:06:34-07:00
summary:
[3.14] Default GHA permissions to `contents: read` (GH-148346) (#148386)
(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)
files:
M .github/workflows/add-issue-header.yml
M .github/workflows/build.yml
M .github/workflows/jit.yml
M .github/workflows/lint.yml
M .github/workflows/mypy.yml
M .github/workflows/new-bugs-announce-notifier.yml
M .github/workflows/require-pr-label.yml
M .github/workflows/reusable-cifuzz.yml
M .github/workflows/reusable-context.yml
M .github/workflows/reusable-docs.yml
M .github/workflows/reusable-emscripten.yml
M .github/workflows/reusable-macos.yml
M .github/workflows/reusable-san.yml
M .github/workflows/reusable-ubuntu.yml
M .github/workflows/reusable-wasi.yml
M .github/workflows/reusable-windows-msi.yml
M .github/workflows/reusable-windows.yml
M .github/workflows/stale.yml
M .github/workflows/tail-call.yml
M .github/workflows/verify-ensurepip-wheels.yml
M .github/workflows/verify-expat.yml
diff --git a/.github/workflows/add-issue-header.yml
b/.github/workflows/add-issue-header.yml
index 00b7ae50cb9935..4c25976b9c24f7 100644
--- a/.github/workflows/add-issue-header.yml
+++ b/.github/workflows/add-issue-header.yml
@@ -12,7 +12,8 @@ on:
# Only ever run once
- opened
-permissions: {}
+permissions:
+ contents: read
jobs:
add-header:
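Review bot: The workflow-wide default moves from `permissions: {}` (no token scopes at all) to `contents: read`, which is a small widening rather than a tightening, and nothing in the hunk records why the read scope is wanted at the top level, so a later hardening pass could plausibly revert it. Suggest a comment above the new key: `# Workflow default token scope; job-level permissions replace this block, so a job that needs more must restate contents: read with its extra scope`. The same change is made in the equivalent hunk of every other workflow in this commit (build.yml, jit.yml, lint.yml, mypy.yml, new-bugs-announce-notifier.yml, require-pr-label.yml, the reusable-*.yml files, stale.yml, tail-call.yml, verify-ensurepip-wheels.yml and verify-expat.yml), and the same comment applies there. The enclosing `on:` block and the `add-header` job both continue outside the hunk.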
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5cb8307d6cde9f..8f71d8ed99ad4b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
- 'main'
- '3.*'
-permissions: {}
+permissions:
+ contents: read
concurrency:
#
https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -637,6 +638,7 @@ jobs:
needs.build-context.outputs.run-ci-fuzz == 'true'
|| needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
permissions:
+ contents: read
security-events: write
strategy:
fail-fast: false
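Review bot: The job-level `permissions:` block here now restates `contents: read` next to `security-events: write`, and the reason deserves a comment, because a reader who sees the same scope at workflow level will take the restatement as redundant and drop it. A job-level `permissions` block replaces the workflow-level one rather than extending it, so without `contents: read` this job's token would carry only `security-events: write`; whether a step in the job depends on repository read (a checkout, presumably) cannot be confirmed from the hunk, since the steps are outside it. Suggest: `# job-level permissions replace the workflow default, so contents: read must be repeated here`. The job definition, including the `if:` expression whose tail is visible at the top of the hunk, starts before the hunk.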
diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml
index 1ba060a70c9ce4..2678eb9b348d4e 100644
--- a/.github/workflows/jit.yml
+++ b/.github/workflows/jit.yml
@@ -12,7 +12,8 @@ on:
paths: *paths
workflow_dispatch:
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fb2b94b7362308..e9a4eb2b0808cb 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
on: [push, pull_request, workflow_dispatch]
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 59db8dd5a6ea30..ae2095690b2d8a 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -32,7 +32,8 @@ on:
- "Tools/requirements-dev.txt"
workflow_dispatch:
-permissions: {}
+permissions:
+ contents: read
env:
PIP_DISABLE_PIP_VERSION_CHECK: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml
b/.github/workflows/new-bugs-announce-notifier.yml
index 14860e56600d06..e585657dde6881 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
types:
- opened
-permissions: {}
+permissions:
+ contents: read
jobs:
notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml
b/.github/workflows/require-pr-label.yml
index 262299fc30f989..f3e2666879530f 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
pull_request:
types: [opened, reopened, labeled, unlabeled, synchronize]
-permissions: {}
+permissions:
+ contents: read
jobs:
label-dnm:
diff --git a/.github/workflows/reusable-cifuzz.yml
b/.github/workflows/reusable-cifuzz.yml
index f06b193d3715fb..9b49e7fd26f007 100644
--- a/.github/workflows/reusable-cifuzz.yml
+++ b/.github/workflows/reusable-cifuzz.yml
@@ -13,7 +13,8 @@ on:
required: true
type: string
-permissions: {}
+permissions:
+ contents: read
jobs:
cifuzz:
diff --git a/.github/workflows/reusable-context.yml
b/.github/workflows/reusable-context.yml
index cc9841ebf32f27..b8a9e2960eca59 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -54,7 +54,8 @@ on: # yamllint disable-line rule:truthy
description: Whether to run the Windows tests
value: ${{ jobs.compute-changes.outputs.run-windows-tests }} # bool
-permissions: {}
+permissions:
+ contents: read
jobs:
compute-changes:
diff --git a/.github/workflows/reusable-docs.yml
b/.github/workflows/reusable-docs.yml
index e1c35021432ad0..bee44e8df27663 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
workflow_call:
workflow_dispatch:
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-emscripten.yml
b/.github/workflows/reusable-emscripten.yml
index 300731deb78959..69a780a9aebc25 100644
--- a/.github/workflows/reusable-emscripten.yml
+++ b/.github/workflows/reusable-emscripten.yml
@@ -3,7 +3,8 @@ name: Reusable Emscripten
on:
workflow_call:
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-macos.yml
b/.github/workflows/reusable-macos.yml
index a1782302ab55be..588c76366eb4c5 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -12,7 +12,8 @@ on:
required: true
type: string
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-san.yml
b/.github/workflows/reusable-san.yml
index dbc9a995c04d86..3b1124d62d3dbe 100644
--- a/.github/workflows/reusable-san.yml
+++ b/.github/workflows/reusable-san.yml
@@ -12,7 +12,8 @@ on:
type: boolean
default: false
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-ubuntu.yml
b/.github/workflows/reusable-ubuntu.yml
index 36e12b63c1e2b0..40529cc86886f7 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -18,7 +18,8 @@ on:
required: true
type: string
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-wasi.yml
b/.github/workflows/reusable-wasi.yml
index 1c8dad5546bade..6a87c37692ed92 100644
--- a/.github/workflows/reusable-wasi.yml
+++ b/.github/workflows/reusable-wasi.yml
@@ -3,7 +3,8 @@ name: Reusable WASI
on:
workflow_call:
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows-msi.yml
b/.github/workflows/reusable-windows-msi.yml
index 5513e5025c6446..420c9cd909a5e9 100644
--- a/.github/workflows/reusable-windows-msi.yml
+++ b/.github/workflows/reusable-windows-msi.yml
@@ -8,7 +8,8 @@ on:
required: true
type: string
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml
b/.github/workflows/reusable-windows.yml
index df54583d623c31..138e6846cb9039 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,7 +13,8 @@ on:
type: boolean
default: false
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 42ddb713c10393..1fbc4a20dbc7dd 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
schedule:
- cron: "0 */6 * * *"
-permissions: {}
+permissions:
+ contents: read
jobs:
stale:
diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml
index e0ed179b21e733..e93bef2adc21fb 100644
--- a/.github/workflows/tail-call.yml
+++ b/.github/workflows/tail-call.yml
@@ -11,7 +11,8 @@ on:
paths: *paths
workflow_dispatch:
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-ensurepip-wheels.yml
b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f..cb40f6abc0b3b7 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
- '.github/workflows/verify-ensurepip-wheels.yml'
- 'Tools/build/verify_ensurepip_wheels.py'
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml
b/.github/workflows/verify-expat.yml
index e193dfa4603e8a..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
- 'Modules/expat/**'
- '.github/workflows/verify-expat.yml'
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}