https://github.com/python/cpython/commit/776d39f2be6310ebd5c9093286f9cee8e8ec6c14
commit: 776d39f2be6310ebd5c9093286f9cee8e8ec6c14
branch: 3.11
author: Hugo van Kemenade <[email protected]>
committer: hugovk <[email protected]>
date: 2026-04-12T09:38:51+03:00
summary:
[3.11] Default GHA permissions to `contents: read` (GH-148346) (#148389)
(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)
files:
M .github/workflows/build.yml
M .github/workflows/lint.yml
M .github/workflows/new-bugs-announce-notifier.yml
M .github/workflows/require-pr-label.yml
M .github/workflows/reusable-docs.yml
M .github/workflows/reusable-macos.yml
M .github/workflows/reusable-ubuntu.yml
M .github/workflows/reusable-windows.yml
M .github/workflows/stale.yml
M .github/workflows/verify-ensurepip-wheels.yml
M .github/workflows/verify-expat.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9eedda17d83e75..87091022c29303 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
- 'main'
- '3.*'
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id
}}-reusable
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 62e255095c9458..20d1477e508468 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
on: [push, pull_request, workflow_dispatch]
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml
b/.github/workflows/new-bugs-announce-notifier.yml
index 311672bb628c08..339465f75f1695 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
types:
- opened
-permissions: {}
+permissions:
+ contents: read
jobs:
notify-new-bugs-announce:
diff --git a/.github/workflows/require-pr-label.yml
b/.github/workflows/require-pr-label.yml
index ebc5699d490841..206f24cf9d5fb3 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
pull_request:
types: [opened, reopened, labeled, unlabeled, synchronize]
-permissions: {}
+permissions:
+ contents: read
jobs:
label:
diff --git a/.github/workflows/reusable-docs.yml
b/.github/workflows/reusable-docs.yml
index 71ba1d97a56370..e99cc1fa5f217d 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
workflow_call:
workflow_dispatch:
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml
b/.github/workflows/reusable-macos.yml
index fa8d89912bc0d7..5217a496293934 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -9,7 +9,8 @@ on:
type: boolean
default: false
-permissions: {}
+permissions:
+ contents: read
jobs:
build_macos:
diff --git a/.github/workflows/reusable-ubuntu.yml
b/.github/workflows/reusable-ubuntu.yml
index c836ff59b06074..7489cddda94bb5 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -8,7 +8,8 @@ on:
required: true
type: string
-permissions: {}
+permissions:
+ contents: read
env:
FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml
b/.github/workflows/reusable-windows.yml
index fad82009fb5166..30c890be201f12 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -6,7 +6,8 @@ on:
type: boolean
default: false
-permissions: {}
+permissions:
+ contents: read
jobs:
build_win32:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 164882460d66d8..98844472126477 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
schedule:
- cron: "0 0 * * *"
-permissions: {}
+permissions:
+ contents: read
jobs:
stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml
b/.github/workflows/verify-ensurepip-wheels.yml
index 018b0463b7f8dc..2c47fdbc1e12b5 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
- '.github/workflows/verify-ensurepip-wheels.yml'
- 'Tools/scripts/verify_ensurepip_wheels.py'
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml
b/.github/workflows/verify-expat.yml
index e193dfa4603e8a..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
- 'Modules/expat/**'
- '.github/workflows/verify-expat.yml'
-permissions: {}
+permissions:
+ contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]
