https://github.com/python/cpython/commit/82b53a619eda570120d7f17351b25c813a61325d
commit: 82b53a619eda570120d7f17351b25c813a61325d
branch: 3.12
author: Hugo van Kemenade <[email protected]>
committer: hugovk <[email protected]>
date: 2026-04-12T09:38:15+03:00
summary:

[3.12] Default GHA permissions to `contents: read` (GH-148346) (#148388)

(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)

files:
M .github/workflows/build.yml
M .github/workflows/lint.yml
M .github/workflows/mypy.yml
M .github/workflows/new-bugs-announce-notifier.yml
M .github/workflows/require-pr-label.yml
M .github/workflows/reusable-context.yml
M .github/workflows/reusable-docs.yml
M .github/workflows/reusable-macos.yml
M .github/workflows/reusable-tsan.yml
M .github/workflows/reusable-ubuntu.yml
M .github/workflows/reusable-windows.yml
M .github/workflows/stale.yml
M .github/workflows/verify-ensurepip-wheels.yml
M .github/workflows/verify-expat.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d76d0315c0011a..36db96a61b451b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id 
}}-reusable
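Review bot: The new workflow-level default `contents: read` has no comment saying why it replaces `permissions: {}`, here and in the other thirteen workflow files this commit touches. A line above it such as `# Default GITHUB_TOKEN scope; a job-level permissions block replaces this rather than adding to it` would record the intent for the next maintainer. That replacement behaviour matters for review: a job that declares its own `permissions:` must list `contents: read` itself if it checks out the repository, and a job without a block now receives a read token where it previously received none. The jobs in build.yml lie outside this hunk, so which case applies cannot be confirmed from here.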
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ad6bd7ef696f32..201e94a888af27 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index ef8d12b2a0fe95..cfb8d5c60d5ce1 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -12,7 +12,8 @@ on:
       - ".github/workflows/mypy.yml"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
diff --git a/.github/workflows/new-bugs-announce-notifier.yml 
b/.github/workflows/new-bugs-announce-notifier.yml
index 17e697926dabe2..bbcb9b401758d6 100644
--- a/.github/workflows/new-bugs-announce-notifier.yml
+++ b/.github/workflows/new-bugs-announce-notifier.yml
@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:
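Review bot: `contents: read` may be a wider default than `notify-new-bugs-announce` needs, and the same question applies to require-pr-label.yml and stale.yml. The visible triggers (an `opened` event type, pull-request label events, a cron schedule) suggest jobs that act on issues or pull requests and may never read repository contents. If that holds, keeping `permissions: {}` at workflow level with explicit per-job grants would stay closer to least privilege. The job bodies start outside the hunks, so check whether each already carries its own `permissions:` block, in which case this default has no effect on it.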
diff --git a/.github/workflows/require-pr-label.yml 
b/.github/workflows/require-pr-label.yml
index ebc5699d490841..206f24cf9d5fb3 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label:
diff --git a/.github/workflows/reusable-context.yml 
b/.github/workflows/reusable-context.yml
index b433ac8de594d9..7561f49e8715b2 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -33,7 +33,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the CIFuzz job
         value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:
diff --git a/.github/workflows/reusable-docs.yml 
b/.github/workflows/reusable-docs.yml
index 69c9b5422adef0..89d5f18c557390 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml 
b/.github/workflows/reusable-macos.yml
index 6cdfd36b2f1d4d..9c94aec4ce0d22 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -15,7 +15,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-tsan.yml 
b/.github/workflows/reusable-tsan.yml
index 0a3a6f1825ef75..e11cc58f815c41 100644
--- a/.github/workflows/reusable-tsan.yml
+++ b/.github/workflows/reusable-tsan.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-ubuntu.yml 
b/.github/workflows/reusable-ubuntu.yml
index 5b4aa2c7abcfff..61afb38e77d917 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/reusable-windows.yml 
b/.github/workflows/reusable-windows.yml
index 3f2a4d8211713d..6c2b016a2c61c0 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,7 +13,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 164882460d66d8..98844472126477 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
   schedule:
   - cron: "0 0 * * *"
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml 
b/.github/workflows/verify-ensurepip-wheels.yml
index 4ac25bc909b13f..cb40f6abc0b3b7 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
       - '.github/workflows/verify-ensurepip-wheels.yml'
       - 'Tools/build/verify_ensurepip_wheels.py'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml 
b/.github/workflows/verify-expat.yml
index e193dfa4603e8a..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
@@ -11,7 +11,8 @@ on:
       - 'Modules/expat/**'
       - '.github/workflows/verify-expat.yml'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
