Skip to content

Commit 82b53a6

Browse files
hugovkhugovk
authored
[3.12] Default GHA permissions to contents: read (GH-148346) (#148388)
(cherry picked from commit 9c9df8a)
1 parent 20b4393 commit 82b53a6

14 files changed

+28
-14
lines changed

.github/workflows/build.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,8 @@ on:
1111
- 'main'
1212
- '3.*'
1313

14-
permissions: {}
14+
permissions:
15+
contents: read
1516

1617
concurrency:
1718
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-reusable

.github/workflows/lint.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,8 @@ name: Lint
22

33
on: [push, pull_request, workflow_dispatch]
44

5-
permissions: {}
5+
permissions:
6+
contents: read
67

78
env:
89
FORCE_COLOR: 1

.github/workflows/mypy.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,8 @@ on:
1212
- ".github/workflows/mypy.yml"
1313
workflow_dispatch:
1414

15-
permissions: {}
15+
permissions:
16+
contents: read
1617

1718
env:
1819
PIP_DISABLE_PIP_VERSION_CHECK: 1

.github/workflows/new-bugs-announce-notifier.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,8 @@ on:
55
types:
66
- opened
77

8-
permissions: {}
8+
permissions:
9+
contents: read
910

1011
jobs:
1112
notify-new-bugs-announce:

.github/workflows/require-pr-label.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,8 @@ on:
44
pull_request:
55
types: [opened, reopened, labeled, unlabeled, synchronize]
66

7-
permissions: {}
7+
permissions:
8+
contents: read
89

910
jobs:
1011
label:

.github/workflows/reusable-context.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,8 @@ on: # yamllint disable-line rule:truthy
3333
description: Whether to run the CIFuzz job
3434
value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }} # bool
3535

36-
permissions: {}
36+
permissions:
37+
contents: read
3738

3839
jobs:
3940
compute-changes:

.github/workflows/reusable-docs.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,8 @@ on:
44
workflow_call:
55
workflow_dispatch:
66

7-
permissions: {}
7+
permissions:
8+
contents: read
89

910
concurrency:
1011
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

.github/workflows/reusable-macos.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,8 @@ on:
1515
required: true
1616
type: string
1717

18-
permissions: {}
18+
permissions:
19+
contents: read
1920

2021
env:
2122
FORCE_COLOR: 1

.github/workflows/reusable-tsan.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,8 @@ on:
1212
type: boolean
1313
default: false
1414

15-
permissions: {}
15+
permissions:
16+
contents: read
1617

1718
env:
1819
FORCE_COLOR: 1

.github/workflows/reusable-ubuntu.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,8 @@ on:
1212
type: boolean
1313
default: false
1414

15-
permissions: {}
15+
permissions:
16+
contents: read
1617

1718
env:
1819
FORCE_COLOR: 1

0 commit comments

Comments
 (0)