From 3b2bbe3dd47fc7293e55442486f7416fd38f6de9 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Sat, 11 Apr 2026 18:37:12 +0300
Subject: [PATCH] [3.10] Default GHA permissions to `contents: read` (GH-148346)
(cherry picked from commit 9c9df8ac8cbb8f539b3f342d01e40b7a0a57dcbf)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---
 .github/workflows/build.yml | 3 ++-
 .github/workflows/stale.yml | 3 ++-
 .github/workflows/verify-ensurepip-wheels.yml | 3 ++-
 .github/workflows/verify-expat.yml | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a1d371f2f9048..7cbd43da6fc94a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,8 @@ on:
 - 'main'
 - '3.*'
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 8949defda4d15c..93d7fcec881105 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,8 @@ on:
 schedule:
 - cron: "0 0 * * *"
-permissions: {}
+permissions:
+ contents: read
 jobs:
 stale:
diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml
index b18fc92a0499d1..fe27c4f09319ec 100644
--- a/.github/workflows/verify-ensurepip-wheels.yml
+++ b/.github/workflows/verify-ensurepip-wheels.yml
@@ -13,7 +13,8 @@ on:
 - '.github/workflows/verify-ensurepip-wheels.yml'
 - 'Tools/scripts/verify_ensurepip_wheels.py'
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml
index e193dfa4603e8a..472a11db2da5fb 100644
--- a/.github/workflows/verify-expat.yml
+++ b/.github/workflows/verify-expat.yml
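Review bot: The workflow-level `permissions:` block added in build.yml moves the default GITHUB_TOKEN scope from none (`{}`) to `contents: read` with no comment in the file and no rationale in the commit message; the hunks in stale.yml, verify-ensurepip-wheels.yml and verify-expat.yml do the same. `{}` was the stricter setting, so a reader auditing token scope cannot tell whether any job actually needs repository read access through the token or whether this is only for consistency across workflows. I would add a comment above the block, for example `# Default token scope for jobs that set no permissions of their own: read-only repository contents.` Write scopes should stay at job level, next to the step that needs them.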
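Review bot: In stale.yml the `stale` job begins directly after the new block and its body lies outside the hunk, so it is not visible whether the job declares its own `permissions:`. If it does, that job-level block replaces the workflow-level one instead of merging with it, so `contents: read` here never reaches the job and any scope the job leaves out is set to none. A short comment such as `# Job-level permissions replace this default entirely.` would keep a later editor from assuming the two combine.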
@@ -11,7 +11,8 @@ on:
 - 'Modules/expat/**'
 - '.github/workflows/verify-expat.yml'
-permissions: {}
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}