From 5ef8c48367bf4c44f4258b2c1769aff4875f8927 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Sun, 5 Apr 2026 15:27:15 +0100 Subject: [PATCH 1/2] Use `macos-15-intel` instead of unstable `macos-26-intel` in `{jit,tail-call}.yml` This partially reverts 4240c7dd7499c9024bae73a31fb25697203ae615. --- .github/actionlint.yaml | 5 ----- .github/workflows/jit.yml | 4 ++-- .github/workflows/tail-call.yml | 4 ++-- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml index 3004466b80e91c..eacfff24889021 100644 --- a/.github/actionlint.yaml +++ b/.github/actionlint.yaml @@ -1,8 +1,3 @@ -self-hosted-runner: - # Pending release of actionlint > 1.7.11 for macos-26-intel support - # https://github.com/rhysd/actionlint/pull/629 - labels: ["macos-26-intel"] - config-variables: null paths: diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml index 483ace25554205..e63fe9e1284a01 100644 --- a/.github/workflows/jit.yml +++ b/.github/workflows/jit.yml @@ -99,9 +99,9 @@ jobs: - false include: - target: x86_64-apple-darwin/clang - runner: macos-26-intel + runner: macos-15-intel - target: aarch64-apple-darwin/clang - runner: macos-26 + runner: macos-15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml index a86a313524605b..656a14906b3cb7 100644 --- a/.github/workflows/tail-call.yml +++ b/.github/workflows/tail-call.yml @@ -32,9 +32,9 @@ jobs: matrix: include: - target: x86_64-apple-darwin/clang - runner: macos-26-intel + runner: macos-15-intel - target: aarch64-apple-darwin/clang - runner: macos-26 + runner: macos-15 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From c49536fd3f79b3f7332d3562e127a5195927406a Mon Sep 17 00:00:00 2001 
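Review bot: The arm64 matrix entry in the `jit.yml` hunk is also moved from `macos-26` to `macos-15`, although the commit subject names only `macos-26-intel` as unstable; the matching hunk in `.github/workflows/tail-call.yml` does the same. If keeping both architectures on one macOS release is intended, a comment above the two `include:` entries would record it, for example `# Keep both runners on macos-15 until macos-26-intel is stable`. Without that, a later image bump is likely to reintroduce the unstable label. The `jobs:` block starts and ends outside both hunks.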
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Sun, 5 Apr 2026 17:28:41 +0300 Subject: [PATCH 2/2] Add 'permissions: {}' to all workflows --- .github/workflows/add-issue-header.yml | 1 + .github/workflows/build.yml | 3 +-- .github/workflows/jit.yml | 3 +-- .github/workflows/lint.yml | 3 +-- .github/workflows/mypy.yml | 3 +-- .github/workflows/new-bugs-announce-notifier.yml | 5 +++-- .github/workflows/require-pr-label.yml | 2 ++ .github/workflows/stale.yml | 2 ++ .github/workflows/tail-call.yml | 3 +-- .github/workflows/verify-ensurepip-wheels.yml | 3 +-- .github/workflows/verify-expat.yml | 3 +-- 11 files changed, 15 insertions(+), 16 deletions(-) diff --git a/.github/workflows/add-issue-header.yml b/.github/workflows/add-issue-header.yml index 8a8571eedd1c77..00b7ae50cb9935 100644 --- a/.github/workflows/add-issue-header.yml +++ b/.github/workflows/add-issue-header.yml @@ -12,6 +12,7 @@ on: # Only ever run once - opened +permissions: {} jobs: add-header: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a80262e3c0243c..c34f8f699d8edb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,8 +11,7 @@ on: - 'main' - '3.*' -permissions: - contents: read +permissions: {} concurrency: # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency diff --git a/.github/workflows/jit.yml b/.github/workflows/jit.yml index e63fe9e1284a01..81d75ef1820903 100644 --- a/.github/workflows/jit.yml +++ b/.github/workflows/jit.yml @@ -15,8 +15,7 @@ on: paths: *paths workflow_dispatch: -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e9a4eb2b0808cb..fb2b94b7362308 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
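Review bot: The workflow-level `permissions: {}` added in `add-issue-header.yml` leaves every job in the file with a `GITHUB_TOKEN` that has no scopes unless the job declares its own `permissions:` block, and the `add-header` job body is outside the hunk. The same applies to `label-dnm` in `require-pr-label.yml` and `stale` in `stale.yml`, where only the workflow-level line is added. Each of those jobs should be confirmed to grant the scope it actually uses, since a job that relied on the repository's default token permissions would now fail at run time with permission errors; for the scheduled `stale.yml` that failure is only visible in the Actions log. A short comment beside the key, such as `# Deny by default; each job grants only what it needs`, would make the intent explicit.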
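Review bot: Replacing the workflow-level `contents: read` with `permissions: {}` in `build.yml` adds no job-level grant, so every job there runs with an empty token; per the diffstat the same swap is made in `jit.yml`, `lint.yml`, `mypy.yml`, `tail-call.yml`, `verify-ensurepip-wheels.yml` and `verify-expat.yml`. On a public repository `actions/checkout` still works without `contents: read`, but checkout on a private fork or mirror would not, and if any job calls a reusable workflow whose jobs request `contents: read`, the run is rejected because a called workflow cannot be granted more than its caller. The pattern this patch already uses for `new-bugs-announce-notifier.yml` fits here too: keep `permissions: {}` at the top and add `permissions:` with `contents: read` under each job that reads the repository through the token. The job definitions are outside these hunks, so which jobs need the grant has to be checked against the full files.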
@@ -2,8 +2,7 @@ name: Lint on: [push, pull_request, workflow_dispatch] -permissions: - contents: read +permissions: {} env: FORCE_COLOR: 1 diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml index e5a5b3939e58e3..583dc1808dfc35 100644 --- a/.github/workflows/mypy.yml +++ b/.github/workflows/mypy.yml @@ -33,8 +33,7 @@ on: - "Tools/requirements-dev.txt" workflow_dispatch: -permissions: - contents: read +permissions: {} env: PIP_DISABLE_PIP_VERSION_CHECK: 1 diff --git a/.github/workflows/new-bugs-announce-notifier.yml b/.github/workflows/new-bugs-announce-notifier.yml index 1f28b9befb4e13..be375a970a475c 100644 --- a/.github/workflows/new-bugs-announce-notifier.yml +++ b/.github/workflows/new-bugs-announce-notifier.yml @@ -5,12 +5,13 @@ on: types: - opened -permissions: - issues: read +permissions: {} jobs: notify-new-bugs-announce: runs-on: ubuntu-latest + permissions: + issues: read timeout-minutes: 10 steps: - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml index 94cb219aeeeb1f..262299fc30f989 100644 --- a/.github/workflows/require-pr-label.yml +++ b/.github/workflows/require-pr-label.yml @@ -4,6 +4,8 @@ on: pull_request: types: [opened, reopened, labeled, unlabeled, synchronize] +permissions: {} + jobs: label-dnm: name: DO-NOT-MERGE diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 37220783f9cf61..2c73d10350f69f 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,6 +4,8 @@ on: schedule: - cron: "0 */6 * * *" +permissions: {} + jobs: stale: if: github.repository_owner == 'python' diff --git a/.github/workflows/tail-call.yml b/.github/workflows/tail-call.yml index 656a14906b3cb7..35c62acb28b761 100644 --- a/.github/workflows/tail-call.yml +++ b/.github/workflows/tail-call.yml 
@@ -11,8 +11,7 @@ on: paths: *paths workflow_dispatch: -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} diff --git a/.github/workflows/verify-ensurepip-wheels.yml b/.github/workflows/verify-ensurepip-wheels.yml index cb40f6abc0b3b7..4ac25bc909b13f 100644 --- a/.github/workflows/verify-ensurepip-wheels.yml +++ b/.github/workflows/verify-ensurepip-wheels.yml @@ -13,8 +13,7 @@ on: - '.github/workflows/verify-ensurepip-wheels.yml' - 'Tools/build/verify_ensurepip_wheels.py' -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} diff --git a/.github/workflows/verify-expat.yml b/.github/workflows/verify-expat.yml index 472a11db2da5fb..e193dfa4603e8a 100644 --- a/.github/workflows/verify-expat.yml +++ b/.github/workflows/verify-expat.yml @@ -11,8 +11,7 @@ on: - 'Modules/expat/**' - '.github/workflows/verify-expat.yml' -permissions: - contents: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}