Bump hypothesis from 6.155.0 to 6.155.1 in /Tools

.gitattributes

@@ -33,6 +33,9 @@ Lib/test/xmltestdata/*                     noeol
 Lib/venv/scripts/common/activate text eol=lf
 Lib/venv/scripts/posix/* text eol=lf
 
+# Prevent GitHub's web conflict editor from converting LF to CRLF
+*.rst text eol=lf
+
 # CRLF files
 [attr]dos text eol=crlf
 

.github/workflows/add-issue-header.yml

@@ -12,7 +12,8 @@ on:
       # Only ever run once
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   add-header:

.github/workflows/build.yml

@@ -11,7 +11,8 @@ on:
     - 'main'
     - '3.*'
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
@@ -290,7 +291,7 @@ jobs:
         # Keep 1.1.1w in our list despite it being upstream EOL and otherwise
         # unsupported as it most resembles other 1.1.1-work-a-like ssl APIs
         # supported by important vendors such as AWS-LC.
-        openssl_ver: [1.1.1w, 3.0.19, 3.3.6, 3.4.4, 3.5.5, 3.6.1]
+        openssl_ver: [1.1.1w, 3.0.21, 3.4.6, 3.5.7, 3.6.3]
         # See Tools/ssl/make_ssl_data.py for notes on adding a new version
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}
@@ -365,7 +366,7 @@ jobs:
     needs: build-context
     if: needs.build-context.outputs.run-ubuntu == 'true'
     env:
-      OPENSSL_VER: 3.0.18
+      OPENSSL_VER: 3.0.21
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
@@ -472,7 +473,7 @@ jobs:
       matrix:
         os: [ubuntu-24.04]
     env:
-      OPENSSL_VER: 3.0.18
+      OPENSSL_VER: 3.0.21
       PYTHONSTRICTEXTENSIONBUILD: 1
       ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
     steps:
@@ -540,6 +541,7 @@ jobs:
       needs.build-context.outputs.run-ci-fuzz == 'true'
       || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
     permissions:
+      contents: read
       security-events: write
     strategy:
       fail-fast: false

.github/workflows/jit.yml

@@ -18,7 +18,8 @@ on:
       - '!**/*.ini'
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

.github/workflows/lint.yml

@@ -2,7 +2,8 @@ name: Lint
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

.github/workflows/mypy.yml

@@ -30,7 +30,8 @@ on:
       - "Tools/requirements-dev.txt"
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   PIP_DISABLE_PIP_VERSION_CHECK: 1
@@ -64,11 +65,11 @@ jobs:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
         with:
           python-version: "3.13"
-          cache: pip
-          cache-dependency-path: Tools/requirements-dev.txt
-      - run: pip install -r Tools/requirements-dev.txt
+          activate-environment: true
+          cache-dependency-glob: Tools/requirements-dev.txt
+      - run: uv pip install -r Tools/requirements-dev.txt
       - run: python3 Misc/mypy/make_symlinks.py --symlink
-      - run: mypy --config-file ${{ matrix.target }}/mypy.ini
+      - run: mypy --num-workers 4 --config-file ${{ matrix.target }}/mypy.ini

.github/workflows/new-bugs-announce-notifier.yml

@@ -5,7 +5,8 @@ on:
     types:
       - opened
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   notify-new-bugs-announce:

.github/workflows/regen.yml

@@ -3,12 +3,17 @@ name: Regenerate CPython3 Android Artifacts
 on:
   workflow_dispatch: # Allows manual trigger from the GitHub Actions UI
 
+permissions:
+  contents: read
+
 jobs:
   regen-linux-x86_64:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install Dependencies
         run: |
@@ -58,7 +63,9 @@ jobs:
     runs-on: macos-14 # Native Apple Silicon ARM64 runner
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install Dependencies
         run: |
@@ -91,7 +98,9 @@ jobs:
     runs-on: ubuntu-24.04-arm # Native ARM64 runner
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Install Dependencies
         run: |
@@ -126,12 +135,10 @@ jobs:
           git config core.sparseCheckout true
           echo "sysroots/*" >> .git/info/sparse-checkout
           git pull --depth=1 origin main
-
       - name: Run Regeneration
         run: |
           # Inject -static into LDFLAGS (targets only the linux_arm64 musl target LDFLAGS line)
           sed -i "s/unwindlib=none/unwindlib=none -static/g" android/regen.sh
-
           # Prepend Google prebuilt compiler path to PATH
           export PATH="/home/runner/prebuilts/clang/host/linux-arm64/clang-r596125/bin:$PATH"
           ./android/regen.sh
@@ -149,7 +156,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
 
       - name: Download and Merge All Artifacts
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
@@ -162,8 +171,7 @@ jobs:
         run: |
           mkdir -p dist/
           cp -r android dist/
-          cp *.bp dist/
-
+          cp ./*.bp dist/
           echo "Verified files inside staging folder (dist/):"
           ls -R dist/
 

.github/workflows/require-pr-label.yml

@@ -4,7 +4,8 @@ on:
   pull_request:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   label:

.github/workflows/reusable-cifuzz.yml

@@ -13,7 +13,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   cifuzz:
@@ -23,12 +24,12 @@ jobs:
     steps:
       - name: Build fuzzers (${{ inputs.sanitizer }})
         id: build
-        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@53a5831aa1a7651c2484877b7c4325e07e262779 # master
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@2dd789c49ecc2baa41fc0409a86928e61d85315f # master
         with:
           oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
           sanitizer: ${{ inputs.sanitizer }}
       - name: Run fuzzers (${{ inputs.sanitizer }})
-        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@53a5831aa1a7651c2484877b7c4325e07e262779 # master
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@2dd789c49ecc2baa41fc0409a86928e61d85315f # master
         with:
           fuzz-seconds: 600
           oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
@@ -42,7 +43,7 @@ jobs:
           path: ./out/artifacts
       - name: Upload SARIF
         if: always() && steps.build.outcome == 'success'
-        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
         with:
           sarif_file: cifuzz-sarif/results.sarif
           checkout_path: cifuzz-sarif

.github/workflows/reusable-context.yml

@@ -48,7 +48,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the Windows tests
         value: ${{ jobs.compute-changes.outputs.run-windows-tests }}  # bool
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   compute-changes:

.github/workflows/reusable-docs.yml

@@ -4,7 +4,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions: {}
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}

.github/workflows/reusable-macos.yml

@@ -12,7 +12,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
@@ -37,7 +38,7 @@ jobs:
       run: echo "IMAGE_OS_VERSION=${ImageOS}-${ImageVersion}" >> "$GITHUB_ENV"
     - name: Install Homebrew dependencies
       run: |
-        brew install pkg-config openssl@3.0 xz gdbm tcl-tk@8
+        brew bundle --file=Misc/Brewfile
         # Because alternate versions are not symlinked into place by default:
         brew link --overwrite tcl-tk@8
     - name: Configure CPython

.github/workflows/reusable-san.yml

@@ -12,7 +12,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
@@ -39,17 +40,15 @@ jobs:
         # Install clang
         wget https://apt.llvm.org/llvm.sh
         chmod +x llvm.sh
+        sudo ./llvm.sh 20
+        sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-20 100
+        sudo update-alternatives --set clang /usr/bin/clang-20
+        sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-20 100
+        sudo update-alternatives --set clang++ /usr/bin/clang++-20
 
         if [ "${SANITIZER}" = "TSan" ]; then
-          sudo ./llvm.sh 17  # gh-121946: llvm-18 package is temporarily broken
-          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-17 100
-          sudo update-alternatives --set clang /usr/bin/clang-17
-          sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-17 100
-          sudo update-alternatives --set clang++ /usr/bin/clang++-17
           # Reduce ASLR to avoid TSan crashing
           sudo sysctl -w vm.mmap_rnd_bits=28
-        else
-          sudo ./llvm.sh 20
         fi
 
     - name: Sanitizer option setup

.github/workflows/reusable-ubuntu.yml

@@ -9,7 +9,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1
@@ -24,7 +25,7 @@ jobs:
       matrix:
         os: [ubuntu-24.04, ubuntu-24.04-arm]
     env:
-      OPENSSL_VER: 3.0.18
+      OPENSSL_VER: 3.0.21
       PYTHONSTRICTEXTENSIONBUILD: 1
       TERM: linux
     steps:

.github/workflows/reusable-wasi.yml

@@ -3,7 +3,8 @@ name: Reusable WASI
 on:
   workflow_call:
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

.github/workflows/reusable-windows-msi.yml

@@ -8,7 +8,8 @@ on:
         required: true
         type: string
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1

.github/workflows/reusable-windows.yml

@@ -17,7 +17,8 @@ on:
         type: boolean
         default: false
 
-permissions: {}
+permissions:
+  contents: read
 
 env:
   FORCE_COLOR: 1