From b8d83a052b687014d077648d86c8e53623b8147b Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com>
Date: Thu, 14 May 2026 17:29:48 -0400
Subject: [PATCH 1/2] chore(workflows): scope GitHub Actions permissions

Co-authored-by: Cursor
---
 .github/workflows/brand-plugin-test.yml | 15 +++++++++++++++
 .github/workflows/codecoverage-main.yml |  7 +++++++
 .github/workflows/satis-webhook.yml     |  5 +++++
 3 files changed, 27 insertions(+)

diff --git a/.github/workflows/brand-plugin-test.yml b/.github/workflows/brand-plugin-test.yml
index ec5883c..402a27d 100644
--- a/.github/workflows/brand-plugin-test.yml
+++ b/.github/workflows/brand-plugin-test.yml
@@ -10,10 +10,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-latest
+    permissions: {} # No checkout or GitHub API use; extracts branch metadata for reusable workflow inputs only
     outputs:
       branch: ${{ steps.extract_branch.outputs.branch }}
     steps:
@@ -27,6 +32,8 @@ jobs:
     name: Bluehost Build and Test
     needs: setup
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
+    permissions:
+      contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
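Review bot: The new `contents: read` comment states that the grant "Matches downstream reusable workflow", but the `uses:` line directly above resolves `module-plugin-test.yml@main`, a moving ref, so that match can drift without any change in this file; the caller job's permissions are the ceiling for the called workflow, which is the right place to set them, but the claim only holds while the downstream workflow's needs stay unchanged. Pinning the reusable workflow to a release tag or commit SHA, and naming the pinned version in the comment, would make the grant reviewable against a fixed target; if the ref must stay `@main`, rewording to `# Ceiling for the reusable workflow; contents: read is the minimum actions/checkout needs` avoids promising a match that is not checked. The identical two-line addition and long inline comment recur in the HostGator, Web.com, Crazy Domains and Mojo hunks; a short comment in each pointing at a single explanation next to the top-level `permissions: {}` would keep the file readable. The enclosing job mappings start outside these hunks.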
@@ -37,6 +44,8 @@ jobs:
     name: HostGator Build and Test
     needs: setup
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
+    permissions:
+      contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -47,6 +56,8 @@ jobs:
     name: Web.com Build and Test
     needs: setup
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
+    permissions:
+      contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -57,6 +68,8 @@ jobs:
     name: Crazy Domains Build and Test
     needs: setup
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
+    permissions:
+      contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -67,6 +80,8 @@ jobs:
     name: Mojo Build and Test
     needs: setup
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
+    permissions:
+      contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
diff --git a/.github/workflows/codecoverage-main.yml b/.github/workflows/codecoverage-main.yml
index 51d2163..daca1c5 100644
--- a/.github/workflows/codecoverage-main.yml
+++ b/.github/workflows/codecoverage-main.yml
@@ -13,10 +13,17 @@ on:
       - master
 
   workflow_dispatch:
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   codecoverage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to clone and push to gh-pages via git-auto-commit-action with GITHUB_TOKEN
+      pull-requests: write # Required to post coverage comments via mshick/add-pr-comment on pull requests
 
     services:
       mysql:
diff --git a/.github/workflows/satis-webhook.yml b/.github/workflows/satis-webhook.yml
index d3051e2..d633b00 100644
--- a/.github/workflows/satis-webhook.yml
+++ b/.github/workflows/satis-webhook.yml
@@ -5,10 +5,15 @@ on:
     types:
       - created
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   webhook:
     name: Send Webhook
     runs-on: ubuntu-latest
+    permissions: {} # Steps only use ${{ secrets.WEBHOOK_TOKEN }} for repository_dispatch; no GITHUB_TOKEN usage
     steps:
       - name: Set Package

From 0b1323d8c62317ad8fbba69a28843bc318df54e5 Mon Sep 17 00:00:00 2001
From: Jonathan Desrosiers <359867+desrosj@users.noreply.github.com>
Date: Thu, 14 May 2026 17:33:40 -0400
Subject: [PATCH 2/2] chore(workflows): add timeout-minutes to jobs

Co-authored-by: Cursor
---
 .github/workflows/brand-plugin-test.yml | 6 ++++++
 .github/workflows/codecoverage-main.yml | 2 +-
 .github/workflows/satis-webhook.yml     | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/brand-plugin-test.yml b/.github/workflows/brand-plugin-test.yml
index 402a27d..9b0c07f 100644
--- a/.github/workflows/brand-plugin-test.yml
+++ b/.github/workflows/brand-plugin-test.yml
@@ -19,6 +19,7 @@ jobs:
     name: Setup
     runs-on: ubuntu-latest
     permissions: {} # No checkout or GitHub API use; extracts branch metadata for reusable workflow inputs only
+    timeout-minutes: 10
     outputs:
       branch: ${{ steps.extract_branch.outputs.branch }}
     steps:
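Review bot: `contents: write` is granted to the whole `codecoverage` job, so a token with push access to the repository is present while composer dependencies, the test suite and the MySQL-backed coverage run execute, not only during the final gh-pages commit step the comment describes; anything that runs in that earlier phase gets the same write token. Moving the publish step into its own job that receives the report as an artifact and is the only job with `contents: write` keeps the test phase at `contents: read`. The `pull-requests: write` comment refers to posting on pull requests, yet the `on:` block visible here shows only the `master` push branch and `workflow_dispatch`; if `on:` (which starts outside this hunk) has no `pull_request` trigger the scope is unused and should be dropped, and if it does, the comment should note that on `pull_request` runs from forks GITHUB_TOKEN is normally read-only, so the comment step cannot rely on this grant there. The job definition continues past the hunk.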
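Review bot: The `webhook` job comment says the steps authenticate with `secrets.WEBHOOK_TOKEN`, and that token is not limited by either `permissions: {}` block, since `permissions` only shapes GITHUB_TOKEN; the job's actual reach is whatever the stored token can do. Spelling that out keeps the empty grant from being read as a full lockdown, e.g. `# GITHUB_TOKEN unused; access is governed by WEBHOOK_TOKEN, which should be a fine-grained token scoped to the target repository with only what repository_dispatch needs`. Writing `${{ secrets.WEBHOOK_TOKEN }}` literally inside a comment is harmless to the runner but misleads greps and linters that look for expression usage; plain `secrets.WEBHOOK_TOKEN` reads better. The job's steps continue outside the hunk.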
@@ -34,6 +35,7 @@ jobs:
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
     permissions:
       contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
+    timeout-minutes: 45
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -46,6 +48,7 @@ jobs:
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
     permissions:
       contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
+    timeout-minutes: 45
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -58,6 +61,7 @@ jobs:
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
     permissions:
       contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
+    timeout-minutes: 45
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -70,6 +74,7 @@ jobs:
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
     permissions:
       contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
+    timeout-minutes: 45
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
@@ -82,6 +87,7 @@ jobs:
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test.yml@main
     permissions:
       contents: read # Matches downstream reusable workflow; required for checkout/composer/GitHub-hosted actions using GITHUB_TOKEN on private repos
+    timeout-minutes: 45
     with:
       module-repo: ${{ github.repository }}
       module-branch: ${{ needs.setup.outputs.branch }}
diff --git a/.github/workflows/codecoverage-main.yml b/.github/workflows/codecoverage-main.yml
index daca1c5..9ad8429 100644
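Review bot: `timeout-minutes` is not one of the keys accepted on a job that calls a reusable workflow through `uses:`, so adding it to the Bluehost job here, and to the HostGator, Web.com, Crazy Domains and Mojo jobs in the four following hunks, is likely to fail workflow validation rather than bound the run; as far as I know GitHub only honours `timeout-minutes` on jobs that have `runs-on`/`steps`, which for these jobs live inside `module-plugin-test.yml` in newfold-labs/workflows. Remove the five `timeout-minutes: 45` lines and set the timeout on the jobs in the reusable workflow, or pass it through as a `workflow_call` input if the downstream workflow exposes one. The `setup` job's `timeout-minutes: 10` in the previous hunk is on an ordinary job and is fine. Each job mapping starts outside its hunk.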
--- a/.github/workflows/codecoverage-main.yml
+++ b/.github/workflows/codecoverage-main.yml
@@ -24,7 +24,7 @@ jobs:
     permissions:
       contents: write # Required to clone and push to gh-pages via git-auto-commit-action with GITHUB_TOKEN
       pull-requests: write # Required to post coverage comments via mshick/add-pr-comment on pull requests
-
+    timeout-minutes: 60
     services:
       mysql:
         image: mysql:5.7 # Password auth did not work on 8.0 on PHP 7.3, it did seem to work for PHP 7.4+
diff --git a/.github/workflows/satis-webhook.yml b/.github/workflows/satis-webhook.yml
index d633b00..7c7942d 100644
--- a/.github/workflows/satis-webhook.yml
+++ b/.github/workflows/satis-webhook.yml
@@ -14,6 +14,7 @@ jobs:
     name: Send Webhook
     runs-on: ubuntu-latest
     permissions: {} # Steps only use ${{ secrets.WEBHOOK_TOKEN }} for repository_dispatch; no GITHUB_TOKEN usage
+    timeout-minutes: 30
     steps:
       - name: Set Package