diff --git a/.github/workflows/auto-translate.yml b/.github/workflows/auto-translate.yml
index f3ee13b7..4f6181e9 100644
--- a/.github/workflows/auto-translate.yml
+++ b/.github/workflows/auto-translate.yml
@@ -12,14 +12,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
 permissions: {}
 
 jobs:
   translate:
     name: 'Check and update translations'
+    timeout-minutes: 120
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # Required for the reusable translations workflow to push the auto-translate branch and commits.
+      pull-requests: write # Required for gh pr list/update/create flows inside the reusable workflow (GITHUB_TOKEN).
     uses: newfold-labs/workflows/.github/workflows/reusable-translations.yml@main
     with:
       text_domain: 'wp-module-data'
diff --git a/.github/workflows/brand-plugin-test-playwright.yml b/.github/workflows/brand-plugin-test-playwright.yml
index 7e8d439c..4cb5a018 100644
--- a/.github/workflows/brand-plugin-test-playwright.yml
+++ b/.github/workflows/brand-plugin-test-playwright.yml
@@ -6,19 +6,20 @@ on:
       - main
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   setup:
     name: Setup
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
+    timeout-minutes: 10
+    permissions: {} # No checkout or GitHub API usage; only derives the branch name from workflow ref env vars.
     outputs:
       branch: ${{ steps.extract_branch.outputs.branch }}
     steps:
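Review bot: The `contents: write` and `pull-requests: write` grants added to the `translate` job flow into a reusable workflow referenced as `reusable-translations.yml@main`, a mutable ref, so any change landing on that branch of newfold-labs/workflows runs here with write access to this repository and the permission hardening in this hunk only holds as far as that branch is trusted. Pinning the `uses:` line to a full commit SHA, with the branch or tag kept in a trailing comment, would close that gap; the same applies to the `bluehost`, `bluehost-dev`, `prep-release` and `unit-tests` jobs in the later hunks, which also grant scopes to `@main` references. Separately, the new inline comments on the permission lines run well past 120 characters; writing each as a `# ...` line above its key keeps the files within yamllint's line-length limit and avoids the comment being lost when the line is wrapped.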
@@ -31,8 +32,9 @@ jobs:
   bluehost:
     name: Bluehost Build and Test Playwright
     needs: setup
+    timeout-minutes: 120
     permissions:
-      contents: read
+      contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
     with:
       module-repo: ${{ github.repository }}
@@ -43,8 +45,9 @@ jobs:
   bluehost-dev:
     name: Bluehost Dev Build and Test Playwright
     needs: setup
+    timeout-minutes: 120
     permissions:
-      contents: read
+      contents: read # Required for the reusable workflow to clone this module and the brand plugin (GITHUB_TOKEN).
     uses: newfold-labs/workflows/.github/workflows/module-plugin-test-playwright.yml@main
     with:
       module-repo: ${{ github.repository }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 22db78fb..6657863f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,10 +15,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   phpcs:
     name: Run PHP Code Sniffer
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: write # Required to checkout the repo and push PHPCBF fixes on main via git-auto-commit-action (github.token).
     steps:
       - name: Checkout
diff --git a/.github/workflows/newfold-prep-release.yml b/.github/workflows/newfold-prep-release.yml
index 352081a9..0ffbbf94 100644
--- a/.github/workflows/newfold-prep-release.yml
+++ b/.github/workflows/newfold-prep-release.yml
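Review bot: The `phpcs` job in lint.yml now receives `contents: write` on every run, while the added comment states the write scope is only needed to push PHPCBF fixes on `main`; runs for the other triggers (the `on:` block is outside this hunk) therefore carry a write-capable token that only performs a checkout. Splitting the work into a read-only lint job and a `main`-only auto-fix job that alone declares `contents: write`, or at minimum gating the commit step with `if: github.ref == 'refs/heads/main'`, would keep the token to `contents: read` where nothing is pushed. The job's `steps:` list continues past the end of the hunk, so the commit step itself is not visible here.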
@@ -21,9 +21,10 @@ jobs:
   # This job runs the newfold module-prep-release workflow for this module.
   prep-release:
     name: Prepare Release
+    timeout-minutes: 60
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # Required for the reusable prep-release workflow to push the release branch and file bumps.
+      pull-requests: write # Required for gh pr list and opening the release pull request (GITHUB_TOKEN in reusable job).
     uses: newfold-labs/workflows/.github/workflows/reusable-module-prep-release.yml@main
     with:
       module-repo: ${{ github.repository }}
diff --git a/.github/workflows/satis-webhook.yml b/.github/workflows/satis-webhook.yml
index 61a22a50..59839035 100644
--- a/.github/workflows/satis-webhook.yml
+++ b/.github/workflows/satis-webhook.yml
@@ -8,10 +8,17 @@ on:
 env:
   VERSION: ${GITHUB_REF#refs/tags/*}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   webhook:
     name: Send Webhook
     runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      contents: read # Required to checkout the repository (actions/checkout with GITHUB_TOKEN).
     steps:
       - name: Checkout
diff --git a/.github/workflows/unit-tests-and-coverage-report.yml b/.github/workflows/unit-tests-and-coverage-report.yml
index d5b81cc3..8eeba109 100644
--- a/.github/workflows/unit-tests-and-coverage-report.yml
+++ b/.github/workflows/unit-tests-and-coverage-report.yml
@@ -18,9 +18,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ (github.event_name == 'pull_request' && github.head_ref) || github.sha }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   get-repo-name:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions: {} # No checkout or GitHub API usage; only derives the repo name from github.repository.
     outputs:
       repository-name: ${{ steps.repo-name.outputs.name }}
     steps:
@@ -32,9 +38,10 @@ jobs:
 
   unit-tests:
     needs: get-repo-name
+    timeout-minutes: 120
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # Required for the reusable codecoverage workflow to push coverage HTML to gh-pages.
+      pull-requests: write # Required for the reusable workflow to add PR comments (coverage via mshick/add-pr-comment).
     uses: newfold-labs/workflows/.github/workflows/reusable-codecoverage.yml@main
     with:
       php-versions: '["7.4", "8.0", "8.1", "8.2", "8.3"]'
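Review bot: The `pull-requests: write` and `contents: write` grants on `unit-tests` are requested by the job but are not guaranteed at run time: on `pull_request` events from forks (the `on:` block is outside this hunk) GITHUB_TOKEN is read-only regardless of the job's `permissions:` block, so the PR-comment and gh-pages push steps the new comments describe would fail in those runs unless the reusable workflow guards them. If fork pull requests are expected here, it is worth confirming that `reusable-codecoverage.yml` conditions those steps on `github.event.pull_request.head.repo.fork == false` or tolerates the failure, and noting that expectation in the comment, e.g. `# Write scopes are only effective for same-repo runs; fork PRs get a read-only token.`. The `get-repo-name` job's `permissions: {}` in the first hunk is consistent with a job that does no checkout, assuming its steps (outside the hunk) really use only `github.repository`.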