GitHub Actions workflow updates

[johnbillion]

This updates the GitHub Actions workflow files to:

• Grant minimally-scoped permissions to each job to adhere to the principle of least privilege
• Specify a timeout on each job to prevent runaway processes consuming too many minutes (the default is 360)

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

References

• https://docs.github.com/en/actions/reference/security/secure-use
• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idtimeout-minutes

Use of AI

Claude Code was used to create the initial changes. All permissions and timeouts changes were reviewed and adjusted by me where necessary.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates GitHub Actions workflows to follow least-privilege permissions and to add explicit job-level timeouts to prevent runaway jobs.

Changes:

• Set workflow-level default token permissions to none (permissions: {}) and add job-level permissions as needed.
• Add timeout-minutes to jobs across workflows.
• Document rationale for permissions/timeouts inline within workflow files.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
.github/workflows/update-changelog.yml	Disables default permissions; adds job timeout and contents: write for changelog updates.
.github/workflows/refresh-wordpress-nightly.yml	Disables default permissions; adds timeout and contents: write for scheduled refresh pushes.
.github/workflows/refresh-wordpress-major-and-beta.yml	Disables default permissions; sets job permissions for repo writes and workflow dispatch.
.github/workflows/refresh-sqlite-integration.yml	Disables default permissions; adds timeout and permissions for repo writes + workflow dispatch.
.github/workflows/publish-self-hosted-package-release.yml	Disables default permissions; adds timeout and contents: write for tagging/version bumps.
.github/workflows/publish-npm-packages.yml	Moves permissions from workflow-level to job-level; adds timeout and OIDC permissions.
.github/workflows/publish-github-release.yml	Moves permissions from workflow-level to job-level; adds timeout and contents: write.
.github/workflows/publish-devtools-extension.yml	Disables default permissions; adds timeout and clarifies contents: write usage.
.github/workflows/deploy-website.yml	Disables default permissions; adds timeouts and job-level contents: read where needed.
.github/workflows/deploy-my-wordpress-net.yml	Disables default permissions; adds timeouts and job-level contents: read where needed.
.github/workflows/deploy-cors-proxy.yml	Disables default permissions; adds timeouts and job-level contents: read where needed.
.github/workflows/dependabot-lockfile.yml	Moves permissions from workflow-level to job-level; adds timeout and contents: write.
.github/workflows/ci.yml	Disables default permissions; adds job timeouts and contents: read across CI jobs; adjusts Pages deploy permissions.
.github/workflows/auto-label-prs.yml	Moves permissions from workflow-level to job-level; adds timeouts and least-privilege permissions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.