GitHub Actions workflow updates

.github/workflows/auto-label-prs.yml

@@ -30,14 +30,18 @@ on:
     pull_request_target:
         types: [opened, synchronize, reopened, ready_for_review]
 
-permissions:
-    contents: read
-    pull-requests: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 jobs:
     paths:
         if: github.repository == 'WordPress/wordpress-playground'
         runs-on: ubuntu-latest
+        timeout-minutes: 10
+        permissions:
+            contents: read       # Required for actions/labeler to read the configuration file.
+            pull-requests: write # Required to apply labels to pull requests.
         steps:
             # Pinned to a commit SHA, not a tag: this job runs with
             # pull-requests:write, so a moved tag would be a supply-chain
@@ -50,6 +54,9 @@ jobs:
     package-and-type:
         if: github.repository == 'WordPress/wordpress-playground'
         runs-on: ubuntu-latest
+        timeout-minutes: 10
+        permissions:
+            pull-requests: write # Required to apply labels to pull requests.
         steps:
             - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
               with:

.github/workflows/ci.yml

@@ -5,6 +5,10 @@ on:
             - trunk
     pull_request:
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     # This step:
     # * Warms up the node_modules cache
@@ -18,6 +22,9 @@ jobs:
         name: 'Lint and typecheck'
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -30,6 +37,9 @@ jobs:
     test-unit-asyncify:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         strategy:
             fail-fast: false
             matrix:
@@ -79,6 +89,9 @@ jobs:
     test-unit-jspi:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         strategy:
             fail-fast: false
             matrix:
@@ -130,6 +143,9 @@ jobs:
                 os: [ubuntu-latest, windows-latest, macos-latest]
         continue-on-error: true
         runs-on: ${{ matrix.os }}
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         name: 'test-playground-cli (${{ matrix.os }})'
         steps:
             - uses: actions/checkout@v4
@@ -148,6 +164,9 @@ jobs:
                 async-strategy: [asyncify, jspi]
         continue-on-error: true
         runs-on: ${{ matrix.os }}
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         name: 'test-file-locking-${{ matrix.async-strategy }} (${{ matrix.os }})'
         steps:
             - uses: actions/checkout@v4
@@ -161,6 +180,9 @@ jobs:
     test-e2e-php-wasm-web-jspi:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -171,6 +193,9 @@ jobs:
     test-e2e-php-wasm-web-asyncify:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -181,6 +206,9 @@ jobs:
     test-e2e:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         # Run as root to allow node to bind to port 80
         steps:
             - uses: actions/checkout@v4
@@ -201,6 +229,9 @@ jobs:
     test-e2e-playwright:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         strategy:
             fail-fast: false
             matrix:
@@ -282,6 +313,9 @@ jobs:
 
     test-e2e-personal-wp:
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -301,6 +335,9 @@ jobs:
     test-e2e-components:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -320,6 +357,9 @@ jobs:
     # Run MCP e2e tests independently from other tests because running a local version of the MCP server from TypeScript files requires Node 22+
     test-e2e-mcp:
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -341,6 +381,9 @@ jobs:
     test-docs-api-reference:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -360,6 +403,9 @@ jobs:
     test-built-npm-packages:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -373,6 +419,9 @@ jobs:
     test-playground-client-types-rollup:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -388,6 +437,9 @@ jobs:
     test-running-unbuilt-playground-cli:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -400,6 +452,9 @@ jobs:
     test-php-wasm-cli-smoke:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -412,6 +467,9 @@ jobs:
     detect-compile-extension-helper-changes:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo and fetch commit history.
         outputs:
             changed: ${{ steps.changed.outputs.changed }}
         steps:
@@ -447,6 +505,9 @@ jobs:
         needs: detect-compile-extension-helper-changes
         if: (github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request') && needs.detect-compile-extension-helper-changes.outputs.changed == 'true'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - name: Free up runner disk space
               shell: bash
@@ -481,6 +542,8 @@ jobs:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
         timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -511,6 +574,9 @@ jobs:
     test-redis-extension:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         services:
             redis:
                 image: redis:7-alpine
@@ -539,6 +605,9 @@ jobs:
     test-memcached-extension:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         services:
             memcached:
                 image: memcached:1.6-alpine
@@ -562,6 +631,9 @@ jobs:
     build:
         if: github.repository == 'WordPress/wordpress-playground' || github.event_name == 'pull_request'
         runs-on: ubuntu-latest
+        timeout-minutes: 30
+        permissions:
+            contents: read # Required to clone the repo.
         steps:
             - uses: actions/checkout@v4
               with:
@@ -592,8 +664,9 @@ jobs:
 
         # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
         permissions:
-            pages: write # to deploy to Pages
-            id-token: write # to verify the deployment originates from an appropriate source
+            contents: read  # Required to clone the repo.
+            pages: write    # Required to deploy to GitHub Pages.
+            id-token: write # Required to verify the deployment originates from an appropriate source.
 
         # Deploy to the github-pages environment
         environment:
@@ -602,6 +675,7 @@ jobs:
 
         # Specify runner + deployment step
         runs-on: ubuntu-latest
+        timeout-minutes: 30
         steps:
             - uses: actions/checkout@v4
               with:

.github/workflows/dependabot-lockfile.yml

@@ -4,14 +4,17 @@ on:
     pull_request:
         types: [opened, synchronize]
 
-permissions:
-    contents: write
-    pull-requests: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 jobs:
     fix-lock:
         if: github.actor == 'dependabot[bot]'
         runs-on: ubuntu-latest
+        timeout-minutes: 10
+        permissions:
+            contents: write # Required to push the updated lockfile commit back to the branch.
         steps:
             - uses: actions/checkout@v4
               with:

.github/workflows/deploy-cors-proxy.yml

@@ -6,6 +6,10 @@ on:
 concurrency:
     group: cors-proxy-deployment
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     # Check preconditions in a separate job because secrets aren't
     # available in job-level `if` conditions.
@@ -27,6 +31,8 @@ jobs:
                 github.actor == 'ashfame'
             )
         runs-on: ubuntu-latest
+        timeout-minutes: 20
+        permissions: {}
         environment:
             name: cors-proxy-wp-cloud
         outputs:
@@ -56,6 +62,9 @@ jobs:
 
         # Specify runner + deployment step
         runs-on: ubuntu-latest
+        timeout-minutes: 20
+        permissions:
+            contents: read # Required to clone the repo.
         environment:
             name: cors-proxy-wp-cloud
         steps:

.github/workflows/deploy-my-wordpress-net.yml

@@ -9,6 +9,10 @@ on:
 concurrency:
     group: my-wordpress-net-deployment
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
     # Check preconditions in a separate job because secrets aren't
     # available in job-level `if` conditions.
@@ -29,6 +33,8 @@ jobs:
                 github.actor == 'ashfame'
             )
         runs-on: ubuntu-latest
+        timeout-minutes: 20
+        permissions: {}
         environment:
             name: my-wordpress-net-wp-cloud
         outputs:
@@ -57,6 +63,9 @@ jobs:
         if: needs.check_preconditions.outputs.meets_deploy_preconditions == 'true'
 
         runs-on: ubuntu-latest
+        timeout-minutes: 20
+        permissions:
+            contents: read # Required to clone the repo.
         environment:
             name: my-wordpress-net-wp-cloud
         steps: