From e753585e28bbedd2acb4a75d7e7f82899543e0f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81ngel=20Guzm=C3=A1n=20Maeso?=
Date: Thu, 4 Dec 2025 02:00:45 +0100
Subject: [PATCH] feat(github-workflows): improve specs with concurrency, permissions, and timeouts
---
 .github/workflows/coding-standards.yml | 8 ++++++++
 .github/workflows/composer-lint.yml | 8 ++++++++
 .github/workflows/continuous-integration.yml | 12 ++++++++++++
 .github/workflows/documentation.yml | 7 +++++++
 .github/workflows/release-on-milestone-closed.yml | 6 ++++++
 .github/workflows/static-analysis.yml | 8 ++++++++
 .github/workflows/test-dev-stability.yml | 8 ++++++++
 .github/workflows/website-schema.yml | 7 +++++++
 8 files changed, 64 insertions(+)
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 8e159f1d5..3ceee7575 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -23,6 +23,14 @@ on:
 - src/**
 - tests/**
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 coding-standards:
 name: "Coding Standards"
diff --git a/.github/workflows/composer-lint.yml b/.github/workflows/composer-lint.yml
index a9876185a..842993e8a 100644
--- a/.github/workflows/composer-lint.yml
+++ b/.github/workflows/composer-lint.yml
@@ -13,6 +13,14 @@ on:
 paths:
 - .github/workflows/composer-lint.yml
 - "composer.json"
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
 jobs:
 composer-lint:
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 6254c7602..bb2fedcc8 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
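Review bot: In `.github/workflows/coding-standards.yml` the new top-level `permissions:` block grants `pull-requests: write` to every job in the workflow, and nothing visible in the hunk shows which step needs it (the job body is outside the hunk). Because these jobs check out and run code from the pull request, the narrower layout keeps only `contents: read` at workflow level and declares the write scope in a job-level `permissions:` block on the one job that uses it. The same applies to `checks: write` and `pull-requests: write` in `continuous-integration.yml` and to `checks: write` in `static-analysis.yml`. A short comment next to each write scope, for example `# pull-requests: write is required by <step name>`, would make the grant reviewable later.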
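Review bot: In `.github/workflows/composer-lint.yml`, `cancel-in-progress: true` with the group `${{ github.workflow }}-${{ github.ref }}` cancels runs for every event type, not only pull requests. If the `on:` block (only partly visible here) includes `push`, a commit on a long-lived branch can end up with no completed result when another push follows quickly. Consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so that only superseded pull-request runs are cancelled. The same block is added to the coding-standards, continuous-integration, documentation, static-analysis, test-dev-stability and website-schema workflows.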
@@ -25,10 +25,20 @@ on:
 - templates/**
 - tests/**
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+
 jobs:
 phpunit:
 name: "PHPUnit"
 runs-on: "ubuntu-latest"
+ timeout-minutes: 10
 env:
 SYMFONY_REQUIRE: ${{matrix.symfony-require}}
 SYMFONY_DEPRECATIONS_HELPER: weak
@@ -131,6 +141,7 @@ jobs:
 upload_coverage:
 name: "Upload coverage to Codecov"
 runs-on: "ubuntu-latest"
+ timeout-minutes: 5
 # Only run on PRs from forks or PRs from branches that do not match `*.x`
 if: "github.event.pull_request.head.repo.full_name != github.repository || !contains(github.event.pull_request.head.ref, '.x')"
 needs:
@@ -151,5 +162,6 @@ jobs:
 uses: "codecov/codecov-action@v5"
 with:
 directory: reports
+ fail_ci_if_error: false
 env:
 CODECOV_TOKEN: "${{ secrets.CODECOV_TOKEN }}"
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 7722f764f..59cd72c4e 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -14,6 +14,13 @@ on:
 - ".github/workflows/documentation.yml"
 - "docs/**"
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
 jobs:
 documentation:
 name: "Documentation"
diff --git a/.github/workflows/release-on-milestone-closed.yml b/.github/workflows/release-on-milestone-closed.yml
index 634210120..163668b9a 100644
--- a/.github/workflows/release-on-milestone-closed.yml
+++ b/.github/workflows/release-on-milestone-closed.yml
@@ -4,6 +4,12 @@ on:
 milestone:
 types:
 - "closed"
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
 jobs:
 release:
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 19cd93448..c8bac79d2 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
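Review bot: In the `@@ -151,5 +162,6 @@` hunk of `continuous-integration.yml`, `fail_ci_if_error: false` leaves the job green when the coverage upload fails, so missing coverage reports go unnoticed. As far as I know `false` is also the action's default, so the line only states intent, and a comment such as `# upload failures are tolerated so that runs without a token do not fail CI` (if that is the reason) would record why. The same step passes `CODECOV_TOKEN` to `codecov/codecov-action@v5`, which is a mutable tag. Pinning it as `uses: "codecov/codecov-action@<full-commit-sha>" # v5` would fit the hardening this commit is doing. The step begins outside the hunk.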
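Review bot: In `release-on-milestone-closed.yml` the added `workflow_dispatch:` trigger gives a manual entry point to a workflow that now holds `contents: write`, `issues: write` and `pull-requests: write`, and a manually dispatched run carries no `milestone` payload. The `release` job body is outside the hunk, so I cannot confirm whether it reads `github.event.milestone`; if it does, a manual run will fail or act on empty values. Either drop the trigger or add a comment stating what a manual run is expected to release. This is also the only workflow that gets no `concurrency:` block; a group with `cancel-in-progress: false` would serialise two release runs without cancelling either.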
@@ -23,6 +23,14 @@ on:
 - src/**
 - tests/**
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ checks: write
+
 jobs:
 static-analysis:
 name: "Static Analysis"
diff --git a/.github/workflows/test-dev-stability.yml b/.github/workflows/test-dev-stability.yml
index 82b919db6..67bfafee2 100644
--- a/.github/workflows/test-dev-stability.yml
+++ b/.github/workflows/test-dev-stability.yml
@@ -5,10 +5,18 @@ on:
 schedule:
 - cron: "0 0 * * 0"
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
 jobs:
 phpunit:
 name: "PHPUnit"
 runs-on: "ubuntu-latest"
+ timeout-minutes: 10
 env:
 SYMFONY_REQUIRE: ${{matrix.symfony-require}}
diff --git a/.github/workflows/website-schema.yml b/.github/workflows/website-schema.yml
index 80312010a..d00d9c349 100644
--- a/.github/workflows/website-schema.yml
+++ b/.github/workflows/website-schema.yml
@@ -15,6 +15,13 @@ on:
 - ".doctrine-project.json"
 - ".github/workflows/website-schema.yml"
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
 jobs:
 json-validate:
 name: "Validate JSON schema"