fix: improve workflow security, reliability, and documentation

sjnims · claude · sjnims · commit be56227abb1c · 2025-12-13T13:54:52.000-05:00
HIGH PRIORITY - Security: - Add explicit permissions to links.yml (contents: read, issues: write) - Add explicit permissions to markdownlint.yml (contents: read) - Add explicit permissions to validate-workflows.yml (contents: read) MEDIUM PRIORITY - Reliability: - Add timeout-minutes to all Claude-powered workflows to prevent runaway jobs - ci-failure-analysis: 10min - claude-pr-review: 10min - claude.yml: 15min - component-validation: 10min - semantic-labeler: 5min (both jobs) - version-check: 5min - weekly-maintenance: 15min - Add duplicate issue check to weekly-maintenance.yml (closes old reports) - Add bot exclusion to greet.yml (skip dependabot and claude bots) LOW PRIORITY - Operational: - Add operations-per-run and enable-statistics to stale.yml - Add clarifying comments for issues:write permission scopes - Add documentation header to links.yml explaining lychee flags 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/.github/workflows/ci-failure-analysis.yml b/.github/workflows/ci-failure-analysis.yml
@@ -27,6 +27,7 @@ jobs:
       github.event.workflow_run.actor.login != 'dependabot[bot]' &&
       github.event.workflow_run.actor.login != 'claude[bot]'
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
@@ -20,10 +20,11 @@ jobs:
       github.actor != 'claude[bot]' &&
       github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write
-      issues: write
+      issues: write  # Required by claude-code-action for PR comments (GitHub API treats PR comments as issue comments)
       id-token: write
       actions: read
     steps:
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -38,6 +38,7 @@ jobs:
          contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))
       )
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: write  # Write access for pushing branches
       pull-requests: write
diff --git a/.github/workflows/component-validation.yml b/.github/workflows/component-validation.yml
@@ -22,10 +22,11 @@ jobs:
       github.actor != 'claude[bot]' &&
       github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: read
       pull-requests: write
-      issues: write
+      issues: write  # Recommended by claude-code-action docs for full functionality
       id-token: write
       actions: read
     steps:
diff --git a/.github/workflows/greet.yml b/.github/workflows/greet.yml
@@ -14,6 +14,8 @@ concurrency:
 
 jobs:
   greeting:
+    # Skip bot accounts to avoid greeting automated tools
+    if: github.actor != 'dependabot[bot]' && github.actor != 'claude[bot]'
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
@@ -1,5 +1,12 @@
 name: Check Links
 
+# Checks all markdown files for broken links using lychee
+# Key flags:
+#   --cache: Cache results to speed up subsequent runs
+#   --exclude-link-local: Skip localhost/127.0.0.1 links (not reachable in CI)
+#   --exclude-file: Use .lycheeignore for links that shouldn't be checked (e.g., rate-limited sites)
+# Creates a GitHub issue on failure for visibility
+
 on:
   pull_request:
     paths:
@@ -12,6 +19,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  issues: write  # Required by peter-evans/create-issue-from-file on failure
+
 jobs:
   linkChecker:
     name: Check Markdown Links
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint Markdown Files
diff --git a/.github/workflows/semantic-labeler.yml b/.github/workflows/semantic-labeler.yml
@@ -23,6 +23,7 @@ jobs:
       github.actor != 'dependabot[bot]' &&
       github.actor != 'claude[bot]'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       contents: read
       issues: write
@@ -117,6 +118,7 @@ jobs:
       github.actor != 'claude[bot]' &&
       github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       contents: read
       pull-requests: write
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -29,3 +29,5 @@ jobs:
           stale-pr-label: 'stale'
           exempt-issue-labels: 'pinned,security,roadmap'
           exempt-pr-labels: 'pinned,security'
+          operations-per-run: 100  # Limit API calls per run to avoid rate limiting
+          enable-statistics: true  # Log statistics for monitoring
diff --git a/.github/workflows/validate-workflows.yml b/.github/workflows/validate-workflows.yml
@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   actionlint:
     name: Lint GitHub Actions Workflows
diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml
@@ -20,6 +20,7 @@ jobs:
       github.actor != 'dependabot[bot]' &&
       github.actor != 'claude[bot]'
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     permissions:
       contents: read
       id-token: write
diff --git a/.github/workflows/weekly-maintenance.yml b/.github/workflows/weekly-maintenance.yml
@@ -16,6 +16,7 @@ concurrency:
 jobs:
   maintenance-report:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     permissions:
       contents: read
       issues: write
@@ -27,6 +28,25 @@ jobs:
         with:
           fetch-depth: 1
 
+      - name: Close previous maintenance issues
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Find and close any existing open maintenance report issues
+          # This prevents accumulation of stale maintenance reports
+          existing_issues=$(gh issue list --label "automation" --state open --json number,title \
+            --jq '.[] | select(.title | startswith("Weekly Maintenance Report")) | .number')
+
+          if [ -n "$existing_issues" ]; then
+            echo "Found existing maintenance issues to close:"
+            echo "$existing_issues" | while read -r issue_num; do
+              echo "  Closing issue #$issue_num"
+              gh issue close "$issue_num" --comment "Superseded by new weekly maintenance report."
+            done
+          else
+            echo "No existing maintenance issues found"
+          fi
+
       - name: Generate maintenance report
         uses: anthropics/claude-code-action@f0c8eb29807907de7f5412d04afceb5e24817127 # v1.0.23
         with:

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ jobs:`
`38`	`38`	`contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association))`
`39`	`39`	`)`
`40`	`40`	`runs-on: ubuntu-latest`
	`41`	`+ timeout-minutes: 15`
`41`	`42`	`permissions:`
`42`	`43`	`contents: write # Write access for pushing branches`
`43`	`44`	`pull-requests: write`