From a988527d7e9a19440e766bca17a16ea5b8d5cdee Mon Sep 17 00:00:00 2001
From: merlin
Date: Wed, 20 May 2026 00:22:58 +0800
Subject: [PATCH] chore(workflows): apply best-practice hardening across all reusable workflows

Fixes found during full audit of .github reusable workflows:
permissions:
- issue-welcome.yml: add missing top-level permissions: {}
- octo-ci-status.yml: move actions:read from top-level to job level; top-level now permissions: {}
- workflow-sanity.yml: move contents:read from top-level to job level; top-level now permissions: {}
timeout-minutes (all were unbounded):
- reusable-pr-labeler.yml label job: 10 min
- reusable-release-drafter.yml draft job: 10 min
- reusable-release-publish.yml publish job: 15 min
- reusable-stale.yml all 3 jobs: 30 min each
- workflow-sanity.yml no-tabs: 5 min, actionlint: 10 min
No behavioral changes. All external actions remain SHA-pinned.
---
 .github/workflows/issue-welcome.yml | 2 ++
 .github/workflows/octo-ci-status.yml | 5 +++--
 .github/workflows/reusable-pr-labeler.yml | 1 +
 .github/workflows/reusable-release-drafter.yml | 1 +
 .github/workflows/reusable-release-publish.yml | 1 +
 .github/workflows/reusable-stale.yml | 3 +++
 .github/workflows/workflow-sanity.yml | 9 +++++++--
 7 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/issue-welcome.yml b/.github/workflows/issue-welcome.yml
index 16e2651..b99b96c 100644
--- a/.github/workflows/issue-welcome.yml
+++ b/.github/workflows/issue-welcome.yml
@@ -3,6 +3,8 @@ name: Issue Welcome (Reusable)
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   welcome:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/octo-ci-status.yml b/.github/workflows/octo-ci-status.yml
index 96df0ac..2e76a3e 100644
--- a/.github/workflows/octo-ci-status.yml
+++ b/.github/workflows/octo-ci-status.yml
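Review bot: With `permissions: {}` now at the top of issue-welcome.yml, the `welcome` job keeps a usable GITHUB_TOKEN only if it declares its own `permissions:` block, and the hunk shows nothing between `welcome:` and `runs-on: ubuntu-latest` (the job body continues outside the hunk); if no such block exists further down, a step that comments on the issue will fail at runtime rather than at lint time, so confirm and add `permissions:` / `  issues: write` on the job, mirroring what this commit does for the `notify` job in octo-ci-status.yml. The commit message lists no job-level grant for this file, unlike the other two permission moves, which makes that check worth doing. Separately, `runs-on: ubuntu-latest` here and in the octo-ci-status.yml hunk is a floating label while reusable-stale.yml and workflow-sanity.yml pin `ubuntu-24.04`; for a hardening pass, pinning the image the same way keeps runs reproducible and the audit consistent.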
@@ -37,13 +37,14 @@ on:
       OCTO_BOT_TOKEN:
         required: true
 
-permissions:
-  actions: read
+permissions: {}
 
 jobs:
   notify:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      actions: read
     steps:
       - name: Notify Octo IM
         env:
diff --git a/.github/workflows/reusable-pr-labeler.yml b/.github/workflows/reusable-pr-labeler.yml
index a5efae7..9d1571f 100644
--- a/.github/workflows/reusable-pr-labeler.yml
+++ b/.github/workflows/reusable-pr-labeler.yml
@@ -21,6 +21,7 @@ permissions: {}
 jobs:
   label:
     name: Label PR size and detect dependency changes
+    timeout-minutes: 10
     permissions:
       issues: write
       pull-requests: write
diff --git a/.github/workflows/reusable-release-drafter.yml b/.github/workflows/reusable-release-drafter.yml
index f406704..27b3bcf 100644
--- a/.github/workflows/reusable-release-drafter.yml
+++ b/.github/workflows/reusable-release-drafter.yml
@@ -14,6 +14,7 @@ permissions: {}
 jobs:
   draft:
     name: Update Release Draft
+    timeout-minutes: 10
     permissions:
       contents: write
       pull-requests: read
diff --git a/.github/workflows/reusable-release-publish.yml b/.github/workflows/reusable-release-publish.yml
index 3d46165..9912119 100644
--- a/.github/workflows/reusable-release-publish.yml
+++ b/.github/workflows/reusable-release-publish.yml
@@ -27,6 +27,7 @@ permissions: {}
 jobs:
   publish:
     name: Publish GitHub Release (${{ inputs.tag }})
+    timeout-minutes: 15
     permissions:
       contents: write
       actions: read # required to query workflow run status and head SHA
diff --git a/.github/workflows/reusable-stale.yml b/.github/workflows/reusable-stale.yml
index 55379a9..30ef1ea 100644
--- a/.github/workflows/reusable-stale.yml
+++ b/.github/workflows/reusable-stale.yml
@@ -29,6 +29,7 @@ jobs:
       issues: write
       pull-requests: write
     runs-on: ubuntu-24.04
+    timeout-minutes: 30
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
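Review bot: The `actions: read` moved under the `notify` job in octo-ci-status.yml carries no rationale, whereas the same grant in reusable-release-publish.yml is documented inline as `actions: read # required to query workflow run status and head SHA`; without a comment the next audit cannot tell whether the `Notify Octo IM` step still needs it or whether it is left over. Since this is a `workflow_call` workflow (the hunk shows `OCTO_BOT_TOKEN` declared as a required secret under `on:`), a job-level grant is also only effective if the caller passes at least that permission, which is worth stating for callers. A trailing comment in the release-publish style, `actions: read # <what the Notify Octo IM step reads with this; callers must grant at least this>`, with the placeholder filled in, would close both gaps.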
@@ -65,6 +66,7 @@ jobs:
       issues: write
       pull-requests: write
     runs-on: ubuntu-24.04
+    timeout-minutes: 30
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
@@ -92,6 +94,7 @@ jobs:
       issues: write
       pull-requests: write
     runs-on: ubuntu-24.04
+    timeout-minutes: 30
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
diff --git a/.github/workflows/workflow-sanity.yml b/.github/workflows/workflow-sanity.yml
index 7c917cc..fba074b 100644
--- a/.github/workflows/workflow-sanity.yml
+++ b/.github/workflows/workflow-sanity.yml
@@ -15,8 +15,7 @@ on:
       - '.github/actions/**'
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: workflow-sanity-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -26,6 +25,9 @@ jobs:
   no-tabs:
     name: No tabs in workflow files
     runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -61,6 +63,9 @@ jobs:
   actionlint:
     name: actionlint
     runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
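Review bot: The `contents: read` block added under `no-tabs` (and identically under `actionlint` in the following hunk) preserves the old behaviour only if those two are the workflow's only jobs; the hunks cover file lines 26–31 and 61–66 of workflow-sanity.yml, so any job defined in the unseen stretch between them would now inherit the empty top-level `permissions: {}` and lose token-based read access to the repository, which the message's "No behavioral changes" line would not catch. Confirm the job list before merging; if it is longer than two, either give every job its own block or keep the explicit `contents: read` at the top level. Because the two job-level blocks are byte-identical, a short comment on each, such as `# read-only: both jobs only check out and lint`, would make clear to a future audit that neither should be widened.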