Merge pull request #179 from WordPress/workflow-updates

desrosj · web-flow · commit d0ac08053125 · 2026-05-13T20:37:37.000+05:30
GitHub Actions workflow updates
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -1,5 +1,9 @@
 name: 'Copilot Setup Steps'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 # Automatically run the setup steps when they are changed to allow for easy validation, and
 # allow manual testing through the repository's "Actions" tab
 on:
@@ -15,9 +19,10 @@ jobs:
   # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
   copilot-setup-steps:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     permissions:
-      contents: read
+      contents: read # Required to clone the repo.
 
     steps:
       - name: Checkout repository
diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml
@@ -50,9 +50,8 @@ jobs:
     name: Generate a list of props
     runs-on: ubuntu-24.04
     permissions:
-      # The action needs permission `write` permission for PRs in order to add a comment.
-      pull-requests: write
-      contents: read
+      pull-requests: write # Required by props-bot-action to comment on the PR.
+      contents: read       # Required by props-bot-action to read repository contents.
     timeout-minutes: 20
     # The job will run when pull requests are open, ready for review and:
     #
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Upload Package on Release
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 # Cancels all previous workflow runs for pull requests that have not completed.
 concurrency:
   # The concurrency group contains the workflow name and the branch name for pull requests
@@ -15,6 +19,9 @@ jobs:
   tag:
     name: Upload New Release
     runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: write # Required to clone the repo and to upload the release asset.
 
     steps:
       - name: Checkout repository
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,5 +1,9 @@
 name: Test
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 on:
   workflow_dispatch:
   push:
@@ -33,7 +37,7 @@ jobs:
     name: Run PHPCS coding standards checks
     runs-on: ubuntu-24.04
     permissions:
-      contents: read
+      contents: read # Required to clone the repo.
     timeout-minutes: 20
 
     steps:
@@ -92,7 +96,7 @@ jobs:
     name: Run PHP static analysis
     runs-on: ubuntu-24.04
     permissions:
-      contents: read
+      contents: read # Required to clone the repo.
     timeout-minutes: 20
 
     steps:
@@ -171,6 +175,9 @@ jobs:
   phpunit:
     name: Test PHP ${{ matrix.php }} WP ${{ matrix.wp }}${{ matrix.coverage && ' with coverage' || '' }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read # Required to clone the repo.
+    timeout-minutes: 20
     strategy:
       fail-fast: false
       matrix:
