From 80b1a48903b93c63065625c913651e4c18102756 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kim=20Harjam=C3=A4ki?= Date: Fri, 3 Jul 2026 20:04:11 +0300 Subject: [PATCH] chore: add codeowners and harden workflow permissions Enterprise governance hardening: - Add explicit /.github/ ownership to CODEOWNERS where missing. - Add top-level least-privilege permissions (default contents: read) to workflows lacking one, granting only the scopes each needs. - Add timeout-minutes to jobs missing one. YAML hardening only; no build logic, scripts, or step contents changed. Co-Authored-By: Claude Opus 4.8 --- .github/CODEOWNERS | 1 + .github/workflows/autopilot-create-issue.yml | 1 + .github/workflows/autopilot-failure-intake.yml | 1 + .github/workflows/ci.yml | 4 ++++ .github/workflows/codeql.yml | 4 ++++ .github/workflows/pages.yml | 2 ++ .github/workflows/pr-lint.yml | 5 +++++ .github/workflows/runner-health.yml | 1 + .github/workflows/runner-smoke-test.yml | 3 +++ .github/workflows/stale.yml | 6 ++++++ 10 files changed, 28 insertions(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 2ad92cf..9aebb81 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1,2 @@ * @Coding-Autopilot-System/core +/.github/ @Coding-Autopilot-System/core diff --git a/.github/workflows/autopilot-create-issue.yml b/.github/workflows/autopilot-create-issue.yml index 3ab49ab..e1e7cda 100644 --- a/.github/workflows/autopilot-create-issue.yml +++ b/.github/workflows/autopilot-create-issue.yml @@ -15,6 +15,7 @@ jobs: create-issue: if: ${{ github.event.workflow_run.conclusion == 'failure' }} runs-on: ubuntu-latest + timeout-minutes: 10 steps: - name: Create or update issue uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 diff --git a/.github/workflows/autopilot-failure-intake.yml b/.github/workflows/autopilot-failure-intake.yml index 42bb023..1410bf0 100644 --- a/.github/workflows/autopilot-failure-intake.yml +++ b/.github/workflows/autopilot-failure-intake.yml @@ -14,6 +14,7 @@ jobs: create-issue: if: ${{ github.event.workflow_run.conclusion == 'failure' }} runs-on: ubuntu-latest + timeout-minutes: 10 env: GH_TOKEN: ${{ github.token }} steps: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c3a12e..88c9a9d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,9 +6,13 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8beec42..c33c38f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -4,10 +4,14 @@ on: branches: [ "main", "master" ] pull_request: branches: [ "main", "master" ] +permissions: + contents: read + jobs: analyze: name: Analyze runs-on: ubuntu-latest + timeout-minutes: 15 permissions: actions: read contents: read diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 6c1d78d..b7bf3d2 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -14,6 +14,7 @@ concurrency: jobs: build: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 @@ -29,6 +30,7 @@ jobs: name: github-pages url: ${{ steps.deployment.outputs.page_url }} runs-on: ubuntu-latest + timeout-minutes: 10 needs: build steps: - name: Deploy to GitHub Pages diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 2f71474..afc713b 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -3,9 +3,14 @@ on: pull_request: types: ['opened', 'edited', 'reopened', 'synchronize'] +permissions: + contents: read + pull-requests: read + jobs: main: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: amannn/action-semantic-pull-request@v5 env: diff --git a/.github/workflows/runner-health.yml b/.github/workflows/runner-health.yml index e713e58..3c2af2e 100644 --- a/.github/workflows/runner-health.yml +++ b/.github/workflows/runner-health.yml @@ -13,6 +13,7 @@ permissions: jobs: check-runner: runs-on: ubuntu-latest + timeout-minutes: 15 env: GH_TOKEN: ${{ secrets.RUNNER_PAT || github.token }} RUNNER_NAME: MyLocalPC diff --git a/.github/workflows/runner-smoke-test.yml b/.github/workflows/runner-smoke-test.yml index 84b613f..3001899 100644 --- a/.github/workflows/runner-smoke-test.yml +++ b/.github/workflows/runner-smoke-test.yml @@ -3,6 +3,9 @@ name: Runner Smoke Test on: workflow_dispatch: +permissions: + contents: read + jobs: smoke-test: runs-on: [self-hosted, Windows] diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 987cba1..6d4fb1b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,9 +3,15 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + issues: write + pull-requests: write + jobs: stale: runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: actions/stale@v8 with: