From 8675af6205fdda5d9831b80da83628520833d2a8 Mon Sep 17 00:00:00 2001
From: Pigbibi <20649888+Pigbibi@users.noreply.github.com>
Date: Wed, 10 Jun 2026 20:49:36 +0800
Subject: [PATCH] Apply audit remediation

---
 .github/workflows/ci.yml | 5 ++++-
 .github/workflows/cross_repo_smoke.yml | 8 ++++++++
 .github/workflows/monthly_advisory_review.yml | 7 +++++++
 .github/workflows/publish_advisory_site.yml | 5 +++++
 .github/workflows/weekly_advisory_review.yml | 7 +++++++
 5 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 521cec1..d5af255 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,9 +4,13 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-python@v6
@@ -16,4 +20,3 @@ jobs:
         run: python -m pip install -e ".[test]"
       - name: Run tests
         run: python -m pytest -q
-
diff --git a/.github/workflows/cross_repo_smoke.yml b/.github/workflows/cross_repo_smoke.yml
index 3e02289..87f7693 100644
--- a/.github/workflows/cross_repo_smoke.yml
+++ b/.github/workflows/cross_repo_smoke.yml
@@ -10,9 +10,17 @@ on:
   schedule:
     - cron: "45 11 * * 6"
 
+permissions:
+  contents: read
+
+concurrency:
+  group: cross-repo-advisory-smoke-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   cross-repo-smoke:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Checkout advisor repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/monthly_advisory_review.yml b/.github/workflows/monthly_advisory_review.yml
index 0e0e642..6a7b790 100644
--- a/.github/workflows/monthly_advisory_review.yml
+++ b/.github/workflows/monthly_advisory_review.yml
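Review bot: `actions/checkout@v6` and `actions/setup-python@v6` in the test job are still pinned to mutable major tags, which this remediation leaves unaddressed even though it is the main supply-chain control for a workflow that runs on every `pull_request`; a moved tag silently changes the code the runner executes. Pin each `uses:` to a full-length commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v6`, and let Dependabot's `github-actions` ecosystem move the SHAs. The same applies to the `actions/checkout@v6` lines in cross_repo_smoke.yml, monthly_advisory_review.yml and weekly_advisory_review.yml in this patch. The test job's step list continues past the end of the hunk.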
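Review bot: The concurrency group is hard-coded as `cross-repo-advisory-smoke-${{ github.ref_name }}` while publish_advisory_site.yml in the same patch derives it from `${{ github.workflow }}-${{ github.ref_name }}`; monthly_advisory_review.yml and weekly_advisory_review.yml hard-code their prefixes the same way. A hand-maintained prefix has to be kept unique by eye and collides silently when a workflow file is copied, whereas the workflow-name form is unique by construction, so `group: ${{ github.workflow }}-${{ github.ref_name }}` in all four files would be the consistent choice. The cross-repo-smoke job body continues outside the hunk.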
@@ -50,10 +50,17 @@ on:
   schedule:
     - cron: "20 13 1 * *"
 
+permissions:
+  contents: read
+
+concurrency:
+  group: monthly-advisory-review-${{ github.ref_name }}
+  cancel-in-progress: false
 
 jobs:
   build-monthly-review:
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - name: Checkout advisor repository
         uses: actions/checkout@v6
diff --git a/.github/workflows/publish_advisory_site.yml b/.github/workflows/publish_advisory_site.yml
index 5e7e0c2..03feb3a 100644
--- a/.github/workflows/publish_advisory_site.yml
+++ b/.github/workflows/publish_advisory_site.yml
@@ -56,9 +56,14 @@ permissions:
   id-token: write
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 
 jobs:
   build-site:
     runs-on: ubuntu-latest
+    timeout-minutes: 60
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/weekly_advisory_review.yml b/.github/workflows/weekly_advisory_review.yml
index 234cf38..79cf647 100644
--- a/.github/workflows/weekly_advisory_review.yml
+++ b/.github/workflows/weekly_advisory_review.yml
@@ -45,10 +45,17 @@ on:
   schedule:
     - cron: "30 12 * * 6"
 
+permissions:
+  contents: read
+
+concurrency:
+  group: weekly-advisory-review-${{ github.ref_name }}
+  cancel-in-progress: false
 
 jobs:
   build-review:
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     steps:
       - name: Checkout advisor repository
         uses: actions/checkout@v6
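Review bot: The new `concurrency` block carries no comment explaining why `cancel-in-progress` is `false`, which is the less common setting and the one a later editor is most likely to flip to `true` when a queued run looks stuck. A one-line comment above it such as `# false: a newer trigger waits behind the in-flight review instead of aborting it` records the intent. The same block in weekly_advisory_review.yml and cross_repo_smoke.yml would take the same comment. The build-monthly-review job continues outside the hunk.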
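Review bot: `id-token: write` appears in the `permissions:` block that the hunk header shows as context, which from its position directly above the top-level `concurrency:` and `jobs:` keys looks like the workflow-level block, so every job in this file can mint OIDC tokens, not only build-site, which owns the `github-pages` environment and the `steps.deployment` output. If the workflow has other jobs (not visible here), move `id-token: write` and any other deploy-only scope into a job-level `permissions:` on build-site and leave the workflow default at `contents: read`; if build-site is the only job the two are equivalent today and this is a note for when a second job is added. The build-site job continues outside the hunk.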