From 988228682c10cebd1dcbc5c8cbe93b22e3c18b07 Mon Sep 17 00:00:00 2001
From: XhmikosR
Date: Tue, 12 May 2026 13:54:09 +0300
Subject: [PATCH] Harden CI workflows: permissions, concurrency, and timeouts

- Limit branches that trigger CI to `main`
- Add `permissions: contents: read` at workflow level to lint and test
- Add `permissions: checks: write` at job level in test (required by Coveralls)
- Add `concurrency` groups to cancel superseded runs
- Add `timeout-minutes` to all jobs to prevent runaway hangs
---
 .github/workflows/codeql.yml | 1 +
 .github/workflows/lint.yml | 15 ++++++++++++++-
 .github/workflows/test.yml | 18 +++++++++++++++++-
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fa30aca..852ded1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,6 +17,7 @@ jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 permissions:
 actions: read
 contents: read
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 51b71e2..ff8eaf7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,6 +1,18 @@
 name: Lint
-on: [push, pull_request, workflow_dispatch]
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 env:
 FORCE_COLOR: 2
@@ -10,6 +22,7 @@ jobs:
 run:
 name: Lint
 runs-on: ubuntu-latest
+ timeout-minutes: 30
 steps:
 - name: Clone repository
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 544c1d7..54dc608 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
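Review bot: The `timeout-minutes: 30` added to the codeql `analyze` job gives no indication of how the bound was chosen, and the same bare constant is added in the lint.yml `run` job hunk and the test.yml `test` job hunk. A timeout that is hit surfaces as a failed check rather than a hang, so whoever tunes it later needs the intent recorded; I would annotate the first occurrence, e.g. `timeout-minutes: 30  # well above a normal run; a hit here indicates a hang, not a slow job`. Each job definition continues past its hunk, so I cannot see whether per-step timeouts already exist below.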
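Review bot: `cancel-in-progress: true` in this lint.yml hunk and `cancel-in-progress: ${{ github.event_name != 'pull_request' }}` in the first test.yml hunk apply different policies to an identical concurrency group key, while the commit message describes both simply as cancelling superseded runs. Nothing on the page records why pull_request runs of the test workflow must be allowed to finish (presumably so the Coveralls upload across the matrix is not interrupted, but that is an inference). I would state the policy next to each expression, e.g. in test.yml `cancel-in-progress: ${{ github.event_name != 'pull_request' }}  # PR runs always finish; only superseded push/dispatch runs are cancelled`, and in lint.yml `cancel-in-progress: true  # lint has no external reporting, safe to cancel on any event`, so the two files do not drift further apart unnoticed.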
@@ -1,6 +1,18 @@
 name: Tests
-on: [push, pull_request, workflow_dispatch]
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name != 'pull_request' }}
 env:
 FORCE_COLOR: 2
@@ -10,6 +22,10 @@ jobs:
 test:
 name: Node ${{ matrix.node }} - ${{ matrix.architecture }} on ${{ matrix.os }}
 runs-on: ${{ matrix.os }}
+ timeout-minutes: 30
+ permissions:
+ contents: read
+ checks: write # needed by coverallsapp/github-action to post check run status
 strategy:
 fail-fast: false
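Review bot: The job-level `checks: write` in the second hunk is granted to every step of the matrix job, not only to the Coveralls upload step the inline comment cites, so the GITHUB_TOKEN available to the steps that run the test suite and any third-party actions can also create and modify check runs. GitHub Actions has no per-step permissions, so this is the minimum grant that works, but the comment should also say that a job-level `permissions` block replaces the workflow-level one rather than merging with it, which is why `contents: read` has to be repeated here; e.g. `permissions:  # replaces the workflow-level block, so contents: read must be restated`. For pull_request events from forks the token is read-only regardless of this block, so the check-run post would presumably fail unless that step is guarded with an `if:`; the job's steps are outside the hunk, so I cannot confirm whether such a guard exists.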