From dafdf556a2d3a7c27527bc196369829aadc02d4f Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 13 May 2026 14:52:04 +0100
Subject: [PATCH 1/2] Grant minimally-scoped permissions.

---
 .github/workflows/deploy.yml | 6 ++++++
 .github/workflows/props-bot.yml | 5 ++---
 .github/workflows/test.yml | 12 ++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b89dfc83..2424eea5 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -8,11 +8,17 @@ on:
 # For readme and asset updates.
 - master
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 deploy:
 name: Deploy to WordPress.org
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write # Required to upload assets to the GitHub release.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
diff --git a/.github/workflows/props-bot.yml b/.github/workflows/props-bot.yml
index 8c72d604..33674128 100644
--- a/.github/workflows/props-bot.yml
+++ b/.github/workflows/props-bot.yml
@@ -50,9 +50,8 @@ jobs:
 name: Generate a list of props
 runs-on: ubuntu-24.04
 permissions:
- # The action needs permission `write` permission for PRs in order to add a comment.
- pull-requests: write
- contents: read
+ pull-requests: write # Required to post the props comment on the pull request.
+ issues: write # Required to remove the props-bot label.
 timeout-minutes: 20
 # The job will run when pull requests are open, ready for review and:
 #
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6b604bf3..a079e858 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
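Review bot: The `Checkout` step shown in the context lines leaves actions/checkout's `persist-credentials` at its default of true, so the `contents: write` token this job now receives is stored in the workspace's .git/config and is available to every later step of the deploy job; unless a later step pushes with git, add `with:` / `persist-credentials: false` under that `uses:` line. The remaining steps of the job are outside the hunk, so whether any of them needs the persisted token cannot be confirmed here. `contents: write` is the narrowest scope GitHub provides for uploading release assets, so the grant itself is correctly sized.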
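Review bot: Removing `contents: read` leaves this job with no contents scope at all, because a job-level `permissions` block sets every unlisted scope to none; if any step of the job (the steps are outside the hunk) checks out the repository or reads files through the API it will now fail with a 403. If no step touches repository contents the removal is correct and worth recording next to the block, e.g. `# No contents scope: this job does not check out the repository.`. The `issues: write` line is justified as written, since pull-request labels are managed through the issues API.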
@@ -9,10 +9,16 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
 lint-js-css:
 name: Lint JS & CSS
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read # Required to clone the repo.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -35,6 +41,8 @@ jobs:
 lint-php-and-compatibility:
 name: Lint PHP & PHP Compatibility checks.
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read # Required to clone the repo.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -65,6 +73,8 @@ jobs:
 test-php:
 name: Test PHP ${{ matrix.php }} ${{ matrix.wp != '' && format( ' (WP {0}) ', matrix.wp ) || '' }}
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read # Required to clone the repo.
 strategy:
 matrix:
 php:
@@ -144,6 +154,8 @@ jobs:
 build:
 name: Build
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read # Required to clone the repo.
 steps:
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

From 4627ba39fb769ad406e5e63a7422f92c74c14b66 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 13 May 2026 14:53:04 +0100
Subject: [PATCH 2/2] Set timeouts on all jobs.

---
 .github/workflows/deploy.yml | 1 +
 .github/workflows/test.yml | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2424eea5..12fe2bed 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,6 +17,7 @@ jobs:
 deploy:
 name: Deploy to WordPress.org
 runs-on: ubuntu-24.04
+ timeout-minutes: 10
 permissions:
 contents: write # Required to upload assets to the GitHub release.
 steps:
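Review bot: The new `timeout-minutes: 10` is inserted above `permissions:` here and in the four test.yml hunks of this patch, while props-bot.yml (touched in the previous patch) keeps `permissions:` before `timeout-minutes: 20`; one ordering across the three workflows would make each job header read the same. Moving the new line below the `contents: write` comment here and in test.yml would match props-bot.yml. The deploy job also gets 10 minutes where every other job gets 20; if that is intentional, a short trailing comment on the line saying why would save the next reader from wondering whether it was a typo.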
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a079e858..308a2620 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,6 +17,7 @@ jobs:
 lint-js-css:
 name: Lint JS & CSS
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
 permissions:
 contents: read # Required to clone the repo.
 steps:
@@ -41,6 +42,7 @@ jobs:
 lint-php-and-compatibility:
 name: Lint PHP & PHP Compatibility checks.
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
 permissions:
 contents: read # Required to clone the repo.
 steps:
@@ -73,6 +75,7 @@ jobs:
 test-php:
 name: Test PHP ${{ matrix.php }} ${{ matrix.wp != '' && format( ' (WP {0}) ', matrix.wp ) || '' }}
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
 permissions:
 contents: read # Required to clone the repo.
 strategy:
@@ -154,6 +157,7 @@ jobs:
 build:
 name: Build
 runs-on: ubuntu-24.04
+ timeout-minutes: 20
 permissions:
 contents: read # Required to clone the repo.
 steps: