
GitHub Actions workflow updates#3444

Merged
desrosj merged 3 commits into trunk from workflow-updates on May 13, 2026

Conversation

@johnbillion
Member

This updates the GitHub Actions workflow files to:

  • Grant minimally-scoped permissions to each job to adhere to the principle of least privilege
  • Specify a timeout on each job to prevent runaway processes consuming too many minutes (the default is 360)

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

References

Contributor

Copilot AI left a comment


Pull request overview

This PR tightens GitHub Actions security posture across the repository by defaulting workflows to no token permissions and then granting only the minimal permissions needed per job, while also adding per-job timeouts to avoid runaway runs consuming excessive minutes.

Changes:

  • Set workflow-level permissions: {} to disable all scopes by default across workflows.
  • Add job-level permissions scoped to the minimum required (e.g., issues: write, contents: read/write, projects: write).
  • Add timeout-minutes to jobs to cap execution time (typically 10–30 minutes depending on the workflow).

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Summary per file (File / Description):

.github/workflows/self-assign-issue.yml
    Defaults token permissions to none; adds job timeout and issues: write for issue assignment/labeling.
.github/workflows/review-instructions.yml
    Defaults token permissions to none; adds job timeout and issues: write to post review-instruction comments.
.github/workflows/published-content.yml
    Defaults token permissions to none; adds job timeout and issues: write for labeling/closing via gh.
.github/workflows/linters.yml
    Defaults token permissions to none; adds job timeout and contents: read for checkout and linting.
.github/workflows/label-feedback-from-issue.yml
    Defaults token permissions to none; adds job timeout and issues: write for labeling via github-script.
.github/workflows/label-feedback-from-comment.yml
    Defaults token permissions to none; adds job timeout and issues: write for labeling via github-script.
.github/workflows/incomplete-workflows/automate-review-documentation.yml
    Defaults token permissions to none; adds job timeout and issues: write to post a "Ready for Review" comment.
.github/workflows/incomplete-workflows/add-to-project-when-labeled.yml
    Defaults token permissions to none; adds job timeouts and issues: read / projects: write for adding items to projects.
.github/workflows/i18n.yml
    Defaults token permissions to none; adds job timeout and contents: write for committing/pushing updated translation strings.
.github/workflows/content-checklist-from-issue.yml
    Defaults token permissions to none; sets issues: write on reusable-workflow call jobs for checklist commenting/labeling.
.github/workflows/content-checklist-from-comment.yml
    Defaults token permissions to none; sets issues: write on reusable-workflow call jobs for checklist commenting/labeling.
.github/workflows/comment-with-checklist.yml
    Defaults token permissions to none; adds job timeout and issues: write for reusable workflow that comments/adds labels.
.github/workflows/build.yml
    Defaults token permissions to none; adds job timeout and contents: write for pushing to the build branch.

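The hardening that the PR description and Copilot's change summary above both describe, as an added example that is not part of this PR or the project's workflows: a constructed workflow before and after the change (workflow-level `permissions: {}`, a job-level `issues: write`, a `timeout-minutes` cap), plus a small audit using Ruby's standard-library yaml that flags jobs still inheriting the repository's default token scopes or running without a timeout. The workflow names, the `label` and `checklist` job names and the `gh issue edit` step are assumptions for illustration; the reusable-workflow path is the one listed in the file summary.

```ruby
# Added example (not part of this PR or the project): constructed workflows
# before and after the hardening described in the PR, plus an audit that flags
# jobs inheriting default token scopes or running without a timeout.
require 'yaml'

# GitHub's built-in per-job limit when timeout-minutes is not set.
DEFAULT_TIMEOUT_MINUTES = 360

# Constructed "before": no permissions block at either level, so the job token
# gets whatever the repository's Workflow permissions setting allows, and no
# timeout, so a hung step can bill the full 360 minutes.
BEFORE = <<~YAML
  name: Label new issues
  on:
    issues:
      types: [opened]
  jobs:
    label:
      runs-on: ubuntu-latest
      steps:
        - run: gh issue edit "$NUMBER" --add-label triage
          env:
            GH_TOKEN: "${{ github.token }}"
            NUMBER: "${{ github.event.issue.number }}"
YAML

# Constructed "after": deny everything at workflow level, then grant the one
# scope this job needs and cap its runtime.
AFTER = <<~YAML
  name: Label new issues
  on:
    issues:
      types: [opened]
  permissions: {}
  jobs:
    label:
      runs-on: ubuntu-latest
      timeout-minutes: 10
      permissions:
        issues: write
      steps:
        - run: gh issue edit "$NUMBER" --add-label triage
          env:
            GH_TOKEN: "${{ github.token }}"
            NUMBER: "${{ github.event.issue.number }}"
YAML

# Constructed caller of a reusable workflow: such jobs may set permissions but
# not timeout-minutes (the called workflow's own jobs carry the timeout).
CALLER = <<~YAML
  name: Checklist from issue
  on:
    issues:
      types: [opened]
  permissions: {}
  jobs:
    checklist:
      uses: ./.github/workflows/comment-with-checklist.yml
      permissions:
        issues: write
YAML

# Returns an array of finding strings; an empty array means the workflow passes.
# Psych follows YAML 1.1, so the unquoted `on:` key parses as the boolean true;
# the audit never reads that key, so this is harmless here.
def audit_workflow(text)
  wf = YAML.safe_load(text)
  findings = []
  top = wf['permissions']
  findings << 'workflow: no top-level permissions block' if top.nil?
  findings << 'workflow: permissions write-all' if top == 'write-all'

  (wf['jobs'] || {}).each do |name, job|
    perms = job['permissions']
    if perms.nil? && top.nil?
      # Neither level is explicit: the token falls back to the repository setting.
      findings << "job #{name}: inherits repository default token scopes"
    elsif perms == 'write-all'
      findings << "job #{name}: permissions write-all"
    end

    # Reusable-workflow call jobs cannot carry timeout-minutes; skip that check.
    next if job.key?('uses')

    timeout = job['timeout-minutes']
    if timeout.nil?
      findings << "job #{name}: no timeout-minutes (default is #{DEFAULT_TIMEOUT_MINUTES})"
    elsif timeout.to_i >= DEFAULT_TIMEOUT_MINUTES
      findings << "job #{name}: timeout-minutes #{timeout} does not lower the default"
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  { 'before' => BEFORE, 'after' => AFTER, 'caller' => CALLER }.each do |label, text|
    findings = audit_workflow(text)
    puts "#{label}: #{findings.empty? ? 'OK' : findings.join('; ')}"
  end
end
```

Running the script reports three findings for the "before" workflow and none for the other two. The workflow-level `permissions: {}` is what makes the follow-up repository setting change safe: once every workflow denies by default and grants per job, switching Settings -> Actions -> Workflow permissions to read-only changes nothing for these workflows and only removes the fallback for any future workflow that forgets a permissions block.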
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@desrosj desrosj merged commit 07407d1 into trunk May 13, 2026
1 check passed
@desrosj desrosj deleted the workflow-updates branch May 13, 2026 13:41
@desrosj
Member

desrosj commented May 13, 2026

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

Setting has been updated.

3 participants