GitHub Actions workflow updates

[johnbillion]

This updates the GitHub Actions workflow files to:

• Grant minimally-scoped permissions to each job to adhere to the principle of least privilege
• Specify a timeout on each job to prevent runaway processes consuming too many minutes (the default is 360)

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

References

• https://docs.github.com/en/actions/reference/security/secure-use
• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idtimeout-minutes

Use of AI

Claude Code was used to create the initial changes. All permissions and timeouts changes were reviewed and adjusted by me where necessary.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @felixarntz.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Unlinked contributors: felixarntz.

Co-authored-by: johnbillion <johnbillion@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>
Co-authored-by: desrosj <desrosj@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.12%. Comparing base (6317042) to head (2616b8d).

Additional details and impacted files

@@            Coverage Diff            @@
##              trunk     #235   +/-   ##
=========================================
  Coverage     88.12%   88.12%           
  Complexity     1213     1213           
=========================================
  Files            60       60           
  Lines          3934     3934           
=========================================
  Hits           3467     3467           
  Misses          467      467           

Flag	Coverage Δ
unit	88.12% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Updates GitHub Actions workflows to follow least-privilege permissions and add per-job timeouts to prevent runaway executions.

Changes:

• Disable default workflow token permissions (permissions: {}) and move required permissions to the job level.
• Add timeout-minutes: 20 to PHP lint/test jobs and the props-bot job.
• Clarify permission intent with inline comments in workflow YAML.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/props-bot.yml	Refines job-level permissions and keeps a job timeout for the props-bot workflow.
.github/workflows/php-test.yml	Disables default permissions, adds a job timeout, and grants contents: read for checkout.
.github/workflows/php-lint.yml	Disables default permissions, adds a job timeout, and grants contents: read for checkout.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[desrosj]

Gah, forgot the props.

Unprops desrosj.

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

This setting has been adjusted.