GitHub Actions workflow updates

[johnbillion]

This updates the GitHub Actions workflow files to:

• Grant minimally-scoped permissions to each job to adhere to the principle of least privilege
• Specify a timeout on each job to prevent runaway processes consuming too many minutes (the default is 360)

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

References

• https://docs.github.com/en/actions/reference/security/secure-use
• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idtimeout-minutes

Use of AI

Claude Code was used to create the initial changes. All permissions and timeouts changes were reviewed and adjusted by me where necessary.

[github-actions]

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: johnbillion <johnbillion@git.wordpress.org>
Co-authored-by: masteradhoc <masteradhoc@git.wordpress.org>
Co-authored-by: desrosj <desrosj@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

[Copilot]

Pull request overview

This PR updates the repository’s GitHub Actions workflows to follow least-privilege by default (disabling all GITHUB_TOKEN scopes at the workflow level) and then granting only the required permissions per job, while also adding explicit job timeouts to prevent runaway runs.

Changes:

• Set workflow-level permissions: {} and add job-level permissions blocks scoped to each job’s needs.
• Add timeout-minutes to each job (generally 20 minutes; deploy is 10 minutes).
• Adjust the Props Bot job permissions to include issues: write for label removal.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
.github/workflows/test.yml	Disables default token permissions and adds per-job contents: read plus 20-minute job timeouts.
.github/workflows/props-bot.yml	Updates job permissions for least-privilege, including issues: write to remove labels.
.github/workflows/deploy.yml	Disables default token permissions; sets deploy job timeout and grants contents: write for release asset upload.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[masteradhoc]

Thanks @johnbillion that looks good. Im not able to change the repository settings here as i checked so i'll leave the merge up to someone with this access.

[desrosj]

Once this PR is merged, the Settings -> Actions -> Workflow permissions setting can be changed by a repo admin to "Read repository contents and packages permissions".

Setting updated. Thanks all!