Summary
No workflow job sets timeout-minutes. A wedged make check or stuck attestation call burns the default six-hour budget; in release.yml it holds the release-${{ github.ref }} concurrency group (cancel-in-progress: false), blocking every subsequent release dispatch.
Scope
Per-job timeout-minutes: guards 5, lint/markdownlint/llms-full-check/goreleaser-check 10, test/coverage/BDD 15, build matrix/security/CodeQL 20, benchstat-regression-guard 25, release verify/goreleaser/proxy-warm 30.
Acceptance criteria
- Every
runs-on: has a sibling timeout-minutes: in the same job.
- A deliberate
sleep 3600 in a test branch fails with a clear timeout.
Source: security-reviewer + devops agents.
Summary
No workflow job sets
timeout-minutes. A wedgedmake checkor stuck attestation call burns the default six-hour budget; inrelease.ymlit holds therelease-${{ github.ref }}concurrency group (cancel-in-progress: false), blocking every subsequent release dispatch.Scope
Per-job
timeout-minutes: guards 5, lint/markdownlint/llms-full-check/goreleaser-check 10, test/coverage/BDD 15, build matrix/security/CodeQL 20, benchstat-regression-guard 25, release verify/goreleaser/proxy-warm 30.Acceptance criteria
runs-on:has a siblingtimeout-minutes:in the same job.sleep 3600in a test branch fails with a clear timeout.Source: security-reviewer + devops agents.