Failure type
echidna has many workflow jobs without explicit timeout-minutes.
Evidence
On 2026-06-06, echidna has 44 open Hypatia alerts under hypatia/workflow_audit/missing_timeout_minutes.
Local workflow scan shows many jobs under .github/workflows/ with no explicit timeout, while a few already declare one, e.g. hypatia-scan.yml, codeql.yml, and part of container-ci.yml.
Expected behavior
This should be a workflow-security/control hygiene bucket, suitable for mechanical PRs after canary validation.
Route
Suggested route: rhodibot or robot-repo-automaton PR-only. Use a conservative timeout matrix based on workflow class:
- quick lint/governance: 5-10 minutes;
- build/test: 20-60 minutes;
- formal/prover/live jobs: explicit longer values with rationale.
Safety notes
Do not blindly set every job to 10 minutes. Some echidna jobs are formal verification, live provers, container builds, or fuzzing and need proportional limits.
Acceptance criteria
- Every workflow job has explicit
timeout-minutes.
- Long-running jobs document why their timeout is high.
- Hypatia stops reporting the 44 timeout findings after scan rerun.
- The fix is delivered as a PR, not direct mass mutation.
Failure type
echidnahas many workflow jobs without explicittimeout-minutes.Evidence
On 2026-06-06,
echidnahas 44 open Hypatia alerts underhypatia/workflow_audit/missing_timeout_minutes.Local workflow scan shows many jobs under
.github/workflows/with no explicit timeout, while a few already declare one, e.g.hypatia-scan.yml,codeql.yml, and part ofcontainer-ci.yml.Expected behavior
This should be a workflow-security/control hygiene bucket, suitable for mechanical PRs after canary validation.
Route
Suggested route:
rhodibotorrobot-repo-automatonPR-only. Use a conservative timeout matrix based on workflow class:Safety notes
Do not blindly set every job to 10 minutes. Some
echidnajobs are formal verification, live provers, container builds, or fuzzing and need proportional limits.Acceptance criteria
timeout-minutes.