
chore(ci): harden security #3505

Merged
gabrielmfern merged 1 commit into canary from feature/dev-652-react-email-gh-actions-hardening-0-high-2-med-12-low on May 13, 2026

Conversation

@gabrielmfern
Member

@gabrielmfern gabrielmfern commented May 13, 2026

Summary by cubic

Hardened GitHub Actions by enforcing least-privilege permissions, adding job timeouts, and gating secrets to safe contexts. Addresses DEV-652 (0 high / 2 med / 12 low) and reduces risk on forked PRs.

  • Refactors
    • Added top-level read permissions; kept write permissions only where needed. Normalized concurrency blocks.
    • Gated SPAM_ASSASSIN_* and TURBO_* envs to pushes and same-repo PRs; forks get empty values.
    • Added timeouts across CI jobs (10–45 min) to prevent hangs.

Written for commit 080ae45. Summary will update on new commits.

Signed-off-by: gabriel miranda <gabriel@resend.com>
@vercel
Contributor

vercel Bot commented May 13, 2026


| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| react-email | Ready | Preview, Comment | May 13, 2026 5:44pm |
| react-email-demo | Ready | Preview, Comment | May 13, 2026 5:44pm |


@changeset-bot

changeset-bot Bot commented May 13, 2026

⚠️ No Changeset found

Latest commit: 080ae45

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


cubic analysis

No issues found across 9 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Linked issue analysis

Linked issue: DEV-652: [react-email] GH Actions hardening — 0 HIGH / 2 MED / 12 LOW

| Status | Acceptance criteria | Notes |
|---|---|---|
| | Add top-level permissions to release.yml | release.yml now includes a top-level permissions block. |
| | Add top-level permissions to e2e.yml | e2e.yml contains a top-level permissions block (contents: read, pull-requests: read) in the PR. |
| | Add timeout-minutes to the 9 jobs missing timeouts | timeout-minutes was added to the workflow jobs that previously lacked it across the repo. |
| | Prevent PR-triggered workflows from exposing TURBO_TOKEN / SPAM_ASSASSIN_* secrets to fork PRs (guard secrets for same-repo only) | Environment values for SPAM_ASSASSIN_* and TURBO_* are now conditionally set to the secret only for non-pull_request or same-repo PRs, otherwise set to empty. |

Auto-approved: These CI security hardening changes are purely operational and add timeouts and least-privilege permissions without altering any application logic, so they carry minimal risk.
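
The three hardening measures named in the PR summary and in the DEV-652 acceptance criteria above (top-level read-only permissions with write scopes only on the job that needs them, per-job timeouts, and secrets gated to pushes and same-repo PRs) fit together in one workflow as shown below. This is an added illustration written for this page, not the actual diff from PR #3505, which is not reproduced here. The workflow name, job names, step commands, the SPAM_ASSASSIN_HOST secret name and the timeout values are assumptions; TURBO_TOKEN, the SPAM_ASSASSIN_* prefix and the contents: read / pull-requests: read scopes are taken from the PR text.

```yaml
# Added example, not react-email's own workflow. Job names, steps and the
# SPAM_ASSASSIN_HOST secret name are assumptions; TURBO_TOKEN and the
# read-only scopes come from the PR description and the DEV-652 criteria.
name: ci

on:
  push:
    branches: [canary]
  pull_request:

# Workflow-wide default: every job gets a read-only GITHUB_TOKEN unless it
# declares its own `permissions` block (which replaces, not extends, this one).
permissions:
  contents: read
  pull-requests: read

# One active run per workflow and ref; a superseded run of the same PR is cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    # The GitHub default is 360 minutes; a hung job otherwise occupies a runner for six hours.
    timeout-minutes: 20
    env:
      # Weak form the acceptance criterion targets: the secret reference is
      # unconditional, so it is evaluated on every trigger, including fork PRs.
      #   TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      #
      # Hardened form: the value is the secret only on push events and on
      # pull_request events whose head repository is this repository;
      # a PR from a fork resolves to an empty string.
      TURBO_TOKEN: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.TURBO_TOKEN || '' }}
      # Same guard applied to a hypothetical SPAM_ASSASSIN_* secret.
      SPAM_ASSASSIN_HOST: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && secrets.SPAM_ASSASSIN_HOST || '' }}
    steps:
      - uses: actions/checkout@v4
      # Package-manager commands are placeholders for the project's real install/test steps.
      - run: npm ci
      - run: npm test

  release:
    # Runs only for pushes to canary, never for pull_request events.
    if: github.event_name == 'push' && github.ref == 'refs/heads/canary'
    needs: test
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # The only job that widens the token. Because a job-level block replaces
    # the workflow-level one, every scope this job needs must be listed here.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: npm run release
```

Two caveats worth knowing when reviewing a change like this. First, for `pull_request` events from forks GitHub already withholds repository secrets (only GITHUB_TOKEN is passed to the runner), so the guard mainly makes that behaviour explicit in the workflow itself and keeps it in place if someone later switches the trigger to `pull_request_target`, which runs in the base repository's context with its secrets. Second, the `cond && secrets.X || ''` idiom yields an empty string whenever the left branch is empty, so a job that cannot tolerate an empty token should also check for it explicitly rather than rely on the secret being present.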

@gabrielmfern gabrielmfern merged commit 80905f6 into canary May 13, 2026
15 of 16 checks passed
@gabrielmfern gabrielmfern deleted the feature/dev-652-react-email-gh-actions-hardening-0-high-2-med-12-low branch May 13, 2026 17:49