From 351249cf687657250cdec60f4f6744d8444c8485 Mon Sep 17 00:00:00 2001
From: Casey Hoover <casey.w.hoover@icloud.com>
Date: Fri, 8 May 2026 02:39:42 +0000
Subject: [PATCH] ci: cap every workflow job at 10 minutes

Adds `timeout-minutes: 10` to every job in `.github/workflows/`. The
platform default is 6 hours, which means a wedged step can burn runner
minutes and block PR checks until someone manually cancels. Recent
Playwright-install stalls on PRs ran for up to 2h50m before being
cancelled by hand; this cap fails fast and surfaces logs so the next
hang can be diagnosed.

Closes #101

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yaml                    | 1 +
 .github/workflows/codeql.yaml                | 1 +
 .github/workflows/dependabot-auto-merge.yaml | 1 +
 .github/workflows/dependency-review.yaml     | 1 +
 .github/workflows/pr-title.yaml              | 1 +
 .github/workflows/release.yaml               | 1 +
 6 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e872f45..0dd2e5a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,6 +13,7 @@ jobs:
   ci:
     name: CI
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 9e4169b..a475378 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -12,6 +12,7 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       security-events: write
       packages: read
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 2d6f62f..f829bd9 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -18,6 +18,7 @@ jobs:
     # Only act on PRs opened by Dependabot.
     if: github.event.pull_request.user.login == 'dependabot[bot]'
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       # Parses the PR to expose update metadata (ecosystem, dependency names,
       # update-type, etc.) as step outputs we can gate on below.
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 57b6b95..8812b93 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -15,6 +15,7 @@ jobs:
   dependency-review:
     name: Dependency Review
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index 9699c79..00b1901 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -11,6 +11,7 @@ jobs:
   lint:
     name: Validate conventional commit format
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 04248ba..81aa9e2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,6 +13,7 @@ jobs:
   release:
     name: Semantic Release
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: