From 8f534d6de1510553fa214848380f169981d49880 Mon Sep 17 00:00:00 2001
From: Pigbibi <20649888+Pigbibi@users.noreply.github.com>
Date: Wed, 10 Jun 2026 20:49:36 +0800
Subject: [PATCH] Apply audit remediation

---
 .github/workflows/ci.yml                    | 4 ++++
 .github/workflows/dependabot_auto_merge.yml | 1 +
 .github/workflows/monthly_publish.yml       | 5 +++++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ca815f6..649af0e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,9 +6,13 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - name: Checkout
         uses: actions/checkout@v6
diff --git a/.github/workflows/dependabot_auto_merge.yml b/.github/workflows/dependabot_auto_merge.yml
index f3f9f1a..a3a4988 100644
--- a/.github/workflows/dependabot_auto_merge.yml
+++ b/.github/workflows/dependabot_auto_merge.yml
@@ -9,6 +9,7 @@ jobs:
   auto-merge:
     if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'dependabot/')
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: write
       pull-requests: write
diff --git a/.github/workflows/monthly_publish.yml b/.github/workflows/monthly_publish.yml
index 36f217d..05cf853 100644
--- a/.github/workflows/monthly_publish.yml
+++ b/.github/workflows/monthly_publish.yml
@@ -5,10 +5,15 @@ name: Monthly Publish
     - cron: "15 3 1 * *"
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   monthly-publish:
     if: github.ref_name != 'logs'
     runs-on:
+    timeout-minutes: 60
       - self-hosted
       - Linux
       - X64