From ae163ade7ba9d4f052eb92d7f21eadcde98f18ca Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 9 Jan 2026 09:28:23 +0100
Subject: [PATCH 1/3] gha: set "read" permissions as default
Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/build.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ec74c5af..9a4ac0ac 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,14 @@
 name: build
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -136,6 +145,9 @@ jobs:
 build:
 runs-on: ubuntu-24.04
+ permissions:
+ # required to create GitHub release
+ contents: write
 steps:
 - name: Checkout
From f5fd80af0ff2d2f75fbfb3e1b300cd84d90d453c Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 9 Jan 2026 09:35:19 +0100
Subject: [PATCH 2/3] gha: add guardrails timeouts to jobs
Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/build.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9a4ac0ac..440d659a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,6 +29,7 @@ env:
 jobs:
 validate:
 runs-on: ubuntu-24.04
+ timeout-minutes: 30 # guardrails timeout for the whole job
 strategy:
 fail-fast: false
 matrix:
@@ -49,6 +50,7 @@ jobs:
 test:
 runs-on: ${{ matrix.os }}
+ timeout-minutes: 30 # guardrails timeout for the whole job
 strategy:
 fail-fast: false
 matrix:
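Review bot: In the `build` job hunk of PATCH 1/3 (`@@ -136,6 +145,9 @@`), `contents: write` is granted at job level, so every step of the job holds a write-capable token on every trigger, not only the step that publishes the release. The triggers visible in PATCH 3/3 include branch pushes and `pull_request`, where no release is created; consider moving release creation into its own job that `needs: build`, is gated with `if: startsWith(github.ref, 'refs/tags/v')`, and alone carries `permissions: contents: write`, leaving `build` on the read-only default. If the Checkout step uses actions/checkout, setting `persist-credentials: false` would also keep the token out of the checked-out repository's git config. The job's remaining steps lie outside the hunk, so which step actually needs write access is inferred from the added comment.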
@@ -124,6 +126,7 @@ jobs:
 test-sandboxed:
 runs-on: ubuntu-24.04
+ timeout-minutes: 30 # guardrails timeout for the whole job
 steps:
 - name: Set up Docker Buildx
@@ -145,6 +148,7 @@ jobs:
 build:
 runs-on: ubuntu-24.04
+ timeout-minutes: 30 # guardrails timeout for the whole job
 permissions:
 # required to create GitHub release
 contents: write
@@ -194,6 +198,7 @@ jobs:
 build-deb:
 runs-on: ubuntu-24.04
+ timeout-minutes: 30 # guardrails timeout for the whole job
 steps:
 - name: Checkout
From 178a3a4e5773c0ae60b9b050f540313167533a1e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 9 Jan 2026 09:43:50 +0100
Subject: [PATCH 3/3] gha: update master branch to main
Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 440d659a..3902186c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,7 +17,7 @@ on:
 workflow_dispatch:
 push:
 branches:
- 'master'
+ - 'main'
 tags:
 - 'v*'
 pull_request: