Check for timeout-minutes in jobs and steps
#1347
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zizmorcore#1023 feat: add basic timeout-minutes audit for GitHub Actions jobs Implements a new audit rule that detects missing timeout-minutes property on GitHub Actions jobs to prevent runaway jobs from consuming runner minutes. What's implemented: - Basic audit structure following existing patterns (unpinned-images) - Detection of missing timeout-minutes on normal jobs - Proper finding generation with medium severity - Integration with pedantic persona - Registration in audit registry What's still needed (for future iterations): - Handle reusable workflows (jobs with 'uses' don't support timeout-minutes directly) - Check step-level timeout-minutes and transitive coverage by job timeouts - Add comprehensive test coverage - Consider different severity levels?
woodruffw
reviewed
Nov 18, 2025
| Ok(Self) | ||
| } | ||
|
|
||
| async fn audit_normal_job<'doc>( |
Member
There was a problem hiding this comment.
The logic here seems pretty deeply nested 🙂 -- maybe we could do this in a "bubble up" style instead, i.e. use audit_step and then check the step's parent (the job) if a timeout is missing?
Contributor
Author
There was a problem hiding this comment.
Good suggestion. I separated out audit_step in f9a4803 but the logic is still quite complex. I wanted to make sure that we don't get reports for both the job and the step when neither set timeout-minutes. Is there a simpler way?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pre-submission checks
Please check these boxes:
Mandatory: This PR corresponds to an issue (if not, please create
one first).
I hereby disclose the use of an LLM or other AI coding assistant in the
creation of this PR. PRs will not be rejected for using AI tools, but
will be rejected for undisclosed use.
If a checkbox is not applicable, you can leave it unchecked.
Summary
Fixes #1023
Towards #1225
This PR builds on the work of @EmmanuelBerkowicz in #1067 and gets the
timeout-minutescheck working.I'm still quite new to Rust so I reimplemented it using what I did in #1227 as a template.
I've included checks for steps as well as jobs. There's an initial check whether any of the steps in a job set
timeout-minutes. If so, we check the other steps to ensure they do, too. If not, we check if the job itself setstimeout-minutes.Test Plan
A test workflow is provided and the test data and snapshots are updated for the existing tests.