There is a sin of omission as well as of commission.
I recommend to use timeout-minutes
together with as easy fool proof.
Below is a typical usecase.
name: Description of the workflow
on: pull_request
permissions:
contents: write
pull-requests: write
# checks: read # For private repositories
# actions: read # For private repositories
jobs:
example-of-my-new-action:
runs-on: ubuntu-24.04
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- uses: actions/checkout@v3
- uses: kachick/my-new-action@v1
timeout-minutes: 15
actions/typescript-action is the official template.
However, it does not seem to be updated often.
And applied my favorite environment preparations.