From 193993d312225cd9d1354a2f77fa9f18e3fea2a8 Mon Sep 17 00:00:00 2001
From: Pigbibi <20649888+Pigbibi@users.noreply.github.com>
Date: Wed, 10 Jun 2026 20:49:36 +0800
Subject: [PATCH] Apply audit remediation

---
 .github/workflows/capture-screen.yml        | 4 ++++
 .github/workflows/ci.yml                    | 4 ++++
 .github/workflows/dependabot_auto_merge.yml | 1 +
 .github/workflows/diagnose.yml              | 4 ++++
 .github/workflows/main.yml                  | 5 +++++
 .github/workflows/remote-maintenance.yml    | 4 ++++
 6 files changed, 22 insertions(+)

diff --git a/.github/workflows/capture-screen.yml b/.github/workflows/capture-screen.yml
index f877608..9695647 100644
--- a/.github/workflows/capture-screen.yml
+++ b/.github/workflows/capture-screen.yml
@@ -24,6 +24,10 @@ env:
   GCP_WORKLOAD_IDENTITY_PROVIDER: projects/303168642265/locations/global/workloadIdentityPools/github-actions/providers/github-ibkr-gateway-main
   GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: ibkr-gateway-deploy@interactivebrokersquant.iam.gserviceaccount.com
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   capture:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9963ed9..79014cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,9 +5,13 @@ on:
     branches: [ main ]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
         uses: actions/checkout@v6
diff --git a/.github/workflows/dependabot_auto_merge.yml b/.github/workflows/dependabot_auto_merge.yml
index bf7a789..9d605e8 100644
--- a/.github/workflows/dependabot_auto_merge.yml
+++ b/.github/workflows/dependabot_auto_merge.yml
@@ -9,6 +9,7 @@ jobs:
   auto-merge:
     if: github.event.workflow_run.conclusion == 'success' && startsWith(github.event.workflow_run.head_branch, 'dependabot/')
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     permissions:
       contents: write
       pull-requests: write
diff --git a/.github/workflows/diagnose.yml b/.github/workflows/diagnose.yml
index f48170f..4c593a8 100644
--- a/.github/workflows/diagnose.yml
+++ b/.github/workflows/diagnose.yml
@@ -12,6 +12,10 @@ env:
   GCP_WORKLOAD_IDENTITY_PROVIDER: projects/303168642265/locations/global/workloadIdentityPools/github-actions/providers/github-ibkr-gateway-main
   GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: ibkr-gateway-deploy@interactivebrokersquant.iam.gserviceaccount.com
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   diagnose:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1eccff4..d5ba28e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -34,9 +34,14 @@ on:
         default: false
         type: boolean
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   select-targets:
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     outputs:
       matrix: ${{ steps.targets.outputs.matrix }}
     env:
diff --git a/.github/workflows/remote-maintenance.yml b/.github/workflows/remote-maintenance.yml
index 49bbe5f..7d23717 100644
--- a/.github/workflows/remote-maintenance.yml
+++ b/.github/workflows/remote-maintenance.yml
@@ -20,6 +20,10 @@ env:
   GCP_WORKLOAD_IDENTITY_PROVIDER: projects/303168642265/locations/global/workloadIdentityPools/github-actions/providers/github-ibkr-gateway-main
   GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: ibkr-gateway-deploy@interactivebrokersquant.iam.gserviceaccount.com
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 jobs:
   maintenance:
     runs-on: ubuntu-latest