Fix potential github action smells #9478

Open
wants to merge 2 commits into
base: main

Conversation

ceddy4395

Hey! 🙂
I've made the following changes to your workflow:

  • Avoid jobs without timeouts
    • Jobs without a timeout can cause runners to be occupied when some process falls into an infinite loop or has multiple retries to perform a certain task, which will inevitably fail. Furthermore, it is also useful to be notified when a test-suite all of a sudden takes a lot longer than it used to, considering keeping tests fast is a good practice.
  • Use commit hash instead of tags for action versions
    • When using a tag as version, the code related to the tag can be changed after the tag is created, whereas when using the commit hash this cannot. Therefore, for consistency and security a commit hash should be used.
  • Define permissions for workflows with external actions
    • Permissions should be used when running actions written by other developers because there may be security leaks exposed through these actions.

(These changes are part of a research study at TU Delft looking at GitHub Action Smells. Find out more)

Closes: #

  • Docs
  • Tests

Testing Strategy:

- Avoid jobs without timeouts
- Use commit hash instead of tags for action versions
- Define permissions for workflows with external actions
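To make the three smells listed in the description checkable rather than something a reviewer has to spot by eye, here is a small audit script. It is an added example written for this thread, not code from the PR, the Remix repository or the TU Delft study. It scans workflow text line by line without a YAML library, so it assumes the usual layout (`jobs:` and `permissions:` at column 0, job names indented two spaces, job-level keys indented four) and reports actions not pinned to a full 40-hex commit SHA, SHA pins that lack a version comment, workflows that use external actions without a top-level `permissions` block, and jobs without `timeout-minutes`. The two workflow snippets inside are constructed samples; the checkout SHA is the one from this PR's diff.

```python
import re

# Full-length commit SHA: the only ref form a moved tag cannot silently change.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "uses:" either as a step ("- uses:" / "uses:") or as a reusable-workflow call.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
# Assumption: job names sit at exactly two spaces under a column-0 "jobs:" key.
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")
# Job-level timeout sits at four spaces; deeper step-level timeouts are ignored.
JOB_TIMEOUT_RE = re.compile(r"^    timeout-minutes:\s*\d+")
# A trailing "# v4" / "# v4.1.2" comment that records which release a SHA pin means.
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d")


def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (smell, detail) pairs found in one GitHub Actions workflow file."""
    findings: list[tuple[str, str]] = []
    lines = text.splitlines()
    has_top_permissions = any(line.startswith("permissions:") for line in lines)
    uses_external = False

    for line in lines:
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # repo-local or container actions are not marketplace dependencies
        uses_external = True
        if "@" not in ref:
            findings.append(("unpinned-action", f"{ref} (no ref given)"))
            continue
        action, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(("unpinned-action", f"{action}@{version}"))
        elif not VERSION_COMMENT_RE.search(line):
            # A bare SHA is unreadable and hard to bump; keep the tag in a comment.
            findings.append(("sha-without-version-comment", ref))

    if uses_external and not has_top_permissions:
        findings.append(("missing-permissions",
                         "external actions used without a top-level permissions block"))

    # Walk the "jobs:" block and record whether each job declares a timeout.
    in_jobs = False
    current_job = None
    job_has_timeout: dict[str, bool] = {}
    for line in lines:
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line and not line.startswith(" "):
            in_jobs = False  # the next column-0 key ends the jobs block
        if not in_jobs:
            continue
        jm = JOB_RE.match(line)
        if jm:
            current_job = jm.group(1)
            job_has_timeout.setdefault(current_job, False)
        elif current_job and JOB_TIMEOUT_RE.match(line):
            job_has_timeout[current_job] = True

    for job, ok in job_has_timeout.items():
        if not ok:
            findings.append(("missing-timeout", f"job '{job}' has no timeout-minutes"))
    return findings


# Constructed sample: the shape of a release workflow before this PR's changes.
SMELLY_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
      - uses: pnpm/action-setup@v3
"""

# Constructed sample with all three smells fixed (checkout SHA taken from the PR diff).
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout repo
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for name, wf in (("smelly", SMELLY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "clean")
```

Run it as a script to see the four findings for the first sample and `clean` for the second, or call `audit_workflow()` on the contents of each file under `.github/workflows/` from a pre-merge check. The `permissions` check is deliberately coarse: a job-level `permissions:` block also restricts the token, so a workflow that scopes every job individually will be flagged even though it is fine.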

changeset-bot bot commented May 22, 2024

⚠️ No Changeset found

Latest commit: 0bafdae

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


remix-cla-bot bot commented May 22, 2024

Hi @ceddy4395,

Welcome, and thank you for contributing to Remix!

Before we consider your pull request, we ask that you sign our Contributor License Agreement (CLA). We require this only once.

You may review the CLA and sign it by adding your name to contributors.yml.

Once the CLA is signed, the CLA Signed label will be added to the pull request.

If you have already signed the CLA and received this response in error, or if you have any questions, please contact us at [email protected].

Thanks!

- The Remix team

Add ceddy4395 as a contributor

remix-cla-bot bot commented May 22, 2024

Thank you for signing the Contributor License Agreement. Let's get this merged! 🥳

outputs:
published_packages: ${{ steps.changesets.outputs.publishedPackages }}
published: ${{ steps.changesets.outputs.published }}
steps:
- name: ⬇️ Checkout repo
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
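Review bot: the trailing comment on the `uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4` line records only the major version; put the exact release tag the SHA resolves to there (something like `# v4.x.y`, using the real tag), because that comment is what a reader uses to know which release is pinned and what Dependabot's version updates for SHA-pinned actions use to bump the pin. That also addresses the concern raised below that pinning freezes the action: with a bumpable version comment, updates still arrive, but through a reviewed pull request instead of silently whenever the `v4` tag is moved.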
Contributor
This action is maintained by Github, there should not be any security/breaking changes issues. By pinning to a specific commit hash, you're limiting yourself from potential improvements to the current major version.

This is the same for pnpm and changesets, both are maintained by their respective organization.

Contributor

I agree, I think we're fine keeping the numerical versions for these jobs

@@ -20,20 +25,21 @@ jobs:
github.repository == 'remix-run/remix' &&
!contains(github.ref, 'nightly')
runs-on: ubuntu-latest
timeout-minutes: 2
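Review bot: `timeout-minutes: 2` on this release job is below the run times reviewers report for it (3-5 minutes), so it would fail healthy runs rather than only hung ones; choose a value comfortably above the slowest normal run, for example `timeout-minutes: 15`. Any explicit value is still an improvement on the 360-minute default a job gets without one, so the fix is to raise the number, not to drop the line.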
Contributor

@alcpereira alcpereira May 28, 2024


For this job, I don't think 2 minutes is enough, but core maintainers can confirm.
Releases are probably closely monitored, so I don't think there is a real use case to this limit.

Contributor

I agree - a quick peek at past runs shows we've had a few jobs in the 3-5 minute range so I wouldn't go lower than 10-15m here if it's just intended to catch true runaway/hung jobs. Anything under that could result in false positives if GitHub's infra is slowed down.

@@ -9,6 +9,11 @@ on:
- "!release-manual"
- "!release-manual-*"

permissions:
contents: write
pull-requests: write
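Review bot: the new top-level `permissions:` block changes the token's scope in a way the hunk does not explain: once any scope is listed, every unlisted scope of `GITHUB_TOKEN` becomes `none`, so this is more restrictive than the repository's default permissive token, not merely more explicit. Add a one-line comment above `contents: write` saying so, and confirm that `contents: write` and `pull-requests: write` are exactly what the release step needs (pushing tags and commits, opening the version PR); if other jobs in this workflow only read, set `contents: read` at the top level and raise scopes on the release job alone.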
Contributor

Do you have links to what these are doing versus what the default permissions are? Is this more restrictive? Or just more explicit?

@brophdawg11 brophdawg11 added github_actions Pull requests that update GitHub Actions code labels Jun 5, 2024