ci: fix ignored and missing job-level timeout-minutes

[SuyashJain17]

Proposed change

Resolves #3279

This PR fixes incorrectly defined and missing timeout-minutes settings in the run-ci-cd.yaml workflow.

What was fixed

• Moved existing timeout-minutes definitions to the job level, where GitHub Actions enforces them correctly
• Replaced a step-level timeout with a job-level timeout
• Added job-level timeouts only to long-running and high-risk jobs (tests, scans, Docker builds, and deployments)

What was NOT changed

• No job logic or execution flow was modified
• No steps were added, removed, or reordered
• No CI tooling, scan configuration, or deployment behavior was altered
• Low-risk, short-running jobs remain unchanged

This change strictly improves CI reliability by ensuring stuck or runaway jobs are terminated instead of running until GitHub Actions’ default limit.

Checklist

• Required: I followed the contributing workflow
• Required: I verified that my changes resolve the issue as described
• Required: I ran make check-test locally and all checks passed
• I used AI for review and communication assistance related to this PR

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Updated CI/CD pipeline timeouts: several jobs now have a 5-minute timeout (including steps that previously had none or longer timeouts) and one job’s final image update timeout set to 15 minutes to better align runtimes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Reduced or added timeout-minutes entries across CI workflows: most GitHub Actions steps/jobs set explicit timeout-minutes: 5, several other workflows gain timeout-minutes: 5, and one job (update-nest-test-images) sets timeout-minutes: 15. No other workflow logic changed.

Changes

Cohort / File(s)	Summary
Primary CI workflow .github/workflows/run-ci-cd.yaml	Multiple job/step timeout-minutes values changed or added (mostly set to 5 minutes). No other command, step ordering, or control-flow edits.
Auxiliary workflows — add 5m timeouts .github/workflows/check-pr-issue.yaml, .github/workflows/label-issues.yaml, .github/workflows/label-pull-requests.yaml, .github/workflows/run-code-ql.yaml	Each workflow gained timeout-minutes: 5 on affected steps/jobs (new or adjusted). No behavioral changes.
Image update job .github/workflows/update-nest-test-images.yaml	Added timeout-minutes: 15 to the final docker image update step/job. No other changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci: move permissions to job level #3118: Modifies the same GitHub Actions workflow files and adjusts per-job timeout-minutes settings.
• ci: Add timeout to multiple CI jobs for improved reliability #2867: Also updates .github/workflows/run-ci-cd.yaml to add/adjust timeout-minutes entries.

Suggested reviewers

• kasya

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately describes the main change: fixing ignored and missing job-level timeout-minutes in CI workflows.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining what was fixed and what was not changed.
Linked Issues check	✅ Passed	The PR successfully addresses all objectives from issue #3279: moves timeout-minutes to job level, adds timeouts to long-running/high-risk jobs, and preserves job behavior.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing timeout-minutes placement across workflow files; no out-of-scope modifications to job logic, steps, or CI tooling were introduced.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[arkid15r]

I explained it to you in your previous PR how we want the attributes sorted.

[SuyashJain17]

I misunderstood it earlier, but I’ve now updated the workflow as requested.
Please let me know if there’s anything else you’d like adjusted.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/run-code-ql.yaml:
- Line 61: The workflow timeout is set too low—update the CodeQL job's
timeout-minutes setting (the YAML key "timeout-minutes") from 5 to at least 360
(or minimum 120 for optimized cases) so the CodeQL analysis has enough time to
complete; locate the "timeout-minutes" entry in the run-code-ql.yaml workflow
and change its value accordingly.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc7ebdc and dfcde6b.

📒 Files selected for processing (6)

• .github/workflows/check-pr-issue.yaml
• .github/workflows/label-issues.yaml
• .github/workflows/label-pull-requests.yaml
• .github/workflows/run-ci-cd.yaml
• .github/workflows/run-code-ql.yaml
• .github/workflows/update-nest-test-images.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/run-ci-cd.yaml

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-12-21T19:03:59.068Z

Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

• .github/workflows/label-pull-requests.yaml
• .github/workflows/update-nest-test-images.yaml
• .github/workflows/label-issues.yaml
• .github/workflows/run-code-ql.yaml
• .github/workflows/check-pr-issue.yaml

🔇 Additional comments (4)

.github/workflows/label-issues.yaml (1)

45-45: LGTM!

The timeout-minutes: 5 is correctly placed at the job level and is appropriate for this lightweight labeling operation.

.github/workflows/label-pull-requests.yaml (1)

19-19: LGTM!

The timeout-minutes: 5 is correctly placed at the job level and is appropriate for this lightweight labeling operation.

.github/workflows/update-nest-test-images.yaml (1)

77-77: LGTM!

The timeout-minutes: 15 is correctly placed at the job level. This should be sufficient for building three Docker images with the configured cache layers. If you observe timeouts during cache misses, consider increasing to 20–25 minutes.

.github/workflows/check-pr-issue.yaml (1)

32-32: LGTM!

The timeout-minutes: 5 is correctly placed at the job level and is appropriate for this PR validation workflow.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}