From 4341a1d9d666b33470dfa73772ee74b2ab66fb77 Mon Sep 17 00:00:00 2001
From: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app>
Date: Sat, 16 May 2026 00:08:17 +0000
Subject: [PATCH] fix(ci): add 10m timeout to secret-scan job (mc#1099
 follow-up)

Frozen runner holding a runner slot indefinitely blocks all CI.
// Key: infra-sre
---
 .gitea/workflows/secret-scan.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.gitea/workflows/secret-scan.yml b/.gitea/workflows/secret-scan.yml
index 6f1583f4e..bf552b50b 100644
--- a/.gitea/workflows/secret-scan.yml
+++ b/.gitea/workflows/secret-scan.yml
@@ -30,6 +30,11 @@ jobs:
   scan:
     name: Scan diff for credential-shaped strings
     runs-on: ubuntu-latest
+    # Hard CI gate — must complete or the PR is unmergable. 10-minute ceiling
+    # is generous for a diff-scan against a single SHA. If this times out, the
+    # runner is frozen and holding a slot — the step timeout triggers clean
+    # failure, releasing the runner for the next job.
+    timeout-minutes: 10
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-- 
2.52.0