diff --git a/.github/policy.rego b/.github/policy.rego
index ef5149aa869dc..2dff0bc887109 100644
--- a/.github/policy.rego
+++ b/.github/policy.rego
@@ -35,6 +35,13 @@ deny_unnecessary_github_token[msg] {
 msg := "Unnecessary use of github-token for actions/github-script."
 }
 
+deny_jobs_without_timeout[msg] {
+ jobs_without_timeout := get_jobs_without_timeout(input.jobs)
+ count(jobs_without_timeout) > 0
+ msg := sprintf("The following jobs are missing timeout-minutes: %s",
+ [concat(", ", jobs_without_timeout)])
+}
+
 ########################### RULE HELPERS ##################################
 get_jobs_without_permissions(jobs) = jobs_without_permissions {
 jobs_without_permissions := { job_id |
@@ -42,3 +49,10 @@ get_jobs_without_permissions(jobs) = jobs_without_permissions {
 not job["permissions"]
 }
 }
+
+get_jobs_without_timeout(jobs) = jobs_without_timeout {
+ jobs_without_timeout := { job_id |
+ job := jobs[job_id]
+ not job["timeout-minutes"]
+ }
+}
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
index 153f763f420a0..d18857ccb517b 100644
--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -100,6 +100,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: devcontainer
 if: github.event_name == 'push'
+ timeout-minutes: 60
 permissions:
 packages: write # to push to ghcr.io
 steps:
diff --git a/.github/workflows/js.yml b/.github/workflows/js.yml
index 59cb565cc802d..fb3229311274d 100644
--- a/.github/workflows/js.yml
+++ b/.github/workflows/js.yml
@@ -26,6 +26,7 @@ jobs:
 js:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 permissions: {}
+ timeout-minutes: 30
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/maintainer-approval.yml b/.github/workflows/maintainer-approval.yml
index 083cff6cef1a8..6bd5816f5104e 100644
--- a/.github/workflows/maintainer-approval.yml
+++ b/.github/workflows/maintainer-approval.yml
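Review bot: `deny_jobs_without_timeout` carries no comment saying why an explicit limit is required or that the rule checks only that the key is present. A job without `timeout-minutes` falls back to GitHub's 360-minute default, so a hung job keeps its runner and credentials for up to six hours. I would add above the rule: `# Jobs without timeout-minutes run up to the 360-minute default; require an explicit per-job limit (presence only, the value is not bounded).` Because any value satisfies the rule, an upper bound on the number would be a reasonable follow-up.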
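Review bot: `not job["timeout-minutes"]` in `get_jobs_without_timeout` also matches jobs that call a reusable workflow through `uses:`, and GitHub Actions does not accept `timeout-minutes` on such jobs, so they could never satisfy the rule. No such job is visible in this diff, so this may not bite today. Adding `not job["uses"]` as a further condition inside the comprehension keeps the policy satisfiable without relaxing it for ordinary jobs.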
@@ -6,6 +6,7 @@ on:
 jobs:
 check:
 runs-on: ubuntu-latest
+ timeout-minutes: 5
 permissions:
 pull-requests: read
 steps:
diff --git a/.github/workflows/recipe-template.yml b/.github/workflows/recipe-template.yml
index 8a6545b42eeb6..a8421968be2a1 100644
--- a/.github/workflows/recipe-template.yml
+++ b/.github/workflows/recipe-template.yml
@@ -87,6 +87,7 @@ jobs:
 cd ${{ github.event.inputs.repository }} && pytest tests --rootdir .
 recipe-windows:
 runs-on: windows-latest
+ timeout-minutes: 120
 permissions: {}
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/recipe.yml b/.github/workflows/recipe.yml
index c6256dee662fe..91ef381e7ff8e 100644
--- a/.github/workflows/recipe.yml
+++ b/.github/workflows/recipe.yml
@@ -54,6 +54,7 @@ jobs:
 recipes-windows:
 if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
 runs-on: windows-latest
+ timeout-minutes: 120
 permissions: {}
 strategy:
 fail-fast: false
diff --git a/.github/workflows/team-review.yml b/.github/workflows/team-review.yml
index 571b6cfd9a341..def1a9675900b 100644
--- a/.github/workflows/team-review.yml
+++ b/.github/workflows/team-review.yml
@@ -8,6 +8,7 @@ jobs:
 review:
 runs-on: ubuntu-latest
 if: ${{ github.event.requested_reviewer.login == 'mlflow-automation'}}
+ timeout-minutes: 5
 permissions:
 pull-requests: write
 steps:
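Review bot: In the recipe-template.yml hunk, the context line `cd ${{ github.event.inputs.repository }} && pytest tests --rootdir .` expands a workflow input straight into what looks like a `run:` script, so the input's text becomes part of the shell command. That line belongs to the step before `recipe-windows` and its enclosing step lies outside the hunk, so the trigger and who may supply the input cannot be confirmed from here. Passing the value through the environment avoids the expansion: add `env:` with `REPOSITORY: ${{ github.event.inputs.repository }}` to the step and run `cd "$REPOSITORY" && pytest tests --rootdir .`. The new `timeout-minutes: 120` itself looks fine.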