Merge branch 'main' into ni/atlas-search

Author: nirinchev

.github/workflows/accuracy-tests.yml

@@ -29,6 +29,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
@@ -39,7 +41,7 @@ jobs:
         run: npm run test:accuracy
       - name: Upload accuracy test summary
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: accuracy-test-summary
           path: .accuracy/test-summary.html

.github/workflows/check.yml

@@ -17,6 +17,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
@@ -31,6 +33,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
@@ -45,6 +49,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json

.github/workflows/cleanup-atlas-env.yml

@@ -13,6 +13,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json

.github/workflows/code-health-fork.yml

@@ -1,18 +1,17 @@
 ---
 name: Code Health (fork)
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   run-tests:
     name: Run MongoDB tests
-    # Code health disabled on forks for now
-    # if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -22,6 +21,8 @@ jobs:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         if: matrix.os == 'ubuntu-latest'
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: docker/setup-docker-action@v4
         if: matrix.os == 'ubuntu-latest'
         name: Setup Docker Environment
@@ -35,9 +36,12 @@ jobs:
         run: npm ci
       - name: Run tests
         run: npm test
+        env:
+          SKIP_ATLAS_TESTS: "true"
+          SKIP_ATLAS_LOCAL_TESTS: "true"
       - name: Upload test results
         if: always() && matrix.os == 'ubuntu-latest'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: test-results
           path: coverage/lcov.info

.github/workflows/code-health-long-running.yml

@@ -11,11 +11,12 @@ permissions: {}
 jobs:
   run-long-running-tests:
     name: Run long running tests
-    if: github.event_name == 'push' || (github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository)
     runs-on: ubuntu-latest
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
@@ -29,7 +30,7 @@ jobs:
           MDB_MCP_API_BASE_URL: ${{ vars.TEST_ATLAS_BASE_URL }}
         run: npm test -- tests/integration/tools/atlas --project=long-running-tests
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         if: always()
         with:
           name: atlas-test-results

.github/workflows/code-health.yml

@@ -6,7 +6,8 @@ on:
       - main
   pull_request:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   run-tests:
@@ -21,6 +22,8 @@ jobs:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         if: matrix.os == 'ubuntu-latest'
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: docker/setup-docker-action@v4
         if: matrix.os == 'ubuntu-latest'
         name: Setup Docker Environment
@@ -39,7 +42,7 @@ jobs:
           SKIP_ATLAS_LOCAL_TESTS: "true"
       - name: Upload test results
         if: always() && matrix.os == 'ubuntu-latest'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: test-results
           path: coverage/lcov.info
@@ -51,6 +54,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
@@ -64,7 +69,7 @@ jobs:
           MDB_MCP_API_BASE_URL: ${{ vars.TEST_ATLAS_BASE_URL }}
         run: npm test -- tests/integration/tools/atlas/
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         if: always()
         with:
           name: atlas-test-results
@@ -77,7 +82,9 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
           cache: "npm"
@@ -86,7 +93,7 @@ jobs:
       - name: Run tests
         run: npm test -- tests/integration/tools/atlas-local/
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         if: always()
         with:
           name: atlas-local-test-results
@@ -99,6 +106,8 @@ jobs:
     needs: [run-tests, run-atlas-tests, run-atlas-local-tests]
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json

.github/workflows/codeql.yml

@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4
         with:

.github/workflows/docker.yml

@@ -15,6 +15,8 @@ jobs:
           config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Check out code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          persist-credentials: false
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
       - name: Login to Docker Hub

.github/workflows/publish.yml

@@ -82,6 +82,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json

.gitignore

@@ -13,3 +13,5 @@ tests/tmp
 coverage
 # Generated assets by accuracy runs
 .accuracy
+
+.DS_Store