chore: revamp gha workflows

.github/dependabot.yml

@@ -1,10 +1,10 @@
 version: 2
 updates:
-    - package-ecosystem: "npm"
-      directory: "/"
-      schedule:
-          interval: "weekly"
-    - package-ecosystem: "github-actions"
-      directory: "/"
-      schedule:
-          interval: "weekly"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/code_health.yaml

@@ -5,35 +5,13 @@ on:
     branches:
       - main
   pull_request:
-jobs:
-  check-style:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: package.json
-          cache: "npm"
-      - name: Install dependencies
-        run: npm ci
-      - name: Run style check
-        run: npm run check
 
-  check-generate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: package.json
-          cache: "npm"
-      - name: Install dependencies
-        run: npm ci
-      - run: npm run generate
+permissions: {}
 
+jobs:
   run-tests:
+    name: Run MongoDB tests
+    if: github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -59,6 +37,8 @@ jobs:
           path: coverage/lcov.info
 
   run-atlas-tests:
+    name: Run Atlas tests
+    if: github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
@@ -81,10 +61,12 @@ jobs:
         with:
           name: atlas-test-results
           path: coverage/lcov.info
+
   coverage:
+    name: Run MongoDB tests
+    if: always() && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     needs: [run-tests, run-atlas-tests]
-    if: always()
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

.github/workflows/code_health_fork.yaml

@@ -0,0 +1,106 @@
+---
+name: Code Health (fork)
+on:
+  pull_request_target:
+    branches:
+      - main
+
+permissions: {}
+
+jobs:
+  run-tests:
+    name: Run MongoDB tests
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        run: npm test
+      - name: Upload test results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: test-results
+          path: coverage/lcov.info
+
+  run-atlas-tests:
+    name: Run Atlas tests
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        env:
+          MDB_MCP_API_CLIENT_ID: ${{ secrets.TEST_ATLAS_CLIENT_ID }}
+          MDB_MCP_API_CLIENT_SECRET: ${{ secrets.TEST_ATLAS_CLIENT_SECRET }}
+          MDB_MCP_API_BASE_URL: ${{ vars.TEST_ATLAS_BASE_URL }}
+        run: npm test -- --testPathIgnorePatterns "tests/integration/tools/mongodb" --testPathIgnorePatterns "tests/integration/[^/]+\.ts"
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: atlas-test-results
+          path: coverage/lcov.info
+
+  coverage:
+    name: Report Coverage
+    if: always() && github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    runs-on: ubuntu-latest
+    needs: [run-tests, run-atlas-tests]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Download test results
+        uses: actions/download-artifact@v4
+        with:
+          name: test-results
+          path: coverage/mongodb
+      - name: Download atlas test results
+        uses: actions/download-artifact@v4
+        with:
+          name: atlas-test-results
+          path: coverage/atlas
+      - name: Merge coverage reports
+        run: |
+          npx -y [email protected] "coverage/*/lcov.info" "coverage/lcov.info"
+      - name: Coveralls GitHub Action
+        uses: coverallsapp/[email protected]
+        with:
+          file: coverage/lcov.info
+          git-branch: ${{ github.head_ref || github.ref_name }}
+          git-commit: ${{ github.event.pull_request.head.sha || github.sha }}
+
+  merge-dependabot-pr:
+    name: Merge Dependabot PR
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+    needs:
+      - coverage
+    steps:
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/codeql.yml

@@ -1,37 +1,34 @@
 name: "CodeQL Advanced"
 
 on:
-    push:
-        branches: ["main"]
-    pull_request:
-        branches: ["main"]
-    schedule:
-        - cron: "35 4 * * 4"
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "35 4 * * 4"
 
 jobs:
-    analyze:
-        name: Analyze (${{ matrix.language }})
-        runs-on: ubuntu-latest
-        permissions:
-            security-events: write
-            packages: read
-            actions: read
-            contents: read
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
-        strategy:
-            fail-fast: false
-            matrix:
-                language:
-                    - actions
-                    - javascript-typescript
-        steps:
-            - name: Checkout repository
-              uses: actions/checkout@v4
-            - name: Initialize CodeQL
-              uses: github/codeql-action/init@v3
-              with:
-                  languages: ${{ matrix.language }}
-            - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v3
-              with:
-                  category: "/language:${{matrix.language}}"
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - actions
+          - javascript-typescript
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/lint.yml

@@ -0,0 +1,37 @@
+---
+name: Lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions: {}
+
+jobs:
+  check-style:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run style check
+        run: npm run check
+
+  check-generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - run: npm run generate

.github/workflows/prepare_release.yaml

@@ -10,6 +10,8 @@ on:
         required: true
         default: "patch"
 
+permissions: {}
+
 jobs:
   create-pr:
     runs-on: ubuntu-latest

.github/workflows/publish.yaml

@@ -4,11 +4,11 @@ on:
   push:
     branches:
       - main
-permissions:
-  contents: write
+
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       VERSION_EXISTS: ${{ steps.check-version.outputs.VERSION_EXISTS }}
       VERSION: ${{ steps.get-version.outputs.VERSION }}
@@ -45,7 +45,10 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     environment: Production
-    needs: check
+    permissions:
+      contents: write
+    needs:
+      - check
     if: needs.check.outputs.VERSION_EXISTS == 'false'
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1

.prettierrc.json

@@ -27,7 +27,7 @@
       }
     },
     {
-      "files": "*.yaml",
+      "files": ["*.yaml", "*.yml"],
       "options": {
         "tabWidth": 2,
         "printWidth": 80