diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 13f2c2e6..782a0ad7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,10 +1,10 @@
 version: 2
 updates:
- - package-ecosystem: "npm"
- directory: "/"
- schedule:
- interval: "weekly"
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "weekly"
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/code_health.yaml b/.github/workflows/code_health.yaml
index 25d81b74..265d1050 100644
--- a/.github/workflows/code_health.yaml
+++ b/.github/workflows/code_health.yaml
@@ -5,35 +5,13 @@ on:
 branches:
 - main
 pull_request:
-jobs:
- check-style:
- runs-on: ubuntu-latest
- steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
- with:
- node-version-file: package.json
- cache: "npm"
- - name: Install dependencies
- run: npm ci
- - name: Run style check
- run: npm run check
- check-generate:
- runs-on: ubuntu-latest
- steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
- with:
- node-version-file: package.json
- cache: "npm"
- - name: Install dependencies
- run: npm ci
- - run: npm run generate
+permissions: {}
+jobs:
 run-tests:
+ name: Run MongoDB tests
+ if: github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
@@ -59,6 +37,8 @@ jobs:
 path: coverage/lcov.info
 run-atlas-tests:
+ name: Run Atlas tests
+ if: github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
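Review bot: The `if` added to `run-tests` in the `@@ -5,35` hunk (and likewise to `run-atlas-tests` in the `@@ -59,6` hunk and `coverage` in the `@@ -81,10` hunk) tests `github.event.pull_request.head.repo.full_name == github.repository`, but this workflow still triggers on `push` to `main`, where `github.event.pull_request` is empty and that comparison is false, so every test job is skipped on pushes to main. Unless skipping on push is intended, gate on the event first: `if: github.event_name != 'pull_request' || (github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository)`. A one-line comment above the condition saying that fork and Dependabot PRs are handled by `code_health_fork.yaml` would also save the next reader from guessing why same-repo PRs are singled out.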
@@ -81,10 +61,12 @@ jobs:
 with:
 name: atlas-test-results
 path: coverage/lcov.info
+
 coverage:
+ name: Run MongoDB tests
+ if: always() && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 needs: [run-tests, run-atlas-tests]
- if: always()
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
diff --git a/.github/workflows/code_health_fork.yaml b/.github/workflows/code_health_fork.yaml
new file mode 100644
index 00000000..bf8c408e
--- /dev/null
+++ b/.github/workflows/code_health_fork.yaml 
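Review bot: The `coverage` job gets `name: Run MongoDB tests`, the same display name the `run-tests` job receives earlier in this commit, while the fork variant added in the same commit calls its coverage job `Report Coverage` — this looks like a copy-paste slip and should read `name: Report Coverage`. Two jobs with one display name also make required-status-check selection in branch protection ambiguous. The job body continues past the end of the hunk.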
@@ -0,0 +1,106 @@
+---
+name: Code Health (fork)
+on:
+ pull_request_target:
+ branches:
+ - main
+
+permissions: {}
+
+jobs:
+ run-tests:
+ name: Run MongoDB tests
+ if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: package.json
+ cache: "npm"
+ - name: Install dependencies
+ run: npm ci
+ - name: Run tests
+ run: npm test
+ - name: Upload test results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: test-results
+ path: coverage/lcov.info
+
+ run-atlas-tests:
+ name: Run Atlas tests
+ if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: package.json
+ cache: "npm"
+ - name: Install dependencies
+ run: npm ci
+ - name: Run tests
+ env:
+ MDB_MCP_API_CLIENT_ID: ${{ secrets.TEST_ATLAS_CLIENT_ID }}
+ MDB_MCP_API_CLIENT_SECRET: ${{ secrets.TEST_ATLAS_CLIENT_SECRET }}
+ MDB_MCP_API_BASE_URL: ${{ vars.TEST_ATLAS_BASE_URL }}
+ run: npm test -- --testPathIgnorePatterns "tests/integration/tools/mongodb" --testPathIgnorePatterns "tests/integration/[^/]+\.ts"
+ - name: Upload test results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: atlas-test-results
+ path: coverage/lcov.info
+
+ coverage:
+ name: Report Coverage
+ if: always() && github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+ runs-on: ubuntu-latest
+ needs: [run-tests, run-atlas-tests]
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: 
package.json
+ cache: "npm"
+ - name: Install dependencies
+ run: npm ci
+ - name: Download test results
+ uses: actions/download-artifact@v4
+ with:
+ name: test-results
+ path: coverage/mongodb
+ - name: Download atlas test results
+ uses: actions/download-artifact@v4
+ with:
+ name: atlas-test-results
+ path: coverage/atlas
+ - name: Merge coverage reports
+ run: |
+ npx -y lcov-result-merger@5.0.1 "coverage/*/lcov.info" "coverage/lcov.info"
+ - name: Coveralls GitHub Action
+ uses: coverallsapp/github-action@v2.3.6
+ with:
+ file: coverage/lcov.info
+ git-branch: ${{ github.head_ref || github.ref_name }}
+ git-commit: ${{ github.event.pull_request.head.sha || github.sha }}
+
+ merge-dependabot-pr:
+ name: Merge Dependabot PR
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
+ needs:
+ - coverage
+ steps:
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 14fa4c3e..34549e44 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
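Review bot: Under `pull_request_target`, the `actions/checkout@v4` steps in `run-tests` and `run-atlas-tests` have no `ref`, so they check out the base branch rather than the fork's head; these jobs therefore exercise `main`, not the PR, and the Coveralls step then attributes that result to `git-commit: ${{ github.event.pull_request.head.sha || github.sha }}`, a commit that was never run. The tempting repair of checking out the head ref must not be applied in this file: it carries `secrets.TEST_ATLAS_CLIENT_SECRET` and a write-capable `GITHUB_TOKEN` in `merge-dependabot-pr`, and `npm ci`/`npm test` execute whatever the checked-out tree contains, which is precisely the exposure `pull_request_target` is meant to keep away from untrusted contributions. A safer shape is to run secret-free fork tests under plain `pull_request`, and keep the Atlas job and the auto-merge restricted to Dependabot PRs (or move them behind a `workflow_run` follow-up); if the current behaviour is intended, a comment above each checkout stating why `ref` is deliberately absent would prevent someone "fixing" it later. Separately, `merge-dependabot-pr` only `needs: [coverage]`, and `coverage` runs under `always()`, so auto-merge is enabled even when `run-tests` or `run-atlas-tests` failed — add both test jobs to `needs`, or gate on `needs.run-tests.result == 'success' && needs.run-atlas-tests.result == 'success'`. The `coverage` condition also needs parentheses, `if: always() && (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository)`, since `&&` binds tighter than `||`.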
@@ -1,37 +1,34 @@
 name: "CodeQL Advanced"
 on:
- push:
- branches: ["main"]
- pull_request:
- branches: ["main"]
- schedule:
- - cron: "35 4 * * 4"
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+ schedule:
+ - cron: "35 4 * * 4"
 jobs:
- analyze:
- name: Analyze (${{ matrix.language }})
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- packages: read
- actions: read
- contents: read
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
- strategy:
- fail-fast: false
- matrix:
- language:
- - actions
- - javascript-typescript
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{matrix.language}}"
+ strategy:
+ fail-fast: false
+ matrix:
+ language:
+ - actions
+ - javascript-typescript
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..c40fb689
--- /dev/null
+++ b/.github/workflows/lint.yml
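Review bot: Dropping `packages: read`, `actions: read` and `contents: read` from the `analyze` job's `permissions` leaves only `security-events: write`, and a job-level `permissions` block sets every unlisted scope to `none`. The CodeQL starter workflow documents those three as required for private repositories and for fetching private CodeQL packs, so this reduction is safe only while the repository is public, which I cannot confirm from the diff. If that is the intent, say so where the scopes were removed: `# packages/actions/contents read are only needed for private repos or private CodeQL packs`.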
@@ -0,0 +1,37 @@
+---
+name: Lint
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+permissions: {}
+
+jobs:
+ check-style:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: package.json
+ cache: "npm"
+ - name: Install dependencies
+ run: npm ci
+ - name: Run style check
+ run: npm run check
+
+ check-generate:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version-file: package.json
+ cache: "npm"
+ - name: Install dependencies
+ run: npm ci
+ - run: npm run generate
diff --git a/.github/workflows/prepare_release.yaml b/.github/workflows/prepare_release.yaml
index 4dbed70b..c08ff47c 100644
--- a/.github/workflows/prepare_release.yaml
+++ b/.github/workflows/prepare_release.yaml
@@ -10,6 +10,8 @@ on:
 required: true
 default: "patch"
+permissions: {}
+
 jobs:
 create-pr:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 2742c649..e8964fa8 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -4,11 +4,11 @@ on:
 push:
 branches:
 - main
-permissions:
- contents: write
+
 jobs:
 check:
 runs-on: ubuntu-latest
+ permissions: {}
 outputs:
 VERSION_EXISTS: ${{ steps.check-version.outputs.VERSION_EXISTS }}
 VERSION: ${{ steps.get-version.outputs.VERSION }}
@@ -45,7 +45,10 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 environment: Production
- needs: check
+ permissions:
+ contents: write
+ needs:
+ - check
 if: needs.check.outputs.VERSION_EXISTS == 'false'
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
diff --git a/.prettierrc.json b/.prettierrc.json
index a8d4dcc3..1afbde18 100644
--- a/.prettierrc.json
+++ b/.prettierrc.json
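Review bot: The last step of `check-generate` in `lint.yml`, `- run: npm run generate`, is the only unnamed step in the file and, as written, only proves the generator runs; if `npm run generate` rewrites files rather than verifying them (I cannot tell from the diff), the job passes even when the committed output is stale. Naming the step and following it with `- run: git diff --exit-code` would make it an actual check; at minimum give it a `name: Check generated files are up to date` so the intent is visible in the run log.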
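Review bot: The top-level `permissions: {}` added to `prepare_release.yaml` removes every default token scope from `create-pr`, whose body lies outside the hunk; unless that job already declares its own `permissions` or authenticates with a separately provisioned token, it will no longer be able to push a release branch or open a pull request. Confirm the job body and, if needed, add a job-level block such as `permissions: { contents: write, pull-requests: write }`, the same pattern this commit applies to the `publish` job in `publish.yaml`.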
@@ -27,7 +27,7 @@
 }
 },
 {
- "files": "*.yaml",
+ "files": ["*.yaml", "*.yml"],
 "options": {
 "tabWidth": 2,
 "printWidth": 80