chore: reconfigure permission model for Github actions

himanshusinghs · himanshusinghs · commit 59b53721b704 · 2025-11-04T14:59:50.000+01:00
diff --git a/.github/workflows/code-health-fork.yml b/.github/workflows/code-health-fork.yml
@@ -1,18 +1,17 @@
 ---
 name: Code Health (fork)
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   run-tests:
     name: Run MongoDB tests
-    # Code health disabled on forks for now
-    # if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
@@ -22,6 +21,8 @@ jobs:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         if: matrix.os == 'ubuntu-latest'
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: docker/setup-docker-action@v4
         if: matrix.os == 'ubuntu-latest'
         name: Setup Docker Environment
diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml
@@ -6,7 +6,8 @@ on:
       - main
   pull_request:
 
-permissions: {}
+permissions:
+  contents: read
 
 jobs:
   run-tests:
@@ -21,6 +22,8 @@ jobs:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         if: matrix.os == 'ubuntu-latest'
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: docker/setup-docker-action@v4
         if: matrix.os == 'ubuntu-latest'
         name: Setup Docker Environment
@@ -51,6 +54,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
@@ -77,6 +82,8 @@ jobs:
     steps:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version-file: package.json
@@ -99,6 +106,8 @@ jobs:
     needs: [run-tests, run-atlas-tests, run-atlas-local-tests]
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v6
         with:
           node-version-file: package.json
