From 0569695327594763212ff346003acc6bf3ca4ca5 Mon Sep 17 00:00:00 2001
From: Himanshu Singh
Date: Tue, 4 Nov 2025 14:54:31 +0100
Subject: [PATCH 1/2] chore: reconfigure permission model for Github actions
---
 .github/workflows/code-health-fork.yml | 11 ++++++-----
 .github/workflows/code-health.yml | 11 ++++++++++-
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/code-health-fork.yml b/.github/workflows/code-health-fork.yml
index be028cb7..9231a02d 100644
--- a/.github/workflows/code-health-fork.yml
+++ b/.github/workflows/code-health-fork.yml
@@ -1,18 +1,17 @@
 ---
 name: Code Health (fork)
 on:
- pull_request_target:
+ pull_request:
 branches:
 - main
-permissions: {}
+permissions:
+ contents: read
 jobs:
 run-tests:
 name: Run MongoDB tests
- # Code health disabled on forks for now
- # if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
- if: github.event.pull_request.user.login == 'dependabot[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
@@ -22,6 +21,8 @@ jobs:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 if: matrix.os == 'ubuntu-latest'
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: docker/setup-docker-action@v4
 if: matrix.os == 'ubuntu-latest'
 name: Setup Docker Environment
diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml
index e12bf29a..21cda066 100644
--- a/.github/workflows/code-health.yml
+++ b/.github/workflows/code-health.yml
@@ -6,7 +6,8 @@ on:
 - main
 pull_request:
-permissions: {}
+permissions:
+ contents: read
 jobs:
 run-tests:
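Review bot: The two removed comment lines were the only record of why this job is gated, and the new `pull_request` trigger does not say it was chosen over `pull_request_target` on purpose, so the reasoning behind the safest part of this change is now undocumented. Add a comment above `on:`, e.g. `# Deliberately pull_request, not pull_request_target: fork-supplied code runs with the fork's read-only token and without repository secrets.`, and one above the `if:` such as `# Fork and dependabot PRs only; same-repo PRs are covered by code-health.yml` — the second is inferred from the workflow name and condition, so confirm it against code-health.yml first. With the workflow-level `contents: read` this is the right shape for running untrusted PR code; if this job ever needs secrets, that should go into a separate approval-gated workflow rather than a return to `pull_request_target` that still checks out the PR head.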
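Review bot: `persist-credentials: false` keeps GITHUB_TOKEN out of the checkout's `.git/config`, so any later step in this job that runs `git push` or `git fetch` against origin, or a tool that reads those stored credentials, will now fail; the rest of the job is outside the hunk, so I could not confirm that nothing does. The same two lines are added to every checkout step in this series (the code-health.yml, accuracy-tests.yml, check.yml, cleanup-atlas-env.yml, code-health-long-running.yml, codeql.yml, docker.yml and publish.yml hunks), and publish.yml deserves the closest look, since publish jobs often push tags or version-bump commits. Where a step does need to write back, give that step a token explicitly rather than re-enabling persistence for the whole job. A one-line comment above each new `with:` would record the intent, e.g. `# Do not leave GITHUB_TOKEN in .git/config; later steps must not push with it.`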
@@ -21,6 +22,8 @@ jobs:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 if: matrix.os == 'ubuntu-latest'
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: docker/setup-docker-action@v4
 if: matrix.os == 'ubuntu-latest'
 name: Setup Docker Environment
@@ -51,6 +54,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
@@ -77,6 +82,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v4
 with:
 node-version-file: package.json
@@ -99,6 +106,8 @@ jobs:
 needs: [run-tests, run-atlas-tests, run-atlas-local-tests]
 steps:
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
From 366f53d272347c73fa7b11ded5b1127ee3e4fe2b Mon Sep 17 00:00:00 2001
From: Himanshu Singh
Date: Wed, 5 Nov 2025 18:24:01 +0100
Subject: [PATCH 2/2] chore: do not persist creds when not necessary
---
 .github/workflows/accuracy-tests.yml | 2 ++
 .github/workflows/check.yml | 6 ++++++
 .github/workflows/cleanup-atlas-env.yml | 2 ++
 .github/workflows/code-health-long-running.yml | 2 ++
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/docker.yml | 2 ++
 .github/workflows/publish.yml | 2 ++
 7 files changed, 18 insertions(+)
diff --git a/.github/workflows/accuracy-tests.yml b/.github/workflows/accuracy-tests.yml
index b9e2d430..70afb95f 100644
--- a/.github/workflows/accuracy-tests.yml
+++ b/.github/workflows/accuracy-tests.yml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 57516d44..f8248ca1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
@@ -31,6 +33,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
@@ -45,6 +49,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
diff --git a/.github/workflows/cleanup-atlas-env.yml b/.github/workflows/cleanup-atlas-env.yml
index 34fe1e70..6744fbd0 100644
--- a/.github/workflows/cleanup-atlas-env.yml
+++ b/.github/workflows/cleanup-atlas-env.yml
@@ -13,6 +13,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
diff --git a/.github/workflows/code-health-long-running.yml b/.github/workflows/code-health-long-running.yml
index fb930807..de3cc649 100644
--- a/.github/workflows/code-health-long-running.yml
+++ b/.github/workflows/code-health-long-running.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 40a0b0a9..1e12c69b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4
 with:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 65f24f71..5d32b7be 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -15,6 +15,8 @@ jobs:
 config: ${{ vars.PERMISSIONS_CONFIG }}
 - name: Check out code
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
 - name: Login to Docker Hub
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 92033588..9ac843a9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -82,6 +82,8 @@ jobs:
 steps:
 - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: actions/setup-node@v6
 with:
 node-version-file: package.json
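Review bot: The checkout and setup-buildx steps in the docker.yml hunk are pinned to full commit SHAs, while every other checkout step touched by this series uses a floating major tag (`actions/checkout@v5`, `actions/setup-node@v6`, `GitHubSecurityLab/actions-permissions/monitor@v1`), so the two patches leave the repository with two different pinning policies. Tag pins follow wherever the tag is moved to, SHA pins do not; if the SHA pinning here is intentional hardening, a follow-up applying it to the other workflows would make `persist-credentials: false` not the only control applied uniformly. In either case, a trailing comment on each SHA-pinned `uses:` naming the release it corresponds to (e.g. `# vX.Y.Z` with the real tag filled in) keeps the pins auditable and lets update tooling track them.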