From ae499234c1a1f120f11bc581529f6f775f553581 Mon Sep 17 00:00:00 2001
From: Himanshu Singh
Date: Thu, 16 Oct 2025 11:56:10 +0200
Subject: [PATCH 1/3] chore: disable PR runs on fork

---
 .github/workflows/test-and-build-from-fork.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test-and-build-from-fork.yaml b/.github/workflows/test-and-build-from-fork.yaml
index 91bb7345b..6693faba8 100644
--- a/.github/workflows/test-and-build-from-fork.yaml
+++ b/.github/workflows/test-and-build-from-fork.yaml
@@ -10,7 +10,9 @@ permissions:
 
 jobs:
   test-and-build:
     name: Test and Build
-    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    # Code health disabled on forks for now
+    # if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
     strategy:
       matrix:

From 3ac739149f8419a26452acab1cb0f91362fb9035 Mon Sep 17 00:00:00 2001
From: Himanshu Singh
Date: Mon, 3 Nov 2025 13:24:25 +0100
Subject: [PATCH 2/3] chore: dependabot cooldown

---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2d2a1e881..9504c55fa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,6 +6,10 @@ updates:
     directory: /
     schedule:
       interval: daily
+    cooldown:
+      default-days: 7
+      include:
+        - "*"
     allow:
       - dependency-name: mongodb
       - dependency-name: bson

From 2874bdfd69ffc37c907723bf764e7e1247c788e1 Mon Sep 17 00:00:00 2001
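Review bot: The old `if:` condition is kept as a commented-out line under a "for now" remark, which is dead configuration that will drift from the live gate the next time someone edits this job; prefer dropping the commented `if:` and replacing the remark with one comment that says what the gate now does and when the fork path is meant to return, e.g. `# Only Dependabot PRs run this job; fork PRs are skipped until <TRACKING-ISSUE placeholder>`. It is also worth stating in that comment that the check deliberately keys on `github.event.pull_request.user.login` (the PR author) rather than `github.actor`, which can be a different user on a re-run, so the condition is not "simplified" later. The rest of the `test-and-build` job (strategy and steps) lies outside this hunk.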
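Review bot: The new `cooldown:` block in dependabot.yml has no comment saying why a seven-day delay was chosen, and `include: - "*"` applies it to every dependency in this ecosystem, so a reader maintaining the `allow:` list below will not know whether the delay is intended to cover mongodb and bson as well. Suggest a comment above `cooldown:` such as `# Wait 7 days after a release before proposing it, so upstream regressions surface first`. Please also confirm against Dependabot's documentation that security updates are not delayed by this setting before relying on it; I believe they are not, but that should be verified rather than assumed. The enclosing `updates:` entry starts above this hunk.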
From: Himanshu Singh
Date: Wed, 5 Nov 2025 10:01:17 +0100
Subject: [PATCH 3/3] chore: fix overpermitted workflow for forks

1. Removes excessive permissions from workflow expected to run on forked and dependabot PRs
2. Change the trigger of workflow intended for forked PRs to use pull_request instead of pull_request_trigger, aiming to not un-intentionally expose secrets.
3. Split the auto-merge step for dependabot PRs that require pull_request_target trigger into a separate workflow.
---
 .github/workflows/dependabot-pr.yml | 22 +++++++++++++++
 .../workflows/test-and-build-from-fork.yaml | 28 +++----------------
 2 files changed, 26 insertions(+), 24 deletions(-)
 create mode 100644 .github/workflows/dependabot-pr.yml

diff --git a/.github/workflows/dependabot-pr.yml b/.github/workflows/dependabot-pr.yml
new file mode 100644
index 000000000..e682ce8c7
--- /dev/null
+++ b/.github/workflows/dependabot-pr.yml
@@ -0,0 +1,22 @@
+---
+name: Dependabot PR
+on:
+  pull_request_target:
+    types: [opened]
+    branches:
+      - main
+
+permissions:
+  pull-requests: write
+
+jobs:
+  enable-auto-merge-on-dependabot-pr:
+    name: Enable auto-merge for Dependabot PRs
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/test-and-build-from-fork.yaml b/.github/workflows/test-and-build-from-fork.yaml
index 6693faba8..44aad4fe1 100644
--- a/.github/workflows/test-and-build-from-fork.yaml
+++ b/.github/workflows/test-and-build-from-fork.yaml
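Review bot: The `enable-auto-merge-on-dependabot-pr` job runs under `pull_request_target` with a write-scoped `GITHUB_TOKEN`, and nothing in the new file records that it must therefore never check out or execute PR-controlled content; add a comment above `jobs:` such as `# pull_request_target runs with a write token on the base branch: never check out or run PR code in this workflow`. The `if:` correctly gates on `github.event.pull_request.user.login` (the PR author) rather than `github.actor`, which can be a different user on a re-run, and that choice deserves a one-line comment so it is not "simplified" later. Separately, `gh pr merge --auto` only enables auto-merge, so the merge still happens only once branch protection's required checks pass, and the file should say that it relies on the Test and Build check being required; GitHub's reference workflow for this step also grants `contents: write`, and I am not certain `pull-requests: write` alone suffices, so please verify on a real Dependabot PR.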
@@ -1,18 +1,15 @@
 name: Test and Build (from fork)
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   test-and-build:
     name: Test and Build
-    # Code health disabled on forks for now
-    # if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.full_name != github.repository
     strategy:
       matrix:
@@ -24,10 +21,6 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
 
       - name: Setup Node.js Environment
         uses: actions/setup-node@v4
@@ -46,18 +39,5 @@ jobs:
       - name: Run Tests
         env:
           NODE_OPTIONS: "--max_old_space_size=4096"
-          SEGMENT_KEY: ${{ secrets.SEGMENT_KEY_DEV }}
+          SEGMENT_KEY: "test-segment-key"
         run: npm run test
-
-  merge-dependabot-pr:
-    name: Merge Dependabot PR
-    runs-on: ubuntu-latest
-    needs:
-      - test-and-build
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
-    steps:
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
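Review bot: The switch to `pull_request` with `contents: read` is the right boundary for a workflow that builds untrusted fork and Dependabot heads, but nothing in the file says so, and the earlier commits in this series show how easily the `pull_request_target` plus write-permissions shape creeps back in; add a header comment under `name:` such as `# Builds code from forks and Dependabot: keep the pull_request trigger and read-only permissions so no write token or repository secret reaches PR code`. The restored `if:` also keys on `github.event.pull_request.user.login` rather than `github.actor`, which is the field that cannot be changed by whoever re-runs the job, and that is worth one inline comment. The job's steps continue in the two later hunks of this file, which follow from the same rationale.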
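Review bot: Dropping `ref:`/`repository:` from the checkout means the job now builds whatever `actions/checkout@v4` selects by default for a `pull_request` event rather than an explicitly named fork branch, and dropping `fetch-depth: 0` makes it a shallow clone; a comment on the `- name: Checkout` step such as `# Default checkout for pull_request: PR merge ref, read-only token, no fork head override needed` would record that this is deliberate. If any later step depends on full git history (version computation, changelog tooling), the shallow clone will break it; I cannot see those steps from this hunk, so please confirm. The remaining steps of `test-and-build` are outside this hunk.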
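Review bot: `SEGMENT_KEY: "test-segment-key"` replaces a repository secret with a fixed dummy but gives no hint that this is intentional, so a future reader may try to restore `secrets.SEGMENT_KEY_DEV` and reintroduce a secret into a job that runs fork code; a comment such as `# Fixed non-secret value: fork PRs under pull_request receive no repository secrets, and the tests only need the variable to be set` above the env entry would prevent that. The removed `merge-dependabot-pr` job carried `needs: - test-and-build`, whereas its replacement in dependabot-pr.yml (first file of this commit) enables auto-merge with no ordering on this job, so merge-before-green is now prevented only if branch protection requires the Test and Build check; that assumption should be written down in one of the two workflows. `npm run test` is the last step visible here; anything after it is outside the hunk.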