chore(ci): add security scans, pr build check and dependency upgrades

fyzanshaik-atlan · fyzanshaik-atlan · commit 046c3172808f · 2026-02-13T17:16:34.000+05:30
diff --git a/.github/workflows/mcp-build.yml b/.github/workflows/mcp-build.yml
@@ -0,0 +1,30 @@
+name: MCP Build Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main]
+    paths:
+      - "modelcontextprotocol/**"
+      - ".github/workflows/mcp-server-release.yml"
+      - ".github/workflows/mcp-build.yml"
+
+jobs:
+  build-mcp-image:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build MCP image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./modelcontextprotocol/
+          file: ./modelcontextprotocol/Dockerfile
+          push: false
+          load: true
+          tags: mcp-build-check:latest
diff --git a/.github/workflows/mcp-scheduled-scan.yml b/.github/workflows/mcp-scheduled-scan.yml
@@ -0,0 +1,22 @@
+name: MCP Scheduled Security Scan
+
+on:
+  schedule:
+    # Every Monday at 09:00 UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  scan:
+    uses: atlanhq/.github/.github/workflows/reusable-trivy-scan-scheduled.yml@main
+    with:
+      image_context: './modelcontextprotocol/'
+      dockerfile: './modelcontextprotocol/Dockerfile'
+      image_tag: 'mcp-scheduled-scan:latest'
+      scan_uv_lock: true
+      uv_lock_path: 'modelcontextprotocol/uv.lock'
+      service_name: 'MCP Server'
+      linear_team_id: ${{ vars.LINEAR_TEAM_ID }}
+      linear_priority: 2
+    secrets:
+      LINEAR_API_KEY: ${{ secrets.LINEAR_API_KEY }}
diff --git a/.github/workflows/mcp-trivy.yml b/.github/workflows/mcp-trivy.yml
@@ -0,0 +1,27 @@
+name: MCP Trivy Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main]
+    paths:
+      - "modelcontextprotocol/**"
+      - ".github/workflows/mcp-trivy.yml"
+
+permissions:
+  contents: read
+  pull-requests: write
+  actions: read
+  security-events: write
+
+jobs:
+  trivy:
+    uses: atlanhq/.github/.github/workflows/reusable-trivy-scan.yml@main
+    with:
+      image_context: './modelcontextprotocol/'
+      dockerfile: './modelcontextprotocol/Dockerfile'
+      image_tag: 'mcp-trivy:latest'
+      scan_uv_lock: true
+      uv_lock_path: 'modelcontextprotocol/uv.lock'
+      add_pr_comment: true
+      comment_title: 'MCP Trivy Scan Results'
diff --git a/.github/workflows/verify-snyk-status.yml b/.github/workflows/verify-snyk-status.yml
@@ -0,0 +1,11 @@
+name: Verify Snyk Status
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches: [main]
+
+jobs:
+  verify-snyk:
+    uses: atlanhq/.github/.github/workflows/verify-snyk-status.yml@main
+    secrets: inherit
