
ci(mcp): MCP-tests workflow (T2 #649) #676

Merged: DvirDukhan merged 3 commits into staging from dvirdukhan/mcp-t2-ci on May 28, 2026

@DvirDukhan DvirDukhan commented May 27, 2026

Closes #649.

Stacked on #675 (T17). Adds .github/workflows/mcp-tests.yml so every PR that touches MCP code runs pytest tests/mcp/ against a real FalkorDB service container.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Summary by CodeRabbit

  • Chores
    • Added continuous integration workflow for automated testing of MCP components on code changes and pull requests.

New `.github/workflows/mcp-tests.yml` runs `pytest tests/mcp/` against
a real FalkorDB service container on port 6379. Triggers only on PRs
that touch MCP-relevant paths so the unrelated parts of the repo
don't pay the cost.

- FalkorDB service with redis-cli ping healthcheck.
- uv cache keyed on uv.lock for fast incremental runs.
- Sets `FALKORDB_HOST` / `FALKORDB_PORT` env so api/graph.py picks
  up the service host.
- Path filter covers api/mcp/, tests/mcp/, api/llm.py, api/graph.py,
  pyproject.toml, uv.lock, and the workflow file itself.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

coderabbitai Bot commented May 27, 2026

Walkthrough

New GitHub Actions workflow runs MCP tests on pull requests to MCP-related code. The workflow provisions a FalkorDB service container, configures Python and the uv package manager, verifies database connectivity, and executes the MCP test suite with comprehensive health checks and dependency management.

Changes

MCP Test CI Workflow

| Layer / File(s) | Summary |
| --- | --- |
| **Workflow triggers and security configuration** `.github/workflows/mcp-tests.yml` | Workflow is triggered on pushes and pull requests to api/mcp/**, tests/mcp/**, and core dependency files; uses minimal contents: read permissions and configures concurrency to cancel in-progress runs for the same PR/ref. |
| **FalkorDB service provisioning and test execution** `.github/workflows/mcp-tests.yml` | Job starts a falkordb/falkordb service container on port 6379 with redis-cli ping health checks, sets FALKORDB_HOST and FALKORDB_PORT environment variables, syncs Python dependencies with uv, verifies the database endpoint is reachable, and runs pytest tests/mcp/ -v under uv. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • FalkorDB/code-graph#666: Adds the MCP scaffold module that this workflow executes and validates via pytest tests/mcp/.

Suggested reviewers

  • gkorland
  • galshubeli

Poem

🐰 A workflow takes shape, so neat and so bright,
With FalkorDB spinning through the CI night,
Each MCP test passes with health checks in place,
This rabbit's delighted by concurrency's grace! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'ci(mcp): MCP-tests workflow (T2 #649)' clearly and concisely describes the main change—adding a CI workflow for MCP tests—and includes the relevant issue reference. |
| Linked Issues check | ✅ Passed | The pull request meets all coding-related requirements from issue #649: creates mcp-tests.yml workflow, triggers on specified paths, configures FalkorDB service container with healthcheck, sets environment variables, uses setup-uv pattern, configures uv caching, and implements concurrency cancellation without requiring secrets. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope of issue #649: only the mcp-tests.yml workflow file is added, matching the ticket's stated objective of creating a new GitHub Actions workflow without modifying existing workflows or adding new tests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

galshubeli previously approved these changes May 28, 2026
Base automatically changed from dvirdukhan/mcp-t17-per-branch-graphs to staging May 28, 2026 19:13
@DvirDukhan DvirDukhan dismissed galshubeli’s stale review May 28, 2026 19:13

The base branch was changed.

@DvirDukhan DvirDukhan marked this pull request as ready for review May 28, 2026 19:14

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/mcp-tests.yml (2)

52-53: ⚡ Quick win

Set persist-credentials: false for defense in depth.

The checkout step doesn't explicitly disable credential persistence. Setting persist-credentials: false reduces the attack surface by preventing subsequent steps from accessing the persisted GITHUB_TOKEN if they are compromised.

🔒 Proposed fix to disable credential persistence
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
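Review bot: on the added `with:` block, `persist-credentials: false` is safe only if no later step in this job runs an authenticated git command (submodule fetch, push, tag). The two context lines shown here do not cover the rest of the steps, so confirm that before applying, and pass a token explicitly to any step that does need one. Keep the trailing `# v6` comment next to the pinned SHA so the pin stays readable when it is bumped.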
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mcp-tests.yml around lines 52 - 53, The Checkout step
using actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should
explicitly disable credential persistence; update the "Checkout" step (the step
with name "Checkout" and uses: actions/checkout@...) to include
persist-credentials: false under its with: block so the GITHUB_TOKEN is not
persisted to subsequent steps.

38-38: ⚡ Quick win

Consider pinning the FalkorDB image to a specific version.

The service container uses falkordb/falkordb:latest, which can lead to non-deterministic CI behavior if the upstream image changes. Pinning to a specific version or digest (e.g., falkordb/falkordb:v4.2.5 or @sha256:...) improves test reproducibility.

If testing against the latest release is intentional to catch regressions early, document that intent with a comment and establish a process to periodically review breaking changes.

📌 Proposed fix to pin the image version
-        image: falkordb/falkordb:latest
+        image: falkordb/falkordb:v4.2.5  # or use `@sha256`:... for stronger pinning
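Review bot: the replacement on the `+` line swaps one mutable reference for another: a version tag can be re-pushed upstream, so only the `@sha256:` form mentioned in the trailing comment gives an immutable pin. Prefer the digest as the `image:` value with the version kept as a comment, and confirm that `v4.2.5` is an existing tag and the release the tests should target, since the surrounding comment offers it only as an example. The backticks around `@sha256` in the inline comment look like stray markup and should be dropped.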
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mcp-tests.yml at line 38, The CI service image is
currently using an unstable tag `falkordb/falkordb:latest`; update the workflow
to pin the image to a specific version or digest (e.g., replace `image:
falkordb/falkordb:latest` with a concrete tag like `falkordb/falkordb:vX.Y.Z` or
`falkordb/falkordb@sha256:...`) to ensure reproducible tests, or if you
intentionally want to track latest, add an inline comment near the `image:`
entry stating that intent and add a cadence/process note for reviewing upstream
changes.

📥 Commits

Reviewing files that changed from the base of the PR and between cc18c62 and 6419aac.

📒 Files selected for processing (1)
  • .github/workflows/mcp-tests.yml
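
A small check for the two findings in the review above, as an added example (not part of the PR or of CodeRabbit's output): it scans workflow text for service images that are not digest-pinned and for `actions/checkout` steps without `persist-credentials: false`. The workflow text, the all-zero SHA and digest, and the function names are constructed placeholders, and the line-based scan assumes `with:` follows `uses:` inside a step.

```python
import re
from itertools import takewhile

# Constructed sample, not the project's real workflow; the SHA is a placeholder.
WEAK = """\
jobs:
  test:
    services:
      falkordb:
        image: falkordb/falkordb:latest
    steps:
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000
      - name: Run tests
        run: uv run pytest tests/mcp/ -v
"""
# Same sample with both review findings applied (the digest is a placeholder).
HARDENED = WEAK.replace(":latest", "@sha256:" + "0" * 64).replace(
    "      - name: Run", "        with:\n          persist-credentials: false\n      - name: Run")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify_image(ref):
    """Grade an image reference: digest pin, version tag, or floating tag."""
    if DIGEST.search(ref):
        return "pinned-digest"
    # Look only at the last path part so a registry port is not read as a tag.
    tag = ref.rsplit("/", 1)[-1].partition(":")[2] or "latest"
    return "floating-tag" if tag == "latest" else "mutable-tag"

def scalar(line, key):
    """Value after `key:` on this line (quotes stripped), else None."""
    m = re.match(rf"\s*(?:-\s+)?{re.escape(key)}:\s*(\S+)", line)
    return m.group(1).strip("'\"") if m else None

def audit(text):
    """Return (line_no, finding, value) tuples for the two review findings."""
    findings, lines = [], text.splitlines()
    for n, line in enumerate(lines, 1):
        image, uses = scalar(line, "image"), scalar(line, "uses")
        if image and classify_image(image) != "pinned-digest":
            findings.append((n, classify_image(image), image))
        if uses and uses.startswith("actions/checkout@"):
            # Assumes `with:` follows `uses:`; the step ends at the next "- " item.
            step = takewhile(lambda s: not re.match(r"\s*-\s", s), lines[n:])
            if not any(scalar(s, "persist-credentials") == "false" for s in step):
                findings.append((n, "checkout-persists-credentials", uses))
    return findings

if __name__ == "__main__":
    print(*audit(WEAK), sep="\n")
```
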

@DvirDukhan DvirDukhan merged commit 471fbc6 into staging May 28, 2026
11 of 13 checks passed
@DvirDukhan DvirDukhan deleted the dvirdukhan/mcp-t2-ci branch May 28, 2026 21:50

Development

Successfully merging this pull request may close these issues.

[MCP T2] CI workflow with FalkorDB service for MCP tests
