This is an automated email from the ASF dual-hosted git repository.
hainenber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 2e7bec3646c chore(ci): harden GitHub Actions workflows per static
analysis (#40545)
2e7bec3646c is described below
commit 2e7bec3646c1ea026634ce2b32dcd9a374051b1b
Author: Evan Rusackas <[email protected]>
AuthorDate: Fri May 29 23:13:43 2026 -0700
chore(ci): harden GitHub Actions workflows per static analysis (#40545)
Co-authored-by: Claude Code <[email protected]>
---
.github/actions/setup-backend/action.yml | 2 +-
.github/actions/setup-supersetbot/action.yml | 1 +
.github/dependabot.yml | 60 +++++++++++-----------
.github/workflows/cancel_duplicates.yml | 2 +
.github/workflows/check_db_migration_confict.yml | 2 +
.github/workflows/claude.yml | 4 ++
.github/workflows/codeql-analysis.yml | 2 +
.github/workflows/dependency-review.yml | 4 ++
.github/workflows/embedded-sdk-release.yml | 2 +
.github/workflows/embedded-sdk-test.yml | 2 +
.github/workflows/ephemeral-env-pr-close.yml | 5 +-
.github/workflows/ephemeral-env.yml | 7 ++-
.github/workflows/labeler.yml | 2 +-
.github/workflows/release.yml | 6 +++
.github/workflows/superset-docs-deploy.yml | 3 ++
.github/workflows/superset-docs-verify.yml | 5 ++
.github/workflows/superset-extensions-cli.yml | 2 +-
.github/workflows/superset-frontend.yml | 5 +-
.../workflows/superset-python-integrationtest.yml | 6 +--
.github/workflows/superset-python-presto-hive.yml | 4 +-
.github/workflows/superset-python-unittest.yml | 2 +-
.github/workflows/tag-release.yml | 7 +++
.github/workflows/tech-debt.yml | 2 +
.github/workflows/welcome-new-users.yml | 2 +-
24 files changed, 95 insertions(+), 44 deletions(-)
diff --git a/.github/actions/setup-backend/action.yml
b/.github/actions/setup-backend/action.yml
index 73345481d94..c4f2e787eb1 100644
--- a/.github/actions/setup-backend/action.yml
+++ b/.github/actions/setup-backend/action.yml
@@ -36,7 +36,7 @@ runs:
echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV
fi
- name: Set up Python ${{ env.PYTHON_VERSION }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: ${{ inputs.cache }}
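Review bot: The context line `echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV` expands the input into the script text before the shell runs, so a value containing quotes or shell metacharacters could alter the command; the pin added below does not touch that. Passing the value through the step's `env:` (for example `INPUT_PYTHON_VERSION: ${{ inputs.python-version }}`) and writing `echo "PYTHON_VERSION=$INPUT_PYTHON_VERSION" >> "$GITHUB_ENV"` keeps it as data. The input is set by calling workflows, so exposure is probably low. The `run:` block begins above the hunk, and its other branches should be checked the same way.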
diff --git a/.github/actions/setup-supersetbot/action.yml
b/.github/actions/setup-supersetbot/action.yml
index 9ae360bf930..b6aca8c91ba 100644
--- a/.github/actions/setup-supersetbot/action.yml
+++ b/.github/actions/setup-supersetbot/action.yml
@@ -23,6 +23,7 @@ runs:
if: ${{ inputs.from-npm == 'false' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
+ persist-credentials: false
repository: apache-superset/supersetbot
path: supersetbot
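Review bot: This checkout pulls `apache-superset/supersetbot` with no `ref:` visible in the hunk, so unless one follows below, the action takes whatever is on that repository's default branch at run time. That would undercut the SHA pinning this commit applies to the `uses:` lines. Consider adding `ref: <PINNED_COMMIT_SHA>` (placeholder) under `with:` so the code that presumably gets built and run later in the job is fixed and reviewable. The `with:` block may continue past the hunk.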
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index eb3e9eb80dc..fc0ffbd8561 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,7 +10,7 @@ updates:
schedule:
interval: "daily"
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
ignore:
@@ -59,7 +59,7 @@ updates:
open-pull-requests-limit: 30
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "pip"
@@ -76,7 +76,7 @@ updates:
- pip
- dependabot
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: ".github/actions"
@@ -85,7 +85,7 @@ updates:
open-pull-requests-limit: 10
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/docs/"
@@ -110,7 +110,7 @@ updates:
open-pull-requests-limit: 10
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-websocket/"
@@ -121,7 +121,7 @@ updates:
- dependabot
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-websocket/utils/client-ws-app/"
@@ -133,7 +133,7 @@ updates:
open-pull-requests-limit: 10
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
# Now for all of our plugins and packages!
@@ -147,7 +147,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-partition/"
@@ -159,7 +159,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-world-map/"
@@ -171,7 +171,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-pivot-table/"
@@ -186,7 +186,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-chord/"
@@ -198,7 +198,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-horizon/"
@@ -210,7 +210,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-rose/"
@@ -222,7 +222,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-preset-chart-deckgl/"
@@ -234,7 +234,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-table/"
@@ -249,7 +249,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-country-map/"
@@ -261,7 +261,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-map-box/"
@@ -273,7 +273,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-preset-chart-nvd3/"
@@ -285,7 +285,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-word-cloud/"
@@ -297,7 +297,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/legacy-plugin-chart-paired-t-test/"
@@ -309,7 +309,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-echarts/"
@@ -321,7 +321,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-ag-grid-table/"
@@ -333,7 +333,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-cartodiagram/"
@@ -345,7 +345,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory:
"/superset-frontend/plugins/legacy-plugin-chart-parallel-coordinates/"
@@ -357,7 +357,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/plugins/plugin-chart-handlebars/"
@@ -373,7 +373,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/packages/generator-superset/"
@@ -385,7 +385,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/packages/superset-ui-chart-controls/"
@@ -397,7 +397,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/packages/superset-ui-core/"
@@ -414,7 +414,7 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
- package-ecosystem: "npm"
directory: "/superset-frontend/packages/superset-ui-switchboard/"
@@ -426,4 +426,4 @@ updates:
open-pull-requests-limit: 5
versioning-strategy: increase
cooldown:
- default-days: 5
+ default-days: 7
diff --git a/.github/workflows/cancel_duplicates.yml
b/.github/workflows/cancel_duplicates.yml
index 76525767ad0..0c017b52915 100644
--- a/.github/workflows/cancel_duplicates.yml
+++ b/.github/workflows/cancel_duplicates.yml
@@ -32,6 +32,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
if: steps.check_queued.outputs.count >= 20
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Cancel duplicate workflow runs
if: steps.check_queued.outputs.count >= 20
diff --git a/.github/workflows/check_db_migration_confict.yml
b/.github/workflows/check_db_migration_confict.yml
index fe82cee28dd..88953d505d3 100644
--- a/.github/workflows/check_db_migration_confict.yml
+++ b/.github/workflows/check_db_migration_confict.yml
@@ -26,6 +26,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Check and notify
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 #
v9.0.0
with:
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 987eac5b73b..b6355915362 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -6,6 +6,9 @@ on:
pull_request_review_comment:
types: [created]
+permissions:
+ contents: read
+
jobs:
check-permissions:
if: |
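Review bot: A workflow-level `permissions:` block sets every scope it does not list to `none` for any job without its own block, so after this change jobs here get only `contents: read` unless they override it. This workflow reacts to comments and runs a PR action, which normally needs scopes such as `pull-requests: write`; the job definitions lie outside the hunk, so confirm each one declares what it needs. A comment above the block, e.g. `# Default for all jobs; jobs that write declare their own permissions`, would make the intent explicit. The same check applies to the identical blocks added in `ephemeral-env.yml`, `superset-docs-deploy.yml`, `superset-docs-verify.yml` and `superset-frontend.yml`.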
@@ -75,6 +78,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
+ persist-credentials: false
fetch-depth: 1
- name: Run Claude PR Action
diff --git a/.github/workflows/codeql-analysis.yml
b/.github/workflows/codeql-analysis.yml
index e882c0a04c7..58121e3a581 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,6 +32,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Check for file changes
id: check
diff --git a/.github/workflows/dependency-review.yml
b/.github/workflows/dependency-review.yml
index dc66ffc48ba..ab8777b3762 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -28,6 +28,8 @@ jobs:
steps:
- name: "Checkout Repository"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: "Dependency Review"
uses:
actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 #
v5.0.0
continue-on-error: true
@@ -50,6 +52,8 @@ jobs:
steps:
- name: "Checkout Repository"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Setup Python
uses: ./.github/actions/setup-backend/
diff --git a/.github/workflows/embedded-sdk-release.yml
b/.github/workflows/embedded-sdk-release.yml
index 0d4296e84f6..1373a72d650 100644
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -34,6 +34,8 @@ jobs:
working-directory: superset-embedded-sdk
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version-file: './superset-embedded-sdk/.nvmrc'
diff --git a/.github/workflows/embedded-sdk-test.yml
b/.github/workflows/embedded-sdk-test.yml
index b5be1cbdf81..d59254423b5 100644
--- a/.github/workflows/embedded-sdk-test.yml
+++ b/.github/workflows/embedded-sdk-test.yml
@@ -22,6 +22,8 @@ jobs:
working-directory: superset-embedded-sdk
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version-file: './superset-embedded-sdk/.nvmrc'
diff --git a/.github/workflows/ephemeral-env-pr-close.yml
b/.github/workflows/ephemeral-env-pr-close.yml
index b7f79c69283..d1d5b9b2f40 100644
--- a/.github/workflows/ephemeral-env-pr-close.yml
+++ b/.github/workflows/ephemeral-env-pr-close.yml
@@ -10,6 +10,9 @@ on:
pull_request_target:
types: [closed]
+permissions:
+ contents: read
+
jobs:
config:
runs-on: ubuntu-24.04
@@ -35,7 +38,7 @@ jobs:
pull-requests: write
steps:
- name: Configure AWS credentials
- uses:
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
# v6
+ uses:
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
# v6.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/ephemeral-env.yml
b/.github/workflows/ephemeral-env.yml
index 8dd91b80c98..896d268416d 100644
--- a/.github/workflows/ephemeral-env.yml
+++ b/.github/workflows/ephemeral-env.yml
@@ -25,6 +25,9 @@ on:
description: 'Issue or PR number'
required: true
+permissions:
+ contents: read
+
jobs:
ephemeral-env-label:
concurrency:
@@ -191,7 +194,7 @@ jobs:
--extra-flags "--build-arg INCLUDE_CHROMIUM=false"
- name: Configure AWS credentials
- uses:
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
# v6
+ uses:
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
# v6.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -227,7 +230,7 @@ jobs:
persist-credentials: false
- name: Configure AWS credentials
- uses:
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
# v6
+ uses:
aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
# v6.0.0
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 3b85cecc030..09c5cf0eacf 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -9,7 +9,7 @@ jobs:
pull-requests: write
runs-on: ubuntu-24.04
steps:
- - uses: actions/labeler@v6
+ - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6
with:
sync-labels: true
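Review bot: The trailing comment on the new pin, `# v6`, names a moving major tag, so it does not record which release the pinned SHA corresponds to. Elsewhere this commit tightens the same kind of comment to an exact tag (`# v6.0.0`, `# v6.0.1`). Writing the exact release here, in the form `# vX.Y.Z` for the pinned commit, would make the pin auditable at a glance and consistent with those. The same applies to `actions/setup-python@… # v5` in `.github/actions/setup-backend/action.yml` and `actions/first-interaction@… # v3` in `welcome-new-users.yml`.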
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23e2c0175d3..28f81cd2c08 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
- "master"
- "[0-9].[0-9]*"
+permissions:
+ contents: read
+
jobs:
config:
runs-on: ubuntu-24.04
@@ -27,9 +30,12 @@ jobs:
if: needs.config.outputs.has-secrets
name: Bump version and publish package(s)
runs-on: ubuntu-24.04
+ permissions:
+ contents: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
+ persist-credentials: false
# pulls all commits (needed for lerna / semantic release to
correctly version)
fetch-depth: 0
- name: Get tags and filter trigger tags
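Review bot: `persist-credentials: false` keeps the token out of the checkout's git config, so the `contents: write` grant added to this job is only usable by steps that pass a token explicitly. If a later step in this job (outside the hunk) pushes version commits or tags with plain `git push`, as lerna-style release tooling often does, it will no longer authenticate. If nothing pushes to the repository, `contents: write` can be reduced to `read`. A comment such as `# contents: write needed by <STEP_NAME> to push tags` (placeholder) would record which case applies. The same pairing appears on the `docker-release` job in `tag-release.yml`.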
diff --git a/.github/workflows/superset-docs-deploy.yml
b/.github/workflows/superset-docs-deploy.yml
index d4dd52651f2..380841228f9 100644
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -27,6 +27,9 @@ concurrency:
group: docs-deploy-asf-site
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
config:
runs-on: ubuntu-24.04
diff --git a/.github/workflows/superset-docs-verify.yml
b/.github/workflows/superset-docs-verify.yml
index 0ad9a2458f9..1a2fda92f16 100644
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -16,6 +16,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number ||
github.event.workflow_run.head_sha || github.run_id }}
cancel-in-progress: true
+permissions:
+ contents: read
+
jobs:
linkinator:
# See docs here: https://github.com/marketplace/actions/linkinator
@@ -25,6 +28,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
# Do not bump this linkinator-action version without opening
# an ASF Infra ticket to allow the new version first!
- uses:
JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9 #
v2.3
diff --git a/.github/workflows/superset-extensions-cli.yml
b/.github/workflows/superset-extensions-cli.yml
index 1831407a8e0..a6b361c99f0 100644
--- a/.github/workflows/superset-extensions-cli.yml
+++ b/.github/workflows/superset-extensions-cli.yml
@@ -53,7 +53,7 @@ jobs:
- name: Upload coverage reports to Codecov
if: steps.check.outputs.superset-extensions-cli
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
file: ./coverage.xml
flags: superset-extensions-cli
diff --git a/.github/workflows/superset-frontend.yml
b/.github/workflows/superset-frontend.yml
index d42436dbdf7..7ccb4a8709d 100644
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -16,6 +16,9 @@ concurrency:
env:
TAG: apache/superset:GHA-${{ github.run_id }}
+permissions:
+ contents: read
+
jobs:
frontend-build:
runs-on: ubuntu-24.04
@@ -128,7 +131,7 @@ jobs:
run: npx nyc merge coverage/ merged-output/coverage-summary.json
- name: Upload Code Coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: javascript
use_oidc: true
diff --git a/.github/workflows/superset-python-integrationtest.yml
b/.github/workflows/superset-python-integrationtest.yml
index fd94ede20e8..580d87fcaaf 100644
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -70,7 +70,7 @@ jobs:
run: |
./scripts/python_tests.sh
- name: Upload code coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: python,mysql
verbose: true
@@ -164,7 +164,7 @@ jobs:
run: |
./scripts/python_tests.sh
- name: Upload code coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: python,postgres
verbose: true
@@ -219,7 +219,7 @@ jobs:
run: |
./scripts/python_tests.sh
- name: Upload code coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: python,sqlite
verbose: true
diff --git a/.github/workflows/superset-python-presto-hive.yml
b/.github/workflows/superset-python-presto-hive.yml
index 20c3b96d35a..264b124f8c5 100644
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -79,7 +79,7 @@ jobs:
run: |
./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
- name: Upload code coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: python,presto
verbose: true
@@ -150,7 +150,7 @@ jobs:
pip install -e .[hive]
./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
- name: Upload code coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: python,hive
verbose: true
diff --git a/.github/workflows/superset-python-unittest.yml
b/.github/workflows/superset-python-unittest.yml
index c7c5e9a0a7d..5a71d311ac2 100644
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -56,7 +56,7 @@ jobs:
pytest --durations-min=0.5 --cov=superset/sql/
./tests/unit_tests/sql/ --cache-clear --cov-fail-under=100
pytest --durations-min=0.5 --cov=superset/semantic_layers/
./tests/unit_tests/semantic_layers/ --cache-clear --cov-fail-under=100
- name: Upload code coverage
- uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v5
+ uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
# v6.0.1
with:
flags: python,unit
verbose: true
diff --git a/.github/workflows/tag-release.yml
b/.github/workflows/tag-release.yml
index f97d9aaa449..874f243666c 100644
--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -21,6 +21,9 @@ on:
options:
- 'true'
- 'false'
+permissions:
+ contents: read
+
jobs:
config:
runs-on: ubuntu-24.04
@@ -42,6 +45,8 @@ jobs:
if: needs.config.outputs.has-secrets
name: docker-release
runs-on: ubuntu-24.04
+ permissions:
+ contents: write
strategy:
matrix:
build_preset: ["dev", "lean", "py310", "websocket", "dockerize",
"py311", "py312"]
@@ -51,6 +56,7 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
+ persist-credentials: false
fetch-depth: 0
- name: Setup Docker Environment
@@ -114,6 +120,7 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
+ persist-credentials: false
fetch-depth: 0
- name: Use Node.js 20
diff --git a/.github/workflows/tech-debt.yml b/.github/workflows/tech-debt.yml
index d11ae6d3e1e..41880594a9b 100644
--- a/.github/workflows/tech-debt.yml
+++ b/.github/workflows/tech-debt.yml
@@ -33,6 +33,8 @@ jobs:
steps:
- name: Checkout Repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
diff --git a/.github/workflows/welcome-new-users.yml
b/.github/workflows/welcome-new-users.yml
index 00357aa7c7e..8739ef2100c 100644
--- a/.github/workflows/welcome-new-users.yml
+++ b/.github/workflows/welcome-new-users.yml
@@ -12,7 +12,7 @@ jobs:
steps:
- name: Welcome Message
- uses: actions/first-interaction@v3
+ uses:
actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3
with:
repo_token: ${{ github.token }}
issue_message: |-