This is an automated email from the ASF dual-hosted git repository. rusackas pushed a commit to branch chore/zizmor-template-injection in repository https://gitbox.apache.org/repos/asf/superset.git
commit fb405d8041313c200c8446f9825a6cce036cd1e7 Author: Claude Code <[email protected]> AuthorDate: Fri May 29 23:42:41 2026 -0700 chore(ci): pass workflow inputs via env instead of inline expressions Continues the GitHub Actions static-analysis (zizmor) hardening. For shell `run:` steps that referenced workflow/context/step values inline, the values are now passed through the step `env:` block and read as shell variables, and built-in variables ($GITHUB_EVENT_NAME, $GITHUB_REF, $GITHUB_ACTOR) are used where available. This keeps untrusted-looking values out of the command string. Covers the shell-step cases in setup-backend, docker, ephemeral-env, ephemeral-env-pr-close, pre-commit, showtime-trigger, superset-translations, and latest-release-tag. No workflow logic or behavior is changed. The remaining analyzer items (github-script JS interpolation, a couple of composite-action run inputs, and the dangerous-trigger / cache-poisoning items) need per-case treatment and are left for a follow-up. Co-Authored-By: Claude Opus 4.8 <[email protected]>
--- .github/actions/setup-backend/action.yml | 25 +++++++++++++++---------- .github/workflows/docker.yml | 11 +++++++---- .github/workflows/ephemeral-env-pr-close.yml | 7 +++++-- .github/workflows/ephemeral-env.yml | 16 +++++++++++----- .github/workflows/latest-release-tag.yml | 4 +++- .github/workflows/pre-commit.yml | 4 +++- .github/workflows/showtime-trigger.yml | 8 +++++--- .github/workflows/superset-translations.yml | 6 ++++-- 8 files changed, 53 insertions(+), 28 deletions(-)
diff --git a/.github/actions/setup-backend/action.yml b/.github/actions/setup-backend/action.yml
index c4f2e787eb1..7eaec4861ef 100644
--- a/.github/actions/setup-backend/action.yml
+++ b/.github/actions/setup-backend/action.yml
@@ -24,16 +24,18 @@ runs: - name: Interpret Python Version id: set-python-version shell: bash + env: + INPUT_PYTHON_VERSION: ${{ inputs.python-version }} run: | - if [ "${{ inputs.python-version }}" = "current" ]; then - echo "PYTHON_VERSION=3.11" >> $GITHUB_ENV - elif [ "${{ inputs.python-version }}" = "next" ]; then + if [ "$INPUT_PYTHON_VERSION" = "current" ]; then + echo "PYTHON_VERSION=3.11" >> "$GITHUB_ENV" + elif [ "$INPUT_PYTHON_VERSION" = "next" ]; then # currently disabled in GHA matrixes because of library compatibility issues - echo "PYTHON_VERSION=3.12" >> $GITHUB_ENV - elif [ "${{ inputs.python-version }}" = "previous" ]; then - echo "PYTHON_VERSION=3.10" >> $GITHUB_ENV + echo "PYTHON_VERSION=3.12" >> "$GITHUB_ENV" + elif [ "$INPUT_PYTHON_VERSION" = "previous" ]; then + echo "PYTHON_VERSION=3.10" >> "$GITHUB_ENV" else - echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV + echo "PYTHON_VERSION=$INPUT_PYTHON_VERSION" >> "$GITHUB_ENV" fi - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 @@ -41,15 +43,18 @@ runs: python-version: ${{ env.PYTHON_VERSION }} cache: ${{ inputs.cache }} - name: Install dependencies + env: + INPUT_INSTALL_SUPERSET: ${{ inputs.install-superset }} + INPUT_REQUIREMENTS_TYPE: ${{ inputs.requirements-type }} run: | - if [ "${{ inputs.install-superset }}" = "true" ]; then + if [ "$INPUT_INSTALL_SUPERSET" = "true" ]; then sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev pip install --upgrade pip setuptools wheel uv - if [ "${{ inputs.requirements-type }}" = "dev" ]; then + if [ "$INPUT_REQUIREMENTS_TYPE" = "dev" ]; then uv pip install --system -r requirements/development.txt - elif [ "${{ inputs.requirements-type }}" = "base" ]; then + elif [ "$INPUT_REQUIREMENTS_TYPE" = "base" ]; then uv pip install --system -r requirements/base.txt fi 
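Review bot: The `else` branch still copies the raw input into `$GITHUB_ENV`, and the env-file format treats each newline as the start of a new entry, so a multi-line `python-version` value could define additional variables for every later step; moving the value into `INPUT_PYTHON_VERSION` removes the inline expansion but not this path. The input is set by the calling workflow, so the exposure is small, but a one-line guard keeps the hardening complete and the step already runs under `shell: bash`: `if [[ "$INPUT_PYTHON_VERSION" == *$'\n'* ]]; then echo "invalid python-version" >&2; exit 1; fi` placed before the `if` chain. The second hunk (Install dependencies) only compares the new variables against fixed strings and needs no further change.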
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 5a78d8ca773..558a285f770 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -73,20 +73,21 @@ jobs: shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BUILD_PRESET: ${{ matrix.build_preset }} run: | # Single platform builds in pull_request context to speed things up - if [ "${{ github.event_name }}" = "push" ]; then + if [ "$GITHUB_EVENT_NAME" = "push" ]; then PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64" # can only --load images in single-platform builds PUSH_OR_LOAD="--push" - elif [ "${{ github.event_name }}" = "pull_request" ]; then + elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then PLATFORM_ARG="--platform linux/amd64" PUSH_OR_LOAD="--load" fi supersetbot docker \ $PUSH_OR_LOAD \ - --preset ${{ matrix.build_preset }} \ + --preset "$BUILD_PRESET" \ --context "$EVENT" \ --context-ref "$RELEASE" $FORCE_LATEST \ --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \ @@ -112,8 +113,10 @@ jobs: - name: docker-compose sanity check if: (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) && matrix.build_preset == 'dev' shell: bash + env: + BUILD_PRESET: ${{ matrix.build_preset }} run: | - export SUPERSET_BUILD_TARGET=${{ matrix.build_preset }} + export SUPERSET_BUILD_TARGET=$BUILD_PRESET # This should reuse the CACHED image built in the previous steps docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false docker compose up superset-init --exit-code-from superset-init diff --git a/.github/workflows/ephemeral-env-pr-close.yml b/.github/workflows/ephemeral-env-pr-close.yml index d1d5b9b2f40..881de94dff2 100644 --- a/.github/workflows/ephemeral-env-pr-close.yml +++ b/.github/workflows/ephemeral-env-pr-close.yml 
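Review bot: The `if`/`elif` on `$GITHUB_EVENT_NAME` has no `else`, so for any trigger other than push or pull_request `PUSH_OR_LOAD` and `PLATFORM_ARG` stay empty and `supersetbot docker` runs with neither `--push` nor `--load`; whether another trigger can reach this step depends on the workflow's `on:` block, which is outside the hunk. If only those two events are possible, an explicit failure documents it: `else echo "unsupported event: $GITHUB_EVENT_NAME" >&2; exit 1` before the closing `fi`. The step body continues past the hunk, so `$EVENT`, `$RELEASE`, `$FORCE_LATEST` and `$IMAGE_TAG` are presumably set there or in the step env.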
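Review bot: `export SUPERSET_BUILD_TARGET=$BUILD_PRESET` leaves the new variable unquoted while every other rewrite in this commit quotes it; a matrix preset is a fixed string today, but `export SUPERSET_BUILD_TARGET="$BUILD_PRESET"` matches the rest of the series and is immune to a preset that ever contains whitespace. The same unquoted expansions remain in the ECR command substitutions in ephemeral-env-pr-close.yml (`@@ -66`) and ephemeral-env.yml (`@@ -245`) and in `python -m showtime sync $PR_NUM` in showtime-trigger.yml (`@@ -173`); for the ECR calls the quoted form is `--registry-id "$(echo "$ECR_REGISTRY" | grep -Eo "^[0-9]+")"` and `--image-ids "imageTag=pr-$PR_NUMBER"`. If `grep` finds no leading digits the substitution is empty and, unquoted, `--repository-name` is consumed as the registry id; quoting does not prevent that but turns it into an obvious empty-argument error.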
@@ -66,11 +66,14 @@ jobs: - name: Delete ECR image tag if: steps.describe-services.outputs.active == 'true' id: delete-image-tag + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + PR_NUMBER: ${{ github.event.number }} run: | aws ecr batch-delete-image \ - --registry-id $(echo "${{ steps.login-ecr.outputs.registry }}" | grep -Eo "^[0-9]+") \ + --registry-id $(echo "$ECR_REGISTRY" | grep -Eo "^[0-9]+") \ --repository-name superset-ci \ - --image-ids imageTag=pr-${{ github.event.number }} + --image-ids imageTag=pr-$PR_NUMBER - name: Comment (success) if: steps.describe-services.outputs.active == 'true' diff --git a/.github/workflows/ephemeral-env.yml b/.github/workflows/ephemeral-env.yml index 896d268416d..7f279c0e080 100644 --- a/.github/workflows/ephemeral-env.yml +++ b/.github/workflows/ephemeral-env.yml @@ -49,10 +49,10 @@ jobs: - name: Check for the "testenv-up" label id: eval-label run: | - if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then + if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then LABEL_NAME="${INPUT_LABEL_NAME}" else - LABEL_NAME="${{ github.event.label.name }}" + LABEL_NAME="$EVENT_LABEL_NAME" fi echo "Evaluating label: $LABEL_NAME" @@ -65,6 +65,7 @@ jobs: env: INPUT_LABEL_NAME: ${{ github.event.inputs.label_name }} + EVENT_LABEL_NAME: ${{ github.event.label.name }} - name: Get event SHA id: get-sha if: steps.eval-label.outputs.result == 'up' @@ -245,9 +246,10 @@ jobs: continue-on-error: true env: PR_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }} + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} run: | aws ecr describe-images \ - --registry-id $(echo "${{ steps.login-ecr.outputs.registry }}" | grep -Eo "^[0-9]+") \ + --registry-id $(echo "$ECR_REGISTRY" | grep -Eo "^[0-9]+") \ --repository-name superset-ci \ --image-ids imageTag=pr-$PR_NUMBER-ci 
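Review bot: `PR_NUMBER` is taken from `github.event.inputs.issue_number` on workflow_dispatch, a free-text input, and is spliced unchecked into `imageTag=pr-$PR_NUMBER-ci` in the describe-images step; the same value feeds `INPUT_ISSUE_NUMBER` in the following hunk. Dispatch is limited to collaborators, so the exposure is small, but a shape check at the top of the script is cheap and gives a clearer failure than an ECR error: `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "PR_NUMBER must be numeric: $PR_NUMBER" >&2; exit 1; }`. Note the step declares `continue-on-error: true`, so a failed check would be reported but would not stop the job.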
@@ -319,12 +321,16 @@ jobs: INPUT_ISSUE_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }} - name: Get network interface id: get-eni + env: + TASK_ARN: ${{ steps.list-tasks.outputs.task }} run: | - echo "eni=$(aws ecs describe-tasks --cluster superset-ci --tasks ${{ steps.list-tasks.outputs.task }} | jq '.tasks[0].attachments[0].details | map(select(.name=="networkInterfaceId"))[0].value')" >> $GITHUB_OUTPUT + echo "eni=$(aws ecs describe-tasks --cluster superset-ci --tasks "$TASK_ARN" | jq '.tasks[0].attachments[0].details | map(select(.name=="networkInterfaceId"))[0].value')" >> $GITHUB_OUTPUT - name: Get public IP id: get-ip + env: + ENI_ID: ${{ steps.get-eni.outputs.eni }} run: | - echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT + echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids "$ENI_ID" | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT - name: Comment (success) if: ${{ success() }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 diff --git a/.github/workflows/latest-release-tag.yml b/.github/workflows/latest-release-tag.yml index 4a4f38320a8..0d1adc42da7 100644 --- a/.github/workflows/latest-release-tag.yml +++ b/.github/workflows/latest-release-tag.yml @@ -19,8 +19,10 @@ jobs: - name: Check for latest tag id: latest-tag + env: + RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - source ./scripts/tag_latest_release.sh $(echo ${{ github.event.release.tag_name }}) --dry-run + source ./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run - name: Configure Git run: | diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index d16a729bd21..de70c687eb7 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
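Review bot: The `get-ip` rewrite changes behaviour, contrary to the commit message: the `get-eni` step's `jq` call has no `-r`, so `$GITHUB_OUTPUT` receives the JSON-encoded string with its double quotes (`eni="eni-..."`). Previously `${{ steps.get-eni.outputs.eni }}` was pasted into the script text and the shell stripped those quotes; now `"$ENI_ID"` hands them literally to `aws ec2 describe-network-interfaces`, which will reject the id. Add `-r` to the first pipeline and quote the output file like the other hunks: `| jq -r '.tasks[0].attachments[0].details | map(select(.name=="networkInterfaceId"))[0].value')" >> "$GITHUB_OUTPUT"`. `--tasks "$TASK_ARN"` is equivalent to the old form only if `steps.list-tasks.outputs.task` holds a single ARN, which the name suggests but the hunk does not show.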
@@ -71,10 +71,12 @@ jobs: output: ' ' - name: pre-commit + env: + CHANGED_FILES: ${{ steps.changed_files.outputs.files }} run: | set +e # Don't exit immediately on failure export SKIP=type-checking-frontend - pre-commit run --files ${{ steps.changed_files.outputs.files }} + pre-commit run --files $CHANGED_FILES PRE_COMMIT_EXIT_CODE=$? git diff --quiet --exit-code GIT_DIFF_EXIT_CODE=$? diff --git a/.github/workflows/showtime-trigger.yml b/.github/workflows/showtime-trigger.yml index 1c0da7fd147..ce533c224c6 100644 --- a/.github/workflows/showtime-trigger.yml +++ b/.github/workflows/showtime-trigger.yml @@ -102,7 +102,7 @@ jobs: - name: Install Superset Showtime if: steps.auth.outputs.authorized == 'true' run: | - echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${PULL_REQUEST_NUMBER}" + echo "::notice::Maintainer $GITHUB_ACTOR triggered deploy for PR ${PULL_REQUEST_NUMBER}" pip install --upgrade superset-showtime showtime version @@ -173,9 +173,11 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + CHECK_PR_NUMBER: ${{ steps.check.outputs.pr_number }} + CHECK_TARGET_SHA: ${{ steps.check.outputs.target_sha }} run: | - PR_NUM="${{ steps.check.outputs.pr_number }}" - TARGET_SHA="${{ steps.check.outputs.target_sha }}" + PR_NUM="$CHECK_PR_NUMBER" + TARGET_SHA="$CHECK_TARGET_SHA" if [[ -n "$TARGET_SHA" ]]; then python -m showtime sync $PR_NUM --sha "$TARGET_SHA" else diff --git a/.github/workflows/superset-translations.yml b/.github/workflows/superset-translations.yml index 042ac3fc144..08e06e4133d 100644 --- a/.github/workflows/superset-translations.yml +++ b/.github/workflows/superset-translations.yml 
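Review bot: `pre-commit run --files $CHANGED_FILES` relies on word splitting of the space-separated list from `steps.changed_files.outputs.files` (the `output: ' '` separator is visible just above), and it is the one expansion in this series that must stay unquoted; a later shellcheck-driven cleanup would quote it and pass the whole list as a single filename. A comment above the line records the intent: `# CHANGED_FILES is a space-separated list; leave it unquoted so it word-splits into one argument per file`. Paths containing spaces or glob characters would still split or expand here, which is pre-existing; `set -f` before the call would at least stop the globbing.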
@@ -84,13 +84,15 @@ jobs: # drift on the base branch. - name: Fetch base ref and create comparison worktree if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true' + env: + PR_BASE_REF: ${{ github.event.pull_request.base.ref }} run: | # For PRs use the base branch; for direct pushes compare against the previous commit. - BASE_REF="${{ github.event.pull_request.base.ref }}" + BASE_REF="$PR_BASE_REF" if [ -n "$BASE_REF" ]; then git fetch --depth=1 origin "$BASE_REF" else - git fetch --depth=2 origin "${{ github.ref }}" + git fetch --depth=2 origin "$GITHUB_REF" fi git worktree add /tmp/base-worktree FETCH_HEAD
