rusackas opened a new pull request, #40545: URL: https://github.com/apache/superset/pull/40545
### SUMMARY

Hardens the repository's GitHub Actions workflows based on findings from the GHA static analysis (zizmor) that runs in `validate-all-ghas`. This batch covers the low-risk, mechanical categories:

| Category | Count | Change |
|----------|-------|--------|
| Action pinning | 3 | Pin floating action tags to a full commit SHA |
| Pin version comments | 11 | Correct `# vX` comments that no longer matched the pinned SHA |
| Token permissions | 25 | Add explicit least-privilege `permissions:` blocks (release/publish jobs keep the write scope they need) |
| Checkout credentials | 14 | `persist-credentials: false` on checkout steps that don't push |
| Dependabot cooldown | 30 | Raise update cooldown to the recommended minimum |

**No workflow logic, triggers, or job behavior are changed** — these are configuration-hardening changes only.

### TESTING INSTRUCTIONS

- [x] Re-ran the analyzer locally — all five categories above drop to zero findings
- [x] YAML-parsed every modified workflow / action file
- [ ] `validate-all-ghas` passes on this PR

### ADDITIONAL INFORMATION

A follow-up will address the remaining categories that require per-script refactoring rather than mechanical changes.

- [ ] Has associated issue: n/a
- [ ] Required feature flags: n/a
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Introduces new feature or API: No
- [ ] Removes existing feature or API: No

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
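To make the five finding categories in the table concrete, here is an added, constructed Python checker. It is not zizmor, not part of this PR, and not code from the Superset project; it is a deliberately small line-based approximation (no PyYAML needed) that flags the same kinds of settings on an embedded weak workflow and its hardened counterpart. The 40-character `a` strings stand in for real commit SHAs, the `# v4` / `# v5` comments are placeholders, the `check_dependabot` minimum of 14 days is an assumed value chosen for illustration (the PR does not state the "recommended minimum" it applied), and the sample YAML files are constructed, not taken from the repository.

```python
"""Constructed, line-based checks mirroring the PR's hardening categories (illustration only)."""
import re

# owner/repo@ref, optional trailing "# vX" comment; local ./ and docker:// refs have no '@' and are skipped
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)(?:\s*#\s*(v\S*))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STEP_START_RE = re.compile(r"^\s*-\s")


def _indent(line):
    return len(line) - len(line.lstrip())


def _step_lines(lines, uses_idx):
    """Return the lines of the step that contains lines[uses_idx] (walk back to its '- ' marker)."""
    start = uses_idx
    while start > 0 and not STEP_START_RE.match(lines[start]):
        start -= 1
    dash_indent = _indent(lines[start])
    block = [lines[start]]
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        if _indent(line) <= dash_indent:
            break
        block.append(line)
    return block


def check_workflow(text):
    """Return (category, line_number, detail) findings for one workflow file; line 0 = file-level."""
    lines = text.splitlines()
    findings = []
    # Token permissions: some explicit permissions: block, at workflow or job level
    if not any(re.match(r"^\s*permissions:", line) for line in lines):
        findings.append(("missing-permissions", 0, "no permissions: block at workflow or job level"))
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        lineno = idx + 1
        if not SHA_RE.match(ref):  # Action pinning: a tag or branch can move, a full SHA cannot
            findings.append(("unpinned-action", lineno, f"{action}@{ref} is a floating ref, not a 40-hex commit SHA"))
        elif not comment:  # Pin version comments: a pinned SHA should carry a human-readable "# vX"
            findings.append(("missing-version-comment", lineno, f"{action} pinned without a '# vX' comment"))
        if action == "actions/checkout":  # Checkout credentials: token stays in .git/config unless disabled
            step = _step_lines(lines, idx)
            if not any(re.match(r"^\s*persist-credentials:\s*false", s) for s in step):
                findings.append(("checkout-persists-credentials", lineno, "add with: persist-credentials: false"))
    return findings


def check_dependabot(text, minimum_days):
    """Dependabot cooldown: flag update entries whose cooldown default-days is absent or below minimum_days."""
    findings = []
    entries = re.split(r"(?m)^\s*-\s*package-ecosystem:", text)[1:]
    for n, entry in enumerate(entries, 1):
        ecosystem = entry.strip().splitlines()[0].strip().strip('"')
        m = re.search(r"default-days:\s*(\d+)", entry)
        if not m or int(m.group(1)) < minimum_days:
            findings.append(("dependabot-cooldown", n, f"{ecosystem}: cooldown default-days below {minimum_days}"))
    return findings


# Constructed sample inputs (not from the repository). 40 'a's are a placeholder, not a real commit.
SHA_PLACEHOLDER = "a" * 40
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pytest
"""
HARDENED_WORKFLOW = f"""\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_PLACEHOLDER} # v4 (placeholder comment)
        with:
          persist-credentials: false
      - uses: actions/setup-python@{SHA_PLACEHOLDER} # v5 (placeholder comment)
        with:
          python-version: "3.11"
      - run: pytest
"""
DEPENDABOT_CONFIG = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, check_workflow(wf))
    print("dependabot", check_dependabot(DEPENDABOT_CONFIG, minimum_days=14))  # 14 is an assumed value
```

The weak file produces one finding per category except the version-comment one (a floating tag has no SHA to annotate); the hardened file produces none. Removing the `# v4` comment from the hardened checkout line yields a `missing-version-comment` finding, which is the PR's second category. Because the checker is line-based it cannot verify that a `# vX` comment actually matches the pinned SHA; that needs the tag-to-commit mapping the real analyzer resolves.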
