diff --git a/.github/actions/setup-backend/action.yml b/.github/actions/setup-backend/action.yml index 73345481d94..c4f2e787eb1 100644 --- a/.github/actions/setup-backend/action.yml +++ b/.github/actions/setup-backend/action.yml @@ -36,7 +36,7 @@ runs: echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV fi - name: Set up Python ${{ env.PYTHON_VERSION }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ env.PYTHON_VERSION }} cache: ${{ inputs.cache }} diff --git a/.github/actions/setup-supersetbot/action.yml b/.github/actions/setup-supersetbot/action.yml index 9ae360bf930..b6aca8c91ba 100644 --- a/.github/actions/setup-supersetbot/action.yml +++ b/.github/actions/setup-supersetbot/action.yml @@ -23,6 +23,7 @@ runs: if: ${{ inputs.from-npm == 'false' }} uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false repository: apache-superset/supersetbot path: supersetbot diff --git a/.github/dependabot.yml b/.github/dependabot.yml index eb3e9eb80dc..fc0ffbd8561 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,7 +10,7 @@ updates: schedule: interval: "daily" cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" ignore: @@ -59,7 +59,7 @@ updates: open-pull-requests-limit: 30 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "pip" @@ -76,7 +76,7 @@ updates: - pip - dependabot cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: ".github/actions" @@ -85,7 +85,7 @@ updates: open-pull-requests-limit: 10 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/docs/" @@ -110,7 +110,7 @@ updates: open-pull-requests-limit: 10 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-websocket/" 
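Review bot: The new pin in `.github/actions/setup-backend/action.yml` is labelled `# v5`, a moving major tag, so the comment does not say which release the SHA was taken from. Other hunks in this commit tighten such labels to exact releases (`# v6.0.0`, `# v6.0.1`), and the trailing comment is the only thing a reviewer can compare against the upstream tag list. I would record the exact tag, e.g. `uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.x.y`, where `x.y` is a placeholder to fill in from the release the SHA resolves to. The same applies to the `actions/labeler` pin (`# v6`) in labeler.yml and the `actions/first-interaction` pin (`# v3`) in welcome-new-users.yml.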
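Review bot: The `default-days: 7` cooldown in `.github/dependabot.yml` has no comment saying what the delay is for or what it does not cover. The same bare value is repeated in every `updates:` entry touched by the remaining hunks of this file. A one-line comment above the first occurrence would help, for example `# Hold version-update PRs until a release is 7 days old; Dependabot security updates are not delayed by cooldown.` Only `default-days` is set in the visible entries, so major, minor and patch bumps all wait the same time.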
@@ -121,7 +121,7 @@ updates: - dependabot versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-websocket/utils/client-ws-app/" @@ -133,7 +133,7 @@ updates: open-pull-requests-limit: 10 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 # Now for all of our plugins and packages! @@ -147,7 +147,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-partition/" @@ -159,7 +159,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-world-map/" @@ -171,7 +171,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-pivot-table/" @@ -186,7 +186,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-chord/" @@ -198,7 +198,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-horizon/" @@ -210,7 +210,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-rose/" @@ -222,7 +222,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-preset-chart-deckgl/" 
@@ -234,7 +234,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-table/" @@ -249,7 +249,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-country-map/" @@ -261,7 +261,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-map-box/" @@ -273,7 +273,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-preset-chart-nvd3/" @@ -285,7 +285,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-word-cloud/" @@ -297,7 +297,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-paired-t-test/" @@ -309,7 +309,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-echarts/" @@ -321,7 +321,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-ag-grid-table/" 
@@ -333,7 +333,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-cartodiagram/" @@ -345,7 +345,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/legacy-plugin-chart-parallel-coordinates/" @@ -357,7 +357,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/plugins/plugin-chart-handlebars/" @@ -373,7 +373,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/packages/generator-superset/" @@ -385,7 +385,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/packages/superset-ui-chart-controls/" @@ -397,7 +397,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/packages/superset-ui-core/" @@ -414,7 +414,7 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 - package-ecosystem: "npm" directory: "/superset-frontend/packages/superset-ui-switchboard/" @@ -426,4 +426,4 @@ updates: open-pull-requests-limit: 5 versioning-strategy: increase cooldown: - default-days: 5 + default-days: 7 diff --git a/.github/workflows/cancel_duplicates.yml b/.github/workflows/cancel_duplicates.yml index 76525767ad0..0c017b52915 100644 --- a/.github/workflows/cancel_duplicates.yml +++ b/.github/workflows/cancel_duplicates.yml 
@@ -32,6 +32,8 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" if: steps.check_queued.outputs.count >= 20 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Cancel duplicate workflow runs if: steps.check_queued.outputs.count >= 20 diff --git a/.github/workflows/check_db_migration_confict.yml b/.github/workflows/check_db_migration_confict.yml index fe82cee28dd..88953d505d3 100644 --- a/.github/workflows/check_db_migration_confict.yml +++ b/.github/workflows/check_db_migration_confict.yml @@ -26,6 +26,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Check and notify uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml index 987eac5b73b..b6355915362 100644 --- a/.github/workflows/claude.yml +++ b/.github/workflows/claude.yml @@ -6,6 +6,9 @@ on: pull_request_review_comment: types: [created] +permissions: + contents: read + jobs: check-permissions: if: | @@ -75,6 +78,7 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: + persist-credentials: false fetch-depth: 1 - name: Run Claude PR Action diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e882c0a04c7..58121e3a581 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -32,6 +32,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Check for file changes id: check diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index dc66ffc48ba..ab8777b3762 100644 --- a/.github/workflows/dependency-review.yml 
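Review bot: The workflow-level `permissions: contents: read` added to `.github/workflows/claude.yml` becomes the token scope for every job that has no `permissions:` block of its own. The job bodies lie outside this hunk, so it is not visible whether the jobs that need to write still get their scopes. A job-level block replaces the workflow default rather than adding to it, so each such job should list all of its scopes explicitly. I would add a comment above the block: `# Default token scope for all jobs; a job that needs more declares its own permissions block.` The same default is added in ephemeral-env-pr-close.yml, ephemeral-env.yml, release.yml, superset-docs-deploy.yml, superset-docs-verify.yml, superset-frontend.yml and tag-release.yml; in superset-frontend.yml the Codecov step with `use_oidc: true` depends on a job-level `id-token: write`, which is worth confirming.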
+++ b/.github/workflows/dependency-review.yml @@ -28,6 +28,8 @@ jobs: steps: - name: "Checkout Repository" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: "Dependency Review" uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 continue-on-error: true @@ -50,6 +52,8 @@ jobs: steps: - name: "Checkout Repository" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python uses: ./.github/actions/setup-backend/ diff --git a/.github/workflows/embedded-sdk-release.yml b/.github/workflows/embedded-sdk-release.yml index 0d4296e84f6..1373a72d650 100644 --- a/.github/workflows/embedded-sdk-release.yml +++ b/.github/workflows/embedded-sdk-release.yml @@ -34,6 +34,8 @@ jobs: working-directory: superset-embedded-sdk steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: './superset-embedded-sdk/.nvmrc' diff --git a/.github/workflows/embedded-sdk-test.yml b/.github/workflows/embedded-sdk-test.yml index b5be1cbdf81..d59254423b5 100644 --- a/.github/workflows/embedded-sdk-test.yml +++ b/.github/workflows/embedded-sdk-test.yml @@ -22,6 +22,8 @@ jobs: working-directory: superset-embedded-sdk steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: './superset-embedded-sdk/.nvmrc' diff --git a/.github/workflows/ephemeral-env-pr-close.yml b/.github/workflows/ephemeral-env-pr-close.yml index b7f79c69283..d1d5b9b2f40 100644 --- a/.github/workflows/ephemeral-env-pr-close.yml +++ b/.github/workflows/ephemeral-env-pr-close.yml 
@@ -10,6 +10,9 @@ on: pull_request_target: types: [closed] +permissions: + contents: read + jobs: config: runs-on: ubuntu-24.04 @@ -35,7 +38,7 @@ jobs: pull-requests: write steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/ephemeral-env.yml b/.github/workflows/ephemeral-env.yml index 8dd91b80c98..896d268416d 100644 --- a/.github/workflows/ephemeral-env.yml +++ b/.github/workflows/ephemeral-env.yml @@ -25,6 +25,9 @@ on: description: 'Issue or PR number' required: true +permissions: + contents: read + jobs: ephemeral-env-label: concurrency: @@ -191,7 +194,7 @@ jobs: --extra-flags "--build-arg INCLUDE_CHROMIUM=false" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -227,7 +230,7 @@ jobs: persist-credentials: false - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 3b85cecc030..09c5cf0eacf 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml 
@@ -9,7 +9,7 @@ jobs: pull-requests: write runs-on: ubuntu-24.04 steps: - - uses: actions/labeler@v6 + - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6 with: sync-labels: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23e2c0175d3..28f81cd2c08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ on: - "master" - "[0-9].[0-9]*" +permissions: + contents: read + jobs: config: runs-on: ubuntu-24.04 @@ -27,9 +30,12 @@ jobs: if: needs.config.outputs.has-secrets name: Bump version and publish package(s) runs-on: ubuntu-24.04 + permissions: + contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: + persist-credentials: false # pulls all commits (needed for lerna / semantic release to correctly version) fetch-depth: 0 - name: Get tags and filter trigger tags diff --git a/.github/workflows/superset-docs-deploy.yml b/.github/workflows/superset-docs-deploy.yml index d4dd52651f2..380841228f9 100644 --- a/.github/workflows/superset-docs-deploy.yml +++ b/.github/workflows/superset-docs-deploy.yml @@ -27,6 +27,9 @@ concurrency: group: docs-deploy-asf-site cancel-in-progress: true +permissions: + contents: read + jobs: config: runs-on: ubuntu-24.04 diff --git a/.github/workflows/superset-docs-verify.yml b/.github/workflows/superset-docs-verify.yml index 0ad9a2458f9..1a2fda92f16 100644 --- a/.github/workflows/superset-docs-verify.yml +++ b/.github/workflows/superset-docs-verify.yml @@ -16,6 +16,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_sha || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: linkinator: # See docs here: https://github.com/marketplace/actions/linkinator 
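Review bot: In `.github/workflows/release.yml` the publish job is granted `contents: write` while its checkout is switched to `persist-credentials: false`, so the write-scoped token is no longer left in the local git config. The steps after "Get tags and filter trigger tags" are outside the hunk; if one of them pushes tags or version-bump commits with plain `git push`, that push will now fail unless the step supplies a token itself. If no step writes to the repository, `contents: write` looks broader than needed and the job could stay on the workflow default. A comment on the grant would settle it, e.g. `# contents: write is needed by <step name> to push release tags`, with the placeholder filled in. `tag-release.yml` pairs `contents: write` on `docker-release` with `persist-credentials: false` in the same way.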
@@ -25,6 +28,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false # Do not bump this linkinator-action version without opening # an ASF Infra ticket to allow the new version first! - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9 # v2.3 diff --git a/.github/workflows/superset-extensions-cli.yml b/.github/workflows/superset-extensions-cli.yml index 1831407a8e0..a6b361c99f0 100644 --- a/.github/workflows/superset-extensions-cli.yml +++ b/.github/workflows/superset-extensions-cli.yml @@ -53,7 +53,7 @@ jobs: - name: Upload coverage reports to Codecov if: steps.check.outputs.superset-extensions-cli - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: file: ./coverage.xml flags: superset-extensions-cli diff --git a/.github/workflows/superset-frontend.yml b/.github/workflows/superset-frontend.yml index d42436dbdf7..7ccb4a8709d 100644 --- a/.github/workflows/superset-frontend.yml +++ b/.github/workflows/superset-frontend.yml @@ -16,6 +16,9 @@ concurrency: env: TAG: apache/superset:GHA-${{ github.run_id }} +permissions: + contents: read + jobs: frontend-build: runs-on: ubuntu-24.04 @@ -128,7 +131,7 @@ jobs: run: npx nyc merge coverage/ merged-output/coverage-summary.json - name: Upload Code Coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: javascript use_oidc: true diff --git a/.github/workflows/superset-python-integrationtest.yml b/.github/workflows/superset-python-integrationtest.yml index fd94ede20e8..580d87fcaaf 100644 --- a/.github/workflows/superset-python-integrationtest.yml +++ b/.github/workflows/superset-python-integrationtest.yml 
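Review bot: The Codecov step in `.github/workflows/superset-extensions-cli.yml` keeps the same SHA `e79a6962e0d4c0c17b229090214935d2e33f8354` and changes only its label from `# v5` to `# v6.0.1`, so the pinned code is unchanged and one of the two labels was wrong. Nothing in the diff shows which, so the SHA should be checked against the upstream `v6.0.1` tag before merging. A label naming the wrong major version hides which inputs and behaviour the step actually runs with. If the SHA is a v6 release, the `file:`, `flags:` and `use_oidc:` inputs in the callers deserve a look against that version's documented inputs. The same relabel is repeated in superset-frontend.yml, superset-python-integrationtest.yml, superset-python-presto-hive.yml and superset-python-unittest.yml.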
@@ -70,7 +70,7 @@ jobs: run: | ./scripts/python_tests.sh - name: Upload code coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: python,mysql verbose: true @@ -164,7 +164,7 @@ jobs: run: | ./scripts/python_tests.sh - name: Upload code coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: python,postgres verbose: true @@ -219,7 +219,7 @@ jobs: run: | ./scripts/python_tests.sh - name: Upload code coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: python,sqlite verbose: true diff --git a/.github/workflows/superset-python-presto-hive.yml b/.github/workflows/superset-python-presto-hive.yml index 20c3b96d35a..264b124f8c5 100644 --- a/.github/workflows/superset-python-presto-hive.yml +++ b/.github/workflows/superset-python-presto-hive.yml @@ -79,7 +79,7 @@ jobs: run: | ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow' - name: Upload code coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: python,presto verbose: true @@ -150,7 +150,7 @@ jobs: pip install -e .[hive] ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow' - name: Upload code coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: python,hive verbose: true diff --git a/.github/workflows/superset-python-unittest.yml b/.github/workflows/superset-python-unittest.yml index c7c5e9a0a7d..5a71d311ac2 100644 --- a/.github/workflows/superset-python-unittest.yml 
+++ b/.github/workflows/superset-python-unittest.yml @@ -56,7 +56,7 @@ jobs: pytest --durations-min=0.5 --cov=superset/sql/ ./tests/unit_tests/sql/ --cache-clear --cov-fail-under=100 pytest --durations-min=0.5 --cov=superset/semantic_layers/ ./tests/unit_tests/semantic_layers/ --cache-clear --cov-fail-under=100 - name: Upload code coverage - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v5 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 with: flags: python,unit verbose: true diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index f97d9aaa449..874f243666c 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -21,6 +21,9 @@ on: options: - 'true' - 'false' +permissions: + contents: read + jobs: config: runs-on: ubuntu-24.04 @@ -42,6 +45,8 @@ jobs: if: needs.config.outputs.has-secrets name: docker-release runs-on: ubuntu-24.04 + permissions: + contents: write strategy: matrix: build_preset: ["dev", "lean", "py310", "websocket", "dockerize", "py311", "py312"] @@ -51,6 +56,7 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: + persist-credentials: false fetch-depth: 0 - name: Setup Docker Environment @@ -114,6 +120,7 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: + persist-credentials: false fetch-depth: 0 - name: Use Node.js 20 diff --git a/.github/workflows/tech-debt.yml b/.github/workflows/tech-debt.yml index d11ae6d3e1e..41880594a9b 100644 --- a/.github/workflows/tech-debt.yml +++ b/.github/workflows/tech-debt.yml 
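Review bot: In `.github/workflows/tag-release.yml` the new `permissions:` key starts on the line directly after the last `options:` entry (`- 'false'`) of the `on:` block, with a blank line only after it. As far as the collapsed hunks show, the other workflows in this commit (e.g. claude.yml and release.yml) set the block off with a blank line on both sides. Adding one before `permissions:` keeps the top-level keys visually separate and makes the new default harder to misread as part of the trigger inputs.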
@@ -33,6 +33,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Set up Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 diff --git a/.github/workflows/welcome-new-users.yml b/.github/workflows/welcome-new-users.yml index 00357aa7c7e..8739ef2100c 100644 --- a/.github/workflows/welcome-new-users.yml +++ b/.github/workflows/welcome-new-users.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Welcome Message - uses: actions/first-interaction@v3 + uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3 with: repo_token: ${{ github.token }} issue_message: |-