chore(ci): harden GitHub Actions workflows per static analysis (#40545)

Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 09:39:25 +00:00 · 2026-05-29 23:13:43 -07:00
parent f4787a4f25
commit 2e7bec3646
24 changed files with 95 additions and 44 deletions
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -16,6 +16,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_sha || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  linkinator:
    # See docs here: https://github.com/marketplace/actions/linkinator
@@ -25,6 +28,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
      # Do not bump this linkinator-action version without opening
      # an ASF Infra ticket to allow the new version first!
      - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9  # v2.3