chore(ci): resolve remaining GitHub Actions static-analysis findings (#40556)

Co-authored-by: Claude Code <noreply@anthropic.com>

.github/actions/setup-backend/action.yml

@@ -24,32 +24,41 @@ runs:
     - name: Interpret Python Version
       id: set-python-version
       shell: bash
+      env:
+        INPUT_PYTHON_VERSION: ${{ inputs.python-version }}
       run: |
-        if [ "${{ inputs.python-version }}" = "current" ]; then
-          echo "PYTHON_VERSION=3.11" >> $GITHUB_ENV
-        elif [ "${{ inputs.python-version }}" = "next" ]; then
+        if [ "$INPUT_PYTHON_VERSION" = "current" ]; then
+          RESOLVED_VERSION="3.11"
+        elif [ "$INPUT_PYTHON_VERSION" = "next" ]; then
           # currently disabled in GHA matrixes because of library compatibility issues
-          echo "PYTHON_VERSION=3.12" >> $GITHUB_ENV
-        elif [ "${{ inputs.python-version }}" = "previous" ]; then
-          echo "PYTHON_VERSION=3.10" >> $GITHUB_ENV
+          RESOLVED_VERSION="3.12"
+        elif [ "$INPUT_PYTHON_VERSION" = "previous" ]; then
+          RESOLVED_VERSION="3.10"
+        elif printf '%s' "$INPUT_PYTHON_VERSION" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$'; then
+          RESOLVED_VERSION="$INPUT_PYTHON_VERSION"
         else
-          echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV
+          echo "Invalid python-version: '$INPUT_PYTHON_VERSION'" >&2
+          exit 1
         fi
-    - name: Set up Python ${{ env.PYTHON_VERSION }}
+        echo "python-version=$RESOLVED_VERSION" >> "$GITHUB_OUTPUT"
+    - name: Set up Python ${{ steps.set-python-version.outputs.python-version }}
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
-        python-version: ${{ env.PYTHON_VERSION }}
+        python-version: ${{ steps.set-python-version.outputs.python-version }}
         cache: ${{ inputs.cache }}
     - name: Install dependencies
+      env:
+        INPUT_INSTALL_SUPERSET: ${{ inputs.install-superset }}
+        INPUT_REQUIREMENTS_TYPE: ${{ inputs.requirements-type }}
       run: |
-        if [ "${{ inputs.install-superset }}" = "true" ]; then
+        if [ "$INPUT_INSTALL_SUPERSET" = "true" ]; then
           sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev
 
           pip install --upgrade pip setuptools wheel uv
 
-          if [ "${{ inputs.requirements-type }}" = "dev" ]; then
+          if [ "$INPUT_REQUIREMENTS_TYPE" = "dev" ]; then
             uv pip install --system -r requirements/development.txt
-          elif [ "${{ inputs.requirements-type }}" = "base" ]; then
+          elif [ "$INPUT_REQUIREMENTS_TYPE" = "base" ]; then
             uv pip install --system -r requirements/base.txt
           fi
 

.github/workflows/docker.yml

@@ -73,20 +73,21 @@ jobs:
         shell: bash
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_PRESET: ${{ matrix.build_preset }}
         run: |
           # Single platform builds in pull_request context to speed things up
-          if [ "${{ github.event_name }}" = "push" ]; then
+          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
             PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64"
             # can only --load images in single-platform builds
             PUSH_OR_LOAD="--push"
-          elif [ "${{ github.event_name }}" = "pull_request" ]; then
+          elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
             PLATFORM_ARG="--platform linux/amd64"
             PUSH_OR_LOAD="--load"
           fi
 
           supersetbot docker \
             $PUSH_OR_LOAD \
-            --preset ${{ matrix.build_preset }} \
+            --preset "$BUILD_PRESET" \
             --context "$EVENT" \
             --context-ref "$RELEASE" $FORCE_LATEST \
             --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
@@ -112,8 +113,10 @@ jobs:
       - name: docker-compose sanity check
         if: (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) && matrix.build_preset == 'dev'
         shell: bash
+        env:
+          BUILD_PRESET: ${{ matrix.build_preset }}
         run: |
-          export SUPERSET_BUILD_TARGET=${{ matrix.build_preset }}
+          export SUPERSET_BUILD_TARGET=$BUILD_PRESET
           # This should reuse the CACHED image built in the previous steps
           docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false
           docker compose up superset-init --exit-code-from superset-init

.github/workflows/latest-release-tag.yml

@@ -19,10 +19,10 @@ jobs:
 
     - name: Check for latest tag
       id: latest-tag
-      run: |
-        source ./scripts/tag_latest_release.sh $(echo ${GITHUB_EVENT_RELEASE_TAG_NAME}) --dry-run
       env:
-        GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+      run: |
+        source ./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run
 
     - name: Configure Git
       run: |

.github/workflows/pre-commit.yml

@@ -71,10 +71,12 @@ jobs:
           output: ' '
 
       - name: pre-commit
+        env:
+          CHANGED_FILES: ${{ steps.changed_files.outputs.files }}
         run: |
           set +e  # Don't exit immediately on failure
           export SKIP=type-checking-frontend
-          pre-commit run --files ${{ steps.changed_files.outputs.files }}
+          pre-commit run --files $CHANGED_FILES
           PRE_COMMIT_EXIT_CODE=$?
           git diff --quiet --exit-code
           GIT_DIFF_EXIT_CODE=$?

.github/workflows/showtime-trigger.yml

@@ -2,6 +2,7 @@ name: 🎪 Superset Showtime
 
 # Ultra-simple: just sync on any PR state change
 on:
+  # zizmor: ignore[dangerous-triggers] - required to react to PR label changes; this workflow does not check out or execute PR-provided code
   pull_request_target:
     types: [labeled, unlabeled, synchronize, closed]
 
@@ -102,7 +103,7 @@ jobs:
       - name: Install Superset Showtime
         if: steps.auth.outputs.authorized == 'true'
         run: |
-          echo "::notice::Maintainer ${GITHUB_ACTOR} triggered deploy for PR ${PULL_REQUEST_NUMBER}"
+          echo "::notice::Maintainer $GITHUB_ACTOR triggered deploy for PR ${PULL_REQUEST_NUMBER}"
           pip install --upgrade superset-showtime
           showtime version
 
@@ -173,9 +174,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          CHECK_PR_NUMBER: ${{ steps.check.outputs.pr_number }}
+          CHECK_TARGET_SHA: ${{ steps.check.outputs.target_sha }}
         run: |
-          PR_NUM="${{ steps.check.outputs.pr_number }}"
-          TARGET_SHA="${{ steps.check.outputs.target_sha }}"
+          PR_NUM="$CHECK_PR_NUMBER"
+          TARGET_SHA="$CHECK_TARGET_SHA"
           if [[ -n "$TARGET_SHA" ]]; then
             python -m showtime sync $PR_NUM --sha "$TARGET_SHA"
           else

.github/workflows/superset-docs-deploy.yml

@@ -2,6 +2,7 @@ name: Docs Deployment
 
 on:
   # Deploy after integration tests complete on master
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context after a trusted upstream workflow; scoped to master
   workflow_run:
     workflows: ["Python-Integration"]
     types: [completed]

.github/workflows/superset-docs-verify.yml

@@ -7,6 +7,7 @@ on:
       - "superset/db_engine_specs/**"
       - ".github/workflows/superset-docs-verify.yml"
     types: [synchronize, opened, reopened, ready_for_review]
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes artifacts from the trusted upstream workflow
   workflow_run:
     workflows: ["Python-Integration"]
     types: [completed]

.github/workflows/superset-e2e.yml

@@ -141,8 +141,9 @@ jobs:
       - name: Set safe app root
         if: failure()
         id: set-safe-app-root
+        env:
+          APP_ROOT: ${{ matrix.app_root }}
         run: |
-          APP_ROOT="${{ matrix.app_root }}"
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Artifacts
@@ -254,8 +255,9 @@ jobs:
       - name: Set safe app root
         if: failure()
         id: set-safe-app-root
+        env:
+          APP_ROOT: ${{ matrix.app_root }}
         run: |
-          APP_ROOT="${{ matrix.app_root }}"
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Playwright Artifacts

.github/workflows/superset-helm-release.yml

@@ -62,6 +62,8 @@ jobs:
         run: echo "branch_name=helm-publish-${GITHUB_SHA:0:7}" >> $GITHUB_ENV
 
       - name: Force recreate branch from gh-pages
+        env:
+          BRANCH_NAME: ${{ env.branch_name }}
         run: |
           # Ensure a clean working directory
           git reset --hard
@@ -73,13 +75,13 @@ jobs:
           git fetch origin gh-pages
 
           # Check out and reset the target branch based on gh-pages
-          git checkout -B ${{ env.branch_name }} origin/gh-pages
+          git checkout -B "$BRANCH_NAME" origin/gh-pages
 
           # Remove submodules from the branch
           git submodule deinit -f --all
 
           # Force push to the remote branch
-          git push origin ${{ env.branch_name }} --force
+          git push origin "$BRANCH_NAME" --force
 
           # Return to the original branch
           git checkout local_gha_temp
@@ -104,7 +106,7 @@ jobs:
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
-            const branchName = '${{ env.branch_name }}';
+            const branchName = process.env.BRANCH_NAME;
             const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
 
             if (!branchName) {

.github/workflows/superset-translations-comment.yml

@@ -1,6 +1,7 @@
 name: Translation Regression Comment
 
 on:
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes the uploaded artifact; never checks out PR code (see note below)
   workflow_run:
     workflows: ["Translations"]
     types: [completed]

.github/workflows/superset-translations.yml

@@ -84,13 +84,15 @@ jobs:
       # drift on the base branch.
       - name: Fetch base ref and create comparison worktree
         if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        env:
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           # For PRs use the base branch; for direct pushes compare against the previous commit.
-          BASE_REF="${{ github.event.pull_request.base.ref }}"
+          BASE_REF="$PR_BASE_REF"
           if [ -n "$BASE_REF" ]; then
             git fetch --depth=1 origin "$BASE_REF"
           else
-            git fetch --depth=2 origin "${{ github.ref }}"
+            git fetch --depth=2 origin "$GITHUB_REF"
           fi
           git worktree add /tmp/base-worktree FETCH_HEAD
 

.github/workflows/tag-release.yml

@@ -68,9 +68,11 @@ jobs:
           build: "true"
 
       - name: Use Node.js 20
+        # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 20
+          package-manager-cache: false
 
       - name: Setup supersetbot
         uses: ./.github/actions/setup-supersetbot/
@@ -125,9 +127,11 @@ jobs:
           fetch-depth: 0
 
       - name: Use Node.js 20
+        # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 20
+          package-manager-cache: false
 
       - name: Setup supersetbot
         uses: ./.github/actions/setup-supersetbot/

.github/workflows/welcome-new-users.yml

@@ -1,6 +1,7 @@
 name: Welcome New Contributor
 
 on:
+  # zizmor: ignore[dangerous-triggers] - posts a welcome comment only; does not check out or execute PR-provided code
   pull_request_target:
     types: [opened]