From 7e8b8e25a5e59e048b3ff5253bdab4e6f68a71e4 Mon Sep 17 00:00:00 2001 From: Evan Rusackas Date: Sun, 31 May 2026 03:55:26 -0700 Subject: [PATCH] chore(ci): resolve remaining GitHub Actions static-analysis findings (#40556) Co-authored-by: Claude Code --- .github/actions/setup-backend/action.yml | 33 ++++++++++++------- .github/workflows/docker.yml | 11 ++++--- .github/workflows/latest-release-tag.yml | 6 ++-- .github/workflows/pre-commit.yml | 4 ++- .github/workflows/showtime-trigger.yml | 9 +++-- .github/workflows/superset-docs-deploy.yml | 1 + .github/workflows/superset-docs-verify.yml | 1 + .github/workflows/superset-e2e.yml | 6 ++-- .github/workflows/superset-helm-release.yml | 8 +++-- .../superset-translations-comment.yml | 1 + .github/workflows/superset-translations.yml | 6 ++-- .github/workflows/tag-release.yml | 4 +++ .github/workflows/welcome-new-users.yml | 1 + 13 files changed, 61 insertions(+), 30 deletions(-) diff --git a/.github/actions/setup-backend/action.yml b/.github/actions/setup-backend/action.yml index c4f2e787eb1..19e0a78500e 100644 --- a/.github/actions/setup-backend/action.yml +++ b/.github/actions/setup-backend/action.yml 
@@ -24,32 +24,41 @@ runs: - name: Interpret Python Version id: set-python-version shell: bash + env: + INPUT_PYTHON_VERSION: ${{ inputs.python-version }} run: | - if [ "${{ inputs.python-version }}" = "current" ]; then - echo "PYTHON_VERSION=3.11" >> $GITHUB_ENV - elif [ "${{ inputs.python-version }}" = "next" ]; then + if [ "$INPUT_PYTHON_VERSION" = "current" ]; then + RESOLVED_VERSION="3.11" + elif [ "$INPUT_PYTHON_VERSION" = "next" ]; then # currently disabled in GHA matrixes because of library compatibility issues - echo "PYTHON_VERSION=3.12" >> $GITHUB_ENV - elif [ "${{ inputs.python-version }}" = "previous" ]; then - echo "PYTHON_VERSION=3.10" >> $GITHUB_ENV + RESOLVED_VERSION="3.12" + elif [ "$INPUT_PYTHON_VERSION" = "previous" ]; then + RESOLVED_VERSION="3.10" + elif printf '%s' "$INPUT_PYTHON_VERSION" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$'; then + RESOLVED_VERSION="$INPUT_PYTHON_VERSION" else - echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV + echo "Invalid python-version: '$INPUT_PYTHON_VERSION'" >&2 + exit 1 fi - - name: Set up Python ${{ env.PYTHON_VERSION }} + echo "python-version=$RESOLVED_VERSION" >> "$GITHUB_OUTPUT" + - name: Set up Python ${{ steps.set-python-version.outputs.python-version }} uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: - python-version: ${{ env.PYTHON_VERSION }} + python-version: ${{ steps.set-python-version.outputs.python-version }} cache: ${{ inputs.cache }} - name: Install dependencies + env: + INPUT_INSTALL_SUPERSET: ${{ inputs.install-superset }} + INPUT_REQUIREMENTS_TYPE: ${{ inputs.requirements-type }} run: | - if [ "${{ inputs.install-superset }}" = "true" ]; then + if [ "$INPUT_INSTALL_SUPERSET" = "true" ]; then sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev pip install --upgrade pip setuptools wheel uv - if [ "${{ inputs.requirements-type }}" = "dev" ]; then + if [ "$INPUT_REQUIREMENTS_TYPE" = "dev" ]; then uv pip install --system -r 
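Review bot: The new `grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$'` branch in `Interpret Python Version` turns the old pass-through into an allow-list, which is the right call for a value that lands in a step name and an installer invocation, but it now rejects spellings that `actions/setup-python` itself accepts (`3.x`, `3.13-dev`, `pypy3.10`), and callers of this composite action will only discover that from the failing step. State the contract where callers read it, in the `python-version` input description above the hunk: `# Accepted: current | next | previous | an exact X.Y or X.Y.Z; anything else fails this step`. If any caller in the repo relies on one of the now-rejected forms, widen the pattern deliberately rather than loosening it back to pass-through.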
requirements/development.txt - elif [ "${{ inputs.requirements-type }}" = "base" ]; then + elif [ "$INPUT_REQUIREMENTS_TYPE" = "base" ]; then uv pip install --system -r requirements/base.txt fi diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 5a78d8ca773..558a285f770 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -73,20 +73,21 @@ jobs: shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BUILD_PRESET: ${{ matrix.build_preset }} run: | # Single platform builds in pull_request context to speed things up - if [ "${{ github.event_name }}" = "push" ]; then + if [ "$GITHUB_EVENT_NAME" = "push" ]; then PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64" # can only --load images in single-platform builds PUSH_OR_LOAD="--push" - elif [ "${{ github.event_name }}" = "pull_request" ]; then + elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then PLATFORM_ARG="--platform linux/amd64" PUSH_OR_LOAD="--load" fi supersetbot docker \ $PUSH_OR_LOAD \ - --preset ${{ matrix.build_preset }} \ + --preset "$BUILD_PRESET" \ --context "$EVENT" \ --context-ref "$RELEASE" $FORCE_LATEST \ --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \ @@ -112,8 +113,10 @@ jobs: - name: docker-compose sanity check if: (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) && matrix.build_preset == 'dev' shell: bash + env: + BUILD_PRESET: ${{ matrix.build_preset }} run: | - export SUPERSET_BUILD_TARGET=${{ matrix.build_preset }} + export SUPERSET_BUILD_TARGET=$BUILD_PRESET # This should reuse the CACHED image built in the previous steps docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false docker compose up superset-init --exit-code-from superset-init diff --git a/.github/workflows/latest-release-tag.yml b/.github/workflows/latest-release-tag.yml index cf7fa3c246e..0d1adc42da7 100644 --- a/.github/workflows/latest-release-tag.yml 
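Review bot: The rewritten `if "$GITHUB_EVENT_NAME" = "push" ... elif ... = "pull_request"` chain still has no `else`, so for any other event that reaches this job `PUSH_OR_LOAD` and `PLATFORM_ARG` stay empty and `supersetbot docker` is invoked with neither `--push` nor `--load`; the step does not `set -u`, so the empty expansion is silent. If the workflow's `on:` (outside the hunk) admits anything beyond push and pull_request, close the chain with `else echo "Unsupported event: $GITHUB_EVENT_NAME" >&2; exit 1; fi`. `$PUSH_OR_LOAD` and `$FORCE_LATEST` are left unquoted on purpose (empty or multi-word), which is fine, but a one-line comment saying so would keep the next lint pass from quoting them and breaking the call.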
+++ b/.github/workflows/latest-release-tag.yml @@ -19,10 +19,10 @@ jobs: - name: Check for latest tag id: latest-tag - run: | - source ./scripts/tag_latest_release.sh $(echo ${GITHUB_EVENT_RELEASE_TAG_NAME}) --dry-run env: - GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} + RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} + run: | + source ./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run - name: Configure Git run: | diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index d16a729bd21..de70c687eb7 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -71,10 +71,12 @@ jobs: output: ' ' - name: pre-commit + env: + CHANGED_FILES: ${{ steps.changed_files.outputs.files }} run: | set +e # Don't exit immediately on failure export SKIP=type-checking-frontend - pre-commit run --files ${{ steps.changed_files.outputs.files }} + pre-commit run --files $CHANGED_FILES PRE_COMMIT_EXIT_CODE=$? git diff --quiet --exit-code GIT_DIFF_EXIT_CODE=$? diff --git a/.github/workflows/showtime-trigger.yml b/.github/workflows/showtime-trigger.yml index cbe1aa54f48..4bff0497205 100644 --- a/.github/workflows/showtime-trigger.yml +++ b/.github/workflows/showtime-trigger.yml @@ -2,6 +2,7 @@ name: 🎪 Superset Showtime # Ultra-simple: just sync on any PR state change on: + # zizmor: ignore[dangerous-triggers] - required to react to PR label changes; this workflow does not check out or execute PR-provided code pull_request_target: types: [labeled, unlabeled, synchronize, closed] @@ -102,7 +103,7 @@ jobs: - name: Install Superset Showtime if: steps.auth.outputs.authorized == 'true' run: | - echo "::notice::Maintainer ${GITHUB_ACTOR} triggered deploy for PR ${PULL_REQUEST_NUMBER}" + echo "::notice::Maintainer $GITHUB_ACTOR triggered deploy for PR ${PULL_REQUEST_NUMBER}" pip install --upgrade superset-showtime showtime version 
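Review bot: `source ./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run` still executes the script inside the step's own shell, so an `exit` or `set -e` failure inside it terminates the step and any variables it assigns leak into the lines that follow; moving the tag name into `env:` fixes the expression injection but not this. Unless the step depends on variables the script exports (I cannot see the script or the `Configure Git` step after the hunk), run it as a child process: `./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run`. The quoting itself matters and should stay: `github.event.release.tag_name` is typed by whoever creates the release.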
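Review bot: `pre-commit run --files $CHANGED_FILES` is deliberately unquoted so the space-separated list word-splits into separate arguments, but that also applies pathname expansion to every name, and the names come from the PR (`steps.changed_files`, above the hunk): a contributor can add a file named `*` or `?`, or one starting with `-`, which becomes a glob over the checkout or an extra option to `pre-commit`. Disable globbing around the intentional split — `set -f` on the line before `pre-commit run`, `set +f` on the line after — with a comment that the list is PR-controlled. Filenames containing spaces still split incorrectly; if the upstream action can emit a newline-separated list, read it with `mapfile -t FILES` and pass `"${FILES[@]}"` instead.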
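Review bot: The rationale on the new `# zizmor: ignore[dangerous-triggers]` line ("does not check out or execute PR-provided code") appears to contradict this same file: the sync step in the `@@ -173` hunk runs `python -m showtime sync $PR_NUM --sha "$TARGET_SHA"` with DockerHub credentials in its environment, and by its name and arguments that builds or deploys the PR head. The control that actually makes the trigger acceptable is the `steps.auth.outputs.authorized == 'true'` gate visible on the install step, so the comment should say that: `# zizmor: ignore[dangerous-triggers] - needed for label events; every step that touches PR code is gated on steps.auth (maintainer-only)`. Also confirm zizmor honours an ignore on its own line above `pull_request_target:` — its comments are matched against the finding's span and the usual placement is inline on the key's line; the same layout is used in the other four workflows in this patch.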
@@ -173,9 +174,11 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} + CHECK_PR_NUMBER: ${{ steps.check.outputs.pr_number }} + CHECK_TARGET_SHA: ${{ steps.check.outputs.target_sha }} run: | - PR_NUM="${{ steps.check.outputs.pr_number }}" - TARGET_SHA="${{ steps.check.outputs.target_sha }}" + PR_NUM="$CHECK_PR_NUMBER" + TARGET_SHA="$CHECK_TARGET_SHA" if [[ -n "$TARGET_SHA" ]]; then python -m showtime sync $PR_NUM --sha "$TARGET_SHA" else diff --git a/.github/workflows/superset-docs-deploy.yml b/.github/workflows/superset-docs-deploy.yml index 380841228f9..8932e51f4fb 100644 --- a/.github/workflows/superset-docs-deploy.yml +++ b/.github/workflows/superset-docs-deploy.yml @@ -2,6 +2,7 @@ name: Docs Deployment on: # Deploy after integration tests complete on master + # zizmor: ignore[dangerous-triggers] - runs in base-branch context after a trusted upstream workflow; scoped to master workflow_run: workflows: ["Python-Integration"] types: [completed] diff --git a/.github/workflows/superset-docs-verify.yml b/.github/workflows/superset-docs-verify.yml index 1a2fda92f16..72f87014b07 100644 --- a/.github/workflows/superset-docs-verify.yml +++ b/.github/workflows/superset-docs-verify.yml @@ -7,6 +7,7 @@ on: - "superset/db_engine_specs/**" - ".github/workflows/superset-docs-verify.yml" types: [synchronize, opened, reopened, ready_for_review] + # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes artifacts from the trusted upstream workflow workflow_run: workflows: ["Python-Integration"] types: [completed] diff --git a/.github/workflows/superset-e2e.yml b/.github/workflows/superset-e2e.yml index 113658d7dc2..7db24579c62 100644 --- a/.github/workflows/superset-e2e.yml +++ b/.github/workflows/superset-e2e.yml 
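Review bot: `python -m showtime sync $PR_NUM --sha "$TARGET_SHA"` quotes the SHA but not the PR number, and neither value is shape-checked before reaching a command that has `DOCKERHUB_TOKEN` and `GITHUB_TOKEN` in its environment; both come from `steps.check`, which is outside the hunk, and on `pull_request_target` anything derived from the event payload is attacker-influenced. Add two guards after the assignments, `[[ "$PR_NUM" =~ ^[0-9]+$ ]] || { echo "bad PR number" >&2; exit 1; }` and `[[ -z "$TARGET_SHA" || "$TARGET_SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "bad SHA" >&2; exit 1; }`, and quote `"$PR_NUM"` for consistency with the rest of the patch. The enclosing step continues past the hunk.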
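Review bot: The ignore rationale claims the trigger is "scoped to master", but the `workflow_run:` block shown carries no `branches:` filter, and `workflow_run` fires for every completion of `Python-Integration` — including its `pull_request` runs on fork branches — with the base repository's token. If the scoping lives in a job-level `if:` below the hunk that works, but it is cheaper and easier to audit on the trigger itself: add `branches: [master]` under `workflow_run:`. Either way the comment should say where the check is so a reader of the ignore can verify it.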
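Review bot: "only consumes artifacts from the trusted upstream workflow" understates the risk that `dangerous-triggers` is about: the upstream run may have been a `pull_request` run, so the artifact's contents (and any PR number or ref stored in it) are authored by the PR even though this job runs in base-branch context. The ignore is reasonable only if the consuming job, which is outside the hunk, treats the artifact as untrusted data — extracts it to a scratch directory, validates numeric fields, never executes anything from it — and checks `github.event.workflow_run.conclusion` and head repository before acting. Suggest rewording to `# zizmor: ignore[dangerous-triggers] - base-branch context; the downloaded artifact is PR-authored and is parsed as data only`.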
@@ -141,8 +141,9 @@ jobs: - name: Set safe app root if: failure() id: set-safe-app-root + env: + APP_ROOT: ${{ matrix.app_root }} run: | - APP_ROOT="${{ matrix.app_root }}" SAFE_APP_ROOT=${APP_ROOT//\//_} echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT - name: Upload Artifacts @@ -254,8 +255,9 @@ jobs: - name: Set safe app root if: failure() id: set-safe-app-root + env: + APP_ROOT: ${{ matrix.app_root }} run: | - APP_ROOT="${{ matrix.app_root }}" SAFE_APP_ROOT=${APP_ROOT//\//_} echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT - name: Upload Playwright Artifacts diff --git a/.github/workflows/superset-helm-release.yml b/.github/workflows/superset-helm-release.yml index 732f64ea980..29364b46926 100644 --- a/.github/workflows/superset-helm-release.yml +++ b/.github/workflows/superset-helm-release.yml @@ -62,6 +62,8 @@ jobs: run: echo "branch_name=helm-publish-${GITHUB_SHA:0:7}" >> $GITHUB_ENV - name: Force recreate branch from gh-pages + env: + BRANCH_NAME: ${{ env.branch_name }} run: | # Ensure a clean working directory git reset --hard @@ -73,13 +75,13 @@ jobs: git fetch origin gh-pages # Check out and reset the target branch based on gh-pages - git checkout -B ${{ env.branch_name }} origin/gh-pages + git checkout -B "$BRANCH_NAME" origin/gh-pages # Remove submodules from the branch git submodule deinit -f --all # Force push to the remote branch - git push origin ${{ env.branch_name }} --force + git push origin "$BRANCH_NAME" --force # Return to the original branch git checkout local_gha_temp @@ -104,7 +106,7 @@ jobs: uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | - const branchName = '${{ env.branch_name }}'; + const branchName = process.env.BRANCH_NAME; const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/'); if (!branchName) { diff --git a/.github/workflows/superset-translations-comment.yml b/.github/workflows/superset-translations-comment.yml index 04a43acf39d..739ed5d64f4 100644 
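Review bot: `echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT` leaves `$GITHUB_OUTPUT` unquoted in both copies of this step while the same patch quotes that redirection in `setup-backend/action.yml`; make them agree with `>> "$GITHUB_OUTPUT"`. `matrix.app_root` is defined in the workflow so the value is trusted, but the substitution only rewrites `/`; if any matrix entry can contain spaces or other characters that are unsafe in an artifact name, widen it to `SAFE_APP_ROOT=${APP_ROOT//[^A-Za-z0-9_.-]/_}`. The same applies to the duplicate step in the `@@ -254` hunk.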
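Review bot: `const branchName = process.env.BRANCH_NAME;` reads a step-level environment variable, but the only `env: BRANCH_NAME:` this patch adds is on the `Force recreate branch from gh-pages` shell step in the `@@ -62` hunk, and step `env` is not shared between steps; the file's diffstat (8 lines) is fully accounted for by the visible hunks, so unless this `github-script` step already declared `BRANCH_NAME` before the patch, `branchName` is now `undefined` and the `if (!branchName)` guard fires on every run. Add to this step, above `uses:`, the two lines `env:` and `  BRANCH_NAME: ${{ env.branch_name }}`. The step and script body continue outside the hunk.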
--- a/.github/workflows/superset-translations-comment.yml +++ b/.github/workflows/superset-translations-comment.yml @@ -1,6 +1,7 @@ name: Translation Regression Comment on: + # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes the uploaded artifact; never checks out PR code (see note below) workflow_run: workflows: ["Translations"] types: [completed] diff --git a/.github/workflows/superset-translations.yml b/.github/workflows/superset-translations.yml index 042ac3fc144..08e06e4133d 100644 --- a/.github/workflows/superset-translations.yml +++ b/.github/workflows/superset-translations.yml @@ -84,13 +84,15 @@ jobs: # drift on the base branch. - name: Fetch base ref and create comparison worktree if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true' + env: + PR_BASE_REF: ${{ github.event.pull_request.base.ref }} run: | # For PRs use the base branch; for direct pushes compare against the previous commit. - BASE_REF="${{ github.event.pull_request.base.ref }}" + BASE_REF="$PR_BASE_REF" if [ -n "$BASE_REF" ]; then git fetch --depth=1 origin "$BASE_REF" else - git fetch --depth=2 origin "${{ github.ref }}" + git fetch --depth=2 origin "$GITHUB_REF" fi git worktree add /tmp/base-worktree FETCH_HEAD diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 7ff7ac417ad..370c8fa87a3 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -68,9 +68,11 @@ jobs: build: "true" - name: Use Node.js 20 + # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 20 + package-manager-cache: false - name: Setup supersetbot uses: ./.github/actions/setup-supersetbot/ 
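Review bot: The new ignore comment defers to a "note below" that is outside the hunk, so I cannot check it, but the property it must establish is specific: the artifact uploaded by the `Translations` run is produced while that workflow runs on the PR head, so the PR number and any text the comment job reads from it are chosen by the PR author. The consumer should validate the number (`^[0-9]+$`), cross-check it against `github.event.workflow_run.pull_requests[].number`, and hand the comment body to the API as data rather than interpolating it into a shell line or a `${{ }}` expression. If the note already covers this, cite it precisely instead of "see note below", e.g. `(see the 'why this is safe' comment on the comment job)`.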
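Review bot: With `package-manager-cache: false` now set, `actions/setup-node` no longer restores a dependency cache, which is the condition zizmor's `cache-poisoning` rule keys on, so the `# zizmor: ignore[cache-poisoning]` line added just above it may be dead code after this change. Run zizmor once without the ignore; if the finding is gone, drop the comment in both `Use Node.js 20` steps so it cannot mask a future re-enabling of the cache in this publish-context workflow, and if it remains, keep it — the text already names `package-manager-cache: false` as the mitigation, which is the right justification.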
@@ -125,9 +127,11 @@ jobs: fetch-depth: 0 - name: Use Node.js 20 + # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 20 + package-manager-cache: false - name: Setup supersetbot uses: ./.github/actions/setup-supersetbot/ diff --git a/.github/workflows/welcome-new-users.yml b/.github/workflows/welcome-new-users.yml index d30215da393..8f1dd1fd4e1 100644 --- a/.github/workflows/welcome-new-users.yml +++ b/.github/workflows/welcome-new-users.yml @@ -1,6 +1,7 @@ name: Welcome New Contributor on: + # zizmor: ignore[dangerous-triggers] - posts a welcome comment only; does not check out or execute PR-provided code pull_request_target: types: [opened]