chore(ci): resolve remaining GitHub Actions static-analysis findings (#40556)

Co-authored-by: Claude Code <noreply@anthropic.com>

.github/workflows/docker.yml

@@ -73,20 +73,21 @@ jobs:
         shell: bash
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_PRESET: ${{ matrix.build_preset }}
         run: |
           # Single platform builds in pull_request context to speed things up
-          if [ "${{ github.event_name }}" = "push" ]; then
+          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
             PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64"
             # can only --load images in single-platform builds
             PUSH_OR_LOAD="--push"
-          elif [ "${{ github.event_name }}" = "pull_request" ]; then
+          elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
             PLATFORM_ARG="--platform linux/amd64"
             PUSH_OR_LOAD="--load"
           fi
 
           supersetbot docker \
             $PUSH_OR_LOAD \
-            --preset ${{ matrix.build_preset }} \
+            --preset "$BUILD_PRESET" \
             --context "$EVENT" \
             --context-ref "$RELEASE" $FORCE_LATEST \
             --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
@@ -112,8 +113,10 @@ jobs:
       - name: docker-compose sanity check
         if: (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) && matrix.build_preset == 'dev'
         shell: bash
+        env:
+          BUILD_PRESET: ${{ matrix.build_preset }}
         run: |
-          export SUPERSET_BUILD_TARGET=${{ matrix.build_preset }}
+          export SUPERSET_BUILD_TARGET=$BUILD_PRESET
           # This should reuse the CACHED image built in the previous steps
           docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false
           docker compose up superset-init --exit-code-from superset-init

.github/workflows/latest-release-tag.yml

@@ -19,10 +19,10 @@ jobs:
 
     - name: Check for latest tag
       id: latest-tag
-      run: |
-        source ./scripts/tag_latest_release.sh $(echo ${GITHUB_EVENT_RELEASE_TAG_NAME}) --dry-run
       env:
-        GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+      run: |
+        source ./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run
 
     - name: Configure Git
       run: |

.github/workflows/pre-commit.yml

@@ -71,10 +71,12 @@ jobs:
           output: ' '
 
       - name: pre-commit
+        env:
+          CHANGED_FILES: ${{ steps.changed_files.outputs.files }}
         run: |
           set +e  # Don't exit immediately on failure
           export SKIP=type-checking-frontend
-          pre-commit run --files ${{ steps.changed_files.outputs.files }}
+          pre-commit run --files $CHANGED_FILES
           PRE_COMMIT_EXIT_CODE=$?
           git diff --quiet --exit-code
           GIT_DIFF_EXIT_CODE=$?

.github/workflows/showtime-trigger.yml

@@ -2,6 +2,7 @@ name: 🎪 Superset Showtime
 
 # Ultra-simple: just sync on any PR state change
 on:
+  # zizmor: ignore[dangerous-triggers] - required to react to PR label changes; this workflow does not check out or execute PR-provided code
   pull_request_target:
     types: [labeled, unlabeled, synchronize, closed]
 
@@ -102,7 +103,7 @@ jobs:
       - name: Install Superset Showtime
         if: steps.auth.outputs.authorized == 'true'
         run: |
-          echo "::notice::Maintainer ${GITHUB_ACTOR} triggered deploy for PR ${PULL_REQUEST_NUMBER}"
+          echo "::notice::Maintainer $GITHUB_ACTOR triggered deploy for PR ${PULL_REQUEST_NUMBER}"
           pip install --upgrade superset-showtime
           showtime version
 
@@ -173,9 +174,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
           DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          CHECK_PR_NUMBER: ${{ steps.check.outputs.pr_number }}
+          CHECK_TARGET_SHA: ${{ steps.check.outputs.target_sha }}
         run: |
-          PR_NUM="${{ steps.check.outputs.pr_number }}"
-          TARGET_SHA="${{ steps.check.outputs.target_sha }}"
+          PR_NUM="$CHECK_PR_NUMBER"
+          TARGET_SHA="$CHECK_TARGET_SHA"
           if [[ -n "$TARGET_SHA" ]]; then
             python -m showtime sync $PR_NUM --sha "$TARGET_SHA"
           else

.github/workflows/superset-docs-deploy.yml

@@ -2,6 +2,7 @@ name: Docs Deployment
 
 on:
   # Deploy after integration tests complete on master
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context after a trusted upstream workflow; scoped to master
   workflow_run:
     workflows: ["Python-Integration"]
     types: [completed]

.github/workflows/superset-docs-verify.yml

@@ -7,6 +7,7 @@ on:
       - "superset/db_engine_specs/**"
       - ".github/workflows/superset-docs-verify.yml"
     types: [synchronize, opened, reopened, ready_for_review]
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes artifacts from the trusted upstream workflow
   workflow_run:
     workflows: ["Python-Integration"]
     types: [completed]

.github/workflows/superset-e2e.yml

@@ -141,8 +141,9 @@ jobs:
       - name: Set safe app root
         if: failure()
         id: set-safe-app-root
+        env:
+          APP_ROOT: ${{ matrix.app_root }}
         run: |
-          APP_ROOT="${{ matrix.app_root }}"
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Artifacts
@@ -254,8 +255,9 @@ jobs:
       - name: Set safe app root
         if: failure()
         id: set-safe-app-root
+        env:
+          APP_ROOT: ${{ matrix.app_root }}
         run: |
-          APP_ROOT="${{ matrix.app_root }}"
           SAFE_APP_ROOT=${APP_ROOT//\//_}
           echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
       - name: Upload Playwright Artifacts

.github/workflows/superset-helm-release.yml

@@ -62,6 +62,8 @@ jobs:
         run: echo "branch_name=helm-publish-${GITHUB_SHA:0:7}" >> $GITHUB_ENV
 
       - name: Force recreate branch from gh-pages
+        env:
+          BRANCH_NAME: ${{ env.branch_name }}
         run: |
           # Ensure a clean working directory
           git reset --hard
@@ -73,13 +75,13 @@ jobs:
           git fetch origin gh-pages
 
           # Check out and reset the target branch based on gh-pages
-          git checkout -B ${{ env.branch_name }} origin/gh-pages
+          git checkout -B "$BRANCH_NAME" origin/gh-pages
 
           # Remove submodules from the branch
           git submodule deinit -f --all
 
           # Force push to the remote branch
-          git push origin ${{ env.branch_name }} --force
+          git push origin "$BRANCH_NAME" --force
 
           # Return to the original branch
           git checkout local_gha_temp
@@ -104,7 +106,7 @@ jobs:
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         with:
           script: |
-            const branchName = '${{ env.branch_name }}';
+            const branchName = process.env.BRANCH_NAME;
             const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
 
             if (!branchName) {

.github/workflows/superset-translations-comment.yml

@@ -1,6 +1,7 @@
 name: Translation Regression Comment
 
 on:
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes the uploaded artifact; never checks out PR code (see note below)
   workflow_run:
     workflows: ["Translations"]
     types: [completed]

.github/workflows/superset-translations.yml

@@ -84,13 +84,15 @@ jobs:
       # drift on the base branch.
       - name: Fetch base ref and create comparison worktree
         if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        env:
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           # For PRs use the base branch; for direct pushes compare against the previous commit.
-          BASE_REF="${{ github.event.pull_request.base.ref }}"
+          BASE_REF="$PR_BASE_REF"
           if [ -n "$BASE_REF" ]; then
             git fetch --depth=1 origin "$BASE_REF"
           else
-            git fetch --depth=2 origin "${{ github.ref }}"
+            git fetch --depth=2 origin "$GITHUB_REF"
           fi
           git worktree add /tmp/base-worktree FETCH_HEAD
 

.github/workflows/tag-release.yml

@@ -68,9 +68,11 @@ jobs:
           build: "true"
 
       - name: Use Node.js 20
+        # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 20
+          package-manager-cache: false
 
       - name: Setup supersetbot
         uses: ./.github/actions/setup-supersetbot/
@@ -125,9 +127,11 @@ jobs:
           fetch-depth: 0
 
       - name: Use Node.js 20
+        # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: 20
+          package-manager-cache: false
 
       - name: Setup supersetbot
         uses: ./.github/actions/setup-supersetbot/

.github/workflows/welcome-new-users.yml

@@ -1,6 +1,7 @@
 name: Welcome New Contributor
 
 on:
+  # zizmor: ignore[dangerous-triggers] - posts a welcome comment only; does not check out or execute PR-provided code
   pull_request_target:
     types: [opened]