From 96c16cb17526c2d80abf4bbd909f8527adb759d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=90=E1=BB=97=20Tr=E1=BB=8Dng=20H=E1=BA=A3i?= <41283691+hainenber@users.noreply.github.com> Date: Sat, 21 Mar 2026 21:27:30 +0700 Subject: [PATCH] feat(sec): harden GHA ref by using its SHA ID to prevent accidental usage of compromised actions (#38782) 
Signed-off-by: hainenber (cherry picked from commit 83823911b552bb581c8916d5b94db6ab4564c9b0) --- .github/actions/setup-docker/action.yml | 6 +-- .github/workflows/bump-python-package.yml | 5 +-- .github/workflows/cancel_duplicates.yml | 2 +- .github/workflows/check-python-deps.yml | 3 +- .../workflows/check_db_migration_confict.yml | 4 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 6 +-- .github/workflows/docker.yml | 8 ++-- .github/workflows/embedded-sdk-release.yml | 6 +-- .github/workflows/embedded-sdk-test.yml | 6 +-- .github/workflows/ephemeral-env-pr-close.yml | 2 +- .github/workflows/ephemeral-env.yml | 34 +++++++-------- .github/workflows/generate-FOSSA-report.yml | 4 +- .github/workflows/github-action-validator.yml | 7 ++-- .github/workflows/issue_creation.yml | 3 +- .github/workflows/latest-release-tag.yml | 42 +++++++++---------- .github/workflows/license-check.yml | 8 ++-- .github/workflows/no-hold-label.yml | 20 ++++----- .github/workflows/pr-lint.yml | 5 +-- .github/workflows/pre-commit.yml | 3 +- .github/workflows/release.yml | 8 ++-- .github/workflows/superset-app-cli.yml | 2 +- .github/workflows/superset-docs-deploy.yml | 16 +++---- .github/workflows/superset-docs-verify.yml | 10 ++--- .github/workflows/superset-e2e.yml | 24 +++++------ .github/workflows/superset-extensions-cli.yml | 8 ++-- .github/workflows/superset-frontend.yml | 17 ++++---- .github/workflows/superset-helm-lint.yml | 6 +-- .github/workflows/superset-helm-release.yml | 6 +-- .../superset-python-integrationtest.yml | 12 +++--- .../workflows/superset-python-presto-hive.yml | 8 ++-- .../workflows/superset-python-unittest.yml | 4 +- .github/workflows/superset-translations.yml | 8 ++-- .github/workflows/superset-websocket.yml | 2 +- .github/workflows/supersetbot.yml | 6 +-- .github/workflows/tag-release.yml | 19 ++++----- .github/workflows/tech-debt.yml | 6 +-- requirements/base.txt | 3 ++ 38 files changed, 168 insertions(+), 173 deletions(-) 
diff --git a/.github/actions/setup-docker/action.yml b/.github/actions/setup-docker/action.yml index 71a559829f6..91f2c8ce954 100644 --- a/.github/actions/setup-docker/action.yml +++ b/.github/actions/setup-docker/action.yml @@ -26,16 +26,16 @@ runs: - name: Set up QEMU if: ${{ inputs.build == 'true' }} - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx if: ${{ inputs.build == 'true' }} - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Try to login to DockerHub if: ${{ inputs.login-to-dockerhub == 'true' }} continue-on-error: true - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ inputs.dockerhub-user }} password: ${{ inputs.dockerhub-token }} diff --git a/.github/workflows/bump-python-package.yml b/.github/workflows/bump-python-package.yml index 36da48fbb10..5b8e9628aa8 100644 --- a/.github/workflows/bump-python-package.yml +++ b/.github/workflows/bump-python-package.yml @@ -30,9 +30,8 @@ jobs: pull-requests: write checks: write steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: true ref: master @@ -41,7 +40,7 @@ jobs: uses: ./.github/actions/setup-supersetbot/ - name: Set up Python ${{ inputs.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: "3.10" diff --git a/.github/workflows/cancel_duplicates.yml b/.github/workflows/cancel_duplicates.yml index 24e1eb40afc..76525767ad0 100644 --- a/.github/workflows/cancel_duplicates.yml +++ b/.github/workflows/cancel_duplicates.yml 
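Review bot: In bump-python-package.yml the pin comments (`# v6`) name only a moving major tag, so a reader cannot match `de0fac2e4500dabe0009e67214ff5f5447ce83dd` to one immutable release; setup-docker/action.yml in this same patch records exact versions (`# v3.6.0`). Suggest writing the exact release the SHA was taken from, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.x.y` (placeholder, fill in the real tag), here and in the other workflows whose comments read `# v5`, `# v6`, `# v7` or `# v8`. These lines also move checkout from v4 to v6 and setup-python from v5 to v6, which is more than pinning. Because this checkout runs with `persist-credentials: true`, the upgrade deserves its own check against the release notes. The job body continues outside the hunk.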
@@ -31,7 +31,7 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" if: steps.check_queued.outputs.count >= 20 - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Cancel duplicate workflow runs if: steps.check_queued.outputs.count >= 20 diff --git a/.github/workflows/check-python-deps.yml b/.github/workflows/check-python-deps.yml index 749c41b75f8..bd006d53a73 100644 --- a/.github/workflows/check-python-deps.yml +++ b/.github/workflows/check-python-deps.yml @@ -17,9 +17,8 @@ jobs: check-python-deps: runs-on: ubuntu-22.04 steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive diff --git a/.github/workflows/check_db_migration_confict.yml b/.github/workflows/check_db_migration_confict.yml index d9a6ca85e8c..5d9508edbed 100644 --- a/.github/workflows/check_db_migration_confict.yml +++ b/.github/workflows/check_db_migration_confict.yml @@ -25,9 +25,9 @@ jobs: pull-requests: write steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Check and notify - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ github.token }} script: | diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b038a5723ad..4213e772d95 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -31,7 +31,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Check for file changes id: check 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 65771ed8253..dbe5828ceb3 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -27,9 +27,9 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout Repository" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: "Dependency Review" - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 continue-on-error: true with: fail-on-severity: critical @@ -51,7 +51,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: "Checkout Repository" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Python uses: ./.github/actions/setup-backend/ diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index df36d2f546d..0143f4399fc 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -14,7 +14,6 @@ concurrency: cancel-in-progress: true jobs: - setup_matrix: runs-on: ubuntu-24.04 outputs: @@ -40,9 +39,8 @@ jobs: IMAGE_TAG: apache/superset:GHA-${{ matrix.build_preset }}-${{ github.run_id }} steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -91,7 +89,7 @@ jobs: # in the context of push (using multi-platform build), we need to pull the image locally - name: Docker pull if: github.event_name == 'push' && (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) - run: docker pull $IMAGE_TAG + run: docker pull $IMAGE_TAG - name: Print docker stats if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker 
@@ -114,7 +112,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Check for file changes diff --git a/.github/workflows/embedded-sdk-release.yml b/.github/workflows/embedded-sdk-release.yml index 66fd44bea61..bcc4824eb0a 100644 --- a/.github/workflows/embedded-sdk-release.yml +++ b/.github/workflows/embedded-sdk-release.yml @@ -28,11 +28,11 @@ jobs: run: working-directory: superset-embedded-sdk steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: "20" - registry-url: 'https://registry.npmjs.org' + registry-url: "https://registry.npmjs.org" - run: npm ci - run: npm run ci:release env: diff --git a/.github/workflows/embedded-sdk-test.yml b/.github/workflows/embedded-sdk-test.yml index 3120608db05..e32a98a43d0 100644 --- a/.github/workflows/embedded-sdk-test.yml +++ b/.github/workflows/embedded-sdk-test.yml @@ -18,11 +18,11 @@ jobs: run: working-directory: superset-embedded-sdk steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: "20" - registry-url: 'https://registry.npmjs.org' + registry-url: "https://registry.npmjs.org" - run: npm ci - run: npm test - run: npm run build diff --git a/.github/workflows/ephemeral-env-pr-close.yml b/.github/workflows/ephemeral-env-pr-close.yml index 60cf75dac82..c45e37d5200 100644 --- a/.github/workflows/ephemeral-env-pr-close.yml +++ b/.github/workflows/ephemeral-env-pr-close.yml 
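Review bot: The `actions/setup-node` step in embedded-sdk-release.yml jumps from v4 to a SHA commented `# v6` in a job that goes on to run `npm run ci:release`, and the step sets no cache option. As far as I recall, setup-node v5 and later can turn on package-manager caching automatically when the project declares a package manager, and a publishing job is better off not restoring a shared cache. Consider adding `package-manager-cache: false` under `with:` for this step, or confirm that the SDK's package.json does not trigger the automatic cache. The rest of the job is outside the hunk.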
@@ -63,7 +63,7 @@ jobs: - name: Comment (success) if: steps.describe-services.outputs.active == 'true' - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{github.token}} script: | diff --git a/.github/workflows/ephemeral-env.yml b/.github/workflows/ephemeral-env.yml index 4c503ed6fe1..4bba79c568e 100644 --- a/.github/workflows/ephemeral-env.yml +++ b/.github/workflows/ephemeral-env.yml @@ -10,11 +10,11 @@ on: workflow_dispatch: inputs: label_name: - description: 'Label name to simulate label-based /testenv trigger' + description: "Label name to simulate label-based /testenv trigger" required: true - default: 'testenv-up' + default: "testenv-up" issue_number: - description: 'Issue or PR number' + description: "Issue or PR number" required: true jobs: @@ -55,7 +55,7 @@ jobs: - name: Get event SHA id: get-sha if: steps.eval-label.outputs.result == 'up' - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -86,7 +86,7 @@ jobs: core.setOutput("sha", prSha); - name: Looking for feature flags in PR description - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 id: eval-feature-flags if: steps.eval-label.outputs.result == 'up' with: @@ -108,7 +108,7 @@ jobs: return results; - name: Reply with confirmation comment - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 if: steps.eval-label.outputs.result == 'up' with: github-token: ${{ secrets.GITHUB_TOKEN }} 
@@ -145,7 +145,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ needs.ephemeral-env-label.outputs.sha }} : ${{steps.get-sha.outputs.sha}} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ needs.ephemeral-env-label.outputs.sha }} persist-credentials: false @@ -174,7 +174,7 @@ jobs: --extra-flags "--build-arg INCLUDE_CHROMIUM=false" - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -182,7 +182,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2 - name: Load, tag and push image to ECR id: push-image @@ -205,12 +205,12 @@ jobs: pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} @@ -218,7 +218,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950 # v2 - name: Check target image exists in ECR id: check-image @@ -233,7 +233,7 @@ jobs: - name: Fail on missing container image if: steps.check-image.outcome == 'failure' - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{ github.token }} script: | 
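Review bot: Both `aws-actions/configure-aws-credentials` steps in ephemeral-env.yml move from `@v4` to a SHA commented `# v6` while still receiving `aws-access-key-id` and `aws-secret-access-key` from secrets. A two-major jump on the action that handles cloud credentials is a behaviour change riding inside a pinning commit. Please confirm against the v5 and v6 release notes that the static-key inputs still behave the same on this branch. A short comment above each step, such as `# static access keys; pinned to v6 (was v4)`, would make the upgrade visible to the next reader. The `with:` blocks are cut by the hunk boundaries, so the region and any role inputs are not visible here.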
@@ -248,7 +248,7 @@ jobs: - name: Fill in the new image ID in the Amazon ECS task definition id: task-def - uses: aws-actions/amazon-ecs-render-task-definition@v1 + uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1 with: task-definition: .github/workflows/ecs-task-definition.json container-name: superset-ci @@ -281,7 +281,7 @@ jobs: --tags key=pr,value=$PR_NUMBER key=github_user,value=${{ github.actor }} - name: Deploy Amazon ECS task definition id: deploy-task - uses: aws-actions/amazon-ecs-deploy-task-definition@v2 + uses: aws-actions/amazon-ecs-deploy-task-definition@cbf54ec46642b86ff78c2f5793da6746954cf8ff # v2 with: task-definition: ${{ steps.task-def.outputs.task-definition }} service: pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service @@ -303,7 +303,7 @@ jobs: echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT - name: Comment (success) if: ${{ success() }} - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{github.token}} script: | @@ -316,7 +316,7 @@ jobs: }); - name: Comment (failure) if: ${{ failure() }} - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: github-token: ${{github.token}} script: | diff --git a/.github/workflows/generate-FOSSA-report.yml b/.github/workflows/generate-FOSSA-report.yml index 9f51a396c22..0c10521cc8d 100644 --- a/.github/workflows/generate-FOSSA-report.yml +++ b/.github/workflows/generate-FOSSA-report.yml 
@@ -27,12 +27,12 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: "temurin" java-version: "11" diff --git a/.github/workflows/github-action-validator.yml b/.github/workflows/github-action-validator.yml index 3bdefddc008..9521f386f0b 100644 --- a/.github/workflows/github-action-validator.yml +++ b/.github/workflows/github-action-validator.yml @@ -9,17 +9,16 @@ on: types: [synchronize, opened, reopened, ready_for_review] jobs: - validate-all-ghas: runs-on: ubuntu-24.04 steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: - node-version: '20' + node-version: "20" - name: Install Dependencies run: npm install -g @action-validator/core @action-validator/cli --save-dev diff --git a/.github/workflows/issue_creation.yml b/.github/workflows/issue_creation.yml index 1d531e77967..43603d33f3b 100644 --- a/.github/workflows/issue_creation.yml +++ b/.github/workflows/issue_creation.yml @@ -15,9 +15,8 @@ jobs: pull-requests: write issues: write steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false diff --git a/.github/workflows/latest-release-tag.yml b/.github/workflows/latest-release-tag.yml index 72f63d1e8cc..2541c7de25e 100644 --- a/.github/workflows/latest-release-tag.yml +++ b/.github/workflows/latest-release-tag.yml 
@@ -11,27 +11,27 @@ jobs: contents: write steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 - with: - persist-credentials: false - submodules: recursive + - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + submodules: recursive - - name: Check for latest tag - id: latest-tag - run: | - source ./scripts/tag_latest_release.sh $(echo ${{ github.event.release.tag_name }}) --dry-run + - name: Check for latest tag + id: latest-tag + run: | + source ./scripts/tag_latest_release.sh $(echo ${{ github.event.release.tag_name }}) --dry-run - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Run latest-tag - uses: ./.github/actions/latest-tag - if: (! ${{ steps.latest-tag.outputs.SKIP_TAG }} ) - with: - description: Superset latest release - tag-name: latest - env: - GITHUB_TOKEN: ${{ github.token }} + - name: Run latest-tag + uses: ./.github/actions/latest-tag + if: (! ${{ steps.latest-tag.outputs.SKIP_TAG }} ) + with: + description: Superset latest release + tag-name: latest + env: + GITHUB_TOKEN: ${{ github.token }} diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index 6001eede70d..24dcb2249cd 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml 
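Review bot: The re-indented `Check for latest tag` step still expands `${{ github.event.release.tag_name }}` directly inside the `run:` script, so the tag text is pasted into the shell source before bash parses it, in a job that holds `contents: write`. Pass it through the environment instead: give the step an `env:` entry `TAG_NAME: ${{ github.event.release.tag_name }}` and call `source ./scripts/tag_latest_release.sh "$TAG_NAME" --dry-run`. Separately, `if: (! ${{ steps.latest-tag.outputs.SKIP_TAG }} )` mixes literal text with an expression, which I believe evaluates to a non-empty string and is therefore always true. `if: steps.latest-tag.outputs.SKIP_TAG != 'true'` would express the intent, assuming the script writes `true`.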
@@ -15,14 +15,14 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: - distribution: 'temurin' - java-version: '11' + distribution: "temurin" + java-version: "11" - name: Run license check run: ./scripts/check_license.sh diff --git a/.github/workflows/no-hold-label.yml b/.github/workflows/no-hold-label.yml index f5d739bad56..b0572500ac2 100644 --- a/.github/workflows/no-hold-label.yml +++ b/.github/workflows/no-hold-label.yml @@ -13,13 +13,13 @@ jobs: check-hold-label: runs-on: ubuntu-24.04 steps: - - name: Check for 'hold' label - uses: actions/github-script@v7 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - const payload = context.payload.pull_request - const holdLabelPresent = !!payload.labels.find(label => label.name.includes('hold')) - if (holdLabelPresent) { - core.setFailed('Hold label is present, merge is blocked.') - } + - name: Check for 'hold' label + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 + with: + github-token: ${{secrets.GITHUB_TOKEN}} + script: | + const payload = context.payload.pull_request + const holdLabelPresent = !!payload.labels.find(label => label.name.includes('hold')) + if (holdLabelPresent) { + core.setFailed('Hold label is present, merge is blocked.') + } diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 230af3d19c0..eee4ec18a7f 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml 
@@ -16,7 +16,7 @@ jobs: pull-requests: write steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -26,6 +26,5 @@ jobs: on-failed-regex-fail-action: true on-failed-regex-request-changes: false on-failed-regex-create-review: false - on-failed-regex-comment: - "Please format your PR title to match: `%regex%`!" + on-failed-regex-comment: "Please format your PR title to match: `%regex%`!" repo-token: "${{ github.token }}" diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index f3044353f76..437fc1e336d 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -21,7 +21,7 @@ jobs: python-version: ["current", "previous"] steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -38,6 +38,7 @@ jobs: echo "HOMEBREW_CELLAR=$HOMEBREW_CELLAR" >>"${GITHUB_ENV}" echo "HOMEBREW_REPOSITORY=$HOMEBREW_REPOSITORY" >>"${GITHUB_ENV}" brew install norwoodj/tap/helm-docs + - name: pre-commit run: | set +e # Don't exit immediately on failure diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3e76a1d14b8..67ab45b04dd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,7 +32,7 @@ jobs: node-version: [20] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: # pulls all commits (needed for lerna / semantic release to correctly version) fetch-depth: 0 
@@ -48,13 +48,13 @@ jobs: - name: Use Node.js ${{ matrix.node-version }} if: env.HAS_TAGS - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node-version }} - name: Cache npm if: env.HAS_TAGS - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }} @@ -68,7 +68,7 @@ jobs: run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT - name: Cache npm if: env.HAS_TAGS - uses: actions/cache@v4 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 id: npm-cache # use this to check for `cache-hit` (`steps.npm-cache.outputs.cache-hit != 'true'`) with: path: ${{ steps.npm-cache-dir-path.outputs.dir }} diff --git a/.github/workflows/superset-app-cli.yml b/.github/workflows/superset-app-cli.yml index f506dba3d57..310bab3a2b1 100644 --- a/.github/workflows/superset-app-cli.yml +++ b/.github/workflows/superset-app-cli.yml @@ -37,7 +37,7 @@ jobs: - 16379:6379 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive diff --git a/.github/workflows/superset-docs-deploy.yml b/.github/workflows/superset-docs-deploy.yml index 3f03e482d80..8ac5125b1c9 100644 --- a/.github/workflows/superset-docs-deploy.yml +++ b/.github/workflows/superset-docs-deploy.yml 
@@ -30,21 +30,21 @@ jobs: name: Build & Deploy runs-on: ubuntu-24.04 steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + - name: "Checkout ${{ github.event.workflow_run.head_sha || github.sha }}" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive - - name: Set up Node.js 20 - uses: actions/setup-node@v4 + - name: Set up Node.js + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: - node-version: '20' + node-version: "20" - name: Setup Python uses: ./.github/actions/setup-backend/ - - uses: actions/setup-java@v4 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: - distribution: 'zulu' - java-version: '21' + distribution: "zulu" + java-version: "21" - name: Install Graphviz run: sudo apt-get install -y graphviz - name: Compute Entity Relationship diagram (ERD) diff --git a/.github/workflows/superset-docs-verify.yml b/.github/workflows/superset-docs-verify.yml index b08bba091ae..88301c87fc8 100644 --- a/.github/workflows/superset-docs-verify.yml +++ b/.github/workflows/superset-docs-verify.yml @@ -18,7 +18,7 @@ jobs: name: Link Checking runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # Do not bump this linkinator-action version without opening # an ASF Infra ticket to allow the new verison first! - uses: JustinBeckwith/linkinator-action@v1.11.0 
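Review bot: The renamed checkout step in superset-docs-deploy.yml now advertises `${{ github.event.workflow_run.head_sha || github.sha }}`, but the `with:` block visible in the hunk passes no `ref:`, so checkout still takes the default ref for the event and the log line can name a commit that was not fetched. Either keep the name in line with what is checked out, e.g. `- name: "Checkout ${{ github.sha }}"`, or add the `ref:` deliberately in a separate change, since checking out a triggering run's head commit in a deploy job changes which code runs next to the deploy credentials. The rename is also unrelated to SHA pinning. The rest of the job is outside the hunk.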
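Review bot: `JustinBeckwith/linkinator-action@v1.11.0` in the Link Checking job of superset-docs-verify.yml is left on a mutable tag, the one action in this hunk that the pinning pass skips. Pinning the commit of the already-approved v1.11.0 release does not bump the version, so it should not conflict with the ASF Infra note above it: `- uses: JustinBeckwith/linkinator-action@<commit-sha-of-v1.11.0> # v1.11.0` (placeholder, take the SHA from the tag). If the allow-list matches on the tag string and a SHA would be rejected, say so in the comment so the exception is explicit.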
@@ -56,14 +56,14 @@ jobs: working-directory: docs steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive - - name: Set up Node.js 20 - uses: actions/setup-node@v4 + - name: Set up Node.js + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: - node-version: '20' + node-version: "20" - name: yarn install run: | yarn install --check-cache diff --git a/.github/workflows/superset-e2e.yml b/.github/workflows/superset-e2e.yml index 85a22bf11e9..8044cf120e6 100644 --- a/.github/workflows/superset-e2e.yml +++ b/.github/workflows/superset-e2e.yml @@ -10,17 +10,17 @@ on: workflow_dispatch: inputs: use_dashboard: - description: 'Use Cypress Dashboard (true/false) [paid service - trigger manually when needed]. You MUST provide a branch and/or PR number below for this to work.' + description: "Use Cypress Dashboard (true/false) [paid service - trigger manually when needed]. You MUST provide a branch and/or PR number below for this to work." required: false - default: 'false' + default: "false" ref: - description: 'The branch or tag to checkout' + description: "The branch or tag to checkout" required: false - default: '' + default: "" pr_id: - description: 'The pull request ID to checkout' + description: "The pull request ID to checkout" required: false - default: '' + default: "" concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }} 
@@ -68,20 +68,20 @@ jobs: # Conditional checkout based on context - name: Checkout for push or pull_request event if: github.event_name == 'push' || github.event_name == 'pull_request' - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive - name: Checkout using ref (workflow_dispatch) if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != '' - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false ref: ${{ github.event.inputs.ref }} submodules: recursive - name: Checkout using PR ID (workflow_dispatch) if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != '' - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false ref: refs/pull/${{ github.event.inputs.pr_id }}/merge @@ -107,7 +107,7 @@ jobs: run: testdata - name: Setup Node.js if: steps.check.outputs.python || steps.check.outputs.frontend - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: "20" - name: Install npm dependencies @@ -137,8 +137,8 @@ jobs: with: run: cypress-run-all ${{ env.USE_DASHBOARD }} - name: Upload Artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 if: failure() with: path: ${{ github.workspace }}/superset-frontend/cypress-base/cypress/screenshots - name: cypress-artifact-${{ github.run_id }}-${{ github.job }}-${{ matrix.browser }}-${{ matrix.parallel_id }} + name: cypress-artifact-${{ github.run_id }}-${{ github.job }}-${{ matrix.browser }}-${{ matrix.parallel_id }}--${{ steps.set-safe-app-root.outputs.safe_app_root }} diff --git a/.github/workflows/superset-extensions-cli.yml b/.github/workflows/superset-extensions-cli.yml index 7b792467654..d87ac996051 100644 
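Review bot: The artifact name in the last superset-e2e.yml hunk now ends with `--${{ steps.set-safe-app-root.outputs.safe_app_root }}`, but no step with id `set-safe-app-root` appears in any hunk of this patch. Since this is a cherry-pick, please confirm the step exists on the target branch. An unknown step output expands to an empty string, which would leave every artifact name ending in `--`. If the step is absent, keep the previous name, the line ending in `${{ matrix.parallel_id }}`. The same step also moves `actions/upload-artifact` from v4 to a SHA commented `# v7`, which is worth checking against the `path:` and `name:` inputs used here.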
--- a/.github/workflows/superset-extensions-cli.yml +++ b/.github/workflows/superset-extensions-cli.yml @@ -18,13 +18,13 @@ jobs: runs-on: ubuntu-24.04 strategy: matrix: - python-version: ["previous", "current", "next"] + python-version: ["previous", "current"] defaults: run: working-directory: superset-extensions-cli steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -49,7 +49,7 @@ jobs: - name: Upload coverage reports to Codecov if: steps.check.outputs.superset-extensions-cli - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: file: ./coverage.xml flags: superset-extensions-cli @@ -58,7 +58,7 @@ jobs: - name: Upload HTML coverage report if: steps.check.outputs.superset-extensions-cli - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: superset-extensions-cli-coverage-html path: htmlcov/ diff --git a/.github/workflows/superset-frontend.yml b/.github/workflows/superset-frontend.yml index 6e1c494a045..0e9c5793251 100644 --- a/.github/workflows/superset-frontend.yml +++ b/.github/workflows/superset-frontend.yml @@ -23,7 +23,7 @@ jobs: should-run: ${{ steps.check.outputs.frontend }} steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false @@ -52,7 +52,7 @@ jobs: - name: Upload Docker Image Artifact if: steps.check.outputs.frontend - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: docker-image path: docker-image.tar.gz 
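Review bot: In superset-extensions-cli.yml the Codecov step jumps from `codecov/codecov-action@v3` to a SHA commented `# v5` but keeps `file: ./coverage.xml`; in v5 that input is deprecated in favour of `files`. Change the line to `files: ./coverage.xml`. The visible part of the `with:` block shows no `token:`, which the other Codecov steps in this patch pass as `${{ secrets.CODECOV_TOKEN }}`; the block is cut by the hunk, so check whether it is set further down. The first hunk of this file also drops `"next"` from the Python matrix, which is unrelated to pinning and deserves a line in the commit message.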
@@ -67,7 +67,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Download Docker Image Artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: docker-image @@ -84,7 +84,7 @@ jobs: "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json-summary" - name: Upload Coverage Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: coverage-artifacts-${{ matrix.shard }} path: superset-frontend/coverage @@ -95,7 +95,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Download Coverage Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: coverage-artifacts-* path: coverage/ @@ -107,7 +107,7 @@ jobs: run: npx nyc merge coverage/ merged-output/coverage-summary.json - name: Upload Code Coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: javascript token: ${{ secrets.CODECOV_TOKEN }} @@ -139,7 +139,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Download Docker Image Artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: docker-image @@ -162,7 +162,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Download Docker Image Artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: docker-image @@ -173,7 +173,6 @@ jobs: run: | docker run --rm $TAG bash -c \ "npm run plugins:build" - - name: Build Plugins Storybook run: | docker run --rm $TAG bash -c \ diff --git a/.github/workflows/superset-helm-lint.yml b/.github/workflows/superset-helm-lint.yml index b3b1447641f..e1f9e54506c 100644 --- a/.github/workflows/superset-helm-lint.yml +++ b/.github/workflows/superset-helm-lint.yml 
@@ -16,21 +16,21 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive fetch-depth: 0 - name: Set up Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 with: version: v3.16.4 - name: Setup Python uses: ./.github/actions/setup-backend/ with: - install-superset: 'false' + install-superset: "false" - name: Set up chart-testing uses: ./.github/actions/chart-testing-action diff --git a/.github/workflows/superset-helm-release.yml b/.github/workflows/superset-helm-release.yml index 639bb4e7204..948368f832e 100644 --- a/.github/workflows/superset-helm-release.yml +++ b/.github/workflows/superset-helm-release.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ inputs.ref || github.ref_name }} persist-credentials: true @@ -42,7 +42,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Install Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 with: version: v3.5.4 @@ -101,7 +101,7 @@ jobs: CR_RELEASE_NAME_TEMPLATE: "superset-helm-chart-{{ .Version }}" - name: Open Pull Request - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const branchName = '${{ env.branch_name }}'; diff --git a/.github/workflows/superset-python-integrationtest.yml b/.github/workflows/superset-python-integrationtest.yml index 3a7488966b1..a239e711503 100644 --- a/.github/workflows/superset-python-integrationtest.yml +++ b/.github/workflows/superset-python-integrationtest.yml 
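Review bot: In superset-helm-release.yml (hunk `@@ -29,7 +29,7 @@`) this checkout keeps `persist-credentials: true` and checks out `${{ inputs.ref || github.ref_name }}`, so the job token stays available to git in every later step, including the third-party `azure/setup-helm` action. Pinning that action by SHA narrows the risk, but the reason for persisting the token is not stated. I would add a comment above the key, for example `# kept true: later steps push with this token` (my assumption; the pushing steps are outside the hunk), and check that the job's `permissions:` are limited to what that push needs.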
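Review bot: In superset-helm-release.yml (hunk `@@ -42,7 +42,7 @@`) the release job installs Helm `v3.5.4`, while superset-helm-lint.yml in this same patch installs `v3.16.4`, so charts are linted with one Helm and packaged with a much older one. If nothing depends on the old version, align it with `version: v3.16.4`. Otherwise a comment next to `version:` naming the reason for staying on the old release would do.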
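Review bot: In superset-helm-release.yml (hunk `@@ -101,7 +101,7 @@`) the `github-script` body builds a JavaScript string literal from a workflow expression, `const branchName = '${{ env.branch_name }}';`, so the value is pasted into the script source before it runs. If `branch_name` is derived from `inputs.ref` or another caller-supplied value (its definition is outside the hunk), a quote character in it would change the script. Reading it at run time avoids that: `const branchName = process.env.branch_name;`. The script continues past the end of the hunk, so any other `${{ }}` expressions in it deserve the same check.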
@@ -41,7 +41,7 @@ jobs: - 16379:6379 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -68,7 +68,7 @@ jobs: run: | ./scripts/python_tests.sh - name: Upload code coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: python,mysql token: ${{ secrets.CODECOV_TOKEN }} @@ -99,7 +99,7 @@ jobs: - 16379:6379 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -129,7 +129,7 @@ jobs: run: | ./scripts/python_tests.sh - name: Upload code coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: python,postgres token: ${{ secrets.CODECOV_TOKEN }} @@ -152,7 +152,7 @@ jobs: - 16379:6379 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -181,7 +181,7 @@ jobs: run: | ./scripts/python_tests.sh - name: Upload code coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: python,sqlite token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/superset-python-presto-hive.yml b/.github/workflows/superset-python-presto-hive.yml index ba17dd41d1c..d0cb1452721 100644 --- a/.github/workflows/superset-python-presto-hive.yml +++ b/.github/workflows/superset-python-presto-hive.yml 
@@ -48,7 +48,7 @@ jobs: - 16379:6379 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -77,7 +77,7 @@ jobs: run: | ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow' - name: Upload code coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: python,presto token: ${{ secrets.CODECOV_TOKEN }} @@ -108,7 +108,7 @@ jobs: - 16379:6379 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -145,7 +145,7 @@ jobs: pip install -e .[hive] ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow' - name: Upload code coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: python,hive token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/superset-python-unittest.yml b/.github/workflows/superset-python-unittest.yml index c4cef8de24c..f850a42adab 100644 --- a/.github/workflows/superset-python-unittest.yml +++ b/.github/workflows/superset-python-unittest.yml @@ -24,7 +24,7 @@ jobs: PYTHONPATH: ${{ github.workspace }} steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -46,7 +46,7 @@ jobs: run: | pytest --durations-min=0.5 --cov-report= --cov=superset ./tests/common ./tests/unit_tests --cache-clear - name: Upload code coverage - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 with: flags: python,unit token: ${{ secrets.CODECOV_TOKEN }} 
diff --git a/.github/workflows/superset-translations.yml b/.github/workflows/superset-translations.yml index 94babe7c47e..70bc53c665e 100644 --- a/.github/workflows/superset-translations.yml +++ b/.github/workflows/superset-translations.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive @@ -31,9 +31,9 @@ jobs: - name: Setup Node.js if: steps.check.outputs.frontend - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: - node-version: '18' + node-version: "18" - name: Install dependencies if: steps.check.outputs.frontend uses: ./.github/actions/cached-dependencies @@ -49,7 +49,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false submodules: recursive diff --git a/.github/workflows/superset-websocket.yml b/.github/workflows/superset-websocket.yml index ce7ec50a92f..83458b7a609 100644 --- a/.github/workflows/superset-websocket.yml +++ b/.github/workflows/superset-websocket.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Install dependencies diff --git a/.github/workflows/supersetbot.yml b/.github/workflows/supersetbot.yml index b78fc743023..64ed7384660 100644 --- a/.github/workflows/supersetbot.yml +++ b/.github/workflows/supersetbot.yml @@ -9,7 +9,7 @@ on: workflow_dispatch: inputs: comment_body: - description: 'Comment Body' + description: "Comment Body" required: true type: string 
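Review bot: In superset-translations.yml (hunk `@@ -31,9 +31,9 @@`) `setup-node` moves to v6 but still installs `node-version: "18"`, a release line that is past its upstream end of life, while tag-release.yml and tech-debt.yml in this patch use Node 20. Unless the translation tooling needs 18, I would change it to `node-version: "20"` so this job matches the other workflows. The job body continues outside the hunk.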
@@ -26,7 +26,7 @@ jobs: steps: - name: Quickly add thumbs up! if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '@supersetbot') - uses: actions/github-script@v7 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/') @@ -38,7 +38,7 @@ jobs: }); - name: "Checkout ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 8161304a1c6..536b2d6b885 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml @@ -16,11 +16,11 @@ on: force-latest: required: true type: choice - default: 'false' + default: "false" description: Whether to force a latest tag on the release options: - - 'true' - - 'false' + - "true" + - "false" jobs: config: runs-on: ubuntu-24.04 @@ -42,12 +42,12 @@ jobs: runs-on: ubuntu-24.04 strategy: matrix: - build_preset: ["dev", "lean", "py310", "websocket", "dockerize", "py311"] + build_preset: + ["dev", "lean", "py310", "websocket", "dockerize", "py311"] fail-fast: false steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 @@ -60,7 +60,7 @@ jobs: build: "true" - name: Use Node.js 20 - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 20 
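Review bot: In tag-release.yml (hunk `@@ -42,12 +42,12 @@`) the checkout sets only `fetch-depth: 0` and leaves `persist-credentials` at its default of true, unlike almost every other checkout touched by this patch. The same holds for the checkout in hunk `@@ -105,14 +105,13 @@` and for the one in tech-debt.yml, which has no `with:` block at all. If no later step pushes through git with the job token, add `persist-credentials: false` under `with:`; the later steps are outside the hunks, so I cannot confirm that.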
@@ -105,14 +105,13 @@ jobs: contents: read pull-requests: write steps: - - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Use Node.js 20 - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 20 diff --git a/.github/workflows/tech-debt.yml b/.github/workflows/tech-debt.yml index 1aec723c085..bdafaecbc01 100644 --- a/.github/workflows/tech-debt.yml +++ b/.github/workflows/tech-debt.yml @@ -27,12 +27,12 @@ jobs: name: Generate Reports steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: - node-version: '20' + node-version: "20" - name: Install Dependencies run: npm install diff --git a/requirements/base.txt b/requirements/base.txt index d0ca9ff2b22..c6c42b93896 100644 --- a/requirements/base.txt +++ b/requirements/base.txt @@ -345,6 +345,9 @@ shortid==0.1.2 # via apache-superset (pyproject.toml) simplejson==3.19.3 # via apache-superset (pyproject.toml) +setuptools==80.9.0 + # via + # liccheck six==1.16.0 # via # prison
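Review bot: In tech-debt.yml (hunk `@@ -27,12 +27,12 @@`) the dependency step runs `npm install`, which may resolve versions afresh and rewrite the lockfile, so the SHA-pinned actions are followed by an unpinned dependency install. If a `package-lock.json` is committed for this directory (not visible here), `run: npm ci` installs exactly what the lockfile records and fails when it is out of sync with package.json.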