chore: resolve lingering CI issues after upgrading Node to v24

feat(build): update Node version constraint in superset-websocket
feat(build): update Node version in Dockerfiles to v24
2026-06-10 10:09:14 +00:00 · 2026-06-07 15:18:53 +07:00 · 2026-06-07 14:18:03 +07:00 · 2026-06-07 14:15:35 +07:00 · 2026-06-07 13:44:27 +07:00 · 2026-06-07 12:03:13 +07:00
7064 changed files with 859098 additions and 260441 deletions
--- a/.asf.yaml
+++ b/.asf.yaml
@@ -24,7 +24,9 @@ notifications:
  discussions: notifications@superset.apache.org

 github:
-  del_branch_on_merge: true
+  pull_requests:
+    del_branch_on_merge: true
+    allow_update_branch: true
  description: "Apache Superset is a Data Visualization and Data Exploration Platform"
  homepage: https://superset.apache.org/
  labels:
@@ -75,23 +77,17 @@ github:
        # combination here.
        contexts:
          - lint-check
-          - cypress-matrix (0, chrome)
-          - cypress-matrix (1, chrome)
-          - cypress-matrix (2, chrome)
-          - cypress-matrix (3, chrome)
-          - cypress-matrix (4, chrome)
-          - cypress-matrix (5, chrome)
+          - cypress-matrix-required
          - dependency-review
          - frontend-build
-          - playwright-tests (chromium)
+          - playwright-tests-required
          - pre-commit (current)
-          - pre-commit (previous)
          - test-mysql
-          - test-postgres (current)
+          - test-postgres-required
          - test-postgres-hive
          - test-postgres-presto
          - test-sqlite
-          - unit-tests (current)
+          - unit-tests-required

      required_pull_request_reviews:
        dismiss_stale_reviews: false
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "jq -r '.tool_input.command // \"\"' | grep -qE '^git commit' && cd \"$CLAUDE_PROJECT_DIR\" && echo '🔍 Running pre-commit before commit...' && pre-commit run || true"
+          }
+        ]
+      }
+    ]
+  }
+}
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -13,7 +13,7 @@

  "features": {
    "ghcr.io/devcontainers/features/docker-in-docker:2": {
-      "moby": true,
+      "moby": false,
      "dockerDashComposeVersion": "v2"
    },
    "ghcr.io/devcontainers/features/node:1": {
--- a/.envrc.example
+++ b/.envrc.example
@@ -0,0 +1,41 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Auto-configure Docker Compose for multi-instance support
+# Requires direnv: https://direnv.net/
+#
+# Install: brew install direnv (or apt install direnv)
+# Setup: Add 'eval "$(direnv hook bash)"' to ~/.bashrc (or ~/.zshrc)
+# Allow: Run 'direnv allow' in this directory once
+
+# Generate unique project name from directory
+export COMPOSE_PROJECT_NAME=$(basename "$PWD" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g')
+
+# Find available ports sequentially to avoid collisions
+_is_free() { ! lsof -i ":$1" &>/dev/null 2>&1; }
+
+_p=80;    while ! _is_free $_p; do ((_p++)); done; export NGINX_PORT=$_p
+_p=8088;  while ! _is_free $_p; do ((_p++)); done; export SUPERSET_PORT=$_p
+_p=9000;  while ! _is_free $_p; do ((_p++)); done; export NODE_PORT=$_p
+_p=8080;  while ! _is_free $_p || [ $_p -eq $NGINX_PORT ]; do ((_p++)); done; export WEBSOCKET_PORT=$_p
+_p=8081;  while ! _is_free $_p || [ $_p -eq $WEBSOCKET_PORT ]; do ((_p++)); done; export CYPRESS_PORT=$_p
+_p=5432;  while ! _is_free $_p; do ((_p++)); done; export DATABASE_PORT=$_p
+_p=6379;  while ! _is_free $_p; do ((_p++)); done; export REDIS_PORT=$_p
+
+unset _p _is_free
+
+echo "🐳 Superset configured: http://localhost:$SUPERSET_PORT (dev: localhost:$NODE_PORT)"
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -20,7 +20,12 @@

 # Notify PMC members of changes to GitHub Actions

-/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe
+/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe @hainenber
+
+# Notify PMC members of changes to CI-executed scripts (supply-chain risk:
+# scripts/ files run directly in CI workflows and can execute arbitrary code)
+
+/scripts/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @kgabryje @dpgaspar @sadpandajoe @hainenber

 # Notify PMC members of changes to required GitHub Actions

@@ -31,8 +36,13 @@
 **/*.geojson @villebro @rusackas
 /superset-frontend/plugins/legacy-plugin-chart-country-map/ @villebro @rusackas

+# Notify translation maintainers of changes to translations
+
+/superset/translations/ @sfirke @rusackas
+
 # Notify PMC members of changes to extension-related files

+/docs/developer_portal/extensions/ @michael-s-molina @villebro @rusackas
 /superset-core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
 /superset-extensions-cli/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
 /superset/core/ @michael-s-molina @villebro @geido @eschutho @rusackas @kgabryje
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -41,8 +41,8 @@ body:
      label: Superset version
      options:
        - master / latest-dev
+        - "6.0.0"
        - "5.0.0"
-        - "4.1.3"
    validations:
      required: true
  - type: dropdown
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -1,38 +0,0 @@
-# Security Policy
-
-This is a project of the [Apache Software Foundation](https://apache.org) and follows the
-ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
-
-## Reporting Vulnerabilities
-
-**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**
-
-
-Apache Software Foundation takes a rigorous standpoint in annihilating the security issues
-in its software projects. Apache Superset is highly sensitive and forthcoming to issues
-pertaining to its features and functionality.
-If you have any concern or believe you have found a vulnerability in Apache Superset,
-please get in touch with the Apache Superset Security Team privately at
-e-mail address [security@superset.apache.org](mailto:security@superset.apache.org).
-
-More details can be found on the ASF website at
-[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
-
-We kindly ask you to include the following information in your report:
- Apache Superset version that you are using
- A sanitized copy of your `superset_config.py` file or any config overrides
- Detailed steps to reproduce the vulnerability
-
-Note that Apache Superset is not responsible for any third-party dependencies that may
-have security issues. Any vulnerabilities found in third-party dependencies should be
-reported to the maintainers of those projects. Results from security scans of Apache
-Superset dependencies found on its official Docker image can be remediated at release time
-by extending the image itself.
-
-**Your responsible disclosure and collaboration are invaluable.**
-
-## Extra Information
-
- - [Apache Superset documentation](https://superset.apache.org/docs/security)
- - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
- - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
--- a/.github/actions/change-detector/label-draft-pr.yml
+++ b/.github/actions/change-detector/label-draft-pr.yml
@@ -10,7 +10,7 @@ jobs:
    steps:
      - name: Check if the PR is a draft
        id: check-draft
-        uses: actions/github-script@v6
+        uses: actions/github-script@v8
        with:
          script: |
            const isDraft = context.payload.pull_request.draft;
--- a/.github/actions/setup-backend/action.yml
+++ b/.github/actions/setup-backend/action.yml
@@ -24,32 +24,41 @@ runs:
    - name: Interpret Python Version
      id: set-python-version
      shell: bash
+      env:
+        INPUT_PYTHON_VERSION: ${{ inputs.python-version }}
      run: |
-        if [ "${{ inputs.python-version }}" = "current" ]; then
-          echo "PYTHON_VERSION=3.11" >> $GITHUB_ENV
-        elif [ "${{ inputs.python-version }}" = "next" ]; then
+        if [ "$INPUT_PYTHON_VERSION" = "current" ]; then
+          RESOLVED_VERSION="3.11"
+        elif [ "$INPUT_PYTHON_VERSION" = "next" ]; then
          # currently disabled in GHA matrixes because of library compatibility issues
-          echo "PYTHON_VERSION=3.12" >> $GITHUB_ENV
-        elif [ "${{ inputs.python-version }}" = "previous" ]; then
-          echo "PYTHON_VERSION=3.10" >> $GITHUB_ENV
+          RESOLVED_VERSION="3.12"
+        elif [ "$INPUT_PYTHON_VERSION" = "previous" ]; then
+          RESOLVED_VERSION="3.10"
+        elif printf '%s' "$INPUT_PYTHON_VERSION" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$'; then
+          RESOLVED_VERSION="$INPUT_PYTHON_VERSION"
        else
-          echo "PYTHON_VERSION=${{ inputs.python-version }}" >> $GITHUB_ENV
+          echo "Invalid python-version: '$INPUT_PYTHON_VERSION'" >&2
+          exit 1
        fi
-    - name: Set up Python ${{ env.PYTHON_VERSION }}
-      uses: actions/setup-python@v5
+        echo "python-version=$RESOLVED_VERSION" >> "$GITHUB_OUTPUT"
+    - name: Set up Python ${{ steps.set-python-version.outputs.python-version }}
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
      with:
-        python-version: ${{ env.PYTHON_VERSION }}
+        python-version: ${{ steps.set-python-version.outputs.python-version }}
        cache: ${{ inputs.cache }}
    - name: Install dependencies
+      env:
+        INPUT_INSTALL_SUPERSET: ${{ inputs.install-superset }}
+        INPUT_REQUIREMENTS_TYPE: ${{ inputs.requirements-type }}
      run: |
-        if [ "${{ inputs.install-superset }}" = "true" ]; then
+        if [ "$INPUT_INSTALL_SUPERSET" = "true" ]; then
          sudo apt-get update && sudo apt-get -y install libldap2-dev libsasl2-dev

          pip install --upgrade pip setuptools wheel uv

-          if [ "${{ inputs.requirements-type }}" = "dev" ]; then
+          if [ "$INPUT_REQUIREMENTS_TYPE" = "dev" ]; then
            uv pip install --system -r requirements/development.txt
-          elif [ "${{ inputs.requirements-type }}" = "base" ]; then
+          elif [ "$INPUT_REQUIREMENTS_TYPE" = "base" ]; then
            uv pip install --system -r requirements/base.txt
          fi

--- a/.github/actions/setup-docker/action.yml
+++ b/.github/actions/setup-docker/action.yml
@@ -26,16 +26,25 @@ runs:

    - name: Set up QEMU
      if: ${{ inputs.build == 'true' }}
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
+      with:
+        # Pin the binfmt image to a specific QEMU release. The default
+        # (`tonistiigi/binfmt:latest`) is a moving target, and drift across
+        # QEMU's x86_64→aarch64 translator has been the proximate cause of
+        # intermittent `exit code: 132` (SIGILL) failures during the arm64
+        # leg of the multi-platform docker build — newer Node native modules
+        # emit instructions QEMU's user-mode emulation occasionally drops on
+        # the floor. Pinning a known-good release stabilises that path.
+        image: tonistiigi/binfmt:qemu-v8.1.5

    - name: Set up Docker Buildx
      if: ${{ inputs.build == 'true' }}
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

    - name: Try to login to DockerHub
      if: ${{ inputs.login-to-dockerhub == 'true' }}
      continue-on-error: true
-      uses: docker/login-action@v3
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
      with:
        username: ${{ inputs.dockerhub-user }}
        password: ${{ inputs.dockerhub-token }}
--- a/.github/actions/setup-supersetbot/action.yml
+++ b/.github/actions/setup-supersetbot/action.yml
@@ -10,7 +10,7 @@ runs:
  steps:

    - name: Setup Node Env
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: '20'

@@ -21,8 +21,9 @@ runs:

    - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
      if: ${{ inputs.from-npm == 'false' }}
-      uses: actions/checkout@v4
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
+        persist-credentials: false
        repository: apache-superset/supersetbot
        path: supersetbot

--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,21 +1,55 @@
 version: 2
 enable-beta-ecosystems: true
 updates:
-
  - package-ecosystem: "github-actions"
    directory: "/"
+    ignore:
+      # Ignore temporarily as release schedule is too mentally taxing for dep-handling maintainers
+      # Additionally, very few PRs are reviewed by this action.
+      - dependency-name: anthropics/claude-code-action
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    ignore:
-      # not until React >= 18.0.0
+      # TODO: remove below entries until React >= 18.0.0
      - dependency-name: "storybook"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
      - dependency-name: "@storybook*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      - dependency-name: "eslint-plugin-storybook"
+      - dependency-name: "react-error-boundary"
+      - dependency-name: "@rjsf/*"
+      # remark-gfm v4+ requires react-markdown v9+, which needs React 18
+      - dependency-name: "remark-gfm"
+      - dependency-name: "react-markdown"
+      # TODO: remove below entries until React >= 19.0.0
+      - dependency-name: "react-icons"
      # JSDOM v30 doesn't play well with Jest v30
      # Source: https://jestjs.io/blog#known-issues
      # GH thread: https://github.com/jsdom/jsdom/issues/3492
      - dependency-name: "jest-environment-jsdom"
+      # `@swc/plugin-transform-imports` doesn't work with current Webpack-SWC hybrid setup
+      # See https://github.com/apache/superset/pull/37384#issuecomment-3793991389
+      # TODO: remove the plugin once Lodash usage has been migrated to a more readily tree-shakeable alternative
+      - dependency-name: "@swc/plugin-transform-imports"
+      # `just-handlerbars-helpers` library in plugin-chart-handlebars requires `currencyformatter`` to be < 2
+      - dependency-name: "currencyformatter.js"
+        update-types: ["version-update:semver-major"]
+      # TODO: remove below clause once https://github.com/pmmmwh/react-refresh-webpack-plugin/pull/940 lands onto a future release
+      # and confirm the issue https://github.com/apache/superset/issues/39600 is fixed
+      - dependency-name: "react-checkbox-tree"
+        update-types: ["version-update:semver-major"]
+    groups:
+      storybook:
+        applies-to: version-updates
+        patterns:
+          - "@storybook*"
+          - "storybook"
+        update-types:
+          - "patch"
    directory: "/superset-frontend/"
    schedule:
      interval: "daily"
@@ -24,18 +58,25 @@ updates:
      - dependabot
    open-pull-requests-limit: 30
    versioning-strategy: increase
+    cooldown:
+      default-days: 7


-  # NOTE: `uv` support is in beta, more details here:
-  # https://github.com/dependabot/dependabot-core/pull/10040#issuecomment-2696978430
-  - package-ecosystem: "uv"
-    directory: "requirements/"
+  - package-ecosystem: "pip"
+    directory: "/"
    open-pull-requests-limit: 10
+    # Bump the lower bound to the new version, not just widen the upper
+    # bound. Without this, a `sqlglot>=28.10.0, <29` constraint upgraded
+    # to `<30` would keep the stale lower bound forever, dragging
+    # transitively-resolved versions with it. See #40186 (review thread).
+    versioning-strategy: increase
    schedule:
      interval: "weekly"
    labels:
-      - uv
+      - pip
      - dependabot
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: ".github/actions"
@@ -43,13 +84,33 @@ updates:
      interval: "daily"
    open-pull-requests-limit: 10
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/docs/"
+    ignore:
+      # TODO: remove below entries until React >= 18.0.0 in superset-frontend
+      - dependency-name: "storybook"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      - dependency-name: "@storybook*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      - dependency-name: "eslint-plugin-storybook"
+      - dependency-name: "react-error-boundary"
+    groups:
+      storybook:
+        applies-to: version-updates
+        patterns:
+          - "@storybook*"
+          - "storybook"
+        update-types:
+          - "patch"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-websocket/"
@@ -59,6 +120,8 @@ updates:
      - npm
      - dependabot
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-websocket/utils/client-ws-app/"
@@ -69,6 +132,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 10
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  # Now for all of our plugins and packages!

@@ -81,16 +146,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
-
-  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/legacy-plugin-chart-histogram/"
-    schedule:
-      interval: "daily"
-    labels:
-      - npm
-      - dependabot
-    open-pull-requests-limit: 5
-    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-partition/"
@@ -101,6 +158,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-world-map/"
@@ -111,9 +170,14 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/plugin-chart-pivot-table/"
+    ignore:
+      # TODO: remove below entries until React >= 19.0.0
+      - dependency-name: "react-icons"
    schedule:
      interval: "daily"
    labels:
@@ -121,6 +185,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-chord/"
@@ -131,6 +197,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-horizon/"
@@ -141,6 +209,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-rose/"
@@ -151,6 +221,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-preset-chart-deckgl/"
@@ -161,9 +233,14 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/plugin-chart-table/"
+    ignore:
+      # TODO: remove below entries until React >= 19.0.0
+      - dependency-name: "react-icons"
    schedule:
      interval: "daily"
    labels:
@@ -171,6 +248,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-country-map/"
@@ -181,6 +260,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-map-box/"
@@ -191,16 +272,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
-
-  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/legacy-plugin-chart-sankey/"
-    schedule:
-      interval: "daily"
-    labels:
-      - npm
-      - dependabot
-    open-pull-requests-limit: 5
-    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-preset-chart-nvd3/"
@@ -211,6 +284,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/plugin-chart-word-cloud/"
@@ -221,16 +296,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
-
-  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/legacy-plugin-chart-event-flow/"
-    schedule:
-      interval: "daily"
-    labels:
-      - npm
-      - dependabot
-    open-pull-requests-limit: 5
-    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-paired-t-test/"
@@ -241,16 +308,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
-
-  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/legacy-plugin-chart-sankey-loop/"
-    schedule:
-      interval: "daily"
-    labels:
-      - npm
-      - dependabot
-    open-pull-requests-limit: 5
-    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/plugin-chart-echarts/"
@@ -261,9 +320,11 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/preset-chart-xy/"
+    directory: "/superset-frontend/plugins/plugin-chart-ag-grid-table/"
    schedule:
      interval: "daily"
    labels:
@@ -271,9 +332,11 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/legacy-plugin-chart-heatmap/"
+    directory: "/superset-frontend/plugins/plugin-chart-cartodiagram/"
    schedule:
      interval: "daily"
    labels:
@@ -281,6 +344,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/legacy-plugin-chart-parallel-coordinates/"
@@ -291,19 +356,15 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
-
-  - package-ecosystem: "npm"
-    directory: "/superset-frontend/plugins/legacy-plugin-chart-sunburst/"
-    schedule:
-      interval: "daily"
-    labels:
-      - npm
-      - dependabot
-    open-pull-requests-limit: 5
-    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/plugins/plugin-chart-handlebars/"
+    ignore:
+      # `just-handlerbars-helpers` library in plugin-chart-handlebars requires `currencyformatter`` to be < 2
+      - dependency-name: "currencyformatter.js"
+        update-types: ["version-update:semver-major"]
    schedule:
      interval: "daily"
    labels:
@@ -311,6 +372,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/packages/generator-superset/"
@@ -321,6 +384,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/packages/superset-ui-chart-controls/"
@@ -331,6 +396,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/packages/superset-ui-core/"
@@ -338,6 +405,7 @@ updates:
      # not until React >= 18.0.0
      - dependency-name: "react-markdown"
      - dependency-name: "remark-gfm"
+      - dependency-name: "react-error-boundary"
    schedule:
      interval: "daily"
    labels:
@@ -345,16 +413,8 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
-
-  - package-ecosystem: "npm"
-    directory: "/superset-frontend/packages/superset-ui-demo/"
-    schedule:
-      interval: "daily"
-    labels:
-      - npm
-      - dependabot
-    open-pull-requests-limit: 5
-    versioning-strategy: increase
+    cooldown:
+      default-days: 7

  - package-ecosystem: "npm"
    directory: "/superset-frontend/packages/superset-ui-switchboard/"
@@ -365,3 +425,5 @@ updates:
      - dependabot
    open-pull-requests-limit: 5
    versioning-strategy: increase
+    cooldown:
+      default-days: 7
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -17,6 +17,11 @@
  - any-glob-to-any-file:
    - 'superset/migrations/**'

+"risk:ci-script":
+- changed-files:
+  - any-glob-to-any-file:
+    - 'scripts/**'
+
 ############################################
 # Dependencies
 ############################################
@@ -72,6 +77,11 @@
  - any-glob-to-any-file:
    - 'superset/translations/zh/**'

+"i18n:czech":
+- changed-files:
+  - any-glob-to-any-file:
+    - 'superset/translations/cs/**'
+
 "i18n:traditional-chinese":
 - changed-files:
  - any-glob-to-any-file:
@@ -117,6 +127,11 @@
  - any-glob-to-any-file:
    - 'superset/translations/sk/**'

+"i18n:latvian":
+- changed-files:
+  - any-glob-to-any-file:
+    - 'superset/translations/lv/**'
+
 "i18n:ukrainian":
 - changed-files:
  - any-glob-to-any-file:
--- a/.github/workflows/bashlib.sh
+++ b/.github/workflows/bashlib.sh
@@ -20,10 +20,6 @@ set -e
 GITHUB_WORKSPACE=${GITHUB_WORKSPACE:-.}
 ASSETS_MANIFEST="$GITHUB_WORKSPACE/superset/static/assets/manifest.json"

-# Rounded job start time, used to create a unique Cypress build id for
-# parallelization so we can manually rerun a job after 20 minutes
-NONCE=$(echo "$(date "+%Y%m%d%H%M") - ($(date +%M)%20)" | bc)
-
 # Echo only when not in parallel mode
 say() {
  if [[ $(echo "$INPUT_PARALLEL" | tr '[:lower:]' '[:upper:]') != 'TRUE' ]]; then
@@ -59,6 +55,15 @@ build-assets() {
  say "::endgroup::"
 }

+build-embedded-sdk() {
+  cd "$GITHUB_WORKSPACE/superset-embedded-sdk"
+
+  say "::group::Build embedded SDK bundle for E2E tests"
+  npm ci
+  npm run build
+  say "::endgroup::"
+}
+
 build-instrumented-assets() {
  cd "$GITHUB_WORKSPACE/superset-frontend"

@@ -117,6 +122,33 @@ testdata() {
  say "::endgroup::"
 }

+playwright_testdata() {
+  cd "$GITHUB_WORKSPACE"
+  say "::group::Load all examples for Playwright tests"
+  # must specify PYTHONPATH to make `tests.superset_test_config` importable
+  export PYTHONPATH="$GITHUB_WORKSPACE"
+  pip install -e .
+  superset db upgrade
+  superset load_test_users
+  superset load_examples
+  superset init
+  # Enable DML on the examples database so Playwright tests can create/drop
+  # temporary tables via SQL Lab without depending on external data sources.
+  superset shell <<'PYEOF'
+import sys
+from superset.extensions import db
+from superset.models.core import Database
+examples_db = db.session.query(Database).filter_by(database_name='examples').first()
+if not examples_db:
+    sys.exit('ERROR: examples database not found. load_examples may have failed.')
+
+examples_db.allow_dml = True
+db.session.commit()
+print('Enabled allow_dml on examples database')
+PYEOF
+  say "::endgroup::"
+}
+
 celery-worker() {
  cd "$GITHUB_WORKSPACE"
  say "::group::Start Celery worker"
@@ -148,10 +180,13 @@ cypress-run-all() {
  local APP_ROOT=$2
  cd "$GITHUB_WORKSPACE/superset-frontend/cypress-base"

-  # Start Flask and run it in background
-  # --no-debugger means disable the interactive debugger on the 500 page
-  # so errors can print to stderr.
-  local flasklog="${HOME}/flask.log"
+  # Start the Superset backend via gunicorn (not `flask run`). The Flask
+  # development server is single-threaded and has no crash-recovery, so
+  # heavy tests (dashboard import/export, SQL Lab) can knock it offline
+  # for the rest of the run — surfacing as `ECONNREFUSED` / `socket hang up`
+  # / `Missing CSRF token` cascades. Gunicorn gives us multiple workers,
+  # a request timeout, and worker-recycling under load.
+  local serverlog="${HOME}/superset-cypress.log"
  local port=8081
  CYPRESS_BASE_URL="http://localhost:${port}"
  if [ -n "$APP_ROOT" ]; then
@@ -160,8 +195,58 @@ cypress-run-all() {
  fi
  export CYPRESS_BASE_URL

-  nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
-  local flaskProcessId=$!
+  # Mirrors the args in docker/entrypoints/run-server.sh (1 worker × 20
+  # gthread threads) to keep parity with production. Multi-worker
+  # configurations expose timing-sensitive races in the SQL Lab → Explore
+  # navigation flow under E2E. We diverge from the entrypoint on:
+  #   --timeout 120: heavy dashboard import/export specs exceed the 60s
+  #     default
+  #   --max-requests / --max-requests-jitter: recycle the worker under
+  #     test load to avoid leaks accumulating across the run
+  #   superset.app:create_app(): explicit factory so we don't depend on
+  #     FLASK_APP being exported
+  nohup gunicorn \
+    --bind "127.0.0.1:$port" \
+    --workers 1 \
+    --worker-class gthread \
+    --threads 20 \
+    --timeout 120 \
+    --max-requests 500 \
+    --max-requests-jitter 50 \
+    --access-logfile - \
+    --error-logfile - \
+    "superset.app:create_app()" \
+    >"$serverlog" 2>&1 </dev/null &
+  local serverPid=$!
+
+  # Ensure the backend is cleaned up and its log is emitted even when the
+  # test runner fails under `set -e`.
+  trap '
+    echo "::group::gunicorn log for Cypress run"
+    cat "'"$serverlog"'" || true
+    echo "::endgroup::"
+    kill '"$serverPid"' 2>/dev/null || true
+  ' EXIT
+
+  # Wait for the backend to be ready before launching Cypress; otherwise
+  # the first spec can race the server bind and see connection errors.
+  local timeout=60
+  say "Waiting for gunicorn server to start on port $port..."
+  while [ $timeout -gt 0 ]; do
+    if curl -f "http://localhost:${port}${APP_ROOT}/health" >/dev/null 2>&1; then
+      say "gunicorn server is ready"
+      break
+    fi
+    sleep 1
+    timeout=$((timeout - 1))
+  done
+  if [ $timeout -eq 0 ]; then
+    echo "::error::gunicorn server failed to start within 60 seconds"
+    echo "::group::Server startup log"
+    cat "$serverlog"
+    echo "::endgroup::"
+    return 1
+  fi

  USE_DASHBOARD_FLAG=''
  if [ "$USE_DASHBOARD" = "true" ]; then
@@ -173,13 +258,6 @@ cypress-run-all() {
  # memoryMonitorPid=$!
  python ../../scripts/cypress_run.py --parallelism $PARALLELISM --parallelism-id $PARALLEL_ID --group $PARALLEL_ID --retries 5 $USE_DASHBOARD_FLAG
  # kill $memoryMonitorPid
-
-  # After job is done, print out Flask log for debugging
-  echo "::group::Flask log for default run"
-  cat "$flasklog"
-  echo "::endgroup::"
-  # make sure the program exits
-  kill $flaskProcessId
 }

 playwright-install() {
@@ -197,29 +275,55 @@ playwright-run() {
  local APP_ROOT=$1
  local TEST_PATH=$2

-  # Start Flask from the project root (same as Cypress)
+  # Start the Superset backend via gunicorn from the project root.
+  # See cypress-run-all() above for the rationale — the Flask dev server
+  # cannot survive the dashboard import/export tests under load.
  cd "$GITHUB_WORKSPACE"
-  local flasklog="${HOME}/flask-playwright.log"
+  local serverlog="${HOME}/superset-playwright.log"
  local port=8081
-  PLAYWRIGHT_BASE_URL="http://localhost:${port}"
+  # Use 127.0.0.1 explicitly: `flask run` binds IPv4 only, and Node's DNS
+  # resolution for `localhost` can return `::1` first (IPv6), which then
+  # refuses against the IPv4 listener and surfaces as
+  # `connect ECONNREFUSED ::1:<port>` in API helpers driven from Node
+  # (e.g., the embedded test app's exposed token fetcher).
+  PLAYWRIGHT_BASE_URL="http://127.0.0.1:${port}"
  if [ -n "$APP_ROOT" ]; then
    export SUPERSET_APP_ROOT=$APP_ROOT
    PLAYWRIGHT_BASE_URL=${PLAYWRIGHT_BASE_URL}${APP_ROOT}/
  fi
  export PLAYWRIGHT_BASE_URL

-  nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
-  local flaskProcessId=$!
+  # See cypress-run-all() above for the args rationale (1 worker × 20
+  # gthread threads matching docker/entrypoints/run-server.sh, plus a
+  # 120s timeout and request-recycling for heavy E2E load).
+  nohup gunicorn \
+    --bind "127.0.0.1:$port" \
+    --workers 1 \
+    --worker-class gthread \
+    --threads 20 \
+    --timeout 120 \
+    --max-requests 500 \
+    --max-requests-jitter 50 \
+    --access-logfile - \
+    --error-logfile - \
+    "superset.app:create_app()" \
+    >"$serverlog" 2>&1 </dev/null &
+  local serverPid=$!

-  # Ensure cleanup on exit
-  trap "kill $flaskProcessId 2>/dev/null || true" EXIT
+  # Ensure cleanup on exit (and emit the server log on failure)
+  trap '
+    echo "::group::gunicorn log for Playwright run"
+    cat "'"$serverlog"'" || true
+    echo "::endgroup::"
+    kill '"$serverPid"' 2>/dev/null || true
+  ' EXIT

  # Wait for server to be ready with health check
  local timeout=60
-  say "Waiting for Flask server to start on port $port..."
+  say "Waiting for gunicorn server to start on port $port..."
  while [ $timeout -gt 0 ]; do
    if curl -f ${PLAYWRIGHT_BASE_URL}/health >/dev/null 2>&1; then
-      say "Flask server is ready"
+      say "gunicorn server is ready"
      break
    fi
    sleep 1
@@ -227,9 +331,9 @@ playwright-run() {
  done

  if [ $timeout -eq 0 ]; then
-    echo "::error::Flask server failed to start within 60 seconds"
-    echo "::group::Flask startup log"
-    cat "$flasklog"
+    echo "::error::gunicorn server failed to start within 60 seconds"
+    echo "::group::Server startup log"
+    cat "$serverlog"
    echo "::endgroup::"
    return 1
  fi
@@ -244,7 +348,6 @@ playwright-run() {
    if ! find "playwright/tests/${TEST_PATH}" -name "*.spec.ts" -type f 2>/dev/null | grep -q .; then
      echo "No test files found in ${TEST_PATH} - skipping test run"
      say "::endgroup::"
-      kill $flaskProcessId
      return 0
    fi
    echo "Running tests: ${TEST_PATH}"
@@ -261,13 +364,6 @@ playwright-run() {
  fi
  say "::endgroup::"

-  # After job is done, print out Flask log for debugging
-  echo "::group::Flask log for Playwright run"
-  cat "$flasklog"
-  echo "::endgroup::"
-  # make sure the program exits
-  kill $flaskProcessId
-
  return $status
 }

@@ -291,26 +387,3 @@ monitor_memory() {
    sleep 2
  done
 }
-
-cypress-run-applitools() {
-  cd "$GITHUB_WORKSPACE/superset-frontend/cypress-base"
-
-  local flasklog="${HOME}/flask.log"
-  local port=8081
-  local cypress="./node_modules/.bin/cypress run"
-  local browser=${CYPRESS_BROWSER:-chrome}
-
-  export CYPRESS_BASE_URL="http://localhost:${port}"
-
-  nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
-  local flaskProcessId=$!
-
-  $cypress --spec "cypress/applitools/**/*" --browser "$browser" --headless
-
-  say "::group::Flask log for default run"
-  cat "$flasklog"
-  say "::endgroup::"
-
-  # make sure the program exits
-  kill $flaskProcessId
-}
--- a/.github/workflows/bump-python-package.yml
+++ b/.github/workflows/bump-python-package.yml
@@ -32,7 +32,7 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: true
          ref: master
@@ -41,7 +41,7 @@ jobs:
        uses: ./.github/actions/setup-supersetbot/

      - name: Set up Python ${{ inputs.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.10"

@@ -51,27 +51,31 @@ jobs:
      - name: supersetbot bump-python -p "${{ github.event.inputs.package }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_PACKAGE: ${{ github.event.inputs.package }}
+          INPUT_GROUP: ${{ github.event.inputs.group }}
+          INPUT_EXTRA_FLAGS: ${{ github.event.inputs.extra-flags }}
+          INPUT_LIMIT: ${{ github.event.inputs.limit }}
        run: |
          git config --global user.email "action@github.com"
          git config --global user.name "GitHub Action"

          PACKAGE_OPT=""
-          if [ -n "${{ github.event.inputs.package }}" ]; then
-            PACKAGE_OPT="-p ${{ github.event.inputs.package }}"
+          if [ -n "${INPUT_PACKAGE}" ]; then
+            PACKAGE_OPT="-p ${INPUT_PACKAGE}"
          fi

          GROUP_OPT=""
-          if [ -n "${{ github.event.inputs.group }}" ]; then
-            GROUP_OPT="-g ${{ github.event.inputs.group }}"
+          if [ -n "${INPUT_GROUP}" ]; then
+            GROUP_OPT="-g ${INPUT_GROUP}"
          fi

-          EXTRA_FLAGS="${{ github.event.inputs.extra-flags }}"
+          EXTRA_FLAGS="${INPUT_EXTRA_FLAGS}"

          supersetbot bump-python \
            --verbose \
            --use-current-repo \
            --include-subpackages \
-            --limit ${{ github.event.inputs.limit }} \
+            --limit ${INPUT_LIMIT} \
            $PACKAGE_OPT \
            $GROUP_OPT \
            $EXTRA_FLAGS
--- a/.github/workflows/cancel_duplicates.yml
+++ b/.github/workflows/cancel_duplicates.yml
@@ -1,43 +0,0 @@
-name: Cancel Duplicates
-on:
-  workflow_run:
-    workflows:
-      - "Miscellaneous"
-    types:
-      - requested
-
-jobs:
-  cancel-duplicate-runs:
-    name: Cancel duplicate workflow runs
-    runs-on: ubuntu-24.04
-    permissions:
-      actions: write
-      contents: read
-    steps:
-      - name: Check number of queued tasks
-        id: check_queued
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          GITHUB_REPO: ${{ github.repository }}
-        run: |
-          get_count() {
-            echo $(curl -s -H "Authorization: token $GITHUB_TOKEN" \
-                    "https://api.github.com/repos/$GITHUB_REPO/actions/runs?status=$1" | \
-                    jq ".total_count")
-          }
-          count=$(( `get_count queued` + `get_count in_progress` ))
-          echo "Found $count unfinished jobs."
-          echo "count=$count" >> $GITHUB_OUTPUT
-
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        if: steps.check_queued.outputs.count >= 20
-        uses: actions/checkout@v5
-
-      - name: Cancel duplicate workflow runs
-        if: steps.check_queued.outputs.count >= 20
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-        run: |
-          pip install click requests typing_extensions python-dateutil
-          python ./scripts/cancel_github_workflows.py
--- a/.github/workflows/check-python-deps.yml
+++ b/.github/workflows/check-python-deps.yml
@@ -8,6 +8,10 @@ on:
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+  pull-requests: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -18,7 +22,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -34,6 +38,19 @@ jobs:
        if: steps.check.outputs.python
        uses: ./.github/actions/setup-backend/

+      # Authenticate the Docker daemon so the python:slim pull in
+      # uv-pip-compile.sh uses our (much higher) authenticated rate limit
+      # instead of the shared-runner anonymous one. Best-effort: on fork PRs the
+      # secrets are unavailable, so this no-ops and the pull falls back to
+      # anonymous (covered by the retry loop in the script).
+      - name: Login to Docker Hub
+        if: steps.check.outputs.python
+        continue-on-error: true
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
      - name: Run uv
        if: steps.check.outputs.python
        run: ./scripts/uv-pip-compile.sh
--- a/.github/workflows/check_db_migration_confict.yml
+++ b/.github/workflows/check_db_migration_confict.yml
@@ -25,9 +25,11 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
      - name: Check and notify
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ github.token }}
          script: |
@@ -69,7 +71,7 @@ jobs:
                    `❗ @${pull.user.login} Your base branch \`${currentBranch}\` has ` +
                    'also updated `superset/migrations`.\n' +
                    '\n' +
-                    '**Please consider rebasing your branch and [resolving potential db migration conflicts](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#merging-db-migrations).**',
+                    '**Please consider rebasing your branch and [resolving potential db migration conflicts](https://superset.apache.org/docs/contributing/development#merging-db-migrations).**',
                });
              }
            }
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -6,6 +6,9 @@ on:
  pull_request_review_comment:
    types: [created]

+permissions:
+  contents: read
+
 jobs:
  check-permissions:
    if: |
@@ -17,13 +20,12 @@ jobs:
    steps:
      - name: Check if user is allowed
        id: check
+        env:
+          COMMENTER: ${{ github.event.comment.user.login }}
        run: |
          # List of allowed users
          ALLOWED_USERS="mistercrunch,rusackas"

-          # Get the commenter's username
-          COMMENTER="${{ github.event.comment.user.login }}"
-
          echo "Checking permissions for user: $COMMENTER"

          # Check if user is in allowed list
@@ -44,10 +46,13 @@ jobs:
      pull-requests: write
    steps:
      - name: Comment access denied
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          COMMENTER_LOGIN: ${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}
        with:
          script: |
-            const message = `👋 Hi @${{ github.event.comment.user.login || github.event.review.user.login || github.event.issue.user.login }}!
+            const commenter = process.env.COMMENTER_LOGIN;
+            const message = `👋 Hi @${commenter}!

            Thanks for trying to use Claude Code, but currently only certain team members have access to this feature.

@@ -71,12 +76,13 @@ jobs:
      id-token: write
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
+        persist-credentials: false
        fetch-depth: 1

    - name: Run Claude PR Action
-      uses: anthropics/claude-code-action@beta
+      uses: anthropics/claude-code-action@5fb899572b81d2bb648d4d187173a2f423a9677c # beta
      with:
        anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
        timeout_minutes: "60"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -15,9 +15,35 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  changes:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
+      frontend: ${{ steps.check.outputs.frontend }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
  analyze:
    name: Analyze
+    needs: changes
+    # Skip on PRs that touch neither code group (e.g. docs-only) so the
+    # analysis runners don't spin up. push/schedule runs always proceed:
+    # the change-detector returns "all changed" for non-PR events.
+    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -31,17 +57,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -52,7 +74,6 @@ jobs:
          # queries: security-extended,security-and-quality

      - name: Perform CodeQL Analysis
-        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -27,9 +27,11 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout Repository"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
      - name: "Dependency Review"
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
        continue-on-error: true
        with:
          fail-on-severity: critical
@@ -39,13 +41,9 @@ jobs:
          # pkg:npm/store2@2.14.2
          #   adding an exception for an ambigious license on store2, which has been resolved in
          #   the latest version. It's MIT: https://github.com/nbubna/store/blob/master/LICENSE-MIT
-          # pkg:npm/applitools/*
-          #   adding exception for all applitools modules (eyes-cypress and its dependencies),
-          #   which has an explicit OSS license approved by ASF
-          #   license: https://applitools.com/legal/open-source-terms-of-use/
          # pkg:npm/node-forge@1.3.1
          #   selecting BSD-3-Clause licensing terms for node-forge to ensure compatibility with Apache
-          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/applitools/core, pkg:npm/applitools/core-base, pkg:npm/applitools/css-tree, pkg:npm/applitools/ec-client, pkg:npm/applitools/eg-socks5-proxy-server, pkg:npm/applitools/eyes, pkg:npm/applitools/eyes-cypress, pkg:npm/applitools/nml-client, pkg:npm/applitools/tunnel-client, pkg:npm/applitools/utils, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1
+          allow-dependencies-licenses: pkg:npm/store2@2.14.2, pkg:npm/node-forge@1.3.1, pkg:npm/rgbcolor, pkg:npm/jszip@3.10.1

  python-dependency-liccheck:
    # NOTE: Configuration for liccheck lives in our pyproject.yml.
@@ -53,7 +51,9 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: "Checkout Repository"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false

      - name: Setup Python
        uses: ./.github/actions/setup-backend/
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,14 +9,40 @@ on:
    branches:
      - "master"

+permissions:
+  contents: read
+  pull-requests: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

 jobs:

+  changes:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
+      frontend: ${{ steps.check.outputs.frontend }}
+      docker: ${{ steps.check.outputs.docker }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
  setup_matrix:
    runs-on: ubuntu-24.04
+    timeout-minutes: 5
    outputs:
      matrix_config: ${{ steps.set_matrix.outputs.matrix_config }}
    steps:
@@ -28,8 +54,13 @@ jobs:

  docker-build:
    name: docker-build
-    needs: setup_matrix
+    needs: [setup_matrix, changes]
+    if: >-
+      needs.changes.outputs.python == 'true' ||
+      needs.changes.outputs.frontend == 'true' ||
+      needs.changes.outputs.docker == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 60
    strategy:
      matrix:
        build_preset: ${{fromJson(needs.setup_matrix.outputs.matrix_config)}}
@@ -42,18 +73,11 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
      - name: Setup Docker Environment
-        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
        uses: ./.github/actions/setup-docker
        with:
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
@@ -61,28 +85,27 @@ jobs:
          build: "true"

      - name: Setup supersetbot
-        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
        uses: ./.github/actions/setup-supersetbot/

      - name: Build Docker Image
-        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_PRESET: ${{ matrix.build_preset }}
        run: |
          # Single platform builds in pull_request context to speed things up
-          if [ "${{ github.event_name }}" = "push" ]; then
+          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
            PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64"
            # can only --load images in single-platform builds
            PUSH_OR_LOAD="--push"
-          elif [ "${{ github.event_name }}" = "pull_request" ]; then
+          elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            PLATFORM_ARG="--platform linux/amd64"
            PUSH_OR_LOAD="--load"
          fi

          supersetbot docker \
            $PUSH_OR_LOAD \
-            --preset ${{ matrix.build_preset }} \
+            --preset "$BUILD_PRESET" \
            --context "$EVENT" \
            --context-ref "$RELEASE" $FORCE_LATEST \
            --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
@@ -90,11 +113,14 @@ jobs:

      # in the context of push (using multi-platform build), we need to pull the image locally
      - name: Docker pull
-        if: github.event_name == 'push' && (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker)
-        run:  docker pull $IMAGE_TAG
+        if: github.event_name == 'push'
+        run: |
+          for i in 1 2 3; do
+            docker pull $IMAGE_TAG && break
+            [ $i -lt 3 ] && sleep 30
+          done

      - name: Print docker stats
-        if: steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker
        run: |
          echo "SHA: ${{ github.sha }}"
          echo "IMAGE: $IMAGE_TAG"
@@ -102,10 +128,12 @@ jobs:
          docker history $IMAGE_TAG

      - name: docker-compose sanity check
-        if: (steps.check.outputs.python || steps.check.outputs.frontend || steps.check.outputs.docker) && matrix.build_preset == 'dev'
+        if: matrix.build_preset == 'dev'
        shell: bash
+        env:
+          BUILD_PRESET: ${{ matrix.build_preset }}
        run: |
-          export SUPERSET_BUILD_TARGET=${{ matrix.build_preset }}
+          export SUPERSET_BUILD_TARGET=$BUILD_PRESET
          # This should reuse the CACHED image built in the previous steps
          docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false
          docker compose up superset-init --exit-code-from superset-init
@@ -113,20 +141,16 @@ jobs:
  docker-compose-image-tag:
    # Run this job only on pushes to master (not for PRs)
    # goal is to check that building the latest image works, not required for all PR pushes
-    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    needs: changes
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master' && needs.changes.outputs.docker == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 30
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Docker Environment
-        if: steps.check.outputs.docker
        uses: ./.github/actions/setup-docker
        with:
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
@@ -134,7 +158,6 @@ jobs:
          build: "false"
          install-docker-compose: "true"
      - name: docker-compose sanity check
-        if: steps.check.outputs.docker
        shell: bash
        run: |
          docker compose -f docker-compose-image-tag.yml up superset-init --exit-code-from superset-init
--- a/.github/workflows/embedded-sdk-release.yml
+++ b/.github/workflows/embedded-sdk-release.yml
@@ -6,6 +6,9 @@ on:
      - "master"
      - "[0-9].[0-9]*"

+permissions:
+  contents: read
+
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -16,10 +19,12 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.NPM_TOKEN != '') || '' }}" ]; then
+          if [ -n "${NPM_TOKEN}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

+        env:
+          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '') || '' }}
  build:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -28,8 +33,10 @@ jobs:
      run:
        working-directory: superset-embedded-sdk
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-embedded-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/embedded-sdk-test.yml
+++ b/.github/workflows/embedded-sdk-test.yml
@@ -6,6 +6,9 @@ on:
      - "superset-embedded-sdk/**"
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -18,8 +21,10 @@ jobs:
      run:
        working-directory: superset-embedded-sdk
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-embedded-sdk/.nvmrc'
          registry-url: 'https://registry.npmjs.org'
--- a/.github/workflows/ephemeral-env-pr-close.yml
+++ b/.github/workflows/ephemeral-env-pr-close.yml
@@ -1,81 +0,0 @@
-name: Cleanup ephemeral envs (PR close) [DEPRECATED]
-
-# ⚠️  DEPRECATION NOTICE ⚠️
-# This workflow is deprecated and will be removed in a future version.
-# The new Superset Showtime workflow handles cleanup automatically.
-# See .github/workflows/showtime.yml and showtime-cleanup.yml for replacements.
-# Migration guide: https://github.com/mistercrunch/superset-showtime
-
-on:
-  pull_request_target:
-    types: [closed]
-
-jobs:
-  config:
-    runs-on: ubuntu-24.04
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  ephemeral-env-cleanup:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    name: Cleanup ephemeral envs
-    runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write
-    steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-
-      - name: Describe ECS service
-        id: describe-services
-        run: |
-          echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
-
-      - name: Delete ECS service
-        if: steps.describe-services.outputs.active == 'true'
-        id: delete-service
-        run: |
-          aws ecs delete-service \
-          --cluster superset-ci \
-          --service pr-${{ github.event.number }}-service \
-          --force
-
-      - name: Login to Amazon ECR
-        if: steps.describe-services.outputs.active == 'true'
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-
-      - name: Delete ECR image tag
-        if: steps.describe-services.outputs.active == 'true'
-        id: delete-image-tag
-        run: |
-          aws ecr batch-delete-image \
-          --registry-id $(echo "${{ steps.login-ecr.outputs.registry }}" | grep -Eo "^[0-9]+") \
-          --repository-name superset-ci \
-          --image-ids imageTag=pr-${{ github.event.number }}
-
-      - name: Comment (success)
-        if: steps.describe-services.outputs.active == 'true'
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{github.token}}
-          script: |
-            github.rest.issues.createComment({
-              issue_number: ${{ github.event.number }},
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '⚠️ **DEPRECATED WORKFLOW** - Ephemeral environment shutdown and build artifacts deleted. Please migrate to the new Superset Showtime system for future PRs.'
-            })
--- a/.github/workflows/ephemeral-env.yml
+++ b/.github/workflows/ephemeral-env.yml
@@ -1,344 +0,0 @@
-name: Ephemeral env workflow [DEPRECATED]
-
-# ⚠️  DEPRECATION NOTICE ⚠️
-# This workflow is deprecated and will be removed in a future version.
-# Please use the new Superset Showtime workflow instead:
-# - Use label "🎪 trigger-start" instead of "testenv-up"
-# - Showtime provides better reliability and easier management
-# - See .github/workflows/showtime.yml for the replacement
-# - Migration guide: https://github.com/mistercrunch/superset-showtime
-
-# Example manual trigger:
-# gh workflow run ephemeral-env.yml --ref fix_ephemerals --field label_name="testenv-up" --field issue_number=666
-
-on:
-  pull_request_target:
-    types:
-      - labeled
-  workflow_dispatch:
-    inputs:
-      label_name:
-        description: 'Label name to simulate label-based /testenv trigger'
-        required: true
-        default: 'testenv-up'
-      issue_number:
-        description: 'Issue or PR number'
-        required: true
-
-jobs:
-  ephemeral-env-label:
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}-label
-      cancel-in-progress: true
-    name: Evaluate ephemeral env label trigger
-    runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write
-    outputs:
-      slash-command: ${{ steps.eval-label.outputs.result }}
-      feature-flags: ${{ steps.eval-feature-flags.outputs.result }}
-      sha: ${{ steps.get-sha.outputs.sha }}
-    env:
-      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-
-    steps:
-      - name: Check for the "testenv-up" label
-        id: eval-label
-        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            LABEL_NAME="${{ github.event.inputs.label_name }}"
-          else
-            LABEL_NAME="${{ github.event.label.name }}"
-          fi
-
-          echo "Evaluating label: $LABEL_NAME"
-
-          if [[ "$LABEL_NAME" == "testenv-up" ]]; then
-            echo "result=up" >> $GITHUB_OUTPUT
-          else
-            echo "result=noop" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Get event SHA
-        id: get-sha
-        if: steps.eval-label.outputs.result == 'up'
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            let prSha;
-
-            // If event is workflow_dispatch, use the issue_number from inputs
-            if (context.eventName === "workflow_dispatch") {
-              const prNumber = "${{ github.event.inputs.issue_number }}";
-              if (!prNumber) {
-                console.log("No PR number found.");
-                return;
-              }
-
-              // Fetch PR details using the provided issue_number
-              const { data: pr } = await github.rest.pulls.get({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                pull_number: prNumber
-              });
-
-              prSha = pr.head.sha;
-            } else {
-              // If it's not workflow_dispatch, use the PR head sha from the event
-              prSha = context.payload.pull_request.head.sha;
-            }
-
-            console.log(`PR SHA: ${prSha}`);
-            core.setOutput("sha", prSha);
-
-      - name: Looking for feature flags in PR description
-        uses: actions/github-script@v8
-        id: eval-feature-flags
-        if: steps.eval-label.outputs.result == 'up'
-        with:
-          script: |
-            const description = context.payload.pull_request
-              ? context.payload.pull_request.body || ''
-              : context.payload.inputs.pr_description || '';
-
-            const pattern = /FEATURE_(\w+)=(\w+)/g;
-            let results = [];
-            [...description.matchAll(pattern)].forEach(match => {
-              const config = {
-                name: `SUPERSET_FEATURE_${match[1]}`,
-                value: match[2],
-              };
-              results.push(config);
-            });
-
-            return results;
-
-      - name: Reply with confirmation comment
-        uses: actions/github-script@v8
-        if: steps.eval-label.outputs.result == 'up'
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const action = '${{ steps.eval-label.outputs.result }}';
-            const user = context.actor;
-            const runId = context.runId;
-            const workflowUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${runId}`;
-
-            const issueNumber = context.payload.pull_request
-              ? context.payload.pull_request.number
-              : context.payload.inputs.issue_number;
-
-            if (!issueNumber) {
-              throw new Error("Issue number is not available.");
-            }
-
-            const body = `⚠️ **DEPRECATED WORKFLOW** ⚠️\n\n@${user} This workflow is deprecated! Please use the new **Superset Showtime** system instead:\n\n` +
-              `- Replace "testenv-up" label with "🎪 trigger-start"\n` +
-              `- Better reliability and easier management\n` +
-              `- See https://github.com/mistercrunch/superset-showtime for details\n\n` +
-              `Processing your ephemeral environment request [here](${workflowUrl}). Action: **${action}**.` +
-              ` More information on [how to use or configure ephemeral environments]` +
-              `(https://superset.apache.org/docs/contributing/howtos/#github-ephemeral-environments)`;
-
-
-            await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: issueNumber,
-              body,
-            });
-
-  ephemeral-docker-build:
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}-build
-      cancel-in-progress: true
-    needs: ephemeral-env-label
-    if: needs.ephemeral-env-label.outputs.slash-command == 'up'
-    name: ephemeral-docker-build
-    runs-on: ubuntu-24.04
-    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ needs.ephemeral-env-label.outputs.sha }} : ${{steps.get-sha.outputs.sha}} )"
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ needs.ephemeral-env-label.outputs.sha }}
-          persist-credentials: false
-
-      - name: Setup Docker Environment
-        uses: ./.github/actions/setup-docker
-        with:
-          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
-          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
-          build: "true"
-          install-docker-compose: "false"
-
-      - name: Setup supersetbot
-        uses: ./.github/actions/setup-supersetbot/
-
-      - name: Build ephemeral env image
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          supersetbot docker \
-            --push \
-            --load \
-            --preset ci \
-            --platform  linux/amd64 \
-            --context-ref "$RELEASE" \
-            --extra-flags "--build-arg INCLUDE_CHROMIUM=false"
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-
-      - name: Load, tag and push image to ECR
-        id: push-image
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          ECR_REPOSITORY: superset-ci
-          IMAGE_TAG: apache/superset:${{ needs.ephemeral-env-label.outputs.sha }}-ci
-          PR_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
-        run: |
-          docker tag $IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:pr-$PR_NUMBER-ci
-          docker push -a $ECR_REGISTRY/$ECR_REPOSITORY
-
-  ephemeral-env-up:
-    needs: [ephemeral-env-label, ephemeral-docker-build]
-    if: needs.ephemeral-env-label.outputs.slash-command == 'up'
-    name: Spin up an ephemeral environment
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      pull-requests: write
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-west-2
-
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-
-      - name: Check target image exists in ECR
-        id: check-image
-        continue-on-error: true
-        env:
-          PR_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
-        run: |
-          aws ecr describe-images \
-          --registry-id $(echo "${{ steps.login-ecr.outputs.registry }}" | grep -Eo "^[0-9]+") \
-          --repository-name superset-ci \
-          --image-ids imageTag=pr-$PR_NUMBER-ci
-
-      - name: Fail on missing container image
-        if: steps.check-image.outcome == 'failure'
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ github.token }}
-          script: |
-            const errMsg = '@${{ github.event.comment.user.login }} Container image not yet published for this PR. Please try again when build is complete.';
-            github.rest.issues.createComment({
-              issue_number: ${{ github.event.inputs.issue_number || github.event.pull_request.number }},
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: errMsg
-            });
-            core.setFailed(errMsg);
-
-      - name: Fill in the new image ID in the Amazon ECS task definition
-        id: task-def
-        uses: aws-actions/amazon-ecs-render-task-definition@v1
-        with:
-          task-definition: .github/workflows/ecs-task-definition.json
-          container-name: superset-ci
-          image: ${{ steps.login-ecr.outputs.registry }}/superset-ci:pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-ci
-
-      - name: Update env vars in the Amazon ECS task definition
-        run: |
-          cat <<< "$(jq '.containerDefinitions[0].environment += ${{ needs.ephemeral-env-label.outputs.feature-flags }}' < ${{ steps.task-def.outputs.task-definition }})" > ${{ steps.task-def.outputs.task-definition }}
-
-      - name: Describe ECS service
-        id: describe-services
-        run: |
-          echo "active=$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" >> $GITHUB_OUTPUT
-      - name: Create ECS service
-        id: create-service
-        if: steps.describe-services.outputs.active != 'true'
-        env:
-          ECR_SUBNETS: subnet-0e15a5034b4121710,subnet-0e8efef4a72224974
-          ECR_SECURITY_GROUP: sg-092ff3a6ae0574d91
-          PR_NUMBER: ${{ github.event.inputs.issue_number || github.event.pull_request.number }}
-        run: |
-          aws ecs create-service \
-          --cluster superset-ci \
-          --service-name pr-$PR_NUMBER-service \
-          --task-definition superset-ci \
-          --launch-type FARGATE \
-          --desired-count 1 \
-          --platform-version LATEST \
-          --network-configuration "awsvpcConfiguration={subnets=[$ECR_SUBNETS],securityGroups=[$ECR_SECURITY_GROUP],assignPublicIp=ENABLED}" \
-          --tags key=pr,value=$PR_NUMBER key=github_user,value=${{ github.actor }}
-      - name: Deploy Amazon ECS task definition
-        id: deploy-task
-        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
-        with:
-          task-definition: ${{ steps.task-def.outputs.task-definition }}
-          service: pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service
-          cluster: superset-ci
-          wait-for-service-stability: true
-          wait-for-minutes: 10
-
-      - name: List tasks
-        id: list-tasks
-        run: |
-          echo "task=$(aws ecs list-tasks --cluster superset-ci --service-name pr-${{ github.event.inputs.issue_number || github.event.pull_request.number }}-service | jq '.taskArns | first')" >> $GITHUB_OUTPUT
-      - name: Get network interface
-        id: get-eni
-        run: |
-          echo "eni=$(aws ecs describe-tasks --cluster superset-ci --tasks ${{ steps.list-tasks.outputs.task }} | jq '.tasks[0].attachments[0].details | map(select(.name=="networkInterfaceId"))[0].value')" >> $GITHUB_OUTPUT
-      - name: Get public IP
-        id: get-ip
-        run: |
-          echo "ip=$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" >> $GITHUB_OUTPUT
-      - name: Comment (success)
-        if: ${{ success() }}
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{github.token}}
-          script: |
-            const issue_number = context.payload.inputs?.issue_number || context.issue.number;
-            github.rest.issues.createComment({
-              issue_number: issue_number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: `@${{ github.actor }} Ephemeral environment spinning up at http://${{ steps.get-ip.outputs.ip }}:8080. Credentials are 'admin'/'admin'. Please allow several minutes for bootstrapping and startup.`
-            });
-      - name: Comment (failure)
-        if: ${{ failure() }}
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{github.token}}
-          script: |
-            const issue_number = context.payload.inputs?.issue_number || context.issue.number;
-            github.rest.issues.createComment({
-              issue_number: issue_number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: '@${{ github.event.inputs.user_login || github.event.comment.user.login }} Ephemeral environment creation failed. Please check the Actions logs for details.'
-            })
--- a/.github/workflows/generate-FOSSA-report.yml
+++ b/.github/workflows/generate-FOSSA-report.yml
@@ -6,6 +6,9 @@ on:
      - "master"
      - "[0-9].[0-9]*"

+permissions:
+  contents: read
+
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -16,10 +19,12 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.FOSSA_API_KEY != '' ) || '' }}" ]; then
+          if [ -n "${FOSSA_API_KEY}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

+        env:
+          FOSSA_API_KEY: ${{ (secrets.FOSSA_API_KEY != '' ) || '' }}
  license_check:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -27,12 +32,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: "temurin"
          java-version: "11"
--- a/.github/workflows/github-action-validator.yml
+++ b/.github/workflows/github-action-validator.yml
@@ -6,18 +6,34 @@ on:
      - "master"
      - "[0-9].[0-9]*"
  pull_request:
-    types: [synchronize, opened, reopened, ready_for_review]
+    branches:
+      - "**"
+
+permissions:
+  contents: read
+
+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true

 jobs:

  validate-all-ghas:
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      # Required for the zizmor action to upload its SARIF results to
+      # GitHub code scanning (advanced-security is enabled by default).
+      security-events: write
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: '20'

@@ -26,3 +42,6 @@ jobs:

      - name: Run Script
        run: bash .github/workflows/github-action-validator.sh
+
+      - name: Check for security issues on GHA workflows
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
--- a/.github/workflows/issue_creation.yml
+++ b/.github/workflows/issue_creation.yml
@@ -17,7 +17,7 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,11 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target

+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  labeler:
    permissions:
@@ -9,7 +14,7 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-24.04
    steps:
-    - uses: actions/labeler@v6
+    - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
      with:
        sync-labels: true

--- a/.github/workflows/latest-release-tag.yml
+++ b/.github/workflows/latest-release-tag.yml
@@ -12,15 +12,17 @@ jobs:

    steps:
    - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-      uses: actions/checkout@v5
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        persist-credentials: false
        submodules: recursive

    - name: Check for latest tag
      id: latest-tag
+      env:
+        RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
      run: |
-        source ./scripts/tag_latest_release.sh $(echo ${{ github.event.release.tag_name }}) --dry-run
+        source ./scripts/tag_latest_release.sh "$RELEASE_TAG_NAME" --dry-run

    - name: Configure Git
      run: |
@@ -29,7 +31,7 @@ jobs:

    - name: Run latest-tag
      uses: ./.github/actions/latest-tag
-      if: (! ${{ steps.latest-tag.outputs.SKIP_TAG }} )
+      if: steps.latest-tag.outputs.SKIP_TAG != 'true'
      with:
        description: Superset latest release
        tag-name: latest
--- a/.github/workflows/license-check.yml
+++ b/.github/workflows/license-check.yml
@@ -4,6 +4,9 @@ on:
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -15,12 +18,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: 'temurin'
          java-version: '11'
--- a/.github/workflows/no-hold-label.yml
+++ b/.github/workflows/no-hold-label.yml
@@ -4,17 +4,23 @@ on:
  pull_request:
    types: [labeled, unlabeled, opened, reopened, synchronize]

-# cancel previous workflow jobs for PRs
+permissions:
+  pull-requests: read
+
+# Let each label event run to completion. Cancelling in-progress runs leaves
+# CANCELLED entries in the PR's check-suite rollup, which poisons GitHub's
+# `status:success` search filter even though all real CI passed. The job is
+# a tiny no-op github-script call, so the wasted compute is negligible.
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
+  cancel-in-progress: false

 jobs:
  check-hold-label:
    runs-on: ubuntu-24.04
    steps:
    - name: Check for 'hold' label
-      uses: actions/github-script@v8
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -8,6 +8,11 @@ on:
    # Possible values: https://help.github.com/en/actions/reference/events-that-trigger-workflows#pull-request-event-pull_request
    types: [opened, edited, reopened, synchronize]

+# cancel previous workflow jobs for PRs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  lint-check:
    runs-on: ubuntu-24.04
@@ -16,7 +21,7 @@ jobs:
      pull-requests: write
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -8,6 +8,9 @@ on:
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -16,12 +19,16 @@ concurrency:
 jobs:
  pre-commit:
    runs-on: ubuntu-24.04
+    timeout-minutes: 20
    strategy:
      matrix:
-        python-version: ["current", "previous", "next"]
+        # Run the full version spread on push (master/release) and nightly,
+        # but only the current version on PRs — lint/format/type results
+        # rarely differ across patch versions, so 3x per PR is wasteful.
+        python-version: ${{ github.event_name == 'pull_request' && fromJSON('["current"]') || fromJSON('["current", "previous", "next"]') }}
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -39,9 +46,11 @@ jobs:
          echo "HOMEBREW_REPOSITORY=$HOMEBREW_REPOSITORY" >>"${GITHUB_ENV}"
          brew install norwoodj/tap/helm-docs
      - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
-          node-version: '20'
+          node-version-file: "superset-frontend/.nvmrc"
+          cache: "npm"
+          cache-dependency-path: "superset-frontend/package-lock.json"

      - name: Install Frontend Dependencies
        run: |
@@ -54,24 +63,34 @@ jobs:
          yarn install --immutable

      - name: Cache pre-commit environments
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/.cache/pre-commit
          key: pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
            pre-commit-v2-${{ runner.os }}-py${{ matrix.python-version }}-

+      - name: Get changed files
+        id: changed_files
+        uses: ./.github/actions/file-changes-action
+        with:
+          output: " "
+
      - name: pre-commit
+        env:
+          CHANGED_FILES: ${{ steps.changed_files.outputs.files }}
        run: |
          set +e  # Don't exit immediately on failure
-          export SKIP=eslint-frontend,type-checking-frontend
-          pre-commit run --all-files
+          export SKIP=type-checking-frontend
+          pre-commit run --files $CHANGED_FILES
          PRE_COMMIT_EXIT_CODE=$?
          git diff --quiet --exit-code
          GIT_DIFF_EXIT_CODE=$?
          if [ "${PRE_COMMIT_EXIT_CODE}" -ne 0 ] || [ "${GIT_DIFF_EXIT_CODE}" -ne 0 ]; then
            if [ "${PRE_COMMIT_EXIT_CODE}" -ne 0 ]; then
-              echo "❌ Pre-commit check failed (exit code: ${EXIT_CODE})."
+              echo "❌ Pre-commit check failed (exit code: ${PRE_COMMIT_EXIT_CODE})."
+              echo "🔍 Modified files:"
+              git diff --name-only
            else
              echo "❌ Git working directory is dirty."
              echo "📌 This likely means that pre-commit made changes that were not committed."
--- a/.github/workflows/prefer-typescript.yml
+++ b/.github/workflows/prefer-typescript.yml
@@ -1,70 +0,0 @@
-name: Prefer TypeScript
-
-on:
-  push:
-    branches:
-      - "master"
-      - "[0-9].[0-9]*"
-    paths:
-      - "superset-frontend/src/**"
-  pull_request:
-    types: [synchronize, opened, reopened, ready_for_review]
-    paths:
-      - "superset-frontend/src/**"
-
-# cancel previous workflow jobs for PRs
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  prefer_typescript:
-    if: github.ref == 'ref/heads/master' && github.event_name == 'pull_request'
-    name: Prefer TypeScript
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-          submodules: recursive
-      - name: Get changed files
-        id: changed
-        uses: ./.github/actions/file-changes-action
-        with:
-          githubToken: ${{ github.token }}
-
-      - name: Determine if a .js or .jsx file was added
-        id: check
-        run: |
-          js_files_added() {
-            jq -r '
-              map(
-                select(
-                  endswith(".js") or endswith(".jsx")
-                )
-              ) | join("\n")
-            ' ${HOME}/files_added.json
-          }
-          echo "js_files_added=$(js_files_added)" >> $GITHUB_OUTPUT
-
-      - if: steps.check.outputs.js_files_added
-        name: Add Comment to PR
-        uses: ./.github/actions/comment-on-pr
-        continue-on-error: true
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          msg: |
-            ### WARNING: Prefer TypeScript
-
-            Looks like your PR contains new `.js` or `.jsx` files:
-
-            ```
-            ${{steps.check.outputs.js_files_added}}
-            ```
-
-            As decided in [SIP-36](https://github.com/apache/superset/issues/9101), all new frontend code should be written in TypeScript. Please convert above files to TypeScript then re-request review.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
      - "master"
      - "[0-9].[0-9]*"

+permissions:
+  contents: read
+
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -16,18 +19,23 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}" ]; then
+          if [ -n "${NPM_TOKEN}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

+        env:
+          NPM_TOKEN: ${{ (secrets.NPM_TOKEN != '' && secrets.GH_PERSONAL_ACCESS_TOKEN != '') || '' }}
  build:
    needs: config
    if: needs.config.outputs.has-secrets
    name: Bump version and publish package(s)
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
+          persist-credentials: false
          # pulls all commits (needed for lerna / semantic release to correctly version)
          fetch-depth: 0
      - name: Get tags and filter trigger tags
@@ -42,13 +50,13 @@ jobs:

      - name: Install Node.js
        if: env.HAS_TAGS
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS
          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -62,7 +70,7 @@ jobs:
        run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        id: npm-cache # use this to check for `cache-hit` (`steps.npm-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.npm-cache-dir-path.outputs.dir }}
--- a/.github/workflows/showtime-cleanup.yml
+++ b/.github/workflows/showtime-cleanup.yml
@@ -7,12 +7,6 @@ on:

  # Manual trigger for testing
  workflow_dispatch:
-    inputs:
-      max_age_hours:
-        description: 'Maximum age in hours before cleanup'
-        required: false
-        default: '48'
-        type: string

 # Common environment variables
 env:
@@ -38,13 +32,5 @@ jobs:

      - name: Cleanup expired environments
        run: |
-          MAX_AGE="${{ github.event.inputs.max_age_hours || '48' }}"
-
-          # Validate max_age is numeric
-          if [[ ! "$MAX_AGE" =~ ^[0-9]+$ ]]; then
-            echo "❌ Invalid max_age_hours format: $MAX_AGE (must be numeric)"
-            exit 1
-          fi
-
-          echo "Cleaning up environments older than ${MAX_AGE}h"
-          python -m showtime cleanup --older-than "${MAX_AGE}h"
+          echo "Cleaning up environments respecting TTL labels"
+          python -m showtime cleanup --respect-ttl
--- a/.github/workflows/showtime-trigger.yml
+++ b/.github/workflows/showtime-trigger.yml
@@ -2,6 +2,7 @@ name: 🎪 Superset Showtime

 # Ultra-simple: just sync on any PR state change
 on:
+  # zizmor: ignore[dangerous-triggers] - required to react to PR label changes; this workflow does not check out or execute PR-provided code
  pull_request_target:
    types: [labeled, unlabeled, synchronize, closed]

@@ -37,7 +38,7 @@ jobs:
    steps:
      - name: Security Check - Authorize Maintainers Only
        id: auth
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -102,10 +103,12 @@ jobs:
      - name: Install Superset Showtime
        if: steps.auth.outputs.authorized == 'true'
        run: |
-          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${{ github.event.pull_request.number || github.event.inputs.pr_number }}"
+          echo "::notice::Maintainer $GITHUB_ACTOR triggered deploy for PR ${PULL_REQUEST_NUMBER}"
          pip install --upgrade superset-showtime
          showtime version

+        env:
+          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
      - name: Check what actions are needed
        if: steps.auth.outputs.authorized == 'true'
        id: check
@@ -113,12 +116,14 @@ jobs:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number }}
+          INPUT_SHA: ${{ github.event.inputs.sha }}
        run: |
          # Bulletproof PR number extraction
          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
            PR_NUM="${{ github.event.pull_request.number }}"
-          elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
-            PR_NUM="${{ github.event.inputs.pr_number }}"
+          elif [[ -n "${INPUT_PR_NUMBER}" ]]; then
+            PR_NUM="${INPUT_PR_NUMBER}"
          else
            echo "❌ No PR number found in event or inputs"
            exit 1
@@ -127,8 +132,8 @@ jobs:
          echo "Using PR number: $PR_NUM"

          # Run sync check-only with optional SHA override
-          if [[ -n "${{ github.event.inputs.sha }}" ]]; then
-            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${{ github.event.inputs.sha }}")
+          if [[ -n "${INPUT_SHA}" ]]; then
+            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${INPUT_SHA}")
          else
            OUTPUT=$(python -m showtime sync $PR_NUM --check-only)
          fi
@@ -147,7 +152,7 @@ jobs:

      - name: Checkout PR code (only if build needed)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ steps.check.outputs.target_sha }}
          persist-credentials: false
@@ -169,9 +174,11 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          CHECK_PR_NUMBER: ${{ steps.check.outputs.pr_number }}
+          CHECK_TARGET_SHA: ${{ steps.check.outputs.target_sha }}
        run: |
-          PR_NUM="${{ steps.check.outputs.pr_number }}"
-          TARGET_SHA="${{ steps.check.outputs.target_sha }}"
+          PR_NUM="$CHECK_PR_NUMBER"
+          TARGET_SHA="$CHECK_TARGET_SHA"
          if [[ -n "$TARGET_SHA" ]]; then
            python -m showtime sync $PR_NUM --sha "$TARGET_SHA"
          else
--- a/.github/workflows/superset-app-cli.yml
+++ b/.github/workflows/superset-app-cli.yml
@@ -8,6 +8,10 @@ on:
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+  pull-requests: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -23,7 +27,7 @@ jobs:
      SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -37,7 +41,7 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
--- a/.github/workflows/superset-applitool-cypress.yml
+++ b/.github/workflows/superset-applitool-cypress.yml
@@ -1,91 +0,0 @@
-name: Applitools Cypress
-
-on:
-  schedule:
-    - cron: "0 1 * * *"
-
-jobs:
-  config:
-    runs-on: ubuntu-24.04
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.APPLITOOLS_API_KEY != '' && secrets.APPLITOOLS_API_KEY != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  cypress-applitools:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-24.04
-    strategy:
-      fail-fast: false
-      matrix:
-        browser: ["chrome"]
-    env:
-      SUPERSET_ENV: development
-      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
-      SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
-      PYTHONPATH: ${{ github.workspace }}
-      REDIS_PORT: 16379
-      GITHUB_TOKEN: ${{ github.token }}
-      APPLITOOLS_APP_NAME: Superset
-      APPLITOOLS_API_KEY: ${{ secrets.APPLITOOLS_API_KEY }}
-      APPLITOOLS_BATCH_ID: ${{ github.sha }}
-      APPLITOOLS_BATCH_NAME: Superset Cypress
-    services:
-      postgres:
-        image: postgres:16-alpine
-        env:
-          POSTGRES_USER: superset
-          POSTGRES_PASSWORD: superset
-        ports:
-          - 15432:5432
-      redis:
-        image: redis:7-alpine
-        ports:
-          - 16379:6379
-    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-          submodules: recursive
-          ref: master
-      - name: Setup Python
-        uses: ./.github/actions/setup-backend/
-      - name: Import test data
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: testdata
-      - name: Setup Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: './superset-frontend/.nvmrc'
-      - name: Install npm dependencies
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: npm-install
-      - name: Build javascript packages
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: build-instrumented-assets
-      - name: Setup Postgres
-        if: steps.check.outcome == 'failure'
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: setup-postgres
-      - name: Install cypress
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: cypress-install
-      - name: Run Cypress
-        uses: ./.github/actions/cached-dependencies
-        env:
-          CYPRESS_BROWSER: ${{ matrix.browser }}
-        with:
-          run: cypress-run-applitools
--- a/.github/workflows/superset-applitools-storybook.yml
+++ b/.github/workflows/superset-applitools-storybook.yml
@@ -1,52 +0,0 @@
-name: Applitools Storybook
-
-on:
-  schedule:
-    - cron: "0 0 * * *"
-
-env:
-  APPLITOOLS_APP_NAME: Superset
-  APPLITOOLS_API_KEY: ${{ secrets.APPLITOOLS_API_KEY }}
-  APPLITOOLS_BATCH_ID: ${{ github.sha }}
-  APPLITOOLS_BATCH_NAME: Superset Storybook
-
-jobs:
-  config:
-    runs-on: ubuntu-24.04
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.APPLITOOLS_API_KEY != '' && secrets.APPLITOOLS_API_KEY != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  cron:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-24.04
-    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-          submodules: recursive
-          ref: master
-      - name: Set up Node.js
-        uses: actions/setup-node@v5
-        with:
-          node-version-file: './superset-frontend/.nvmrc'
-      - name: Install eyes-storybook dependencies
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: eyes-storybook-dependencies
-      - name: Install NPM dependencies
-        uses: ./.github/actions/cached-dependencies
-        with:
-          run: npm-install
-      - name: Run Applitools Eyes-Storybook
-        working-directory: ./superset-frontend
-        run: npx eyes-storybook -u https://superset-storybook.netlify.app/
--- a/.github/workflows/superset-docs-deploy.yml
+++ b/.github/workflows/superset-docs-deploy.yml
@@ -1,6 +1,14 @@
 name: Docs Deployment

 on:
+  # Deploy after integration tests complete on master
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context after a trusted upstream workflow; scoped to master
+  workflow_run:
+    workflows: ["Python-Integration"]
+    types: [completed]
+    branches: [master]
+
+  # Also allow manual trigger and direct pushes to docs
  push:
    paths:
      - "docs/**"
@@ -10,6 +18,19 @@ on:

  workflow_dispatch: {}

+# Serialize deploys: the action pushes to apache/superset-site without
+# rebasing, so concurrent runs race on the final push and the loser fails
+# with `! [rejected] asf-site -> asf-site (fetch first)`. Cancel any
+# in-progress run as soon as a newer one starts — the destination repo
+# isn't touched until the final push step, so canceling mid-build is safe,
+# and the freshest content always wins.
+concurrency:
+  group: docs-deploy-asf-site
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -20,28 +41,37 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}" ]; then
+          if [ -n "${SUPERSET_SITE_BUILD}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

+        env:
+          SUPERSET_SITE_BUILD: ${{ (secrets.SUPERSET_SITE_BUILD != '' && secrets.SUPERSET_SITE_BUILD != '') || '' }}
  build-deploy:
    needs: config
-    if: needs.config.outputs.has-secrets
+    # For workflow_run triggers, only deploy when the triggering run originated
+    # from this repository (not a fork), ensuring the checked-out code and any
+    # local actions executed with deploy credentials are trusted.
+    if: >-
+      needs.config.outputs.has-secrets &&
+      (github.event_name != 'workflow_run' ||
+       github.event.workflow_run.head_repository.full_name == github.repository)
    name: Build & Deploy
    runs-on: ubuntu-24.04
    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+      - name: "Checkout ${{ github.event.workflow_run.head_sha || github.sha }}"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
+          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './docs/.nvmrc'
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-      - uses: actions/setup-java@v5
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: 'zulu'
          java-version: '21'
@@ -58,6 +88,35 @@ jobs:
        working-directory: docs
        run: |
          yarn install --check-cache
+      - name: Download database diagnostics (if triggered by integration tests)
+        if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        continue-on-error: true
+        with:
+          workflow: superset-python-integrationtest.yml
+          run_id: ${{ github.event.workflow_run.id }}
+          name: database-diagnostics
+          path: docs/src/data/
+      - name: Try to download latest diagnostics (for push/dispatch triggers)
+        if: github.event_name != 'workflow_run'
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        continue-on-error: true
+        with:
+          workflow: superset-python-integrationtest.yml
+          name: database-diagnostics
+          path: docs/src/data/
+          branch: master
+          search_artifacts: true
+          if_no_artifact_found: warn
+      - name: Use diagnostics artifact if available
+        working-directory: docs
+        run: |
+          if [ -f "src/data/databases-diagnostics.json" ]; then
+            echo "Using fresh diagnostics from integration tests"
+            mv src/data/databases-diagnostics.json src/data/databases.json
+          else
+            echo "Using committed databases.json (no artifact found)"
+          fi
      - name: yarn build
        working-directory: docs
        run: |
@@ -71,5 +130,5 @@ jobs:
          destination-github-username: "apache"
          destination-repository-name: "superset-site"
          target-branch: "asf-site"
-          commit-message: "deploying docs: ${{ github.event.head_commit.message }} (apache/superset@${{ github.sha }})"
+          commit-message: "deploying docs: ${{ github.event.head_commit.message || 'triggered by integration tests' }} (apache/superset@${{ github.event.workflow_run.head_sha || github.sha }})"
          user-email: dev@superset.apache.org
--- a/.github/workflows/superset-docs-verify.yml
+++ b/.github/workflows/superset-docs-verify.yml
@@ -4,24 +4,36 @@ on:
  pull_request:
    paths:
      - "docs/**"
+      - "superset/db_engine_specs/**"
      - ".github/workflows/superset-docs-verify.yml"
    types: [synchronize, opened, reopened, ready_for_review]
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes artifacts from the trusted upstream workflow
+  workflow_run:
+    workflows: ["Python-Integration"]
+    types: [completed]

 # cancel previous workflow jobs for PRs
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_sha || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  linkinator:
    # See docs here: https://github.com/marketplace/actions/linkinator
+    # Only run on pull_request, not workflow_run
+    if: github.event_name == 'pull_request'
    name: Link Checking
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
      # Do not bump this linkinator-action version without opening
      # an ASF Infra ticket to allow the new version first!
-      - uses: JustinBeckwith/linkinator-action@3d5ba091319fa7b0ac14703761eebb7d100e6f6d  # v1.11.0
+      - uses: JustinBeckwith/linkinator-action@af984b9f30f63e796ae2ea5be5e07cb587f1bbd9  # v2.3
        continue-on-error: true # This will make the job advisory (non-blocking, no red X)
        with:
          paths: "**/*.md, **/*.mdx"
@@ -50,25 +62,84 @@ jobs:
            https://timbr.ai/,
            https://opensource.org/license/apache-2-0,
            https://www.plaidcloud.com/
-  build-deploy:
-    name: Build & Deploy
+
+  build-on-pr:
+    # Build docs when PR changes docs/** (uses committed databases.json)
+    if: github.event_name == 'pull_request'
+    name: Build (PR trigger)
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: docs
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './docs/.nvmrc'
      - name: yarn install
        run: |
          yarn install --check-cache
+      - name: Lint docs links
+        # Fast source-level check for bare relative internal links
+        # like `[Foo](../foo)` that Docusaurus's onBrokenLinks
+        # setting can't catch. Runs in seconds; fails fast before
+        # the expensive build step.
+        run: |
+          yarn lint:docs-links
+      - name: yarn typecheck
+        run: |
+          yarn typecheck
+      - name: yarn build
+        run: |
+          yarn build
+
+  build-after-tests:
+    # Build docs after integration tests complete (uses fresh diagnostics)
+    # Only runs if integration tests succeeded
+    if: >
+      github.event_name == 'workflow_run' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.head_repository.full_name == github.repository
+    name: Build (after integration tests)
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        working-directory: docs
+    steps:
+      - name: "Checkout PR head: ${{ github.event.workflow_run.head_sha }}"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+          persist-credentials: false
+          submodules: recursive
+      - name: Set up Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version-file: './docs/.nvmrc'
+      - name: yarn install
+        run: |
+          yarn install --check-cache
+      - name: Download database diagnostics from integration tests
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
+        with:
+          workflow: superset-python-integrationtest.yml
+          run_id: ${{ github.event.workflow_run.id }}
+          name: database-diagnostics
+          path: docs/src/data/
+          if_no_artifact_found: 'warning'
+      - name: Use fresh diagnostics
+        run: |
+          if [ -f "src/data/databases-diagnostics.json" ]; then
+            echo "Using fresh diagnostics from integration tests"
+            mv src/data/databases-diagnostics.json src/data/databases.json
+          else
+            echo "Warning: No diagnostics artifact found, using committed data"
+          fi
      - name: yarn typecheck
        run: |
          yarn typecheck
--- a/.github/workflows/superset-e2e.yml
+++ b/.github/workflows/superset-e2e.yml
@@ -27,9 +27,32 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  changes:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
+      frontend: ${{ steps.check.outputs.frontend }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
  cypress-matrix:
+    needs: changes
+    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    # Somehow one test flakes on 24.04 for unknown reasons, this is the only GHA left on 22.04
    runs-on: ubuntu-22.04
+    timeout-minutes: 30
    permissions:
      contents: read
      pull-requests: read
@@ -40,9 +63,14 @@ jobs:
      # https://github.com/cypress-io/github-action/issues/48
      fail-fast: false
      matrix:
-        parallel_id: [0, 1, 2, 3, 4, 5]
+        parallel_id: [0, 1]
        browser: ["chrome"]
-        app_root: ["", "/app/prefix"]
+        app_root: ${{ github.event_name == 'push' && fromJSON('["", "/app/prefix"]') || fromJSON('[""]') }}
+        # The /app/prefix variant (push events only) is smoke-tested on a single
+        # shard rather than the full matrix, so exclude it from the other shards.
+        exclude:
+          - parallel_id: 1
+            app_root: "/app/prefix"
    env:
      SUPERSET_ENV: development
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -54,7 +82,7 @@ jobs:
      USE_DASHBOARD: ${{ github.event.inputs.use_dashboard == 'true' || 'false' }}
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -69,71 +97,60 @@ jobs:
      # Conditional checkout based on context
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
          submodules: recursive
      # -------------------------------------------------------
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python || steps.check.outputs.frontend
      - name: Setup postgres
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: setup-postgres
      - name: Import test data
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: testdata
      - name: Setup Node.js
-        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
+          cache: 'npm'
+          cache-dependency-path: 'superset-frontend/package-lock.json'
      - name: Install npm dependencies
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: npm-install
      - name: Build javascript packages
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: build-instrumented-assets
      - name: Install cypress
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: cypress-install
      - name: Run Cypress
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        env:
          CYPRESS_BROWSER: ${{ matrix.browser }}
          PARALLEL_ID: ${{ matrix.parallel_id }}
-          PARALLELISM: 6
+          PARALLELISM: 2
          CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
          NODE_OPTIONS: "--max-old-space-size=4096"
        with:
@@ -141,19 +158,23 @@ jobs:
      - name: Set safe app root
        if: failure()
        id: set-safe-app-root
+        env:
+          APP_ROOT: ${{ matrix.app_root }}
        run: |
-          APP_ROOT="${{ matrix.app_root }}"
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        if: failure()
        with:
          path: ${{ github.workspace }}/superset-frontend/cypress-base/cypress/screenshots
          name: cypress-artifact-${{ github.run_id }}-${{ github.job }}-${{ matrix.browser }}-${{ matrix.parallel_id }}--${{ steps.set-safe-app-root.outputs.safe_app_root }}

  playwright-tests:
+    needs: changes
+    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    runs-on: ubuntu-22.04
+    timeout-minutes: 30
    permissions:
      contents: read
      pull-requests: read
@@ -161,7 +182,7 @@ jobs:
      fail-fast: false
      matrix:
        browser: ["chromium"]
-        app_root: ["", "/app/prefix"]
+        app_root: ${{ github.event_name == 'push' && fromJSON('["", "/app/prefix"]') || fromJSON('[""]') }}
    env:
      SUPERSET_ENV: development
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -171,7 +192,7 @@ jobs:
      GITHUB_TOKEN: ${{ github.token }}
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -186,66 +207,59 @@ jobs:
      # Conditional checkout based on context (same as Cypress workflow)
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
          submodules: recursive
      # -------------------------------------------------------
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python || steps.check.outputs.frontend
      - name: Setup postgres
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: setup-postgres
      - name: Import test data
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
-          run: testdata
+          run: playwright_testdata
      - name: Setup Node.js
-        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
+          cache: 'npm'
+          cache-dependency-path: 'superset-frontend/package-lock.json'
      - name: Install npm dependencies
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: npm-install
      - name: Build javascript packages
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: build-instrumented-assets
+      - name: Build embedded SDK
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: build-embedded-sdk
      - name: Install Playwright
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: playwright-install
      - name: Run Playwright (Required Tests)
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        env:
          NODE_OPTIONS: "--max-old-space-size=4096"
@@ -254,15 +268,76 @@ jobs:
      - name: Set safe app root
        if: failure()
        id: set-safe-app-root
+        env:
+          APP_ROOT: ${{ matrix.app_root }}
        run: |
-          APP_ROOT="${{ matrix.app_root }}"
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        if: failure()
        with:
          path: |
            ${{ github.workspace }}/superset-frontend/playwright-results/
            ${{ github.workspace }}/superset-frontend/test-results/
          name: playwright-artifact-${{ github.run_id }}-${{ github.job }}-${{ matrix.browser }}--${{ steps.set-safe-app-root.outputs.safe_app_root }}
+
+  # Stable required-status-check anchors. cypress-matrix and playwright-tests
+  # are matrix jobs gated on change detection (python || frontend). On a PR
+  # that touches neither — e.g. a docs-only PR — they are skipped at the job
+  # level, which happens before matrix expansion, so the per-combination
+  # contexts (`cypress-matrix (0, chrome)`, `playwright-tests (chromium)`) are
+  # never produced and branch protection waits on them forever. These
+  # always-running jobs report a single stable context that passes when the
+  # underlying matrix job succeeded or was skipped, and fails only on a real
+  # failure. Require these in .asf.yaml instead of the matrix-expanded names.
+  #
+  # A matrix job reads as "skipped" in two distinct cases, and only the first
+  # is a legitimate pass: (a) change detection succeeded and gated the job off
+  # (docs-only PR); (b) the `changes` job itself failed or was cancelled, in
+  # which case GHA skips its dependents too. Accepting (b) would let a broken
+  # change-detector report a false green, so each anchor first requires
+  # `changes` to have succeeded before honouring a skip.
+  cypress-matrix-required:
+    needs: [changes, cypress-matrix]
+    if: always()
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions: {}
+    steps:
+      - name: Check cypress-matrix result
+        env:
+          CHANGES: ${{ needs.changes.result }}
+          RESULT: ${{ needs.cypress-matrix.result }}
+        run: |
+          if [ "$CHANGES" != "success" ]; then
+            echo "change detection did not succeed (result: $CHANGES); refusing to pass on a skipped matrix"
+            exit 1
+          fi
+          if [ "$RESULT" != "success" ] && [ "$RESULT" != "skipped" ]; then
+            echo "cypress-matrix did not pass (result: $RESULT)"
+            exit 1
+          fi
+          echo "cypress-matrix result: $RESULT (changes: $CHANGES)"
+
+  playwright-tests-required:
+    needs: [changes, playwright-tests]
+    if: always()
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions: {}
+    steps:
+      - name: Check playwright-tests result
+        env:
+          CHANGES: ${{ needs.changes.result }}
+          RESULT: ${{ needs.playwright-tests.result }}
+        run: |
+          if [ "$CHANGES" != "success" ]; then
+            echo "change detection did not succeed (result: $CHANGES); refusing to pass on a skipped matrix"
+            exit 1
+          fi
+          if [ "$RESULT" != "success" ] && [ "$RESULT" != "skipped" ]; then
+            echo "playwright-tests did not pass (result: $RESULT)"
+            exit 1
+          fi
+          echo "playwright-tests result: $RESULT (changes: $CHANGES)"
--- a/.github/workflows/superset-extensions-cli.yml
+++ b/.github/workflows/superset-extensions-cli.yml
@@ -8,6 +8,10 @@ on:
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+  pull-requests: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -16,15 +20,18 @@ concurrency:
 jobs:
  test-superset-extensions-cli-package:
    runs-on: ubuntu-24.04
+    timeout-minutes: 30
    strategy:
      matrix:
-        python-version: ["previous", "current", "next"]
+        # Full version spread on push (master/release) + nightly; current only
+        # on PRs to cut runner cost (cross-version breaks are caught at merge).
+        python-version: ${{ github.event_name == 'pull_request' && fromJSON('["current"]') || fromJSON('["previous", "current", "next"]') }}
    defaults:
      run:
        working-directory: superset-extensions-cli
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -49,7 +56,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: steps.check.outputs.superset-extensions-cli
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          file: ./coverage.xml
          flags: superset-extensions-cli
@@ -58,7 +65,7 @@ jobs:

      - name: Upload HTML coverage report
        if: steps.check.outputs.superset-extensions-cli
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: superset-extensions-cli-coverage-html
          path: htmlcov/
--- a/.github/workflows/superset-frontend.yml
+++ b/.github/workflows/superset-frontend.yml
@@ -16,14 +16,18 @@ concurrency:
 env:
  TAG: apache/superset:GHA-${{ github.run_id }}

+permissions:
+  contents: read
+
 jobs:
  frontend-build:
    runs-on: ubuntu-24.04
+    timeout-minutes: 30
    outputs:
      should-run: ${{ steps.check.outputs.frontend }}
    steps:
      - name: Checkout Code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          fetch-depth: 0
@@ -54,14 +58,14 @@ jobs:
      - name: Save Docker Image as Artifact
        if: steps.check.outputs.frontend
        run: |
-          docker save $TAG | gzip > docker-image.tar.gz
+          docker save $TAG | zstd -3 --threads=0 > docker-image.tar.zst

      - name: Upload Docker Image Artifact
        if: steps.check.outputs.frontend
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: docker-image
-          path: docker-image.tar.gz
+          path: docker-image.tar.zst

  sharded-jest-tests:
    needs: frontend-build
@@ -71,14 +75,16 @@ jobs:
        shard: [1, 2, 3, 4, 5, 6, 7, 8]
      fail-fast: false
    runs-on: ubuntu-24.04
+    timeout-minutes: 20
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

      - name: Load Docker Image
-        run: docker load < docker-image.tar.gz
+        run: |
+          zstd -d < docker-image.tar.zst | docker load

      - name: npm run test with coverage
        run: |
@@ -87,10 +93,10 @@ jobs:
          -v ${{ github.workspace }}/superset-frontend/coverage:/app/superset-frontend/coverage \
          --rm $TAG \
          bash -c \
-          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json-summary"
+          "npm run test -- --coverage --shard=${{ matrix.shard }}/8 --coverageReporters=json"

      - name: Upload Coverage Artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: coverage-artifacts-${{ matrix.shard }}
          path: superset-frontend/coverage
@@ -99,25 +105,41 @@ jobs:
    needs: [sharded-jest-tests]
    if: needs.frontend-build.outputs.should-run == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    permissions:
+      id-token: write
    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
+
      - name: Download Coverage Artifacts
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          pattern: coverage-artifacts-*
          path: coverage/

-      - name: Show Files
-        run: find coverage/
+      - name: Reorganize test result reports
+        run: |
+          find coverage/
+          for i in {1..8}; do
+            mv coverage/coverage-artifacts-${i}/coverage-final.json coverage/coverage-shard-${i}.json
+          done
+        shell: bash

      - name: Merge Code Coverage
        run: npx nyc merge coverage/ merged-output/coverage-summary.json

      - name: Upload Code Coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: javascript
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true
          verbose: true
+          disable_search: true
          files: merged-output/coverage-summary.json
          slug: apache/superset

@@ -125,15 +147,16 @@ jobs:
    needs: frontend-build
    if: needs.frontend-build.outputs.should-run == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 20
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

      - name: Load Docker Image
        run: |
-          docker load < docker-image.tar.gz
+          zstd -d < docker-image.tar.zst | docker load

      - name: lint
        run: |
@@ -149,21 +172,38 @@ jobs:
    needs: frontend-build
    if: needs.frontend-build.outputs.should-run == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 20
    steps:
      - name: Download Docker Image Artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: docker-image

      - name: Load Docker Image
-        run: docker load < docker-image.tar.gz
+        run: |
+          zstd -d < docker-image.tar.zst | docker load

      - name: Build Plugins Packages
        run: |
          docker run --rm $TAG bash -c \
          "npm run plugins:build"

-      - name: Build Plugins Storybook
+  test-storybook:
+    needs: frontend-build
+    if: needs.frontend-build.outputs.should-run == 'true'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 25
+    steps:
+      - name: Download Docker Image Artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: docker-image
+
+      - name: Load Docker Image
+        run: |
+          zstd -d < docker-image.tar.zst | docker load
+
+      - name: Build Storybook and Run Tests
        run: |
          docker run --rm $TAG bash -c \
-          "npm run plugins:build-storybook"
+          "npm run build-storybook && npx playwright install-deps && npx playwright install chromium && npm run test-storybook:ci"
--- a/.github/workflows/superset-helm-lint.yml
+++ b/.github/workflows/superset-helm-lint.yml
@@ -6,6 +6,9 @@ on:
    paths:
      - "helm/**"

+permissions:
+  contents: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -16,14 +19,14 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
          fetch-depth: 0

      - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v3.16.4

--- a/.github/workflows/superset-helm-release.yml
+++ b/.github/workflows/superset-helm-release.yml
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ inputs.ref || github.ref_name }}
          persist-credentials: true
@@ -42,7 +42,7 @@ jobs:
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v3.5.4

@@ -62,6 +62,8 @@ jobs:
        run: echo "branch_name=helm-publish-${GITHUB_SHA:0:7}" >> $GITHUB_ENV

      - name: Force recreate branch from gh-pages
+        env:
+          BRANCH_NAME: ${{ env.branch_name }}
        run: |
          # Ensure a clean working directory
          git reset --hard
@@ -73,13 +75,13 @@ jobs:
          git fetch origin gh-pages

          # Check out and reset the target branch based on gh-pages
-          git checkout -B ${{ env.branch_name }} origin/gh-pages
+          git checkout -B "$BRANCH_NAME" origin/gh-pages

          # Remove submodules from the branch
          git submodule deinit -f --all

          # Force push to the remote branch
-          git push origin ${{ env.branch_name }} --force
+          git push origin "$BRANCH_NAME" --force

          # Return to the original branch
          git checkout local_gha_temp
@@ -101,10 +103,10 @@ jobs:
          CR_RELEASE_NAME_TEMPLATE: "superset-helm-chart-{{ .Version }}"

      - name: Open Pull Request
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
-            const branchName = '${{ env.branch_name }}';
+            const branchName = process.env.BRANCH_NAME;
            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');

            if (!branchName) {
--- a/.github/workflows/superset-playwright.yml
+++ b/.github/workflows/superset-playwright.yml
@@ -23,10 +23,33 @@ concurrency:
  cancel-in-progress: true

 jobs:
+  changes:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
+      frontend: ${{ steps.check.outputs.frontend }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
  # NOTE: Required Playwright tests are in superset-e2e.yml (E2E / playwright-tests)
  # This workflow contains only experimental tests that run in shadow mode
  playwright-tests-experimental:
+    needs: changes
+    if: needs.changes.outputs.python == 'true' || needs.changes.outputs.frontend == 'true'
    runs-on: ubuntu-22.04
+    timeout-minutes: 30
    continue-on-error: true
    permissions:
      contents: read
@@ -45,7 +68,7 @@ jobs:
      GITHUB_TOKEN: ${{ github.token }}
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -60,71 +83,78 @@ jobs:
      # Conditional checkout based on context (same as Cypress workflow)
      - name: Checkout for push or pull_request event
        if: github.event_name == 'push' || github.event_name == 'pull_request'
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
          ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
      - name: Checkout using ref (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.ref != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          ref: ${{ github.event.inputs.ref }}
          submodules: recursive
      - name: Checkout using PR ID (workflow_dispatch)
        if: github.event_name == 'workflow_dispatch' && github.event.inputs.pr_id != ''
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          ref: refs/pull/${{ github.event.inputs.pr_id }}/merge
          submodules: recursive
      # -------------------------------------------------------
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python || steps.check.outputs.frontend
      - name: Setup postgres
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: setup-postgres
      - name: Import test data
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
-          run: testdata
+          run: playwright_testdata
      - name: Setup Node.js
-        if: steps.check.outputs.python || steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'
+          cache: 'npm'
+          cache-dependency-path: 'superset-frontend/package-lock.json'
      - name: Install npm dependencies
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: npm-install
      - name: Build javascript packages
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: build-instrumented-assets
+      - name: Build embedded SDK
+        uses: ./.github/actions/cached-dependencies
+        with:
+          run: build-embedded-sdk
      - name: Install Playwright
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        with:
          run: playwright-install
      - name: Run Playwright (Experimental Tests)
-        if: steps.check.outputs.python || steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
        env:
          NODE_OPTIONS: "--max-old-space-size=4096"
        with:
          run: playwright-run "${{ matrix.app_root }}" experimental/
+      - name: Run Playwright (Embedded Tests)
+        uses: ./.github/actions/cached-dependencies
+        env:
+          NODE_OPTIONS: "--max-old-space-size=4096"
+          # Scope embedded-only env vars to this step. Setting them at the job
+          # level enabled the EMBEDDED_SUPERSET feature flag inside Flask for
+          # the preceding "Required Tests" and "Experimental Tests" steps too,
+          # which loads extra handlers and destabilizes the werkzeug dev
+          # server under the 2-worker Playwright load. Required Tests should
+          # match master's Flask configuration.
+          SUPERSET_FEATURE_EMBEDDED_SUPERSET: "true"
+          INCLUDE_EMBEDDED: "true"
+        with:
+          run: playwright-run "${{ matrix.app_root }}" embedded
      - name: Set safe app root
        if: failure()
        id: set-safe-app-root
@@ -133,7 +163,7 @@ jobs:
          SAFE_APP_ROOT=${APP_ROOT//\//_}
          echo "safe_app_root=$SAFE_APP_ROOT" >> $GITHUB_OUTPUT
      - name: Upload Playwright Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        if: failure()
        with:
          path: |
--- a/.github/workflows/superset-python-integrationtest.yml
+++ b/.github/workflows/superset-python-integrationtest.yml
@@ -14,8 +14,32 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test-mysql:
+  changes:
    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  test-mysql:
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 45
+    permissions:
+      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -25,6 +49,8 @@ jobs:
    services:
      mysql:
        image: mysql:8.0
+        # Authenticated pulls use our higher Docker Hub rate limit. Empty on
+        # fork PRs (secrets unavailable) -> runner falls back to anonymous.
        env:
          MYSQL_ROOT_PASSWORD: root
        ports:
@@ -41,43 +67,70 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python
      - name: Setup MySQL
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: setup-mysql
      - name: Start Celery worker
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: celery-worker
      - name: Python integration tests (MySQL)
-        if: steps.check.outputs.python
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,mysql
-          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          use_oidc: true
+          slug: apache/superset
+      - name: Generate database diagnostics for docs
+        env:
+          SUPERSET_CONFIG: tests.integration_tests.superset_test_config
+          SUPERSET__SQLALCHEMY_DATABASE_URI: |
+            mysql+mysqldb://superset:superset@127.0.0.1:13306/superset?charset=utf8mb4&binary_prefix=true
+        run: |
+          python -c "
+          import json
+          from superset.app import create_app
+          from superset.db_engine_specs.lib import generate_yaml_docs
+          app = create_app()
+          with app.app_context():
+              docs = generate_yaml_docs()
+              # Wrap in the expected format
+              output = {
+                  'generated': '$(date -Iseconds)',
+                  'databases': docs
+              }
+              with open('databases-diagnostics.json', 'w') as f:
+                  json.dump(output, f, indent=2, default=str)
+              print(f'Generated diagnostics for {len(docs)} databases')
+          "
+      - name: Upload database diagnostics artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: database-diagnostics
+          path: databases-diagnostics.json
+          retention-days: 7
  test-postgres:
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 45
+    permissions:
+      id-token: write
    strategy:
      matrix:
-        python-version: ["current", "previous", "next"]
+        # Full version spread on push (master/release) + nightly; current only
+        # on PRs to cut runner cost (cross-version breaks are caught at merge).
+        python-version: ${{ github.event_name == 'pull_request' && fromJSON('["current"]') || fromJSON('["current", "previous", "next"]') }}
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -85,7 +138,7 @@ jobs:
      SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@127.0.0.1:15432/superset
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -99,44 +152,41 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python
        with:
          python-version: ${{ matrix.python-version }}
      - name: Setup Postgres
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: |
            setup-postgres
      - name: Start Celery worker
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: celery-worker
      - name: Python integration tests (PostgreSQL)
-        if: steps.check.outputs.python
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,postgres
-          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          use_oidc: true
+          slug: apache/superset

  test-sqlite:
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 45
+    permissions:
+      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -152,37 +202,51 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python
      - name: Install dependencies
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: |
            # sqlite needs this working directory
            mkdir ${{ github.workspace }}/.temp
      - name: Start Celery worker
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: celery-worker
      - name: Python integration tests (SQLite)
-        if: steps.check.outputs.python
        run: |
          ./scripts/python_tests.sh
      - name: Upload code coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,sqlite
-          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          use_oidc: true
+          slug: apache/superset
+
+  # Stable required-status-check anchor for the matrix-based test-postgres job.
+  # It is gated on change detection, so on non-Python PRs it is skipped and
+  # never produces its `test-postgres (current)` context (a job-level skip
+  # happens before matrix expansion). This always-running job reports a single
+  # context branch protection can require: it passes when test-postgres
+  # succeeded or was skipped, and fails only on a real failure.
+  test-postgres-required:
+    needs: [changes, test-postgres]
+    if: always()
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Check test-postgres result
+        env:
+          RESULT: ${{ needs.test-postgres.result }}
+        run: |
+          if [ "$RESULT" != "success" ] && [ "$RESULT" != "skipped" ]; then
+            echo "test-postgres did not pass (result: $RESULT)"
+            exit 1
+          fi
+          echo "test-postgres result: $RESULT"
--- a/.github/workflows/superset-python-presto-hive.yml
+++ b/.github/workflows/superset-python-presto-hive.yml
@@ -15,8 +15,32 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test-postgres-presto:
+  changes:
    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Check for file changes
+        id: check
+        uses: ./.github/actions/change-detector/
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  test-postgres-presto:
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 45
+    permissions:
+      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -25,7 +49,7 @@ jobs:
      SUPERSET__SQLALCHEMY_EXAMPLES_URI: presto://localhost:15433/memory/default
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -48,43 +72,38 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python == 'true'
      - name: Setup Postgres
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
-          run: |
-            echo "${{ steps.check.outputs.python }}"
-            setup-postgres
+          run: setup-postgres
      - name: Start Celery worker
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: celery-worker
      - name: Python unit tests (PostgreSQL)
-        if: steps.check.outputs.python
        run: |
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,presto
-          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          use_oidc: true
+          slug: apache/superset

  test-postgres-hive:
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
    runs-on: ubuntu-24.04
+    timeout-minutes: 45
+    permissions:
+      id-token: write
    env:
      PYTHONPATH: ${{ github.workspace }}
      SUPERSET_CONFIG: tests.integration_tests.superset_test_config
@@ -94,7 +113,7 @@ jobs:
      UPLOAD_FOLDER: /tmp/.superset/uploads/
    services:
      postgres:
-        image: postgres:16-alpine
+        image: postgres:17-alpine
        env:
          POSTGRES_USER: superset
          POSTGRES_PASSWORD: superset
@@ -108,45 +127,34 @@ jobs:
          - 16379:6379
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
-      - name: Check for file changes
-        id: check
-        uses: ./.github/actions/change-detector/
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create csv upload directory
-        if: steps.check.outputs.python
        run: sudo mkdir -p /tmp/.superset/uploads
      - name: Give write access to the csv upload directory
-        if: steps.check.outputs.python
        run: sudo chown -R $USER:$USER /tmp/.superset
      - name: Start hadoop and hive
-        if: steps.check.outputs.python
        run: docker compose -f scripts/databases/hive/docker-compose.yml up -d
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python
      - name: Setup Postgres
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: setup-postgres
      - name: Start Celery worker
-        if: steps.check.outputs.python
        uses: ./.github/actions/cached-dependencies
        with:
          run: celery-worker
      - name: Python unit tests (PostgreSQL)
-        if: steps.check.outputs.python
        run: |
          pip install -e .[hive]
          ./scripts/python_tests.sh -m 'chart_data_flow or sql_json_flow'
      - name: Upload code coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,hive
-          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          use_oidc: true
+          slug: apache/superset
--- a/.github/workflows/superset-python-unittest.yml
+++ b/.github/workflows/superset-python-unittest.yml
@@ -15,46 +15,88 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  unit-tests:
+  changes:
    runs-on: ubuntu-24.04
-    strategy:
-      matrix:
-        python-version: ["previous", "current", "next"]
-    env:
-      PYTHONPATH: ${{ github.workspace }}
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      python: ${{ steps.check.outputs.python }}
    steps:
-      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
-          submodules: recursive
      - name: Check for file changes
        id: check
        uses: ./.github/actions/change-detector/
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
+
+  unit-tests:
+    needs: changes
+    if: needs.changes.outputs.python == 'true'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    permissions:
+      id-token: write
+    strategy:
+      matrix:
+        # Full version spread on push (master/release) + nightly; current only
+        # on PRs to cut runner cost (cross-version breaks are caught at merge).
+        python-version: ${{ github.event_name == 'pull_request' && fromJSON('["current"]') || fromJSON('["previous", "current", "next"]') }}
+    env:
+      PYTHONPATH: ${{ github.workspace }}
+    steps:
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+          submodules: recursive
      - name: Setup Python
        uses: ./.github/actions/setup-backend/
-        if: steps.check.outputs.python
        with:
          python-version: ${{ matrix.python-version }}
      - name: Python unit tests
-        if: steps.check.outputs.python
        env:
          SUPERSET_TESTENV: true
          SUPERSET_SECRET_KEY: not-a-secret
        run: |
          pytest --durations-min=0.5 --cov-report= --cov=superset ./tests/common ./tests/unit_tests --cache-clear --maxfail=50
      - name: Python 100% coverage unit tests
-        if: steps.check.outputs.python
        env:
          SUPERSET_TESTENV: true
          SUPERSET_SECRET_KEY: not-a-secret
        run: |
          pytest --durations-min=0.5 --cov=superset/sql/ ./tests/unit_tests/sql/ --cache-clear --cov-fail-under=100
+          pytest --durations-min=0.5 --cov=superset/semantic_layers/ ./tests/unit_tests/semantic_layers/ --cache-clear --cov-fail-under=100
      - name: Upload code coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          flags: python,unit
-          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true
+          use_oidc: true
+          slug: apache/superset
+
+  # Stable required-status-check anchor. `unit-tests` is a matrix job gated on
+  # change detection, so on non-Python PRs it is skipped and never produces its
+  # `unit-tests (current)` context (a job-level skip happens before matrix
+  # expansion). This always-running job reports a single context that branch
+  # protection can require: it passes when unit-tests succeeded or was skipped,
+  # and fails only on a real failure.
+  unit-tests-required:
+    needs: [changes, unit-tests]
+    if: always()
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Check unit-tests result
+        env:
+          RESULT: ${{ needs.unit-tests.result }}
+        run: |
+          if [ "$RESULT" != "success" ] && [ "$RESULT" != "skipped" ]; then
+            echo "unit-tests did not pass (result: $RESULT)"
+            exit 1
+          fi
+          echo "unit-tests result: $RESULT"
--- a/.github/workflows/superset-translations-comment.yml
+++ b/.github/workflows/superset-translations-comment.yml
@@ -0,0 +1,88 @@
+name: Translation Regression Comment
+
+on:
+  # zizmor: ignore[dangerous-triggers] - runs in base-branch context and only consumes the uploaded artifact; never checks out PR code (see note below)
+  workflow_run:
+    workflows: ["Translations"]
+    types: [completed]
+
+# This workflow posts a PR comment when the Translations workflow detects a
+# regression. It uses the workflow_run trigger so that it always runs in the
+# base-branch context and can safely be granted write permissions, even for
+# PRs from forks.
+#
+# IMPORTANT: This workflow must NEVER check out code from the PR branch.
+# All data comes from the artifact uploaded by the Translations workflow.
+
+permissions:
+  pull-requests: write
+  actions: read
+
+jobs:
+  post-comment:
+    runs-on: ubuntu-24.04
+    # Only act when the Translations workflow failed (which means a regression
+    # was detected — the workflow exits 1 on regression).
+    if: github.event.workflow_run.conclusion == 'failure'
+
+    steps:
+      - name: Download regression artifact
+        id: download
+        continue-on-error: true
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: translation-regression
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path: /tmp/translation-regression
+
+      - name: Post or update PR comment
+        if: steps.download.outcome == 'success'
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const fs = require('fs');
+
+            const prNumberFile = '/tmp/translation-regression/pr-number.txt';
+            const reportFile = '/tmp/translation-regression/regression-report.md';
+
+            if (!fs.existsSync(prNumberFile) || !fs.existsSync(reportFile)) {
+              console.log('Artifact files not found, skipping comment.');
+              return;
+            }
+
+            const prNumber = parseInt(fs.readFileSync(prNumberFile, 'utf8').trim(), 10);
+            if (!prNumber) {
+              console.log('Could not parse PR number, skipping comment.');
+              return;
+            }
+
+            const report = fs.readFileSync(reportFile, 'utf8');
+            const marker = '<!-- translation-regression-bot -->';
+            const body = `${marker}\n${report}`;
+
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+
+            const existing = comments.find(c => c.body && c.body.includes(marker));
+
+            if (existing) {
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existing.id,
+                body,
+              });
+              console.log(`Updated existing comment ${existing.id} on PR #${prNumber}`);
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body,
+              });
+              console.log(`Created new comment on PR #${prNumber}`);
+            }
--- a/.github/workflows/superset-translations.yml
+++ b/.github/workflows/superset-translations.yml
@@ -8,6 +8,10 @@ on:
  pull_request:
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+  pull-requests: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -16,9 +20,12 @@ concurrency:
 jobs:
  frontend-check-translations:
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: read
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
@@ -31,9 +38,11 @@ jobs:

      - name: Setup Node.js
        if: steps.check.outputs.frontend
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file:  './superset-frontend/.nvmrc'
+          cache: 'npm'
+          cache-dependency-path: 'superset-frontend/package-lock.json'
      - name: Install dependencies
        if: steps.check.outputs.frontend
        uses: ./.github/actions/cached-dependencies
@@ -47,12 +56,16 @@ jobs:

  babel-extract:
    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: read
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
          submodules: recursive
+
      - name: Check for file changes
        id: check
        uses: ./.github/actions/change-detector/
@@ -60,8 +73,83 @@ jobs:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Python
-        if: steps.check.outputs.python
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
        uses: ./.github/actions/setup-backend/
-      - name: Test babel extraction
-        if: steps.check.outputs.python
+
+      - name: Install gettext tools
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        run: sudo apt-get update && sudo apt-get install -y gettext
+
+      # Fetch the base ref so we can compare PR-introduced regressions
+      # against a fair baseline (also runs babel_update against the base
+      # source) — this isolates the PR's contribution from any pre-existing
+      # drift on the base branch.
+      - name: Fetch base ref and create comparison worktree
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        env:
+          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          # For PRs use the base branch; for direct pushes compare against the previous commit.
+          BASE_REF="$PR_BASE_REF"
+          if [ -n "$BASE_REF" ]; then
+            git fetch --depth=1 origin "$BASE_REF"
+          else
+            git fetch --depth=2 origin "$GITHUB_REF"
+          fi
+          git worktree add /tmp/base-worktree FETCH_HEAD
+
+      # Run babel_update against BASE source + BASE translations. Any drift
+      # already present on the base branch (source strings that have changed
+      # without .po updates) shows up here as fuzzies — and will also show
+      # up in the PR run, so it cancels out in the comparison.
+      - name: Baseline — run babel_update against BASE source
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        working-directory: /tmp/base-worktree
        run: ./scripts/translations/babel_update.sh
+
+      - name: Record baseline translation counts
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        run: |
+          python scripts/translations/check_translation_regression.py \
+            --count \
+            --translations-dir /tmp/base-worktree/superset/translations \
+            > /tmp/before.json
+
+      # Run babel_update against the PR source and PR translations. This keeps
+      # committed .po fixes in play while the base babel_update above still
+      # cancels out translation drift already present on the base branch.
+      - name: Run babel_update against PR source
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        run: ./scripts/translations/babel_update.sh
+
+      - name: Check for translation regression
+        id: regression
+        if: steps.check.outputs.python == 'true' || steps.check.outputs.frontend == 'true'
+        continue-on-error: true
+        run: |
+          python scripts/translations/check_translation_regression.py \
+            --compare /tmp/before.json \
+            --report /tmp/regression-report.md
+
+      # Save the PR number so the comment workflow can post the report without
+      # needing write permissions on this pull_request-triggered job.
+      - name: Save PR number for comment workflow
+        if: >-
+          github.event_name == 'pull_request' &&
+          steps.regression.outcome == 'failure'
+        run: echo "${{ github.event.pull_request.number }}" > /tmp/pr-number.txt
+
+      - name: Upload regression artifact
+        if: >-
+          github.event_name == 'pull_request' &&
+          steps.regression.outcome == 'failure'
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: translation-regression
+          path: |
+            /tmp/regression-report.md
+            /tmp/pr-number.txt
+
+      - name: Fail if regression detected
+        if: steps.regression.outcome == 'failure'
+        run: exit 1
--- a/.github/workflows/superset-websocket.yml
+++ b/.github/workflows/superset-websocket.yml
@@ -11,6 +11,9 @@ on:
      - "superset-websocket/**"
    types: [synchronize, opened, reopened, ready_for_review]

+permissions:
+  contents: read
+
 # cancel previous workflow jobs for PRs
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
@@ -19,9 +22,10 @@ concurrency:
 jobs:
  app-checks:
    runs-on: ubuntu-24.04
+    timeout-minutes: 20
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Install dependencies
--- a/.github/workflows/supersetbot.yml
+++ b/.github/workflows/supersetbot.yml
@@ -26,7 +26,7 @@ jobs:
    steps:
      - name: Quickly add thumbs up!
        if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '@supersetbot')
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/')
@@ -38,7 +38,7 @@ jobs:
            });

      - name: "Checkout ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -21,6 +21,9 @@ on:
        options:
          - 'true'
          - 'false'
+permissions:
+  contents: read
+
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -31,15 +34,19 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}" ]; then
+          if [ -n "${DOCKERHUB_USER}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

+        env:
+          DOCKERHUB_USER: ${{ (secrets.DOCKERHUB_USER != '' && secrets.DOCKERHUB_TOKEN != '') || '' }}
  docker-release:
    needs: config
    if: needs.config.outputs.has-secrets
    name: docker-release
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
    strategy:
      matrix:
        build_preset: ["dev", "lean", "py310", "websocket", "dockerize", "py311", "py312"]
@@ -47,8 +54,9 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
+          persist-credentials: false
          fetch-depth: 0

      - name: Setup Docker Environment
@@ -60,9 +68,11 @@ jobs:
          build: "true"

      - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 20
+          package-manager-cache: false

      - name: Setup supersetbot
        uses: ./.github/actions/setup-supersetbot/
@@ -72,17 +82,21 @@ jobs:
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_RELEASE: ${{ github.event.inputs.release }}
+          INPUT_FORCE_LATEST: ${{ github.event.inputs.force-latest }}
+          INPUT_GIT_REF: ${{ github.event.inputs.git-ref }}
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
-          RELEASE="${{ github.event.release.tag_name }}"
+          RELEASE="${GITHUB_EVENT_RELEASE_TAG_NAME}"
          FORCE_LATEST=""
          EVENT="${{github.event_name}}"
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            # in the case of a manually-triggered run, read release from input
-            RELEASE="${{ github.event.inputs.release }}"
-            if [ "${{ github.event.inputs.force-latest }}" = "true" ]; then
+            RELEASE="${INPUT_RELEASE}"
+            if [ "${INPUT_FORCE_LATEST}" = "true" ]; then
              FORCE_LATEST="--force-latest"
            fi
-            git checkout "${{ github.event.inputs.git-ref }}"
+            git checkout "${INPUT_GIT_REF}"
            EVENT="release"
          fi

@@ -107,14 +121,17 @@ jobs:
    steps:

      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
+          persist-credentials: false
          fetch-depth: 0

      - name: Use Node.js 20
-        uses: actions/setup-node@v5
+        # zizmor: ignore[cache-poisoning] - node only runs the supersetbot CLI; no dependency cache is enabled
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 20
+          package-manager-cache: false

      - name: Setup supersetbot
        uses: ./.github/actions/setup-supersetbot/
@@ -122,13 +139,15 @@ jobs:
      - name: Label the PRs with the right release-related labels
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_RELEASE: ${{ github.event.inputs.release }}
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          export GITHUB_ACTOR=""
          git fetch --all --tags
          git checkout master
-          RELEASE="${{ github.event.release.tag_name }}"
+          RELEASE="${GITHUB_EVENT_RELEASE_TAG_NAME}"
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            # in the case of a manually-triggered run, read release from input
-            RELEASE="${{ github.event.inputs.release }}"
+            RELEASE="${INPUT_RELEASE}"
          fi
          supersetbot release-label $RELEASE
--- a/.github/workflows/tech-debt.yml
+++ b/.github/workflows/tech-debt.yml
@@ -6,6 +6,9 @@ on:
      - master
      - "[0-9].[0-9]*"

+permissions:
+  contents: read
+
 jobs:
  config:
    runs-on: ubuntu-24.04
@@ -16,10 +19,12 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ -n "${{ (secrets.GSHEET_KEY != '' ) || '' }}" ]; then
+          if [ -n "${GSHEET_KEY}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

+        env:
+          GSHEET_KEY: ${{ (secrets.GSHEET_KEY != '' ) || '' }}
  process-and-upload:
    needs: config
    if: needs.config.outputs.has-secrets
@@ -27,10 +32,12 @@ jobs:
    name: Generate Reports
    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false

      - name: Set up Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

--- a/.github/workflows/welcome-new-users.yml
+++ b/.github/workflows/welcome-new-users.yml
@@ -1,22 +1,29 @@
 name: Welcome New Contributor

 on:
+  # zizmor: ignore[dangerous-triggers] - posts a welcome comment only; does not check out or execute PR-provided code
  pull_request_target:
    types: [opened]

 jobs:
  welcome:
    runs-on: ubuntu-24.04
+    if: github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
    permissions:
      pull-requests: write

    steps:
      - name: Welcome Message
-        uses: actions/first-interaction@v3
-        continue-on-error: true
+        uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3.1.0
        with:
-          repo-token: ${{ github.token }}
-          pr-message: |-
+          repo_token: ${{ github.token }}
+          issue_message: |-
+            Congrats on opening your first issue and thank you for contributing to Superset! :tada: :heart:
+
+            Please read our [New Contributor Welcome & Expectations](https://github.com/apache/superset/wiki/New-Contributor-Welcome-&-Expectations) guide.
+          pr_message: |-
            Congrats on making your first PR and thank you for contributing to Superset! :tada: :heart:

+            Please read our [New Contributor Welcome & Expectations](https://github.com/apache/superset/wiki/New-Contributor-Welcome-&-Expectations) guide.
+
            We hope to see you in our [Slack](https://apache-superset.slack.com/) community too! Not signed up? Use our [Slack App](http://bit.ly/join-superset-slack) to self-register.
--- a/.gitignore
+++ b/.gitignore
@@ -61,21 +61,19 @@ tmp
 rat-results.txt
 superset/app/
 superset-websocket/config.json
+.direnv
+*.log

 # Node.js, webpack artifacts, storybook
 *.entry.js
 *.js.map
 node_modules
 npm-debug.log*
+superset/static/*
 superset/static/assets/*
 !superset/static/assets/.gitkeep
 superset/static/uploads/*
 !superset/static/uploads/.gitkeep
-superset/static/version_info.json
-superset-frontend/**/esm/*
-superset-frontend/**/lib/*
-superset-frontend/**/storybook-static/*
-superset-frontend/migration-storybook.log
 yarn-error.log
 *.map
 *.min.js
@@ -117,6 +115,8 @@ release.json
 superset/translations/**/messages.json
 # these mo binary files are generated by `pybabel compile`
 superset/translations/**/messages.mo
+# cross-language index generated by scripts/translations/build_translation_index.py
+superset/translations/translation_index.json

 docker/requirements-local.txt

@@ -136,5 +136,8 @@ CLAUDE.local.md
 PROJECT.md
 .aider*
 .claude_rc*
+.claude/settings.local.json
 .env.local
 oxc-custom-build/
+*.code-workspace
+*.duckdb
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -27,6 +27,7 @@ repos:
        args: [--check-untyped-defs]
        exclude: ^superset-extensions-cli/
        additional_dependencies: [
+            types-cachetools,
            types-simplejson,
            types-python-dateutil,
            types-requests,
@@ -49,12 +50,12 @@ repos:
    hooks:
      - id: check-docstring-first
      - id: check-added-large-files
-        exclude: ^.*\.(geojson)$|^docs/static/img/screenshots/.*|^superset-frontend/CHANGELOG\.md$
+        exclude: ^.*\.(geojson)$|^docs/static/img/screenshots/.*|^superset-frontend/CHANGELOG\.md$|^superset/examples/.*/data\.parquet$|^superset/translations/.*\.po$
      - id: check-yaml
        exclude: ^helm/superset/templates/
      - id: debug-statements
      - id: end-of-file-fixer
-        exclude: .*/lerna\.json$
+        exclude: .*/lerna\.json$|^docs/static/img/logos/
      - id: trailing-whitespace
        exclude: ^.*\.(snap)
        args: ["--markdown-linebreak-ext=md"]
@@ -82,7 +83,7 @@ repos:
        files: ^superset-frontend/.*\.(js|jsx|ts|tsx)$
      - id: eslint-docs
        name: eslint (docs)
-        entry: bash -c 'cd docs && FILES=$(echo "$@" | sed "s|docs/||g") && yarn eslint --fix --quiet $FILES'
+        entry: bash -c 'cd docs && FILES=$(printf "%s\n" "$@" | sed "s|^docs/||" | tr "\n" " ") && yarn eslint --fix --quiet $FILES'
        language: system
        pass_filenames: true
        files: ^docs/.*\.(js|jsx|ts|tsx)$
@@ -106,12 +107,19 @@ repos:
        files: helm
        verbose: false
        args: ["--log-level", "error"]
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.9.7
+  # Using local hooks ensures ruff version matches requirements/development.txt
+  - repo: local
    hooks:
      - id: ruff-format
+        name: ruff-format
+        entry: ruff format
+        language: system
+        types: [python]
      - id: ruff
-        args: [--fix]
+        name: ruff
+        entry: ruff check --fix --show-fixes
+        language: system
+        types: [python]
  - repo: local
    hooks:
      - id: pylint
@@ -135,3 +143,29 @@ repos:
            else
              echo "No Python files to lint."
            fi
+      - id: db-engine-spec-metadata
+        name: database engine spec metadata validation
+        entry: python superset/db_engine_specs/lint_metadata.py --strict
+        language: system
+        files: ^superset/db_engine_specs/.*\.py$
+        exclude: ^superset/db_engine_specs/(base|lib|lint_metadata|__init__)\.py$
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: feature-flags-sync
+        name: feature flags documentation sync
+        entry: bash -c 'python scripts/extract_feature_flags.py > docs/static/feature-flags.json.tmp && if ! diff -q docs/static/feature-flags.json docs/static/feature-flags.json.tmp > /dev/null 2>&1; then mv docs/static/feature-flags.json.tmp docs/static/feature-flags.json && echo "Updated docs/static/feature-flags.json" && exit 1; else rm docs/static/feature-flags.json.tmp; fi'
+        language: system
+        files: ^superset/config\.py$
+        pass_filenames: false
+      - id: zizmor
+        name: zizmor (GHA security audit)
+        entry: zizmor
+        language: python
+        additional_dependencies: [zizmor==1.25.2]
+        files: ^\.github/
+        types: [yaml]
+        pass_filenames: false
+        # Advisory until pre-existing findings are resolved; remove
+        # --no-exit-codes to make this hook blocking.
+        args: [--no-exit-codes, .github/]
--- a/.pylintrc
+++ b/.pylintrc
@@ -53,7 +53,7 @@ extension-pkg-whitelist=pyarrow

 [MESSAGES CONTROL]
 disable=all
-enable=json-import,disallowed-sql-import,consider-using-transaction
+enable=disallowed-sql-import,consider-using-transaction


 [REPORTS]
--- a/.rat-excludes
+++ b/.rat-excludes
@@ -43,6 +43,9 @@ _build/*
 _static/*
 .buildinfo
 searchindex.js
+# auto-generated by docs/scripts/convert-api-sidebar.mjs from openapi.json
+sidebar.js
+sidebar.ts
 # auto generated
 requirements/*
 # vendorized
@@ -67,22 +70,19 @@ temporary_superset_ui/*
 # skip license checks for auto-generated test snapshots
 .*snap

-# docs overrides for third party logos we don't have the rights to
-google-big-query.svg
-google-sheets.svg
-ibm-db2.svg
-postgresql.svg
-snowflake.svg
-ydb.svg
-loading.svg
+# docs third-party logos (database logos, org logos, etc.)
+databases/*
+logos/*

 # docs-related
 erd.puml
 erd.svg
 intro_header.txt
+TODO.md

 # for LLMs
 llm-context.md
+llms.txt
 AGENTS.md
 LLMS.md
 CLAUDE.md
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -2,6 +2,27 @@

 Apache Superset is a data visualization platform with Flask/Python backend and React/TypeScript frontend.

+## ⚠️ CRITICAL: Always Run Pre-commit Before Pushing
+
+**ALWAYS run `pre-commit run --all-files` before pushing commits.** CI will fail if pre-commit checks don't pass. This is non-negotiable.
+
+```bash
+# Stage your changes first
+git add .
+
+# Run pre-commit on all files
+pre-commit run --all-files
+
+# If there are auto-fixes, stage them and commit
+git add .
+git commit --amend  # or new commit
+```
+
+Common pre-commit failures:
+- **Formatting** - black, prettier, eslint will auto-fix
+- **Type errors** - mypy failures need manual fixes
+- **Linting** - ruff, pylint issues need manual fixes
+
 ## ⚠️ CRITICAL: Ongoing Refactors (What NOT to Do)

 **These migrations are actively happening - avoid deprecated patterns:**
@@ -31,6 +52,43 @@ Apache Superset is a data visualization platform with Flask/Python backend and R
 - **External API exposure** - Use UUIDs in public APIs instead of internal integer IDs
 - **Existing models** - Add UUID fields alongside integer IDs for gradual migration

+## Security and Threat Model
+
+Before evaluating any code path for security issues, read [`SECURITY.md`](SECURITY.md). It is the canonical, authoritative source for Apache Superset's security model and is referenced by both human reporters and automated scanners.
+
+In short, the test for whether a finding is in scope is one question:
+
+> *Does it let a principal perform an action the role and capability matrix in `SECURITY.md` does not entitle them to?*
+
+If yes, it is in scope. If no, it is not.
+
+The three trust boundaries are:
+
+1. **The Admin role** is a fully trusted operational principal. Anything an Admin can do through documented configuration, API, or UI is an intended capability, not a vulnerability.
+2. **The operator** owns deployment-time decisions (secrets, network exposure, feature-flag selection, connector and codec choices, notification destinations, third-party plugins). Misconfiguration at this layer is a deployment defect, not a Superset vulnerability.
+3. **The codebase** is responsible for enforcing the role and capability matrix wherever it exposes functionality to a principal: API routes, command and DAO layers, UI handlers, background jobs, and any other entry point. A missing or incorrect enforcement check is in scope no matter where it lives.
+
+The security model assumes that operator-controlled infrastructure, including the metadata database, cache backends, message brokers, secret stores, and deployment environment, remains within the operator's trust boundary. Vulnerabilities must demonstrate a security boundary violation by an attacker who does not already control those systems.
+
+Route-level authorization in this codebase uses one of three Flask-AppBuilder decorators depending on the route type:
+
+- `@protect()` for REST API routes (`ModelRestApi` / `BaseApi`)
+- `@has_access_api` for legacy view routes
+- `@has_access` for legacy HTML view routes
+
+Object-level authorization via `security_manager.raise_for_access(...)` applies to data-bearing resources: dashboards, charts, datasets and datasources, queries, database and table access, and query contexts. Other resources (annotations, tags, CSS templates, reports, RLS rules, and similar) rely on the route-level decorator plus DAO `base_filters` for ownership scoping; the absence of `raise_for_access` on these resources is by design, not a finding. Code that omits the per-object gate on a route that returns or mutates a specific data-bearing object is in scope; code that follows the correct pattern for its resource class can still contain injection, SSRF, XSS, or other classes of finding unrelated to authorization, which are evaluated separately.
+
+The full role and capability matrix, in-scope and out-of-scope class lists, and CVE aggregation rules are in [`SECURITY.md`](SECURITY.md). Defer to that document for any specifics.
+
+**Requirements for findings filed by automated tooling**
+
+Automated scanners (LLM-based code scanners, static analyzers, dependency tools) that file findings against this codebase must, in each finding, name:
+
+1. The specific role and capability matrix row in [`SECURITY.md`](SECURITY.md) the finding believes is violated.
+2. The principal the finding assumes the attacker holds (Public, Gamma, sql_lab, Alpha, Admin, Embedded guest token, or a custom role with explicit capability grants).
+
+Findings that cannot identify both should be filed as questions, not vulnerabilities. This requirement exists to ensure every reported issue is testable against the published security model and to keep speculative or pattern-match-only reports out of the triage queue.
+
 ## Key Directories

 ```
@@ -80,9 +138,34 @@ superset/
 - **UPDATING.md**: Add breaking changes here
 - **Docstrings**: Required for new functions/classes

+## Developer Portal: Storybook-to-MDX Documentation
+
+The Developer Portal auto-generates MDX documentation from Storybook stories. **Stories are the single source of truth.**
+
+### Core Philosophy
+- **Fix issues in the STORY, not the generator** - When something doesn't render correctly, update the story file first
+- **Generator should be lightweight** - It extracts and passes through data; avoid special cases
+- **Stories define everything** - Props, controls, galleries, examples all come from story metadata
+
+### Story Requirements for Docs Generation
+- Use `export default { title: '...' }` (inline), not `const meta = ...; export default meta;`
+- Name interactive stories `Interactive${ComponentName}` (e.g., `InteractiveButton`)
+- Define `args` for default prop values
+- Define `argTypes` at the story level (not meta level) with control types and descriptions
+- Use `parameters.docs.gallery` for size×style variant grids
+- Use `parameters.docs.sampleChildren` for components that need children
+- Use `parameters.docs.liveExample` for custom live code blocks
+- Use `parameters.docs.staticProps` for complex object props that can't be parsed inline
+
+### Generator Location
+- Script: `docs/scripts/generate-superset-components.mjs`
+- Wrapper: `docs/src/components/StorybookWrapper.jsx`
+- Output: `docs/developer_portal/components/`
+
 ## Architecture Patterns

 ### Security & Features
+- **Security model**: see the top-level [Security and Threat Model](#security-and-threat-model) section and [`SECURITY.md`](SECURITY.md)
 - **RBAC**: Role-based access via Flask-AppBuilder
 - **Feature flags**: Control feature rollouts
 - **Row-level security**: SQL-based data access control
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,3 +49,4 @@ under the License.
 - [4.1.3](./CHANGELOG/4.1.3.md)
 - [4.1.4](./CHANGELOG/4.1.4.md)
 - [5.0.0](./CHANGELOG/5.0.0.md)
+- [6.0.0](./CHANGELOG/6.0.0.md)
--- a/CHANGELOG/6.0.0.md
+++ b/CHANGELOG/6.0.0.md
--- a/28
+++ b/28
@@ -26,13 +26,10 @@ ARG BUILDPLATFORM=${BUILDPLATFORM:-amd64}
 # Include translations in the final build
 ARG BUILD_TRANSLATIONS="false"

-# Build arg to pre-populate examples DuckDB file
-ARG LOAD_EXAMPLES_DUCKDB="false"
-
 ######################################################################
 # superset-node-ci used as a base for building frontend assets and CI
 ######################################################################
-FROM --platform=${BUILDPLATFORM} node:20-trixie-slim AS superset-node-ci
+FROM --platform=${BUILDPLATFORM} node:24-trixie-slim AS superset-node-ci
 ARG BUILD_TRANSLATIONS
 ENV BUILD_TRANSLATIONS=${BUILD_TRANSLATIONS}
 ARG DEV_MODE="false"           # Skip frontend build in dev mode
@@ -116,7 +113,7 @@ RUN useradd --user-group -d ${SUPERSET_HOME} -m --no-log-init --shell /bin/bash
 # Some bash scripts needed throughout the layers
 COPY --chmod=755 docker/*.sh /app/docker/

-RUN pip install --no-cache-dir --upgrade uv
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

 # Using uv as it's faster/simpler than pip
 RUN uv venv /app/.venv
@@ -146,9 +143,6 @@ RUN if [ "${BUILD_TRANSLATIONS}" = "true" ]; then \
 ######################################################################
 FROM python-base AS python-common

-# Re-declare build arg to receive it in this stage
-ARG LOAD_EXAMPLES_DUCKDB
-
 ENV SUPERSET_HOME="/app/superset_home" \
    HOME="/app/superset_home" \
    SUPERSET_ENV="production" \
@@ -160,7 +154,7 @@ ENV SUPERSET_HOME="/app/superset_home" \
 COPY --chmod=755 docker/entrypoints /app/docker/entrypoints

 WORKDIR /app
-# Set up necessary directories and user
+# Set up necessary directories
 RUN mkdir -p \
      ${PYTHONPATH} \
      superset/static \
@@ -202,20 +196,14 @@ RUN /app/docker/apt-install.sh \
      libecpg-dev \
      libldap2-dev

-# Pre-load examples DuckDB file if requested
-RUN if [ "$LOAD_EXAMPLES_DUCKDB" = "true" ]; then \
-        mkdir -p /app/data && \
-        echo "Downloading pre-built examples.duckdb..." && \
-        curl -L -o /app/data/examples.duckdb \
-            "https://raw.githubusercontent.com/apache-superset/examples-data/master/examples.duckdb" && \
-        chown -R superset:superset /app/data; \
-    else \
-        mkdir -p /app/data && \
-        chown -R superset:superset /app/data; \
-    fi
+# Create data directory for DuckDB examples database
+# The database file will be created at runtime when examples are loaded from Parquet files
+RUN mkdir -p /app/data && chown -R superset:superset /app/data

 # Copy compiled things from previous stages
 COPY --from=superset-node /app/superset/static/assets superset/static/assets
+# Copy service.worker.js optionall as it doesn't exist when DEV_MODE=true
+COPY --from=superset-node /app/superset/static/service-worker.j[s] superset/static/service-worker.js

 # TODO, when the next version comes out, use --exclude superset/translations
 COPY superset superset
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -16,8 +16,20 @@ KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->
-# INSTALL / BUILD instructions for Apache Superset
+# Installing Apache Superset

-At this time, the docker file at RELEASING/Dockerfile.from_local_tarball
-constitutes the recipe on how to get to a working release from a source
-release tarball.
+For comprehensive installation instructions, please see the Apache Superset documentation:
+
+**[📚 Installation Guide →](https://superset.apache.org/docs/installation/installation-methods)**
+
+The documentation covers:
+- [Docker Compose](https://superset.apache.org/docs/installation/docker-compose) (recommended for development)
+- [Kubernetes / Helm](https://superset.apache.org/docs/installation/kubernetes)
+- [PyPI](https://superset.apache.org/docs/installation/pypi)
+- [Docker Builds](https://superset.apache.org/docs/installation/docker-builds)
+- [Architecture Overview](https://superset.apache.org/docs/installation/architecture)
+
+## Building from Source
+
+For building from a source release tarball, see the Dockerfile at:
+`RELEASING/Dockerfile.from_local_tarball`
--- a/LINTING_ARCHITECTURE.md
+++ b/LINTING_ARCHITECTURE.md
@@ -1,121 +0,0 @@
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Superset Frontend Linting Architecture
-
-## Overview
-We use a hybrid linting approach combining OXC (fast, standard rules) with custom AST-based checks for Superset-specific patterns.
-
-## Components
-
-### 1. Primary Linter: OXC
- **What**: Oxidation Compiler's linter (oxlint)
- **Handles**: 95% of linting rules (standard ESLint rules, TypeScript, React, etc.)
- **Speed**: ~50-100x faster than ESLint
- **Config**: `oxlint.json`
-
-### 2. Custom Rule Checker
- **What**: Node.js AST-based script
- **Handles**: Superset-specific rules:
-  - No literal colors (use theme)
-  - No FontAwesome icons (use Icons component)
-  - No template vars in i18n
- **Speed**: Fast enough for pre-commit
- **Script**: `scripts/check-custom-rules.js`
-
-## Developer Workflow
-
-### Local Development
-```bash
-# Fast linting (OXC only)
-npm run lint
-
-# Full linting (OXC + custom rules)
-npm run lint:full
-
-# Auto-fix what's possible
-npm run lint-fix
-```
-
-### Pre-commit
-1. OXC runs first (via `scripts/oxlint.sh`)
-2. Custom rules check runs second (lightweight, AST-based)
-3. Both must pass for commit to succeed
-
-### CI Pipeline
-```yaml
- name: Lint with OXC
-  run: npm run lint
-
- name: Check custom rules
-  run: npm run check:custom-rules
-```
-
-## Why This Architecture?
-
-### ✅ Pros
-1. **No binary distribution issues** - ASF compatible
-2. **Fast performance** - OXC for bulk, lightweight script for custom
-3. **Maintainable** - Custom rules in JavaScript, not Rust
-4. **Flexible** - Can evolve as OXC adds plugin support
-5. **Cacheable** - Both OXC and Node.js are standard tools
-
-### ❌ Cons  
-1. **Two tools** - Slightly more complex than single linter
-2. **Duplicate parsing** - Files parsed twice (once by each tool)
-
-### 🔄 Migration Path
-When OXC supports JavaScript plugins:
-1. Convert `check-custom-rules.js` to OXC plugin format
-2. Consolidate back to single tool
-3. Keep same rules and developer experience
-
-## Implementation Checklist
-
- [x] OXC for standard linting
- [x] Pre-commit integration  
- [ ] Custom rules script
- [ ] Combine in npm scripts
- [ ] Update CI pipeline
- [ ] Developer documentation
-
-## Performance Targets
-
-| Operation | Target Time | Current |
-|-----------|------------|---------|
-| Pre-commit (changed files) | <2s | ✅ 1.5s |
-| Full lint (all files) | <10s | ✅ 8s |
-| Custom rules check | <5s | 🔄 TBD |
-
-## Caching Strategy
-
-### Local Development
- OXC: Built-in incremental checking
- Custom rules: Use file hash cache (similar to pytest cache)
-
-### CI
- Cache `node_modules` (includes oxlint binary)
- Cache custom rules results by commit hash
- Skip unchanged files using git diff
-
-## Future Improvements
-
-1. **When OXC adds plugin support**: Migrate custom rules to OXC plugins
-2. **Consider Biome**: Another Rust-based linter with plugin support
-3. **AST sharing**: Investigate sharing AST between tools to avoid double parsing
--- a/27
+++ b/27
@@ -18,7 +18,7 @@
 # Python version installed; we need 3.10-3.11
 PYTHON=`command -v python3.11 || command -v python3.10`

-.PHONY: install superset venv pre-commit
+.PHONY: install superset venv pre-commit up down logs ps nuke ports open

 install: superset pre-commit

@@ -112,3 +112,28 @@ report-celery-beat:

 admin-user:
 	superset fab create-admin
+
+# Docker Compose with auto-assigned ports (for running multiple instances)
+up:
+	./scripts/docker-compose-up.sh
+
+up-detached:
+	./scripts/docker-compose-up.sh -d
+
+down:
+	./scripts/docker-compose-up.sh down
+
+logs:
+	./scripts/docker-compose-up.sh logs -f
+
+ps:
+	./scripts/docker-compose-up.sh ps
+
+nuke:
+	./scripts/docker-compose-up.sh nuke
+
+ports:
+	./scripts/docker-compose-up.sh ports
+
+open:
+	./scripts/docker-compose-up.sh open
--- a/README.md
+++ b/README.md
@@ -23,8 +23,12 @@ under the License.
 [![Latest Release on Github](https://img.shields.io/github/v/release/apache/superset?sort=semver)](https://github.com/apache/superset/releases/latest)
 [![Build Status](https://github.com/apache/superset/actions/workflows/superset-python-unittest.yml/badge.svg)](https://github.com/apache/superset/actions)
 [![PyPI version](https://badge.fury.io/py/apache_superset.svg)](https://badge.fury.io/py/apache_superset)
-[![Coverage Status](https://codecov.io/github/apache/superset/coverage.svg?branch=master)](https://codecov.io/github/apache/superset)
 [![PyPI](https://img.shields.io/pypi/pyversions/apache_superset.svg?maxAge=2592000)](https://pypi.python.org/pypi/apache_superset)
+[![GitHub Stars](https://img.shields.io/github/stars/apache/superset?style=social)](https://github.com/apache/superset/stargazers)
+[![Contributors](https://img.shields.io/github/contributors/apache/superset)](https://github.com/apache/superset/graphs/contributors)
+[![Last Commit](https://img.shields.io/github/last-commit/apache/superset)](https://github.com/apache/superset/commits/master)
+[![Open Issues](https://img.shields.io/github/issues/apache/superset)](https://github.com/apache/superset/issues)
+[![Open PRs](https://img.shields.io/github/issues-pr/apache/superset)](https://github.com/apache/superset/pulls)
 [![Get on Slack](https://img.shields.io/badge/slack-join-orange.svg)](http://bit.ly/join-superset-slack)
 [![Documentation](https://img.shields.io/badge/docs-apache.org-blue.svg)](https://superset.apache.org)

@@ -44,14 +48,18 @@ under the License.

 A modern, enterprise-ready business intelligence web application.

+### Documentation
+
+- **[User Guide](https://superset.apache.org/user-docs/)** — For analysts and business users. Explore data, build charts, create dashboards, and connect databases.
+- **[Administrator Guide](https://superset.apache.org/admin-docs/)** — Install, configure, and operate Superset. Covers security, scaling, and database drivers.
+- **[Developer Guide](https://superset.apache.org/developer-docs/)** — Contribute to Superset or build on its REST API and extension framework.
+
 [**Why Superset?**](#why-superset) |
 [**Supported Databases**](#supported-databases) |
-[**Installation and Configuration**](#installation-and-configuration) |
 [**Release Notes**](https://github.com/apache/superset/blob/master/RELEASING/README.md#release-notes-for-recent-releases) |
 [**Get Involved**](#get-involved) |
-[**Contributor Guide**](#contributor-guide) |
 [**Resources**](#resources) |
-[**Organizations Using Superset**](https://github.com/apache/superset/blob/master/RESOURCES/INTHEWILD.md)
+[**Organizations Using Superset**](https://superset.apache.org/inTheWild)

 ## Why Superset?

@@ -85,7 +93,7 @@ Superset provides:

 **Craft Beautiful, Dynamic Dashboards**

-<kbd><img title="View Dashboards" src="https://superset.apache.org/img/screenshots/slack_dash.jpg"/></kbd><br/>
+<kbd><img title="View Dashboards" src="https://superset.apache.org/img/screenshots/dashboard.jpg"/></kbd><br/>

 **No-Code Chart Builder**

@@ -97,51 +105,77 @@ Superset provides:

 ## Supported Databases

-Superset can query data from any SQL-speaking datastore or data engine (Presto, Trino, Athena, [and more](https://superset.apache.org/docs/configuration/databases)) that has a Python DB-API driver and a SQLAlchemy dialect.
+Superset can query data from any SQL-speaking datastore or data engine (Presto, Trino, Athena, [and more](https://superset.apache.org/docs/databases)) that has a Python DB-API driver and a SQLAlchemy dialect.

 Here are some of the major database solutions that are supported:

+<!-- SUPPORTED_DATABASES_START -->
 <p align="center">
-  <img src="https://superset.apache.org/img/databases/redshift.png" alt="redshift" border="0" width="200"/>
-  <img src="https://superset.apache.org/img/databases/google-biquery.png" alt="google-bigquery" border="0" width="200"/>
-  <img src="https://superset.apache.org/img/databases/snowflake.png" alt="snowflake" border="0" width="200"/>
-  <img src="https://superset.apache.org/img/databases/trino.png" alt="trino" border="0" width="150" />
-  <img src="https://superset.apache.org/img/databases/presto.png" alt="presto" border="0" width="200"/>
-  <img src="https://superset.apache.org/img/databases/databricks.png" alt="databricks" border="0" width="160" />
-  <img src="https://superset.apache.org/img/databases/druid.png" alt="druid" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/firebolt.png" alt="firebolt" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/timescale.png" alt="timescale" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/postgresql.png" alt="postgresql" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/mysql.png" alt="mysql" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/mssql-server.png" alt="mssql-server" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/ibm-db2.svg" alt="db2" border="0" width="220" />
-  <img src="https://superset.apache.org/img/databases/sqlite.png" alt="sqlite" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/sybase.png" alt="sybase" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/mariadb.png" alt="mariadb" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/vertica.png" alt="vertica" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/oracle.png" alt="oracle" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/firebird.png" alt="firebird" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/greenplum.png" alt="greenplum" border="0" width="200"  />
-  <img src="https://superset.apache.org/img/databases/clickhouse.png" alt="clickhouse" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/exasol.png" alt="exasol" border="0" width="160" />
-  <img src="https://superset.apache.org/img/databases/monet-db.png" alt="monet-db" border="0" width="200"  />
-  <img src="https://superset.apache.org/img/databases/apache-kylin.png" alt="apache-kylin" border="0" width="80"/>
-  <img src="https://superset.apache.org/img/databases/hologres.png" alt="hologres" border="0" width="80"/>
-  <img src="https://superset.apache.org/img/databases/netezza.png" alt="netezza" border="0" width="80"/>
-  <img src="https://superset.apache.org/img/databases/pinot.png" alt="pinot" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/teradata.png" alt="teradata" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/yugabyte.png" alt="yugabyte" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/databend.png" alt="databend" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/starrocks.png" alt="starrocks" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/doris.png" alt="doris" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/oceanbase.svg" alt="oceanbase" border="0" width="220" />
-  <img src="https://superset.apache.org/img/databases/sap-hana.png" alt="sap-hana" border="0" width="220" />
-  <img src="https://superset.apache.org/img/databases/denodo.png" alt="denodo" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/ydb.svg" alt="ydb" border="0" width="200" />
-  <img src="https://superset.apache.org/img/databases/tdengine.png" alt="TDengine" border="0" width="200" />
+  <a href="https://superset.apache.org/docs/databases/supported/amazon-athena" title="Amazon Athena"><img src="docs/static/img/databases/amazon-athena.jpg" alt="Amazon Athena" width="76" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/amazon-dynamodb" title="Amazon DynamoDB"><img src="docs/static/img/databases/aws.png" alt="Amazon DynamoDB" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/amazon-redshift" title="Amazon Redshift"><img src="docs/static/img/databases/redshift.png" alt="Amazon Redshift" width="100" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-doris" title="Apache Doris"><img src="docs/static/img/databases/doris.png" alt="Apache Doris" width="103" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-drill" title="Apache Drill"><img src="docs/static/img/databases/apache-drill.png" alt="Apache Drill" width="81" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-druid" title="Apache Druid"><img src="docs/static/img/databases/druid.png" alt="Apache Druid" width="117" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-hive" title="Apache Hive"><img src="docs/static/img/databases/apache-hive.svg" alt="Apache Hive" width="44" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-impala" title="Apache Impala"><img src="docs/static/img/databases/apache-impala.png" alt="Apache Impala" width="21" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-kylin" title="Apache Kylin"><img src="docs/static/img/databases/apache-kylin.png" alt="Apache Kylin" width="44" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-pinot" title="Apache Pinot"><img src="docs/static/img/databases/apache-pinot.svg" alt="Apache Pinot" width="76" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-solr" title="Apache Solr"><img src="docs/static/img/databases/apache-solr.png" alt="Apache Solr" width="79" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/apache-spark-sql" title="Apache Spark SQL"><img src="docs/static/img/databases/apache-spark.png" alt="Apache Spark SQL" width="75" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/ascend" title="Ascend"><img src="docs/static/img/databases/ascend.webp" alt="Ascend" width="117" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/aurora-mysql-data-api" title="Aurora MySQL (Data API)"><img src="docs/static/img/databases/mysql.png" alt="Aurora MySQL (Data API)" width="77" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/aurora-postgresql-data-api" title="Aurora PostgreSQL (Data API)"><img src="docs/static/img/databases/postgresql.svg" alt="Aurora PostgreSQL (Data API)" width="76" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/azure-data-explorer" title="Azure Data Explorer"><img src="docs/static/img/databases/kusto.png" alt="Azure Data Explorer" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/azure-synapse" title="Azure Synapse"><img src="docs/static/img/databases/azure.svg" alt="Azure Synapse" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/clickhouse" title="ClickHouse"><img src="docs/static/img/databases/clickhouse.png" alt="ClickHouse" width="150" height="37" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/cloudflare-d1" title="Cloudflare D1"><img src="docs/static/img/databases/cloudflare.png" alt="Cloudflare D1" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/cockroachdb" title="CockroachDB"><img src="docs/static/img/databases/cockroachdb.png" alt="CockroachDB" width="150" height="24" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/couchbase" title="Couchbase"><img src="docs/static/img/databases/couchbase.svg" alt="Couchbase" width="150" height="35" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/cratedb" title="CrateDB"><img src="docs/static/img/databases/cratedb.svg" alt="CrateDB" width="180" height="24" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/databend" title="Databend"><img src="docs/static/img/databases/databend.png" alt="Databend" width="100" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/databricks" title="Databricks"><img src="docs/static/img/databases/databricks.png" alt="Databricks" width="152" height="24" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/denodo" title="Denodo"><img src="docs/static/img/databases/denodo.png" alt="Denodo" width="138" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/dremio" title="Dremio"><img src="docs/static/img/databases/dremio.png" alt="Dremio" width="126" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/duckdb" title="DuckDB"><img src="docs/static/img/databases/duckdb.png" alt="DuckDB" width="52" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/elasticsearch" title="Elasticsearch"><img src="docs/static/img/databases/elasticsearch.png" alt="Elasticsearch" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/exasol" title="Exasol"><img src="docs/static/img/databases/exasol.png" alt="Exasol" width="72" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/firebird" title="Firebird"><img src="docs/static/img/databases/firebird.png" alt="Firebird" width="100" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/firebolt" title="Firebolt"><img src="docs/static/img/databases/firebolt.png" alt="Firebolt" width="100" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/google-bigquery" title="Google BigQuery"><img src="docs/static/img/databases/google-big-query.svg" alt="Google BigQuery" width="76" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/google-sheets" title="Google Sheets"><img src="docs/static/img/databases/google-sheets.svg" alt="Google Sheets" width="76" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/greenplum" title="Greenplum"><img src="docs/static/img/databases/greenplum.png" alt="Greenplum" width="124" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/hologres" title="Hologres"><img src="docs/static/img/databases/hologres.png" alt="Hologres" width="44" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/ibm-db2" title="IBM Db2"><img src="docs/static/img/databases/ibm-db2.svg" alt="IBM Db2" width="91" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/ibm-netezza-performance-server" title="IBM Netezza Performance Server"><img src="docs/static/img/databases/netezza.png" alt="IBM Netezza Performance Server" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/mariadb" title="MariaDB"><img src="docs/static/img/databases/mariadb.png" alt="MariaDB" width="150" height="37" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/microsoft-sql-server" title="Microsoft SQL Server"><img src="docs/static/img/databases/msql.png" alt="Microsoft SQL Server" width="50" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/monetdb" title="MonetDB"><img src="docs/static/img/databases/monet-db.png" alt="MonetDB" width="100" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/mongodb" title="MongoDB"><img src="docs/static/img/databases/mongodb.png" alt="MongoDB" width="150" height="38" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/motherduck" title="MotherDuck"><img src="docs/static/img/databases/motherduck.png" alt="MotherDuck" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/oceanbase" title="OceanBase"><img src="docs/static/img/databases/oceanbase.svg" alt="OceanBase" width="175" height="24" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/oracle" title="Oracle"><img src="docs/static/img/databases/oraclelogo.png" alt="Oracle" width="111" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/presto" title="Presto"><img src="docs/static/img/databases/presto-og.png" alt="Presto" width="127" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/risingwave" title="RisingWave"><img src="docs/static/img/databases/risingwave.svg" alt="RisingWave" width="147" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/sap-hana" title="SAP HANA"><img src="docs/static/img/databases/sap-hana.png" alt="SAP HANA" width="137" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/sap-sybase" title="SAP Sybase"><img src="docs/static/img/databases/sybase.png" alt="SAP Sybase" width="100" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/shillelagh" title="Shillelagh"><img src="docs/static/img/databases/shillelagh.png" alt="Shillelagh" width="40" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/singlestore" title="SingleStore"><img src="docs/static/img/databases/singlestore.png" alt="SingleStore" width="150" height="31" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/snowflake" title="Snowflake"><img src="docs/static/img/databases/snowflake.svg" alt="Snowflake" width="76" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/sqlite" title="SQLite"><img src="docs/static/img/databases/sqlite.png" alt="SQLite" width="84" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/starrocks" title="StarRocks"><img src="docs/static/img/databases/starrocks.png" alt="StarRocks" width="149" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/superset-meta-database" title="Superset meta database"><img src="docs/static/img/databases/superset.svg" alt="Superset meta database" width="150" height="39" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/tdengine" title="TDengine"><img src="docs/static/img/databases/tdengine.png" alt="TDengine" width="140" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/teradata" title="Teradata"><img src="docs/static/img/databases/teradata.png" alt="Teradata" width="124" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/timescaledb" title="TimescaleDB"><img src="docs/static/img/databases/timescale.png" alt="TimescaleDB" width="150" height="36" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/trino" title="Trino"><img src="docs/static/img/databases/trino.png" alt="Trino" width="89" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/vertica" title="Vertica"><img src="docs/static/img/databases/vertica.png" alt="Vertica" width="128" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/ydb" title="YDB"><img src="docs/static/img/databases/ydb.svg" alt="YDB" width="110" height="40" /></a> &nbsp;
+  <a href="https://superset.apache.org/docs/databases/supported/yugabytedb" title="YugabyteDB"><img src="docs/static/img/databases/yugabyte.png" alt="YugabyteDB" width="150" height="26" /></a>
 </p>
+<!-- SUPPORTED_DATABASES_END -->

-**A more comprehensive list of supported databases** along with the configuration instructions can be found [here](https://superset.apache.org/docs/configuration/databases).
+**A more comprehensive list of supported databases** along with the configuration instructions can be found [here](https://superset.apache.org/docs/databases).

 Want to add support for your datastore or data engine? Read more [here](https://superset.apache.org/docs/frequently-asked-questions#does-superset-work-with-insert-database-engine-here) about the technical requirements.

@@ -155,20 +189,25 @@ Try out Superset's [quickstart](https://superset.apache.org/docs/quickstart/) gu
 - [Join our community's Slack](http://bit.ly/join-superset-slack)
  and please read our [Slack Community Guidelines](https://github.com/apache/superset/blob/master/CODE_OF_CONDUCT.md#slack-community-guidelines)
 - [Join our dev@superset.apache.org Mailing list](https://lists.apache.org/list.html?dev@superset.apache.org). To join, simply send an email to [dev-subscribe@superset.apache.org](mailto:dev-subscribe@superset.apache.org)
+- Follow us on social media:
+  [X](https://x.com/apachesuperset) |
+  [LinkedIn](https://www.linkedin.com/company/apache-superset) |
+  [Bluesky](https://bsky.app/profile/apachesuperset.bsky.social) |
+  [Reddit](https://reddit.com/r/apache-superset)
 - If you want to help troubleshoot GitHub Issues involving the numerous database drivers that Superset supports, please consider adding your name and the databases you have access to on the [Superset Database Familiarity Rolodex](https://docs.google.com/spreadsheets/d/1U1qxiLvOX0kBTUGME1AHHi6Ywel6ECF8xk_Qy-V9R8c/edit#gid=0)
 - Join Superset's Town Hall and [Operational Model](https://preset.io/blog/the-superset-operational-model-wants-you/) recurring meetings. Meeting info is available on the [Superset Community Calendar](https://superset.apache.org/community)

 ## Contributor Guide

 Interested in contributing? Check out our
-[CONTRIBUTING.md](https://github.com/apache/superset/blob/master/CONTRIBUTING.md)
+[Developer Guide](https://superset.apache.org/developer-docs/)
 to find resources around contributing along with a detailed guide on
 how to set up a development environment.

 ## Resources

- [Superset "In the Wild"](https://github.com/apache/superset/blob/master/RESOURCES/INTHEWILD.md) - open a PR to add your org to the list!
- [Feature Flags](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md) - the status of Superset's Feature Flags.
+- [Superset "In the Wild"](https://superset.apache.org/inTheWild) - see who's using Superset, and [add your organization](https://github.com/apache/superset/edit/master/RESOURCES/INTHEWILD.yaml) to the list!
+- [Feature Flags](https://superset.apache.org/docs/configuration/feature-flags) - the status of Superset's Feature Flags.
 - [Standard Roles](https://github.com/apache/superset/blob/master/RESOURCES/STANDARD_ROLES.md) - How RBAC permissions map to roles.
 - [Superset Wiki](https://github.com/apache/superset/wiki) - Tons of additional community resources: best practices, community content and other information.
 - [Superset SIPs](https://github.com/orgs/apache/projects/170) - The status of Superset's SIPs (Superset Improvement Proposals) for both consensus and implementation status.
--- a/RELEASING/README.md
+++ b/RELEASING/README.md
@@ -458,7 +458,7 @@ cd ../
 sed -i '' "s/version_string = .*/version_string = \"$SUPERSET_VERSION\"/" setup.py

 # build the python distribution
-python setup.py sdist
+python -m build
 ```

 Publish to PyPI
--- a/RELEASING/release-notes-1-0/README.md
+++ b/RELEASING/release-notes-1-0/README.md
@@ -92,7 +92,7 @@ Some of the new features in this release are disabled by default. Each has a fea

 | Feature | Feature Flag | Dependencies | Documentation
 | --- | --- | --- | --- |
-| Global Async Queries | `GLOBAL_ASYNC_QUERIES: True` | Redis 5.0+, celery workers configured and running | [Extra documentation](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries )
+| Global Async Queries | `GLOBAL_ASYNC_QUERIES: True` | Redis 5.0+, celery workers configured and running | [Extra documentation](https://superset.apache.org/docs/contributing/misc#async-chart-queries)
 | Dashboard Native Filters | `DASHBOARD_NATIVE_FILTERS: True` | |
 | Alerts & Reporting | `ALERT_REPORTS: True` | [Celery workers configured & celery beat process](https://superset.apache.org/docs/installation/async-queries-celery) |
 | Homescreen Thumbnails | `THUMBNAILS: TRUE, THUMBNAIL_CACHE_CONFIG: CacheConfig = { "CACHE_TYPE": "null", "CACHE_NO_NULL_WARNING": True}`| selenium, pillow 7, celery |
--- a/RELEASING/verify_release.py
+++ b/RELEASING/verify_release.py
@@ -56,8 +56,33 @@ def verify_sha512(filename: str) -> str:
 # Part 2: Verify RSA key - this is the same as running `gpg --verify {release}.asc {release}` and comparing the RSA key and email address against the KEYS file  # noqa: E501


+KEYS_URL = "https://downloads.apache.org/superset/KEYS"
+
+
+def ensure_keys_imported() -> None:
+    """Import the Apache Superset KEYS file into the local GPG keyring.
+
+    Without this, `gpg --verify` returns "No public key" and the signature
+    cannot actually be verified — only the key ID in the signature metadata
+    is visible.
+    """
+    try:
+        keys = requests.get(KEYS_URL, timeout=30)
+    except requests.RequestException as exc:
+        print(f"Warning: could not fetch KEYS file for import: {exc}")
+        return
+    if keys.status_code != 200:
+        print(f"Warning: could not fetch KEYS file (HTTP {keys.status_code})")
+        return
+    subprocess.run(  # noqa: S603
+        ["gpg", "--import"],  # noqa: S607
+        input=keys.content,
+        capture_output=True,
+    )
+
+
 def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
-    """Run the GPG verify command and extract RSA key and email address."""
+    """Run the GPG verify command and extract RSA/EDDSA key and email address."""
    asc_filename = filename + ".asc"
    result = subprocess.run(  # noqa: S603
        ["gpg", "--verify", asc_filename, filename],  # noqa: S607
@@ -65,25 +90,50 @@ def get_gpg_info(filename: str) -> tuple[Optional[str], Optional[str]]:
    )
    output = result.stderr.decode()

+    # If no public key was available, import KEYS and retry so that
+    # `Good signature from "Name <email>"` appears in the output.
+    if "No public key" in output:
+        ensure_keys_imported()
+        result = subprocess.run(  # noqa: S603
+            ["gpg", "--verify", asc_filename, filename],  # noqa: S607
+            capture_output=True,  # noqa: S607
+        )
+        output = result.stderr.decode()
+
    rsa_key = re.search(r"RSA key ([0-9A-F]+)", output)
    eddsa_key = re.search(r"EDDSA key ([0-9A-F]+)", output)
-    email = re.search(r'issuer "([^"]+)"', output)
+
+    # Try multiple patterns — `Good signature from` is the most reliable
+    # source of the email; `issuer` is a fallback for older gpg output.
+    email_patterns = (
+        r'Good signature from ".*?<([^>]+)>"',
+        r'aka ".*?<([^>]+)>"',
+        r'issuer "([^"]+)"',
+    )
+    email_result: Optional[str] = None
+    for pattern in email_patterns:
+        match = re.search(pattern, output)
+        if match:
+            email_result = match.group(1)
+            break

    rsa_key_result = rsa_key.group(1) if rsa_key else None
    eddsa_key_result = eddsa_key.group(1) if eddsa_key else None
-    email_result = email.group(1) if email else None
-
    key_result = rsa_key_result or eddsa_key_result

-    # Debugging:
    if key_result:
        print("RSA or EDDSA Key found")
    else:
        print("Warning: No RSA or EDDSA key found in GPG verification output.")
    if email_result:
-        print("email found")
+        print(f"Email found: {email_result}")
    else:
        print("Warning: No email address found in GPG verification output.")
+        if "No public key" in output:
+            print(
+                "Hint: public key is not in your keyring. Import it with:\n"
+                f"  curl -s {KEYS_URL} | gpg --import"
+            )

    return key_result, email_result

--- a/RESOURCES/FEATURE_FLAGS.md
+++ b/RESOURCES/FEATURE_FLAGS.md
@@ -1,103 +0,0 @@
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-# Superset Feature Flags
-
-This is a list of the current Superset optional features. See config.py for default values. These features can be turned on/off by setting your preferred values in superset_config.py to True/False respectively
-
-## In Development
-
-These features are considered **unfinished** and should only be used on development environments.
-
-[//]: # "PLEASE KEEP THE LIST SORTED ALPHABETICALLY"
-
- ALERT_REPORT_TABS
- DATE_RANGE_TIMESHIFTS_ENABLED
- ENABLE_ADVANCED_DATA_TYPES
- PRESTO_EXPAND_DATA
- SHARE_QUERIES_VIA_KV_STORE
- TAGGING_SYSTEM
- CHART_PLUGINS_EXPERIMENTAL
-
-## In Testing
-
-These features are **finished** but currently being tested. They are usable, but may still contain some bugs.
-
-[//]: # "PLEASE KEEP THE LIST SORTED ALPHABETICALLY"
-
- ALERT_REPORTS: [(docs)](https://superset.apache.org/docs/configuration/alerts-reports)
- ALLOW_FULL_CSV_EXPORT
- CACHE_IMPERSONATION
- CONFIRM_DASHBOARD_DIFF
- DYNAMIC_PLUGINS
- DATE_FORMAT_IN_EMAIL_SUBJECT: [(docs)](https://superset.apache.org/docs/configuration/alerts-reports#commons)
- ENABLE_SUPERSET_META_DB: [(docs)](https://superset.apache.org/docs/configuration/databases/#querying-across-databases)
- ESTIMATE_QUERY_COST
- GLOBAL_ASYNC_QUERIES [(docs)](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries)
- IMPERSONATE_WITH_EMAIL_PREFIX
- PLAYWRIGHT_REPORTS_AND_THUMBNAILS
- RLS_IN_SQLLAB
- SSH_TUNNELING [(docs)](https://superset.apache.org/docs/configuration/setup-ssh-tunneling)
- USE_ANALAGOUS_COLORS
-
-## Stable
-
-These features flags are **safe for production**. They have been tested and will be supported for the at least the current major version cycle.
-
-[//]: # "PLEASE KEEP THESE LISTS SORTED ALPHABETICALLY"
-
-### Flags on the path to feature launch and flag deprecation/removal
-
- DASHBOARD_VIRTUALIZATION
-
-### Flags retained for runtime configuration
-
-Currently some of our feature flags act as dynamic configurations that can changed
-on the fly. This acts in contradiction with the typical ephemeral feature flag use case,
-where the flag is used to mature a feature, and eventually deprecated once the feature is
-solid. Eventually we'll likely refactor these under a more formal "dynamic configurations" managed
-independently. This new framework will also allow for non-boolean configurations.
-
- ALERTS_ATTACH_REPORTS
- ALLOW_ADHOC_SUBQUERY
- DASHBOARD_RBAC [(docs)](https://superset.apache.org/docs/using-superset/creating-your-first-dashboard#manage-access-to-dashboards)
- DATAPANEL_CLOSED_BY_DEFAULT
- DRILL_BY
- DRUID_JOINS
- EMBEDDABLE_CHARTS
- EMBEDDED_SUPERSET
- ENABLE_TEMPLATE_PROCESSING
- ESCAPE_MARKDOWN_HTML
- LISTVIEWS_DEFAULT_CARD_VIEW
- SCHEDULED_QUERIES [(docs)](https://superset.apache.org/docs/configuration/alerts-reports)
- SLACK_ENABLE_AVATARS (see `superset/config.py` for more information)
- SQLLAB_BACKEND_PERSISTENCE
- SQL_VALIDATORS_BY_ENGINE [(docs)](https://superset.apache.org/docs/configuration/sql-templating)
- THUMBNAILS [(docs)](https://superset.apache.org/docs/configuration/cache)
-
-## Deprecated Flags
-
-These features flags currently default to True and **will be removed in a future major release**. For this current release you can turn them off by setting your config to False, but it is advised to remove or set these flags in your local configuration to **True** so that you do not experience any unexpected changes in a future release.
-
-[//]: # "PLEASE KEEP THE LIST SORTED ALPHABETICALLY"
-
- AVOID_COLORS_COLLISION
- DRILL_TO_DETAIL
- ENABLE_JAVASCRIPT_CONTROLS
- KV_STORE
--- a/RESOURCES/INTHEWILD.md
+++ b/RESOURCES/INTHEWILD.md
@@ -1,226 +0,0 @@
-<!--
-Licensed to the Apache Software Foundation (ASF) under one
-or more contributor license agreements.  See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership.  The ASF licenses this file
-to you under the Apache License, Version 2.0 (the
-"License"); you may not use this file except in compliance
-with the License.  You may obtain a copy of the License at
-
-  http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing,
-software distributed under the License is distributed on an
-"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-KIND, either express or implied.  See the License for the
-specific language governing permissions and limitations
-under the License.
-->
-
-## Superset Users in the Wild
-
-Here's a list of organizations, broken down into broad industry categories, that have taken the time to send a PR to let
-the world know they are using Apache Superset. If you are a user and want to be recognized,
-all you have to do is file a simple PR [like this one](https://github.com/apache/superset/pull/10122) — [just click here](https://github.com/apache/superset/edit/master/RESOURCES/INTHEWILD.md) to do so. If you think
-the categorization is inaccurate, please file a PR with your correction as well.
-Join our growing community!
-
-### Sharing Economy
-
- [Airbnb](https://github.com/airbnb)
- [Faasos](https://faasos.com/) [@shashanksingh]
- [Free2Move](https://www.free2move.com/) [@PaoloTerzi]
- [Hostnfly](https://www.hostnfly.com/) [@alexisrosuel]
- [Lime](https://www.li.me/) [@cxmcc]
- [Lyft](https://www.lyft.com/)
- [Ontruck](https://www.ontruck.com/)
-
-### Financial Services
-
- [Aktia Bank plc](https://www.aktia.com)
- [American Express](https://www.americanexpress.com) [@TheLastSultan]
- [bumper](https://www.bumper.co/) [@vasu-ram, @JamiePercival]
- [Cape Crypto](https://capecrypto.com)
- [Capital Service S.A.](https://capitalservice.pl) [@pkonarzewski]
- [Clark.de](https://clark.de/)
- [Europace](https://europace.de)
- [KarrotPay](https://www.daangnpay.com/)
- [Remita](https://remita.net) [@mujibishola]
- [Taveo](https://www.taveo.com) [@codek]
- [Unit](https://www.unit.co/about-us) [@amitmiran137]
- [Wise](https://wise.com) [@koszti]
- [Xendit](https://xendit.co/) [@LieAlbertTriAdrian]
- [Cover Genius](https://covergenius.com/)
-
-### Gaming
-
- [Popoko VM Games Studio](https://popoko.live)
-
-### E-Commerce
-
- [AiHello](https://www.aihello.com) [@ganeshkrishnan1]
- [Bazaar Technologies](https://www.bazaartech.com) [@umair-abro]
- [Dragonpass](https://www.dragonpass.com.cn/) [@zhxjdwh]
- [Dropit Shopping](https://www.dropit.shop/) [@dropit-dev]
- [Fanatics](https://www.fanatics.com/) [@coderfender]
- [Fordeal](https://www.fordeal.com) [@Renkai]
- [Fynd](https://www.fynd.com/) [@darpanjain07]
- [GFG - Global Fashion Group](https://global-fashion-group.com) [@ksaagariconic]
- [GoTo/Gojek](https://www.gojek.io/) [@gwthm-in]
- [HuiShouBao](https://www.huishoubao.com/) [@Yukinoshita-Yukino]
- [Now](https://www.now.vn/) [@davidkohcw]
- [Qunar](https://www.qunar.com/) [@flametest]
- [Rakuten Viki](https://www.viki.com)
- [Shopee](https://shopee.sg) [@xiaohanyu]
- [Shopkick](https://www.shopkick.com) [@LAlbertalli]
- [ShopUp](https://www.shopup.org/) [@gwthm-in]
- [Tails.com](https://tails.com/gb/) [@alanmcruickshank]
- [THE ICONIC](https://theiconic.com.au/) [@ksaagariconic]
- [Utair](https://www.utair.ru) [@utair-digital]
- [VkusVill](https://vkusvill.ru/) [@ETselikov]
- [Zalando](https://www.zalando.com) [@dmigo]
- [Zalora](https://www.zalora.com) [@ksaagariconic]
- [Zepto](https://www.zeptonow.com/) [@gwthm-in]
-
-### Enterprise Technology
-
- [A3Data](https://a3data.com.br) [@neylsoncrepalde]
- [Analytics Aura](https://analyticsaura.com/) [@Analytics-Aura]
- [Apollo GraphQL](https://www.apollographql.com/) [@evans]
- [Astronomer](https://www.astronomer.io) [@ryw]
- [Avesta Technologies](https://avestatechnologies.com/) [@TheRum]
- [Caizin](https://caizin.com/) [@tejaskatariya]
- [Canonical](https://canonical.com)
- [Careem](https://www.careem.com/) [@samraHanif0340]
- [Cloudsmith](https://cloudsmith.io) [@alancarson]
- [Cyberhaven](https://www.cyberhaven.com/) [@toliver-ch]
- [Deepomatic](https://deepomatic.com/) [@Zanoellia]
- [Dial Once](https://www.dial-once.com/)
- [Dremio](https://dremio.com) [@narendrans]
- [EFinance](https://www.efinance.com.eg) [@habeeb556]
- [Elestio](https://elest.io/) [@kaiwalyakoparkar]
- [ELMO Cloud HR & Payroll](https://elmosoftware.com.au/)
- [Endress+Hauser](https://www.endress.com/) [@rumbin]
- [FBK - ICT center](https://ict.fbk.eu)
- [Formbricks](https://formbricks.com)
- [Gavagai](https://gavagai.io) [@gavagai-corp]
- [GfK Data Lab](https://www.gfk.com/home) [@mherr]
- [HPE](https://www.hpe.com/in/en/home.html) [@anmol-hpe]
- [Hydrolix](https://www.hydrolix.io/)
- [Intercom](https://www.intercom.com/) [@kate-gallo]
- [jampp](https://jampp.com/)
- [Konfío](https://konfio.mx) [@uis-rodriguez]
- [Mainstrat](https://mainstrat.com/)
- [mishmash io](https://mishmash.io/) [@mishmash-io]
- [Myra Labs](https://www.myralabs.com/) [@viksit]
- [Nielsen](https://www.nielsen.com/) [@amitNielsen]
- [Ona](https://ona.io) [@pld]
- [Orange](https://www.orange.com) [@icsu]
- [Oslandia](https://oslandia.com)
- [Oxylabs](https://oxylabs.io/) [@rytis-ulys]
- [Peak AI](https://www.peak.ai/) [@azhar22k]
- [PeopleDoc](https://www.people-doc.com) [@rodo]
- [PlaidCloud](https://www.plaidcloud.com)
- [Preset, Inc.](https://preset.io)
- [PubNub](https://pubnub.com) [@jzucker2]
- [ReadyTech](https://www.readytech.io)
- [Reward Gateway](https://www.rewardgateway.com)
- [RIADVICE](https://riadvice.tn) [@riadvice]
- [ScopeAI](https://www.getscopeai.com) [@iloveluce]
- [shipmnts](https://shipmnts.com)
- [Showmax](https://showmax.com) [@bobek]
- [SingleStore](https://www.singlestore.com/)
- [TechAudit](https://www.techaudit.info) [@ETselikov]
- [Tenable](https://www.tenable.com) [@dflionis]
- [Tentacle](https://www.linkedin.com/company/tentacle-cmi/) [@jdclarke5]
- [timbr.ai](https://timbr.ai/) [@semantiDan]
- [Tobii](https://www.tobii.com/) [@dwa]
- [Tooploox](https://www.tooploox.com/) [@jakubczaplicki]
- [Unvired](https://unvired.com) [@srinisubramanian]
- [Virtuoso QA](https://www.virtuosoqa.com)
- [Whale](https://whale.im)
- [Windsor.ai](https://www.windsor.ai/) [@octaviancorlade]
- [WinWin Network马上赢](https://brandct.cn/) [@wenbinye]
- [Zeta](https://www.zeta.tech/) [@shaikidris]
-
-### Media & Entertainment
-
- [6play](https://www.6play.fr) [@CoryChaplin]
- [bilibili](https://www.bilibili.com) [@Moinheart]
- [BurdaForward](https://www.burda-forward.de/en/)
- [Douban](https://www.douban.com/) [@luchuan]
- [Kuaishou](https://www.kuaishou.com/) [@zhaoyu89730105]
- [Netflix](https://www.netflix.com/)
- [Prensa Iberica](https://www.prensaiberica.es/) [@zamar-roura]
- [TME QQMUSIC/WESING](https://www.tencentmusic.com/) [@shenyuanli,@marklaw]
- [Xite](https://xite.com/) [@shashankkoppar]
- [Zaihang](https://www.zaih.com/)
-
-### Education
-
- [Aveti Learning](https://avetilearning.com/) [@TheShubhendra]
- [Brilliant.org](https://brilliant.org/)
- [Open edX](https://openedx.org/)
- [Platzi.com](https://platzi.com/)
- [Sunbird](https://www.sunbird.org/) [@eksteporg]
- [The GRAPH Network](https://thegraphnetwork.org/) [@fccoelho]
- [Udemy](https://www.udemy.com/) [@sungjuly]
- [VIPKID](https://www.vipkid.com.cn/) [@illpanda]
- [WikiMedia Foundation](https://wikimediafoundation.org) [@vg]
-
-### Energy
-
- [Airboxlab](https://foobot.io) [@antoine-galataud]
- [DouroECI](https://www.douroeci.com/) [@nunohelibeires]
- [Safaricom](https://www.safaricom.co.ke/) [@mmutiso]
- [Scoot](https://scoot.co/) [@haaspt]
- [Wattbewerb](https://wattbewerb.de/) [@wattbewerb]
-
-### Healthcare
-
- [Amino](https://amino.com) [@shkr]
- [Bluesquare](https://www.bluesquarehub.com/) [@madewulf]
- [Care](https://www.getcare.io/) [@alandao2021]
- [Living Goods](https://www.livinggoods.org) [@chelule]
- [Maieutical Labs](https://maieuticallabs.it) [@xrmx]
- [Medic](https://medic.org) [@1yuv]
- [REDCap Cloud](https://www.redcapcloud.com/)
- [TrustMedis](https://trustmedis.com/) [@famasya]
- [WeSure](https://www.wesure.cn/)
- [2070Health](https://2070health.com/)
-
-### HR / Staffing
-
- [Swile](https://www.swile.co/) [@PaoloTerzi]
- [Symmetrics](https://www.symmetrics.fyi)
- [bluquist](https://bluquist.com/)
-
-### Government
-
- [City of Ann Arbor, MI](https://www.a2gov.org/) [@sfirke]
- [RIS3 Strategy of CZ, MIT CR](https://www.ris3.cz/) [@RIS3CZ]
- [NRLM - Sarathi, India](https://pib.gov.in/PressReleasePage.aspx?PRID=1999586)
-
-### Travel
-
- [Agoda](https://www.agoda.com/) [@lostseaway, @maiake, @obombayo]
- [HomeToGo](https://hometogo.com/) [@pedromartinsteenstrup]
- [Skyscanner](https://www.skyscanner.net/) [@cleslie, @stanhoucke]
-
-### Others
-
- [10Web](https://10web.io/)
- [AI inside](https://inside.ai/en/)
- [Automattic](https://automattic.com/) [@Khrol, @Usiel]
- [Dropbox](https://www.dropbox.com/) [@bkyryliuk]
- [Flowbird](https://flowbird.com) [@EmmanuelCbd]
- [GEOTAB](https://www.geotab.com) [@JZ6]
- [Grassroot](https://www.grassrootinstitute.org/)
- [Increff](https://www.increff.com/) [@ishansinghania]
- [komoot](https://www.komoot.com/) [@christophlingg]
- [Let's Roam](https://www.letsroam.com/)
- [Machrent SA](https://www.machrent.com/)
- [Onebeat](https://1beat.com/) [@GuyAttia]
- [X](https://x.com/)
- [VLMedia](https://www.vlmedia.com.tr/) [@ibotheperfect]
- [Yahoo!](https://yahoo.com/)
--- a/RESOURCES/INTHEWILD.yaml
+++ b/RESOURCES/INTHEWILD.yaml
@@ -0,0 +1,703 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Apache Superset Users in the Wild
+#
+# To add your organization:
+# 1. Find the appropriate category (or add a new one)
+# 2. Add an entry with your organization details
+# 3. Optionally add a logo file to docs/static/img/logos/
+#
+# Required fields:
+#   - name: Your organization name
+#   - url: Link to your organization's website
+#
+# Optional fields:
+#   - logo: Filename of logo in docs/static/img/logos/ (e.g., "mycompany.svg")
+#   - contributors: List of GitHub usernames who contributed (e.g., ["@username"])
+
+categories:
+  Sharing Economy:
+    - name: Airbnb
+      url: https://github.com/airbnb
+
+    - name: Faasos
+      url: https://faasos.com/
+      contributors: ["@shashanksingh"]
+
+    - name: Free2Move
+      url: https://www.free2move.com/
+      contributors: ["@PaoloTerzi"]
+
+    - name: Hostnfly
+      url: https://www.hostnfly.com/
+      contributors: ["@alexisrosuel"]
+
+    - name: Lime
+      url: https://www.li.me/
+      contributors: ["@cxmcc"]
+
+    - name: Lyft
+      url: https://www.lyft.com/
+
+    - name: Ontruck
+      url: https://www.ontruck.com/
+
+  Financial Services:
+    - name: Aadhar Housing Finance Limited
+      url: https://www.aadharhousing.com
+      contributors: ["@thakerhardiks"]
+
+    - name: Aktia Bank plc
+      url: https://www.aktia.com
+
+    - name: American Express
+      url: https://www.americanexpress.com
+      contributors: ["@TheLastSultan"]
+
+    - name: bumper
+      url: https://www.bumper.co/
+      contributors: ["@vasu-ram", "@JamiePercival"]
+
+    - name: Cape Crypto
+      url: https://capecrypto.com
+
+    - name: Capital Service S.A.
+      url: https://capitalservice.pl
+      contributors: ["@pkonarzewski"]
+
+    - name: Clark.de
+      url: https://clark.de/
+
+    - name: EnquiryLabs
+      url: https://www.enquirylabs.co.uk
+
+    - name: Europace
+      url: https://europace.de
+
+    - name: KarrotPay
+      url: https://www.daangnpay.com/
+
+    - name: Remita
+      url: https://remita.net
+      contributors: ["@mujibishola"]
+
+    - name: Taveo
+      url: https://www.taveo.com
+      contributors: ["@codek"]
+
+    - name: Unit
+      url: https://www.unit.co/about-us
+      contributors: ["@amitmiran137"]
+
+    - name: Wise
+      url: https://wise.com
+      contributors: ["@koszti"]
+
+    - name: Xendit
+      url: https://xendit.co/
+      contributors: ["@LieAlbertTriAdrian"]
+
+    - name: Cover Genius
+      url: https://covergenius.com/
+
+  Gaming:
+    - name: Popoko VM Games Studio
+      url: https://popoko.live
+
+  E-Commerce:
+    - name: AiHello
+      url: https://www.aihello.com
+      contributors: ["@ganeshkrishnan1"]
+
+    - name: Bazaar Technologies
+      url: https://www.bazaartech.com
+      contributors: ["@umair-abro"]
+
+    - name: Blinkit
+      url: https://www.blinkit.com/
+      contributors: ["@amsharm2"]
+
+    - name: Dragonpass
+      url: https://www.dragonpass.com.cn/
+      contributors: ["@zhxjdwh"]
+
+    - name: Dropit Shopping
+      url: https://www.dropit.shop/
+      contributors: ["@dropit-dev"]
+
+    - name: Fordeal
+      url: https://www.fordeal.com
+      contributors: ["@Renkai"]
+
+    - name: Fynd
+      url: https://www.fynd.com/
+      contributors: ["@darpanjain07"]
+
+    - name: GFG - Global Fashion Group
+      url: https://global-fashion-group.com
+      contributors: ["@ksaagariconic"]
+
+    - name: GoTo/Gojek
+      url: https://www.gojek.io/
+      contributors: ["@gwthm-in"]
+
+    - name: HuiShouBao
+      url: https://www.huishoubao.com/
+      contributors: ["@Yukinoshita-Yukino"]
+
+    - name: Now
+      url: https://www.now.vn/
+      contributors: ["@davidkohcw"]
+
+    - name: Qunar
+      url: https://www.qunar.com/
+      contributors: ["@flametest"]
+
+    - name: Rakuten Viki
+      url: https://www.viki.com
+
+    - name: Shopee
+      url: https://shopee.sg
+      contributors: ["@xiaohanyu"]
+
+    - name: Shopkick
+      url: https://www.shopkick.com
+      contributors: ["@LAlbertalli"]
+
+    - name: ShopUp
+      url: https://www.shopup.org/
+      contributors: ["@gwthm-in"]
+
+    - name: Tails.com
+      url: https://tails.com/gb/
+      contributors: ["@alanmcruickshank"]
+
+    - name: THE ICONIC
+      url: https://theiconic.com.au/
+      contributors: ["@ksaagariconic"]
+
+    - name: Utair
+      url: https://www.utair.ru
+      contributors: ["@utair-digital"]
+
+    - name: VkusVill
+      url: https://vkusvill.ru/
+      contributors: ["@ETselikov"]
+
+    - name: Zalando
+      url: https://www.zalando.com
+      contributors: ["@dmigo"]
+
+    - name: Zalora
+      url: https://www.zalora.com
+      contributors: ["@ksaagariconic"]
+
+    - name: Zepto
+      url: https://www.zeptonow.com/
+      contributors: ["@gwthm-in"]
+
+  Enterprise Technology:
+    - name: A3Data
+      url: https://a3data.com.br
+      contributors: ["@neylsoncrepalde"]
+
+    - name: Analytics Aura
+      url: https://analyticsaura.com/
+      contributors: ["@Analytics-Aura"]
+
+    - name: Apollo GraphQL
+      url: https://www.apollographql.com/
+      contributors: ["@evans"]
+
+    - name: Astronomer
+      url: https://www.astronomer.io
+      contributors: ["@ryw"]
+
+    - name: Avesta Technologies
+      url: https://avestatechnologies.com/
+      contributors: ["@TheRum"]
+
+    - name: Caizin
+      url: https://caizin.com/
+      contributors: ["@tejaskatariya"]
+
+    - name: Canonical
+      url: https://canonical.com
+
+    - name: Careem
+      url: https://www.careem.com/
+      contributors: ["@samraHanif0340"]
+
+    - name: Cloudsmith
+      url: https://cloudsmith.io
+      contributors: ["@alancarson"]
+
+    - name: Cyberhaven
+      url: https://www.cyberhaven.com/
+      contributors: ["@toliver-ch"]
+
+    - name: Deepomatic
+      url: https://deepomatic.com/
+      contributors: ["@Zanoellia"]
+
+    - name: Dial Once
+      url: https://www.dial-once.com/
+
+    - name: Dremio
+      url: https://dremio.com
+      contributors: ["@narendrans"]
+
+    - name: EFinance
+      url: https://www.efinance.com.eg
+      contributors: ["@habeeb556"]
+
+    - name: Elestio
+      url: https://elest.io/
+      contributors: ["@kaiwalyakoparkar"]
+
+    - name: ELMO Cloud HR & Payroll
+      url: https://elmosoftware.com.au/
+
+    - name: Endress+Hauser
+      url: https://www.endress.com/
+      contributors: ["@rumbin"]
+
+    - name: FBK - ICT center
+      url: https://ict.fbk.eu
+
+    - name: Formbricks
+      url: https://formbricks.com
+
+    - name: Gavagai
+      url: https://gavagai.io
+      contributors: ["@gavagai-corp"]
+
+    - name: GfK Data Lab
+      url: https://www.gfk.com/home
+      contributors: ["@mherr"]
+
+    - name: Hifadih Business & Technology
+      url: https://hifadih.net/en
+      logo: hifadih.png
+      contributors: ["@saintLaurent00"]
+
+    # Logo approved by @anmol-hpe on behalf of HPE
+    - name: HPE
+      url: https://www.hpe.com/in/en/home.html
+      logo: hpe.png
+      contributors: ["@anmol-hpe"]
+
+    - name: Hydrolix
+      url: https://www.hydrolix.io/
+
+    - name: Intercom
+      url: https://www.intercom.com/
+      contributors: ["@kate-gallo"]
+
+    - name: jampp
+      url: https://jampp.com/
+
+    - name: Konfío
+      url: https://konfio.mx
+      contributors: ["@uis-rodriguez"]
+
+    - name: Mainstrat
+      url: https://mainstrat.com/
+
+    - name: mishmash io
+      url: https://mishmash.io/
+      contributors: ["@mishmash-io"]
+
+    - name: Myra Labs
+      url: https://www.myralabs.com/
+      contributors: ["@viksit"]
+
+    - name: Nielsen
+      url: https://www.nielsen.com/
+      contributors: ["@amitNielsen"]
+
+    - name: Ona
+      url: https://ona.io
+      contributors: ["@pld"]
+
+    - name: Orange
+      url: https://www.orange.com
+      contributors: ["@icsu"]
+
+    - name: Oslandia
+      url: https://oslandia.com
+
+    - name: Oxylabs
+      url: https://oxylabs.io/
+      contributors: ["@rytis-ulys"]
+
+    - name: Peak AI
+      url: https://www.peak.ai/
+      contributors: ["@azhar22k"]
+
+    - name: PeopleDoc
+      url: https://www.people-doc.com
+      contributors: ["@rodo"]
+
+    - name: PlaidCloud
+      url: https://plaidcloud.com
+      logo: plaidcloud.svg
+      contributors: ["@rad-pat"]
+
+    - name: Preset, Inc.
+      url: https://preset.io
+      logo: preset.svg
+      contributors: ["@mistercrunch", "@betodealmeida", "@dpgaspar", "@rusackas", "@sadpandajoe", "@Vitor-Avila", "@kgabryje", "@geido", "@eschutho", "@Antonio-RiveroMartnez", "@yousoph"]
+
+    - name: PubNub
+      url: https://pubnub.com
+      contributors: ["@jzucker2"]
+
+    - name: ReadyTech
+      url: https://www.readytech.io
+
+    - name: Reward Gateway
+      url: https://www.rewardgateway.com
+
+    - name: RIADVICE
+      url: https://riadvice.tn
+      contributors: ["@riadvice"]
+
+    - name: ScopeAI
+      url: https://www.getscopeai.com
+      contributors: ["@iloveluce"]
+
+    - name: shipmnts
+      url: https://shipmnts.com
+
+    - name: Showmax
+      url: https://showmax.com
+      contributors: ["@bobek"]
+
+    - name: SingleStore
+      url: https://www.singlestore.com/
+
+    - name: TechAudit
+      url: https://www.techaudit.info
+      contributors: ["@ETselikov"]
+
+    - name: Tenable
+      url: https://www.tenable.com
+      contributors: ["@dflionis"]
+
+    - name: Tentacle
+      url: https://www.linkedin.com/company/tentacle-cmi/
+      contributors: ["@jdclarke5"]
+
+    - name: timbr.ai
+      url: https://timbr.ai/
+      contributors: ["@semantiDan"]
+
+    - name: Tobii
+      url: https://www.tobii.com/
+      contributors: ["@dwa"]
+
+    - name: Tooploox
+      url: https://www.tooploox.com/
+      contributors: ["@jakubczaplicki"]
+
+    - name: Unvired
+      url: https://unvired.com
+      contributors: ["@srinisubramanian"]
+
+    - name: UserGuiding
+      url: https://userguiding.com/
+      logo: userguiding.svg
+      contributors: ["@tzercin"]
+
+    - name: Virtuoso QA
+      url: https://www.virtuosoqa.com
+
+    - name: Whale
+      url: https://whale.im
+
+    - name: Windsor.ai
+      url: https://www.windsor.ai/
+      contributors: ["@octaviancorlade"]
+
+    - name: WinWin Network马上赢
+      url: https://brandct.cn/
+      contributors: ["@wenbinye"]
+
+    - name: XNET
+      url: https://xnetmobile.com/
+      logo: xnet.png
+      contributors: ["@deuspt"]
+
+    - name: Zeta
+      url: https://www.zeta.tech/
+      contributors: ["@shaikidris"]
+
+  Media & Entertainment:
+    - name: 6play
+      url: https://www.6play.fr
+      contributors: ["@CoryChaplin"]
+
+    - name: bilibili
+      url: https://www.bilibili.com
+      contributors: ["@Moinheart"]
+
+    - name: BurdaForward
+      url: https://www.burda-forward.de/en/
+
+    - name: Douban
+      url: https://www.douban.com/
+      contributors: ["@luchuan"]
+
+    - name: Kuaishou
+      url: https://www.kuaishou.com/
+      contributors: ["@zhaoyu89730105"]
+
+    - name: Netflix
+      url: https://www.netflix.com/
+
+    - name: Prensa Iberica
+      url: https://www.prensaiberica.es/
+      contributors: ["@zamar-roura"]
+
+    - name: TME QQMUSIC/WESING
+      url: https://www.tencentmusic.com/
+      contributors: ["@shenyuanli", "@marklaw"]
+
+    - name: Xite
+      url: https://xite.com/
+      contributors: ["@shashankkoppar"]
+
+    - name: Zaihang
+      url: https://www.zaih.com/
+
+  Education:
+    - name: Aveti Learning
+      url: https://avetilearning.com/
+      contributors: ["@TheShubhendra"]
+
+    - name: Brilliant.org
+      url: https://brilliant.org/
+
+    - name: Cirrus Assessment
+      url: https://cirrusassessment.com/
+      logo: cirrus.svg
+      contributors: ["@jeroenhabets", "@ddmm-white", "@paulrocost"]
+
+    - name: Open edX
+      url: https://openedx.org/
+
+    - name: Platzi.com
+      url: https://platzi.com/
+
+    - name: Sunbird
+      url: https://www.sunbird.org/
+      contributors: ["@eksteporg"]
+
+    - name: The GRAPH Network
+      url: https://thegraphnetwork.org/
+      contributors: ["@fccoelho"]
+
+    - name: Udemy
+      url: https://www.udemy.com/
+      contributors: ["@sungjuly"]
+
+    - name: VIPKID
+      url: https://www.vipkid.com.cn/
+      contributors: ["@illpanda"]
+
+    - name: WikiMedia Foundation
+      url: https://wikimediafoundation.org
+      contributors: ["@vg"]
+
+  Energy:
+    - name: Airboxlab
+      url: https://foobot.io
+      contributors: ["@antoine-galataud"]
+
+    - name: DouroECI
+      url: https://www.douroeci.com/
+      contributors: ["@nunohelibeires"]
+
+    - name: Safaricom
+      url: https://www.safaricom.co.ke/
+      contributors: ["@mmutiso"]
+
+    - name: Scoot
+      url: https://scoot.co/
+      contributors: ["@haaspt"]
+
+    - name: Wattbewerb
+      url: https://wattbewerb.de/
+      contributors: ["@wattbewerb"]
+
+    - name: Rogow
+      url: https://rogow.com.br/
+      contributors: ["@nilmonto"]
+
+  Healthcare:
+    - name: Amino
+      url: https://amino.com
+      contributors: ["@shkr"]
+
+    - name: Bluesquare
+      url: https://www.bluesquarehub.com/
+      contributors: ["@madewulf"]
+
+    - name: Care
+      url: https://www.getcare.io/
+      contributors: ["@alandao2021"]
+
+    - name: Living Goods
+      url: https://www.livinggoods.org
+      contributors: ["@chelule"]
+
+    - name: Maieutical Labs
+      url: https://maieuticallabs.it
+      contributors: ["@xrmx"]
+
+    - name: Medic
+      url: https://medic.org
+      contributors: ["@1yuv"]
+
+    - name: REDCap Cloud
+      url: https://www.redcapcloud.com/
+
+    - name: TrustMedis
+      url: https://trustmedis.com/
+      contributors: ["@famasya"]
+
+    - name: WeSure
+      url: https://www.wesure.cn/
+
+    - name: 2070Health
+      url: https://2070health.com/
+
+  HR / Staffing:
+    - name: Swile
+      url: https://www.swile.co/
+      contributors: ["@PaoloTerzi"]
+
+    - name: Symmetrics
+      url: https://www.symmetrics.fyi
+
+    - name: bluquist
+      url: https://bluquist.com/
+
+  Government:
+    - name: City of Ann Arbor, MI
+      url: https://www.a2gov.org/
+      contributors: ["@sfirke"]
+
+    - name: RIS3 Strategy of CZ, MIT CR
+      url: https://www.ris3.cz/
+      contributors: ["@RIS3CZ"]
+
+    - name: NRLM - Sarathi, India
+      url: https://pib.gov.in/PressReleasePage.aspx?PRID=1999586
+
+  Mobile Software:
+    - name: VLMedia
+      url: https://www.vlmedia.com.tr
+      logo: vlmedia.svg
+      contributors: ["@iercan"]
+
+  Travel:
+    - name: Agoda
+      url: https://www.agoda.com/
+      contributors: ["@lostseaway", "@maiake", "@obombayo"]
+
+    - name: HomeToGo
+      url: https://hometogo.com/
+      contributors: ["@pedromartinsteenstrup"]
+
+    - name: Skyscanner
+      url: https://www.skyscanner.net/
+      contributors: ["@cleslie", "@stanhoucke"]
+
+  Logistics:
+    - name: Stockarea
+      url: https://stockarea.io
+
+    - name: VTG
+      url: https://www.vtg.de
+
+  Sports:
+    - name: Club 25 de Agosto (Femenino / Women's Team)
+      url: https://www.instagram.com/25deagosto.basketfemenino/
+      contributors: [ "@lion90" ]
+      logo: club25deagosto.svg
+
+    - name: Fanatics
+      url: https://www.fanatics.com/
+      contributors: [ "@coderfender" ]
+
+    - name: komoot
+      url: https://www.komoot.com/
+      contributors: [ "@christophlingg" ]
+
+  Others:
+    - name: 10Web
+      url: https://10web.io/
+
+    - name: AI inside
+      url: https://inside.ai/en/
+
+    - name: Automattic
+      url: https://automattic.com/
+      contributors: ["@Khrol", "@Usiel"]
+
+    - name: Dropbox
+      url: https://www.dropbox.com/
+      contributors: ["@bkyryliuk"]
+
+    - name: Flowbird
+      url: https://flowbird.com
+      contributors: ["@EmmanuelCbd"]
+
+    - name: GEOTAB
+      url: https://www.geotab.com
+      contributors: ["@JZ6"]
+
+    - name: Grassroot
+      url: https://www.grassrootinstitute.org/
+
+    - name: HOLLYLAND猛玛
+      url: https://www.hollyland.com
+      logo: hollyland猛玛.svg
+      contributors: ["@hlyda0601"]
+
+    - name: Increff
+      url: https://www.increff.com/
+      contributors: ["@ishansinghania"]
+
+    - name: Let's Roam
+      url: https://www.letsroam.com/
+
+    - name: Machrent SA
+      url: https://www.machrent.com/
+
+    - name: Onebeat
+      url: https://1beat.com/
+      contributors: ["@GuyAttia"]
+
+    - name: X
+      url: https://x.com/
+
+    - name: Yahoo!
+      url: https://yahoo.com/
--- a/RESOURCES/STANDARD_ROLES.md
+++ b/RESOURCES/STANDARD_ROLES.md
@@ -17,192 +17,193 @@ specific language governing permissions and limitations
 under the License.
 -->

-|                                                  |Admin|Alpha|Gamma|SQL_LAB|
-|--------------------------------------------------|---|---|---|---|
-| Permission/role description                      |Admins have all possible rights, including granting or revoking rights from other users and altering other people’s slices and dashboards.|Alpha users have access to all data sources, but they cannot grant or revoke access from other users. They are also limited to altering the objects that they own. Alpha users can add and alter data sources.|Gamma users have limited access. They can only consume data coming from data sources they have been given access to through another complementary role. They only have access to view the slices and dashboards made from data sources that they have access to. Currently Gamma users are not able to alter or add data sources. We assume that they are mostly content consumers, though they can create slices and dashboards.|The sql_lab role grants access to SQL Lab. Note that while Admin users have access to all databases by default, both Alpha and Gamma users need to be given access on a per database basis.||
-| can read on SavedQuery                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can write on SavedQuery                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can read on CssTemplate                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on CssTemplate                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on ReportSchedule                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on ReportSchedule                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on Chart                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on Chart                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on Annotation                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on Annotation                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on Dataset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on Dataset                             |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on Log                                  |:heavy_check_mark:|O|O|O|
-| can write on Log                                 |:heavy_check_mark:|O|O|O|
-| can read on Dashboard                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on Dashboard                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on Database                             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can write on Database                            |:heavy_check_mark:|O|O|O|
-| can read on Query                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can this form get on ResetPasswordView           |:heavy_check_mark:|O|O|O|
-| can this form post on ResetPasswordView          |:heavy_check_mark:|O|O|O|
-| can this form get on ResetMyPasswordView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can this form post on ResetMyPasswordView        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can this form get on UserInfoEditView            |:heavy_check_mark:|O|O|O|
-| can this form post on UserInfoEditView           |:heavy_check_mark:|O|O|O|
-| can show on UserDBModelView                      |:heavy_check_mark:|O|O|O|
-| can edit on UserDBModelView                      |:heavy_check_mark:|O|O|O|
-| can delete on UserDBModelView                    |:heavy_check_mark:|O|O|O|
-| can add on UserDBModelView                       |:heavy_check_mark:|O|O|O|
-| can list on UserDBModelView                      |:heavy_check_mark:|O|O|O|
-| can userinfo on UserDBModelView                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| resetmypassword on UserDBModelView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| resetpasswords on UserDBModelView                |:heavy_check_mark:|O|O|O|
-| userinfoedit on UserDBModelView                  |:heavy_check_mark:|O|O|O|
-| can show on RoleModelView                        |:heavy_check_mark:|O|O|O|
-| can edit on RoleModelView                        |:heavy_check_mark:|O|O|O|
-| can delete on RoleModelView                      |:heavy_check_mark:|O|O|O|
-| can add on RoleModelView                         |:heavy_check_mark:|O|O|O|
-| can list on RoleModelView                        |:heavy_check_mark:|O|O|O|
-| copyrole on RoleModelView                        |:heavy_check_mark:|O|O|O|
-| can get on OpenApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on SwaggerView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can get on MenuApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can list on AsyncEventsRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can invalidate on CacheRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can csv upload on Database                       |:heavy_check_mark:|O|O|O|
-| can excel upload on Database                     |:heavy_check_mark:|O|O|O|
-| can query form data on Api                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can query on Api                                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can time range on Api                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can external metadata on Datasource              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can save on Datasource                           |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get on Datasource                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can my queries on SqlLab                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can log on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can import dashboards on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can schemas on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can sqllab history on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can publish on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can csv on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can slice on Superset                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can sync druid source on Superset                |:heavy_check_mark:|O|O|O|
-| can explore on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can approve on Superset                          |:heavy_check_mark:|O|O|O|
-| can explore json on Superset                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can fetch datasource metadata on Superset        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can csrf token on Superset                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can sqllab on Superset                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can select star on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can warm up cache on Superset                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can sqllab table viz on Superset                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can available domains on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can request access on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can dashboard on Superset                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can post on TableSchemaView                      |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| can expanded on TableSchemaView                  |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| can delete on TableSchemaView                    |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| can get on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can post on TabStateView                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can delete query on TabStateView                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can migrate query on TabStateView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can activate on TabStateView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can delete on TabStateView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can put on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can read on SecurityRestApi                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| menu access on Security                          |:heavy_check_mark:|O|O|O|
-| menu access on List Users                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on List Roles                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Action Log                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Manage                            |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Annotation Layers                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on CSS Templates                     |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| menu access on Import Dashboards                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Data                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Databases                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Datasets                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Charts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Dashboards                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on SQL Lab                           |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| menu access on SQL Editor                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| menu access on Saved Queries                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| menu access on Query Search                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| all datasource access on all_datasource_access   |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| all database access on all_database_access       |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| all query access on all_query_access             |:heavy_check_mark:|O|O|O|
-| can write on DynamicPlugin                       |:heavy_check_mark:|O|O|O|
-| can edit on DynamicPlugin                        |:heavy_check_mark:|O|O|O|
-| can list on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can download on DynamicPlugin                    |:heavy_check_mark:|O|O|O|
-| can add on DynamicPlugin                         |:heavy_check_mark:|O|O|O|
-| can delete on DynamicPlugin                      |:heavy_check_mark:|O|O|O|
-| can external metadata by name on Datasource      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can get value on KV                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can store on KV                                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can tagged objects on TagView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can suggestions on TagView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can get on TagView                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can post on TagView                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can delete on TagView                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can edit on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can list on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can add on DashboardEmailScheduleView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can delete on DashboardEmailScheduleView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| muldelete on DashboardEmailScheduleView          |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can edit on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can list on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can add on SliceEmailScheduleView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can delete on SliceEmailScheduleView             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| muldelete on SliceEmailScheduleView              |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can edit on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can list on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can add on AlertModelView                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can delete on AlertModelView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can list on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can list on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can show on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Row Level Security                |:heavy_check_mark:|O|O|O|
-| menu access on Access requests                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Home                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Plugins                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Dashboard Email Schedules         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Chart Emails                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Alerts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Alerts & Report                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| menu access on Scan New Datasources              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can share dashboard on Superset                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can share chart on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can this form get on ColumnarToDatabaseView      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can this form post on ColumnarToDatabaseView     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can export on Chart                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on DashboardFilterStateRestApi         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on DashboardFilterStateRestApi          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on DashboardPermalinkRestApi           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on DashboardPermalinkRestApi            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can delete embedded on Dashboard                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can set embedded on Dashboard                    |:heavy_check_mark:|O|O|O|
-| can export on Dashboard                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can get embedded on Dashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can export on Database                           |:heavy_check_mark:|O|O|O|
-| can export on Dataset                            |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can write on ExploreFormDataRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on ExploreFormDataRestApi               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can write on ExplorePermalinkRestApi             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on ExplorePermalinkRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can export on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can import on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can export on SavedQuery                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|
-| can dashboard permalink on Superset              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can grant guest token on SecurityRestApi         |:heavy_check_mark:|O|O|O|
-| can read on AdvancedDataType                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can read on EmbeddedDashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can duplicate on Dataset                         |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on Explore                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can samples on Datasource                        |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can read on AvailableDomains                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
-| can get or create dataset on Dataset             |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can get column values on Datasource              |:heavy_check_mark:|:heavy_check_mark:|O|O|
-| can export csv on SQLLab                         |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| can get results on SQLLab                        |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| can execute sql query on SQLLab                  |:heavy_check_mark:|O|O|:heavy_check_mark:|
-| can recent activity on Log                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+|                                                  |Admin|Alpha|Gamma|Public|SQL_LAB|
+|--------------------------------------------------|---|---|---|---|---|
+| Permission/role description                      |Admins have all possible rights, including granting or revoking rights from other users and altering other people's slices and dashboards.|Alpha users have access to all data sources, but they cannot grant or revoke access from other users. They are also limited to altering the objects that they own. Alpha users can add and alter data sources.|Gamma users have limited access. They can only consume data coming from data sources they have been given access to through another complementary role. They only have access to view the slices and dashboards made from data sources that they have access to. Currently Gamma users are not able to alter or add data sources. We assume that they are mostly content consumers, though they can create slices and dashboards.|Public is the most restrictive built-in role, designed for anonymous/unauthenticated users viewing public dashboards. It provides minimal read-only access for dashboard viewing with interactive filters. Use `PUBLIC_ROLE_LIKE = "Public"` to apply these permissions to anonymous users.|The sql_lab role grants access to SQL Lab. Note that while Admin users have access to all databases by default, both Alpha and Gamma users need to be given access on a per database basis.||
+| can read on SavedQuery                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can write on SavedQuery                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can read on CssTemplate                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on CssTemplate                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on ReportSchedule                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can write on ReportSchedule                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on Chart                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on Chart                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on Annotation                           |:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|O|
+| can write on Annotation                          |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can read on AnnotationLayerRestApi               |:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|O|
+| can read on Dataset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can write on Dataset                             |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can read on Log                                  |:heavy_check_mark:|O|O|O|O|
+| can write on Log                                 |:heavy_check_mark:|O|O|O|O|
+| can read on Dashboard                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on Dashboard                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on Database                             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can write on Database                            |:heavy_check_mark:|O|O|O|O|
+| can read on Query                                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can this form get on ResetPasswordView           |:heavy_check_mark:|O|O|O|O|
+| can this form post on ResetPasswordView          |:heavy_check_mark:|O|O|O|O|
+| can this form get on ResetMyPasswordView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can this form post on ResetMyPasswordView        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can this form get on UserInfoEditView            |:heavy_check_mark:|O|O|O|O|
+| can this form post on UserInfoEditView           |:heavy_check_mark:|O|O|O|O|
+| can show on UserDBModelView                      |:heavy_check_mark:|O|O|O|O|
+| can edit on UserDBModelView                      |:heavy_check_mark:|O|O|O|O|
+| can delete on UserDBModelView                    |:heavy_check_mark:|O|O|O|O|
+| can add on UserDBModelView                       |:heavy_check_mark:|O|O|O|O|
+| can list on UserDBModelView                      |:heavy_check_mark:|O|O|O|O|
+| can userinfo on UserDBModelView                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| resetmypassword on UserDBModelView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| resetpasswords on UserDBModelView                |:heavy_check_mark:|O|O|O|O|
+| userinfoedit on UserDBModelView                  |:heavy_check_mark:|O|O|O|O|
+| can show on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
+| can edit on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
+| can delete on RoleModelView                      |:heavy_check_mark:|O|O|O|O|
+| can add on RoleModelView                         |:heavy_check_mark:|O|O|O|O|
+| can list on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
+| copyrole on RoleModelView                        |:heavy_check_mark:|O|O|O|O|
+| can get on OpenApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on SwaggerView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get on MenuApi                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can list on AsyncEventsRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can invalidate on CacheRestApi                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can csv upload on Database                       |:heavy_check_mark:|O|O|O|O|
+| can excel upload on Database                     |:heavy_check_mark:|O|O|O|O|
+| can query form data on Api                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can query on Api                                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can time range on Api                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can external metadata on Datasource              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can save on Datasource                           |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can get on Datasource                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can my queries on SqlLab                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can log on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can import dashboards on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can schemas on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can sqllab history on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can publish on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can csv on Superset                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can slice on Superset                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can sync druid source on Superset                |:heavy_check_mark:|O|O|O|O|
+| can explore on Superset                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can approve on Superset                          |:heavy_check_mark:|O|O|O|O|
+| can explore json on Superset                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can fetch datasource metadata on Superset        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can csrf token on Superset                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can sqllab on Superset                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can select star on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can warm up cache on Superset                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can sqllab table viz on Superset                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can available domains on Superset                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can request access on Superset                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can dashboard on Superset                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can post on TableSchemaView                      |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| can expanded on TableSchemaView                  |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| can delete on TableSchemaView                    |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| can get on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can post on TabStateView                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can delete query on TabStateView                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can migrate query on TabStateView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can activate on TabStateView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can delete on TabStateView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can put on TabStateView                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can read on SecurityRestApi                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| menu access on Security                          |:heavy_check_mark:|O|O|O|O|
+| menu access on List Users                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on List Roles                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Action Log                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Manage                            |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| menu access on Annotation Layers                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on CSS Templates                     |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| menu access on Import Dashboards                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Data                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Databases                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Datasets                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Charts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Dashboards                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on SQL Lab                           |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| menu access on SQL Editor                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| menu access on Saved Queries                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| menu access on Query Search                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| all datasource access on all_datasource_access   |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| all database access on all_database_access       |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| all query access on all_query_access             |:heavy_check_mark:|O|O|O|O|
+| can write on DynamicPlugin                       |:heavy_check_mark:|O|O|O|O|
+| can edit on DynamicPlugin                        |:heavy_check_mark:|O|O|O|O|
+| can list on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on DynamicPlugin                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can download on DynamicPlugin                    |:heavy_check_mark:|O|O|O|O|
+| can add on DynamicPlugin                         |:heavy_check_mark:|O|O|O|O|
+| can delete on DynamicPlugin                      |:heavy_check_mark:|O|O|O|O|
+| can external metadata by name on Datasource      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get value on KV                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can store on KV                                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can tagged objects on TagView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can suggestions on TagView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get on TagView                               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can post on TagView                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can delete on TagView                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can edit on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can list on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on DashboardEmailScheduleView           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can add on DashboardEmailScheduleView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can delete on DashboardEmailScheduleView         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| muldelete on DashboardEmailScheduleView          |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can edit on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can list on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on SliceEmailScheduleView               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can add on SliceEmailScheduleView                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can delete on SliceEmailScheduleView             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| muldelete on SliceEmailScheduleView              |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can edit on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can list on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on AlertModelView                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can add on AlertModelView                        |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can delete on AlertModelView                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can list on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on AlertLogModelView                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can list on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can show on AlertObservationModelView            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Row Level Security                |:heavy_check_mark:|O|O|O|O|
+| menu access on Access requests                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Home                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Plugins                           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Dashboard Email Schedules         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Chart Emails                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Alerts                            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Alerts & Report                   |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| menu access on Scan New Datasources              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can share dashboard on Superset                  |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can share chart on Superset                      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can this form get on ColumnarToDatabaseView      |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can this form post on ColumnarToDatabaseView     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can export on Chart                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can write on DashboardFilterStateRestApi         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can read on DashboardFilterStateRestApi          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can write on DashboardPermalinkRestApi           |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on DashboardPermalinkRestApi            |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can delete embedded on Dashboard                 |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can set embedded on Dashboard                    |:heavy_check_mark:|O|O|O|O|
+| can export on Dashboard                          |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get embedded on Dashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can export on Database                           |:heavy_check_mark:|O|O|O|O|
+| can export on Dataset                            |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can write on ExploreFormDataRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on ExploreFormDataRestApi               |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can write on ExplorePermalinkRestApi             |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on ExplorePermalinkRestApi              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can export on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can import on ImportExportRestApi                |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can export on SavedQuery                         |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|:heavy_check_mark:|
+| can dashboard permalink on Superset              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can grant guest token on SecurityRestApi         |:heavy_check_mark:|O|O|O|O|
+| can read on AdvancedDataType                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can read on EmbeddedDashboard                    |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|
+| can duplicate on Dataset                         |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can read on Explore                              |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can samples on Datasource                        |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can read on AvailableDomains                     |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
+| can get or create dataset on Dataset             |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can get column values on Datasource              |:heavy_check_mark:|:heavy_check_mark:|O|O|O|
+| can export csv on SQLLab                         |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| can get results on SQLLab                        |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| can execute sql query on SQLLab                  |:heavy_check_mark:|O|O|O|:heavy_check_mark:|
+| can recent activity on Log                       |:heavy_check_mark:|:heavy_check_mark:|:heavy_check_mark:|O|O|
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,145 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org) and follows the
+ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+## Reporting Vulnerabilities
+
+**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**
+
+
+Apache Software Foundation takes a rigorous standpoint in resolving the security issues
+in its software projects. Apache Superset is highly sensitive and forthcoming to issues
+pertaining to its features and functionality.
+If you have any concern or believe you have found a vulnerability in Apache Superset,
+please get in touch with the Apache Superset Security Team privately at
+e-mail address [security@superset.apache.org](mailto:security@superset.apache.org).
+
+More details can be found on the ASF website at
+[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
+
+**Submission Standards & AI Policy**
+
+To ensure engineering focus remains on verified risks and to manage high reporting volumes, all reports must meet the following criteria:
+- Plain Text Format: In accordance with Apache guidelines, please provide all details in plain text within the email body. Avoid sending PDFs, Word documents, or password-protected archives.
+- Mandatory AI Disclosure: If you utilized Large Language Models (LLMs) or AI tools to identify a flaw or assist in writing a report, you must disclose this in your submission so our triage team can contextualize the findings.
+- Human-Verified PoC: All submissions must include a manual, step-by-step Proof of Concept (PoC) performed on a supported release. Raw AI outputs, hypothetical chat transcripts, or unverified scanner logs will be closed as Invalid.
+
+We kindly ask you to include the following information in your report to assist our developers in triaging and remediating issues efficiently:
+- Version/Commit: The specific version of Apache Superset or the Git commit hash you are using.
+- Configuration: A sanitized copy of your `superset_config.py` file or any config overrides.
+- Environment: Your deployment method (e.g., Docker Compose, Helm, or source) and relevant OS/Browser details.
+- Impacted Component: Identification of the affected area (e.g., Python backend, React frontend, or a specific database connector).
+- Expected vs. Actual Behavior: A clear description of the intended system behavior versus the observed vulnerability.
+- Detailed Reproduction Steps: Clear, manual steps to reproduce the vulnerability.
+
+## Security Model
+
+This section defines what Apache Superset considers a security issue and what it does not. It is the canonical reference for reporters, the Apache Superset Security Team, and any automated tool (LLM-based scanner, static analyzer, dependency tool) that needs to constrain its hypotheses to behaviors that genuinely violate the project's security policy.
+
+The model is intentionally written in terms of principals, trust boundaries, and capability surface rather than in terms of specific files, functions, or libraries. New code paths inherit the model automatically.
+
+### Trust Boundaries
+
+Apache Superset's threat model assumes three trust boundaries.
+
+1. *The Admin role* is a fully trusted operational principal. Anything an Admin can do through the documented user interface, REST API, or configuration system is an intended capability, not a vulnerability, even if individually powerful or destructive. The Admin role is, by policy, equivalent to operating-system-level trust over the Apache Superset application. This is unavoidable rather than aspirational: an Admin can, for example, register new database connections of arbitrary type, execute arbitrary SQL through SQL Lab, render Jinja templates that resolve to SQL or rendered HTML, and override application configuration. Granting Admin is functionally equivalent to granting shell access on the host, which is the reasoning behind treating it as a trust boundary in the sense of MITRE CNA Operational Rules 4.1.
+
+2. *The operator* is whoever deploys, configures, and runs Apache Superset. Behaviors that depend on deployment-time decisions are the operator's responsibility, not Apache Superset's. This includes the values of secrets, the network reachability of the application and its data sources, the choice of database connectors and cache backends, the selection of feature flags, the destinations of notifications, and the trust placed in third-party plugins. Defaults that fail closed are the responsibility of the Apache Superset codebase. Defaults that fail open must be accompanied by a documented hardening requirement; applying that hardening is the operator's responsibility, while shipping an undocumented or unflagged fail-open default is a codebase issue.
+
+3. *The Apache Superset codebase* is responsible for enforcing the role and capability matrix below across its product surface. A failure to enforce, anywhere in that surface, is in scope. The codebase's commitments are limited to the role and capability matrix and to controls Apache Superset's own documentation (this file and the linked Security documentation) explicitly positions as security boundaries; configurable hardening that operators can layer on top is treated separately under *Vulnerability Scope* below.
+
+### Roles and Capabilities
+
+Apache Superset ships with the following first-class principals. Detailed permission definitions live in the [Security documentation](https://superset.apache.org/docs/security).
+
+| Principal | Read data | Write objects | Execute SQL | Manage databases | Manage users, roles, RLS |
+|---|---|---|---|---|---|
+| Public (anonymous) | none by default | no | no | no | no |
+| Gamma | only granted datasets | own charts and dashboards on granted datasets | no by default (requires the `sql_lab` role) | no | no |
+| Alpha | all data sources | own charts, dashboards, and datasets | no by default (requires the `sql_lab` role) | data upload to existing databases only | no |
+| Admin | all | all | yes | yes | yes |
+| Embedded guest token | data sources reachable through the embedded dashboards the token authorizes | no | no | no | no |
+
+The `sql_lab` role is *additive*: it grants the SQL Lab permission set on top of the base role above, and is the only path by which Gamma or Alpha gain SQL execution capability. Database access is still scoped per the base role's grants. Admin includes SQL Lab access by default.
+
+Deployments may grant or revoke individual view-menu permissions, which shifts the boundary for that deployment but does not redefine the model. Any custom role created by an operator inherits the same principle: its capabilities are whatever the operator has explicitly granted it. The Public principal follows the same rule: operators may grant the Public role read access to specific datasets or dashboards (typically for anonymous reporting use cases), which shifts the boundary for that deployment without redefining the model.
+
+### Vulnerability Scope
+
+The test for whether a finding is in scope is a single question:
+
+> *Does this finding let a principal perform an action the role and capability matrix above does not entitle them to?*
+
+If yes, it is in scope. If no, it is out of scope. The lists below apply that test to the classes Apache Superset most commonly receives reports about; they are illustrative, not exhaustive.
+
+*In Scope*
+
+- A user, embedded guest, or anonymous visitor reads, modifies, or deletes data outside their granted set. Includes object-level access bypass on charts, dashboards, datasets, saved queries, tags, annotations, and similar per-object endpoints, and row-level-security rule bypass.
+- A user supplies input that the codebase should sanitize or parameterize but does not, causing arbitrary SQL, template code, or scripts to execute. Includes injection through Jinja templates, SQL-construction paths, and any field the codebase passes to a query engine or template engine.
+- A user bypasses authentication, fixates or reuses another user's session, or reaches an authenticated endpoint without logging in.
+- An embedded guest token authorizes actions outside the dashboard it was issued for, or can be forged, replayed, or escalated to a higher principal.
+- Apache Superset, acting on behalf of an unprivileged user, fetches an outbound URL the user controls in a feature where Apache Superset itself, not the operator, controls the outbound destination set (server-side request forgery).
+- An Apache Superset default fails open without an accompanying documented hardening requirement. The codebase is responsible for shipping fail-closed defaults or for documenting the hardening required when a default fails open; failures of that responsibility are in scope (see *Trust Boundaries*).
+- A user bypasses a control Apache Superset documents specifically as a security boundary. This includes row-level security, the access checks tied to the role and capability matrix above, and any feature whose documentation positions it as security-relevant. The codebase commits to enforcing those controls; bypasses are in scope regardless of which principal triggers them.
+- A user causes a script to execute in another user's browser through a field the codebase renders to that other user (cross-site scripting), or causes cross-origin leakage of authenticated session state or data.
+- A user reaches a route, page, or API endpoint that requires a role they do not have.
+
+*Out of Scope*
+
+- Any action an Admin role can perform through documented configuration, API, or UI. The Admin role is a trusted operational principal by policy. Per MITRE CNA Operational Rules 4.1, a qualifying vulnerability must violate a security policy; behavior within a documented trust boundary does not.
+- Deployment or operator decisions: the values of secrets and tokens, whether internal networks are reachable from the server, which database connectors or cache backends are enabled, which feature flags are set, where notifications are delivered, and which third-party plugins are loaded.
+- Compromise, modification, or malicious control of trusted backend infrastructure. Apache Superset assumes the integrity of its metastore, cache backends (for example Redis or Memcached), message brokers, secret stores, and other operator-managed infrastructure. Findings that require an attacker to read from, write to, or otherwise tamper with these systems, including injecting malicious state, serialized objects, cache entries, task metadata, configuration, or database records, are post-compromise scenarios and do not constitute vulnerabilities in Apache Superset itself. A finding remains in scope only if an unprivileged user can cause such modification through a vulnerability in Apache Superset.
+- The continued presence of expired key-value or metastore-cache entries that have not yet been deleted from the metadata database. Such entries are excluded from reads once expired, are purged opportunistically on write, and are removed in bulk by the scheduled `prune_key_value` maintenance task; their lingering until purged is an eventual-cleanup property, not a security boundary, and does not constitute a vulnerability.
+- How a downstream application (spreadsheet program, email client, browser handling user-downloaded files) interprets output Apache Superset produced for it.
+- Findings without a reproducible proof of concept against a supported release. The burden of demonstrating exploitability rests with the reporter; findings closed for lack of a proof of concept may be refiled if one is later produced.
+- Brute force, rate limiting, denial of service, or resource exhaustion that does not bypass a documented control.
+- Missing security headers, banner or version disclosure, user or object enumeration through error messages or timing, and similar low-impact information disclosure that does not enable a further concrete exploit.
+- Bypasses of configurable defense-in-depth hardening that Apache Superset does not document as a security boundary. Apache Superset is not a SQL or database firewall: operator-deployable filters such as SQL function or table denylists, URI restrictions on already-authorized database connectors, and similar belt-and-braces controls are provided to let operators layer hardening on top of the role and capability matrix, not as firewall-grade guarantees the codebase commits to. Findings against such hardening are improvements, not vulnerabilities, unless the documentation positions the specific control as security-relevant.
+- Hardening suggestions that improve defense in depth but do not violate the security model.
+
+Findings in third-party dependencies fall into two cases. A finding in a transitive dependency, or in an operator-selected dependency that Apache Superset does not ship, is out of scope and should be reported to the dependency's maintainers. A finding caused by Apache Superset pinning a known-vulnerable version of a direct dependency it ships, or using a dependency in a way that creates a vulnerability the dependency itself does not have, remains in scope. Dependency findings in the official Apache Superset Docker image that fall into the first case can be remediated by extending the image at release time.
+
+When uncertain whether a finding falls in scope, please file it through the reporting process above. The triage team will classify it and explain the reasoning if it is closed as out of scope.
+
+**Outcome of Reports**
+
+Reports that are deemed out of scope for a CVE but represent valid security best practices or hardening opportunities are typically converted into public GitHub issues, where the community can contribute fixes alongside the maintainers. The triage decision and reasoning are communicated back to the reporter in either case.
+
+**Vulnerability Aggregation & CVE Attribution**
+
+In accordance with MITRE CNA Operational Rules (4.1.10, 4.1.11, and 4.2.13), Apache Superset issues CVEs based on the underlying architectural root cause rather than the number of affected endpoints or exploit payloads.
+- Aggregation: If multiple exploit vectors stem from the same programmatic failure or shared vulnerable code, they must be aggregated into a single, comprehensive report.
+- Independent Fixes: Separate CVEs will only be assigned if the vulnerabilities reside in decoupled architectural modules and can be fixed independently of one another.
+Reports that fail to aggregate related findings will be merged during triage to ensure an accurate and defensible CVE record.
+
+**Your responsible disclosure and collaboration are invaluable.**
+
+## Extra Information
+
+ - [Apache Superset documentation](https://superset.apache.org/docs/security)
+ - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
+ - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
+
+**For LLM agents and automated scanners**
+
+This file is the canonical source of truth for what Apache Superset considers a security vulnerability. Automated tooling (LLM-based code scanners, static analyzers, dependency tools) should treat the Security Model section as authoritative when classifying findings. The repository's [AGENTS.md](AGENTS.md) file contains a short pointer to this document for agents that read AGENTS.md as their entry point.
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -24,6 +24,186 @@ assists people when migrating to a new version.

 ## Next

+### Duration formatter precision
+
+The `DURATION` number formatter now uses `Intl.DurationFormat` for locale-aware output. By default, sub-second fields are omitted, so values that previously displayed fractional seconds with `pretty-ms`, such as `10500` milliseconds rendering as `10.5s`, now render as `10s`.
+
+To preserve sub-second precision in custom duration formatters, enable `formatSubMilliseconds`.
+
+### Cache warmup authenticates via SUPERSET_CACHE_WARMUP_USER
+
+The `cache-warmup` Celery task now drives a real WebDriver session for reliable authentication and reads the user to authenticate as from the new `SUPERSET_CACHE_WARMUP_USER` config option. It no longer consults `CACHE_WARMUP_EXECUTORS` for the warmup path. `SUPERSET_CACHE_WARMUP_USER` defaults to `None`, so the task fails fast with a clear message until you set it. Operators who previously relied on `CACHE_WARMUP_EXECUTORS` for cache warmup must set `SUPERSET_CACHE_WARMUP_USER` to a dedicated least-privilege user with access to the dashboards they want warmed up before the next warmup run.
+
+### YDB now uses a native sqlglot dialect
+
+YDB SQL parsing now relies on the dedicated [`ydb-sqlglot-plugin`](https://pypi.org/project/ydb-sqlglot-plugin/) dialect, which registers itself with sqlglot automatically. YDB users must install this plugin (e.g., via `pip install "apache-superset[ydb]"`) to avoid a `ValueError` when Superset parses YDB queries.
+
+### Embedded dashboards enforce configured Allowed Domains for postMessage
+
+The embedded dashboard page now validates the origin of incoming `postMessage` events against the dashboard's configured **Allowed Domains**. The server-rendered embedded page exposes the configured domains in its bootstrap payload, and the frontend rejects message events whose origin is not in that list.
+
+Enforcement only applies when the Allowed Domains list is non-empty. If the list is empty (the default), any origin is accepted, so there is no behavior change for embeds that did not configure Allowed Domains.
+
+### Dataset import validates catalog against the target connection
+
+Importing a dataset now validates the `catalog` field against the target database connection. When the connection has multi-catalog disabled (`allow_multi_catalog` off) and the dataset's catalog is not the connection's default catalog, the import fails instead of silently persisting the non-default catalog. This matches the validation already enforced on the dataset update path and prevents imported datasets from querying an unintended database.
+
+If you relied on importing datasets with a non-default catalog, enable "Allow changing catalogs" on the target connection, or set the dataset's catalog to the connection's default before importing.
+
+### Extension supply-chain controls (denylist + version policy)
+
+Two opt-in static gates control which extensions are allowed to load:
+
+- `EXTENSION_DENYLIST` refuses extensions matching an id (every version) or `id@version` (a single version), e.g. `["compromised-extension", "other-ext@1.2.3"]`.
+- `EXTENSION_VERSION_POLICY` enforces a minimum version per extension id, e.g. `{"acme.widget": "1.2.0"}` (PEP 440 comparison); a release below the minimum is refused.
+
+Both default to empty (no behavior change). They apply to both the `LOCAL_EXTENSIONS` and `EXTENSIONS_PATH` load paths.
+
+### Dynamic Group By respects the sort toggle for display values
+
+The Dynamic Group By chart customization now orders its display values according to the "Sort display control values" toggle: ascending (A–Z), descending (Z–A), or the dataset's source order when the toggle is unset. Previously the dropdown always sorted alphabetically. Existing dashboards where the toggle was never set will show options in source order instead of A–Z; open the customization and enable the toggle to restore alphabetical ordering.
+
+### Granular Export Controls
+
+A new feature flag `GRANULAR_EXPORT_CONTROLS` introduces three fine-grained permissions that replace the legacy `can_csv` permission:
+
+| Permission | Controls |
+|---|---|
+| `can_export_data` | CSV, Excel, JSON exports |
+| `can_export_image` | Screenshot/PDF exports |
+| `can_copy_clipboard` | Copy-to-clipboard operations |
+
+When the feature flag is enabled, these permissions are enforced on both the frontend (disabled buttons with tooltips) and backend (403 responses from API endpoints). When disabled, legacy `can_csv` behavior is preserved.
+
+**Migration behavior:** All three new permissions are granted to every role that currently has `can_csv`, preserving existing access. Admins can then selectively revoke individual export permissions from specific roles as needed.
+
+### Deck.gl MapBox viewport and opacity controls are functional
+
+The Deck.gl MapBox chart's **Opacity**, **Default longitude**, **Default latitude**, and **Zoom** controls were previously non-functional — changing them had no effect on the rendered map. These controls are now wired up correctly.
+
+**Behavior change for existing charts:** Previously, the viewport controls had hard-coded default values (`-122.405293`, `37.772123`, zoom `11` — San Francisco) that were stored in each chart's `form_data` but never applied. The map always used `fitBounds` to center on the data. With this fix, those stored values are now respected, which means existing MapBox charts may open centered on the old default coordinates instead of fitting to data bounds.
+
+**To restore fit-to-data behavior:** Open the chart in Explore, clear the **Default longitude**, **Default latitude**, and **Zoom** fields in the Viewport section, and re-save the chart.
+
+### Combined datasource list endpoint
+
+Added a new combined datasource list endpoint at `GET /api/v1/datasource/` to serve datasets and semantic views in one response.
+
+- The endpoint is available to users with at least one of `can_read` on `Dataset` or `SemanticView`.
+- Semantic views are included only when the `SEMANTIC_LAYERS` feature flag is enabled.
+- The endpoint enforces strict `order_column` validation and returns `400` for invalid sort columns.
+### ClickHouse minimum driver version bump
+
+The minimum required version of `clickhouse-connect` has been raised to `>=0.13.0`. If you are using the ClickHouse connector, please upgrade your `clickhouse-connect` package. The `_mutate_label` workaround that appended hash suffixes to column aliases has also been removed, as it is no longer needed with modern versions of the driver.
+
+### MCP Tool Observability
+
+MCP (Model Context Protocol) tools now include enhanced observability instrumentation for monitoring and debugging:
+
+**Two-layer instrumentation:**
+1. **Middleware layer** (`LoggingMiddleware`): Automatically logs all MCP tool calls with `duration_ms` and `success` status in the audit log (Action Log UI, logs table)
+2. **Sub-operation tracking**: All 19 MCP tools include granular `event_logger.log_context()` blocks for tracking individual operations like validation, database writes, and query execution
+
+**Action naming convention:**
+- Tool-level logs: `mcp_tool_call` (via middleware)
+- Sub-operation logs: `mcp.{tool_name}.{operation}` (e.g., `mcp.generate_chart.validation`, `mcp.execute_sql.query_execution`)
+
+**Querying MCP logs:**
+```sql
+-- Top slowest MCP operations
+SELECT action, COUNT(*) as calls, AVG(duration_ms) as avg_ms
+FROM logs
+WHERE action LIKE 'mcp.%'
+GROUP BY action
+ORDER BY avg_ms DESC
+LIMIT 20;
+
+-- MCP tool success rate
+SELECT
+    json_extract(curated_payload, '$.tool') as tool,
+    COUNT(*) as total_calls,
+    SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) as successful,
+    ROUND(100.0 * SUM(CASE WHEN json_extract(curated_payload, '$.success') = 'true' THEN 1 ELSE 0 END) / COUNT(*), 2) as success_rate
+FROM logs
+WHERE action = 'mcp_tool_call'
+GROUP BY tool
+ORDER BY total_calls DESC;
+```
+
+**Security note:** Sensitive parameters (passwords, API keys, tokens) are automatically redacted in logs as `[REDACTED]`.
+
+### Distributed Coordination Backend
+
+A new `DISTRIBUTED_COORDINATION_CONFIG` configuration provides a unified Redis-based backend for real-time coordination features in Superset. This backend enables:
+
+- **Pub/sub messaging** for real-time event notifications between workers
+- **Atomic distributed locking** using Redis SET NX EX (more performant than database-backed locks)
+- **Event-based coordination** for background task management
+
+The distributed coordination is used by the Global Task Framework (GTF) for abort notifications and task completion signaling, and will eventually replace `GLOBAL_ASYNC_QUERIES_CACHE_BACKEND` as the standard signaling backend. Configuring this is recommended for Redis enabled production deployments.
+
+Example configuration in `superset_config.py`:
+```python
+DISTRIBUTED_COORDINATION_CONFIG = {
+    "CACHE_TYPE": "RedisCache",
+    "CACHE_KEY_PREFIX": "signal_",
+    "CACHE_REDIS_URL": "redis://localhost:6379/1",
+    "CACHE_DEFAULT_TIMEOUT": 300,
+}
+```
+
+See `superset/config.py` for complete configuration options.
+
+### WebSocket config for GAQ with Docker
+
+[35896](https://github.com/apache/superset/pull/35896) and [37624](https://github.com/apache/superset/pull/37624) updated documentation on how to run and configure Superset with Docker. Specifically for the WebSocket configuration, a new `docker/superset-websocket/config.example.json` was added to the repo, so that users could copy it to create a `docker/superset-websocket/config.json` file. The existing `docker/superset-websocket/config.json` was removed and git-ignored, so if you're using GAQ / WebSocket make sure to:
+- Stash/backup your existing `config.json` file, to re-apply it after (will get git-ignored going forward)
+- Update the `volumes` configuration for the `superset-websocket` service in your `docker-compose.override.yml` file, to include the `docker/superset-websocket/config.json` file. For example:
+``` yaml
+services:
+  superset-websocket:
+    volumes:
+      - ./superset-websocket:/home/superset-websocket
+      - /home/superset-websocket/node_modules
+      - /home/superset-websocket/dist
+      - ./docker/superset-websocket/config.json:/home/superset-websocket/config.json:ro
+```
+
+### Example Data Loading Improvements
+
+#### New Directory Structure
+Examples are now organized by name with data and configs co-located:
+```
+superset/examples/
+├── _shared/              # Shared database & metadata configs
+├── birth_names/          # Each example is self-contained
+│   ├── data.parquet     # Dataset (Parquet format)
+│   ├── dataset.yaml     # Dataset metadata
+│   ├── dashboard.yaml   # Dashboard config (optional)
+│   └── charts/          # Chart configs (optional)
+└── ...
+```
+
+#### Simplified Parquet-based Loading
+- Auto-discovery: create `superset/examples/my_dataset/data.parquet` to add a new example
+- Parquet is an Apache project format: compressed (~27% smaller), self-describing schema
+- YAML configs define datasets, charts, and dashboards declaratively
+- Removed Python-based data generation from individual example files
+
+#### Test Data Reorganization
+- Moved `big_data.py` to `superset/cli/test_loaders.py` - better reflects its purpose as a test utility
+- Fixed inverted logic for `--load-test-data` flag (now correctly includes .test.yaml files when flag is set)
+- Clarified CLI flags:
+  - `--force` / `-f`: Force reload even if tables exist
+  - `--only-metadata` / `-m`: Create table metadata without loading data
+  - `--load-test-data` / `-t`: Include test dashboards and .test.yaml configs
+  - `--load-big-data` / `-b`: Generate synthetic stress-test data
+
+#### Bug Fixes
+- Fixed numpy array serialization for PostgreSQL (converts complex types to JSON strings)
+- Fixed KeyError for `allow_csv_upload` field in database configs (now optional with default)
+- Fixed test data loading logic that was incorrectly filtering files
+
 ### MCP Service

 The MCP (Model Context Protocol) service enables AI assistants and automation tools to interact programmatically with Superset.
@@ -124,8 +304,53 @@ See `superset/mcp_service/PRODUCTION.md` for deployment guides.

 ---

- [33055](https://github.com/apache/superset/pull/33055): Upgrades Flask-AppBuilder to 5.0.0. The AUTH_OID authentication type has been deprecated and is no longer available as an option in Flask-AppBuilder. OpenID (OID) is considered a deprecated authentication protocol - if you are using AUTH_OID, you will need to migrate to an alternative authentication method such as OAuth, LDAP, or database authentication before upgrading.
+- [35621](https://github.com/apache/superset/pull/35621): The default hash algorithm has changed from MD5 to SHA-256 for improved security and FedRAMP compliance. This affects cache keys for thumbnails, dashboard digests, chart digests, and filter option names. Existing cached data will be invalidated upon upgrade. To opt out of this change and maintain backward compatibility, set `HASH_ALGORITHM = "md5"` in your `superset_config.py`.
 - [35062](https://github.com/apache/superset/pull/35062): Changed the function signature of `setupExtensions` to `setupCodeOverrides` with options as arguments.
+
+### Breaking Changes
+- [37370](https://github.com/apache/superset/pull/37370): The `APP_NAME` configuration variable no longer controls the browser window/tab title or other frontend branding. Application names should now be configured using the theme system with the `brandAppName` token. The `APP_NAME` config is still used for backend contexts (MCP service, logs, etc.) and serves as a fallback if `brandAppName` is not set.
+  - **Migration:**
+  ```python
+  # Before (Superset 5.x)
+  APP_NAME = "My Custom App"
+
+  # After (Superset 6.x) - Option 1: Use theme system (recommended)
+  THEME_DEFAULT = {
+    "token": {
+      "brandAppName": "My Custom App",  # Window titles
+      "brandLogoAlt": "My Custom App",  # Logo alt text
+      "brandLogoUrl": "/static/assets/images/custom_logo.png"
+    }
+  }
+
+  # After (Superset 6.x) - Option 2: Temporary fallback
+  # Keep APP_NAME for now (will be used as fallback for brandAppName)
+  APP_NAME = "My Custom App"
+  # But you should migrate to THEME_DEFAULT.token.brandAppName
+  ```
+  - **Note:** For dark mode, set the same tokens in `THEME_DARK` configuration.
+
+- [36317](https://github.com/apache/superset/pull/36317): The `CUSTOM_FONT_URLS` configuration option has been removed. Use the new per-theme `fontUrls` token in `THEME_DEFAULT` or database-managed themes instead.
+  - **Before:**
+  ```python
+  CUSTOM_FONT_URLS = [
+    "https://fonts.example.com/myfont.css",
+  ]
+  ```
+  - **After:**
+  ```python
+  THEME_DEFAULT = {
+    "token": {
+      "fontUrls": [
+        "https://fonts.example.com/myfont.css",
+        ],
+        # ... other tokens
+    }
+  }
+  ```
+
+## 6.0.0
+- [33055](https://github.com/apache/superset/pull/33055): Upgrades Flask-AppBuilder to 5.0.0. The AUTH_OID authentication type has been deprecated and is no longer available as an option in Flask-AppBuilder. OpenID (OID) is considered a deprecated authentication protocol - if you are using AUTH_OID, you will need to migrate to an alternative authentication method such as OAuth, LDAP, or database authentication before upgrading.
 - [34871](https://github.com/apache/superset/pull/34871): Fixed Jest test hanging issue from Ant Design v5 upgrade. MessageChannel is now mocked in test environment to prevent rc-overflow from causing Jest to hang. Test environment only - no production impact.
 - [34782](https://github.com/apache/superset/pull/34782): Dataset exports now include the dataset ID in their file name (similar to charts and dashboards). If managing assets as code, make sure to rename existing dataset YAMLs to include the ID (and avoid duplicated files).
 - [34536](https://github.com/apache/superset/pull/34536): The `ENVIRONMENT_TAG_CONFIG` color values have changed to support only Ant Design semantic colors. Update your `superset_config.py`:
@@ -143,13 +368,13 @@ Note: Pillow is now a required dependency (previously optional) to support image
  There's a migration added that can potentially affect a significant number of existing charts.
 - [32317](https://github.com/apache/superset/pull/32317) The horizontal filter bar feature is now out of testing/beta development and its feature flag `HORIZONTAL_FILTER_BAR` has been removed.
 - [31590](https://github.com/apache/superset/pull/31590) Marks the beginning of intricate work around supporting dynamic Theming, and breaks support for [THEME_OVERRIDES](https://github.com/apache/superset/blob/732de4ac7fae88e29b7f123b6cbb2d7cd411b0e4/superset/config.py#L671) in favor of a new theming system based on AntD V5. Likely this will be in disrepair until settling over the 5.x lifecycle.
- [32432](https://github.com/apache/superset/pull/31260) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
+- [32432](https://github.com/apache/superset/pull/32432) Moves the List Roles FAB view to the frontend and requires `FAB_ADD_SECURITY_API` to be enabled in the configuration and `superset init` to be executed.
 - [34319](https://github.com/apache/superset/pull/34319) Drill to Detail and Drill By is now supported in Embedded mode, and also with the `DASHBOARD_RBAC` FF. If you don't want to expose these features in Embedded / `DASHBOARD_RBAC`, make sure the roles used for Embedded / `DASHBOARD_RBAC`don't have the required permissions to perform D2D actions.

 ## 5.0.0

 - [31976](https://github.com/apache/superset/pull/31976) Removed the `DISABLE_LEGACY_DATASOURCE_EDITOR` feature flag. The previous value of the feature flag was `True` and now the feature is permanently removed.
- [31959](https://github.com/apache/superset/pull/32000) Removes CSV_UPLOAD_MAX_SIZE config, use your web server to control file upload size.
+- [32000](https://github.com/apache/superset/pull/32000) Removes CSV_UPLOAD_MAX_SIZE config, use your web server to control file upload size.
 - [31959](https://github.com/apache/superset/pull/31959) Removes the following endpoints from data uploads: `/api/v1/database/<id>/<file type>_upload` and `/api/v1/database/<file type>_metadata`, in favour of new one (Details on the PR). And simplifies permissions.
 - [31844](https://github.com/apache/superset/pull/31844) The `ALERT_REPORTS_EXECUTE_AS` and `THUMBNAILS_EXECUTE_AS` config parameters have been renamed to `ALERT_REPORTS_EXECUTORS` and `THUMBNAILS_EXECUTORS` respectively. A new config flag `CACHE_WARMUP_EXECUTORS` has also been introduced to be able to control which user is used to execute cache warmup tasks. Finally, the config flag `THUMBNAILS_SELENIUM_USER` has been removed. To use a fixed executor for async tasks, use the new `FixedExecutor` class. See the config and docs for more info on setting up different executor profiles.
 - [31894](https://github.com/apache/superset/pull/31894) Domain sharding is deprecated in favor of HTTP2. The `SUPERSET_WEBSERVER_DOMAINS` configuration will be removed in the next major version (6.0)
@@ -157,7 +382,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [31774](https://github.com/apache/superset/pull/31774): Fixes the spelling of the `USE-ANALAGOUS-COLORS` feature flag. Please update any scripts/configuration item to use the new/corrected `USE-ANALOGOUS-COLORS` flag spelling.
 - [31582](https://github.com/apache/superset/pull/31582) Removed the legacy Area, Bar, Event Flow, Heatmap, Histogram, Line, Sankey, and Sankey Loop charts. They were all automatically migrated to their ECharts counterparts with the exception of the Event Flow and Sankey Loop charts which were removed as they were not actively maintained and not widely used. If you were using the Event Flow or Sankey Loop charts, you will need to find an alternative solution.
 - [31198](https://github.com/apache/superset/pull/31198) Disallows by default the use of the following ClickHouse functions: "version", "currentDatabase", "hostName".
- [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the intial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
+- [29798](https://github.com/apache/superset/pull/29798) Since 3.1.0, the initial schedule for an alert or report was mistakenly offset by the specified timezone's relation to UTC. The initial schedule should now begin at the correct time.
 - [30021](https://github.com/apache/superset/pull/30021) The `dev` layer in our Dockerfile no long includes firefox binaries, only Chromium to reduce bloat/docker-build-time.
 - [30099](https://github.com/apache/superset/pull/30099) Translations are no longer included in the default docker image builds. If your environment requires translations, you'll want to set the docker build arg `BUILD_TRANSLATIONS=true`.
 - [31262](https://github.com/apache/superset/pull/31262) NOTE: deprecated `pylint` in favor of `ruff` as our only python linter. Only affect development workflows positively (not the release itself). It should cover most important rules, be much faster, but some things linting rules that were enforced before may not be enforce in the exact same way as before.
@@ -170,7 +395,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [25166](https://github.com/apache/superset/pull/25166) Changed the default configuration of `UPLOAD_FOLDER` from `/app/static/uploads/` to `/static/uploads/`. It also removed the unused `IMG_UPLOAD_FOLDER` and `IMG_UPLOAD_URL` configuration options.
 - [30284](https://github.com/apache/superset/pull/30284) Deprecated GLOBAL_ASYNC_QUERIES_REDIS_CONFIG in favor of the new GLOBAL_ASYNC_QUERIES_CACHE_BACKEND configuration. To leverage Redis Sentinel, set CACHE_TYPE to RedisSentinelCache, or use RedisCache for standalone Redis
 - [31961](https://github.com/apache/superset/pull/31961) Upgraded React from version 16.13.1 to 17.0.2. If you are using custom frontend extensions or plugins, you may need to update them to be compatible with React 17.
- [31260](https://github.com/apache/superset/pull/31260) Docker images now use `uv pip install` instead of `pip install` to manage the python envrionment. Most docker-based deployments will be affected, whether you derive one of the published images, or have custom bootstrap script that install python libraries (drivers)
+- [31260](https://github.com/apache/superset/pull/31260) Docker images now use `uv pip install` instead of `pip install` to manage the python environment. Most docker-based deployments will be affected, whether you derive one of the published images, or have custom bootstrap script that install python libraries (drivers)

 ### Potential Downtime

@@ -247,7 +472,7 @@ Note: Pillow is now a required dependency (previously optional) to support image
 - [26462](https://github.com/apache/superset/issues/26462): Removes the Profile feature given that it's not actively maintained and not widely used.
 - [26377](https://github.com/apache/superset/pull/26377): Removes the deprecated Redirect API that supported short URLs used before the permalink feature.
 - [26329](https://github.com/apache/superset/issues/26329): Removes the deprecated `DASHBOARD_NATIVE_FILTERS` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.
- [25510](https://github.com/apache/superset/pull/25510): Reenforces that any newly defined Python data format (other than epoch) must adhere to the ISO 8601 standard (enforced by way of validation at the API and database level) after a previous relaxation to include slashes in addition to dashes. From now on when specifying new columns, dataset owners will need to use a SQL expression instead to convert their string columns of the form %Y/%m/%d etc. to a `DATE`, `DATETIME`, etc. type.
+- [25510](https://github.com/apache/superset/pull/25510): Reinforces that any newly defined Python data format (other than epoch) must adhere to the ISO 8601 standard (enforced by way of validation at the API and database level) after a previous relaxation to include slashes in addition to dashes. From now on when specifying new columns, dataset owners will need to use a SQL expression instead to convert their string columns of the form %Y/%m/%d etc. to a `DATE`, `DATETIME`, etc. type.
 - [26372](https://github.com/apache/superset/issues/26372): Removes the deprecated `GENERIC_CHART_AXES` feature flag. The previous value of the feature flag was `True` and now the feature is permanently enabled.

 ### Potential Downtime
--- a/docker-compose-image-tag.yml
+++ b/docker-compose-image-tag.yml
@@ -45,7 +45,7 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    image: postgres:16
+    image: postgres:17
    container_name: superset_db
    restart: unless-stopped
    volumes:
--- a/docker-compose-light.yml
+++ b/docker-compose-light.yml
@@ -67,7 +67,6 @@ x-superset-volumes: &superset-volumes
  - ./superset-frontend:/app/superset-frontend
  - superset_home_light:/app/superset_home
  - ./tests:/app/tests
-  - ./extensions:/app/extensions
 x-common-build: &common-build
  context: .
  target: ${SUPERSET_BUILD_TARGET:-dev} # can use `dev` (default) or `lean`
@@ -78,7 +77,6 @@ x-common-build: &common-build
    INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
    INCLUDE_FIREFOX: ${INCLUDE_FIREFOX:-false}
    BUILD_TRANSLATIONS: ${BUILD_TRANSLATIONS:-false}
-    LOAD_EXAMPLES_DUCKDB: ${LOAD_EXAMPLES_DUCKDB:-true}

 services:
  db-light:
@@ -87,7 +85,7 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    image: postgres:16
+    image: postgres:17
    restart: unless-stopped
    volumes:
      - db_home_light:/var/lib/postgresql/data
@@ -117,7 +115,10 @@ services:
      DATABASE_HOST: db-light
      DATABASE_DB: superset_light
      POSTGRES_DB: superset_light
-      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
+      EXAMPLES_HOST: db-light
+      EXAMPLES_DB: superset_light
+      EXAMPLES_USER: superset
+      EXAMPLES_PASSWORD: superset
      SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
      GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-}
      GITHUB_SHA: ${GITHUB_SHA:-}
@@ -140,7 +141,10 @@ services:
      DATABASE_HOST: db-light
      DATABASE_DB: superset_light
      POSTGRES_DB: superset_light
-      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
+      EXAMPLES_HOST: db-light
+      EXAMPLES_DB: superset_light
+      EXAMPLES_USER: superset
+      EXAMPLES_PASSWORD: superset
      SUPERSET_CONFIG_PATH: /app/docker/pythonpath_dev/superset_config_docker_light.py
    healthcheck:
      disable: true
@@ -161,10 +165,11 @@ services:
      BUILD_SUPERSET_FRONTEND_IN_DOCKER: true
      NPM_RUN_PRUNE: false
      SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
+      DISABLE_TS_CHECKER: "${DISABLE_TS_CHECKER:-true}"
      # configuring the dev-server to use the host.docker.internal to connect to the backend
      superset: "http://superset-light:8088"
-      # Webpack dev server configuration
-      WEBPACK_DEVSERVER_HOST: "${WEBPACK_DEVSERVER_HOST:-127.0.0.1}"
+      # Webpack dev server must bind to 0.0.0.0 to be accessible from outside the container
+      WEBPACK_DEVSERVER_HOST: "${WEBPACK_DEVSERVER_HOST:-0.0.0.0}"
      WEBPACK_DEVSERVER_PORT: "${WEBPACK_DEVSERVER_PORT:-9000}"
    ports:
      - "${NODE_PORT:-9001}:9000"  # Parameterized port, accessible on all interfaces
@@ -197,7 +202,6 @@ services:
      DATABASE_DB: test
      POSTGRES_DB: test
      SUPERSET__SQLALCHEMY_DATABASE_URI: postgresql+psycopg2://superset:superset@db-light:5432/test
-      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
      SUPERSET_CONFIG: superset_test_config_light
      PYTHONPATH: /app/pythonpath:/app/docker/pythonpath_dev:/app

--- a/docker-compose-non-dev.yml
+++ b/docker-compose-non-dev.yml
@@ -49,7 +49,7 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    image: postgres:16
+    image: postgres:17
    container_name: superset_db
    restart: unless-stopped
    volumes:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,7 +44,6 @@ x-common-build: &common-build
    INCLUDE_CHROMIUM: ${INCLUDE_CHROMIUM:-false}
    INCLUDE_FIREFOX: ${INCLUDE_FIREFOX:-false}
    BUILD_TRANSLATIONS: ${BUILD_TRANSLATIONS:-false}
-    LOAD_EXAMPLES_DUCKDB: ${LOAD_EXAMPLES_DUCKDB:-true}

 services:
  nginx:
@@ -54,22 +53,45 @@ services:
      - path: docker/.env-local # optional override
        required: false
    image: nginx:latest
-    container_name: superset_nginx
    restart: unless-stopped
    ports:
-      - "80:80"
+      - "${NGINX_PORT:-80}:80"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./docker/nginx/templates:/etc/nginx/templates:ro
+    # Wait for the webpack dev server's manifest.json to be served before
+    # starting nginx. This prevents 404s on static assets at startup. The
+    # probe targets host.docker.internal so it works regardless of whether
+    # the dev server runs in the superset-node container
+    # (BUILD_SUPERSET_FRONTEND_IN_DOCKER=true, the default) or directly on
+    # the host (BUILD_SUPERSET_FRONTEND_IN_DOCKER=false).
+    command:
+      - /bin/bash
+      - -c
+      - |
+        url="http://host.docker.internal:9000/static/assets/manifest.json"
+        max_attempts=150  # ~5 minutes at 2s intervals
+        echo "Waiting for webpack dev server at $url..."
+        attempt=0
+        until curl -sf --max-time 5 -o /dev/null "$url"; do
+          attempt=$((attempt + 1))
+          if [ "$attempt" -ge "$max_attempts" ]; then
+            echo "ERROR: webpack dev server did not serve $url after $max_attempts attempts (~5 minutes)." >&2
+            echo "Is the dev server running? With BUILD_SUPERSET_FRONTEND_IN_DOCKER=false you must start it on the host (e.g. 'npm run dev' in superset-frontend)." >&2
+            exit 1
+          fi
+          sleep 2
+        done
+        echo "Webpack dev server is ready; starting nginx."
+        exec nginx -g 'daemon off;'

  redis:
    image: redis:7
-    container_name: superset_cache
    restart: unless-stopped
    ports:
-      - "127.0.0.1:6379:6379"
+      - "127.0.0.1:${REDIS_PORT:-6379}:6379"
    volumes:
      - redis:/data

@@ -79,11 +101,10 @@ services:
        required: true
      - path: docker/.env-local # optional override
        required: false
-    image: postgres:16
-    container_name: superset_db
+    image: postgres:17
    restart: unless-stopped
    ports:
-      - "127.0.0.1:5432:5432"
+      - "127.0.0.1:${DATABASE_PORT:-5432}:5432"
    volumes:
      - db_home:/var/lib/postgresql/data
      - ./docker/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d
@@ -96,13 +117,12 @@ services:
        required: false
    build:
      <<: *common-build
-    container_name: superset_app
    command: ["/app/docker/docker-bootstrap.sh", "app"]
    restart: unless-stopped
    ports:
-      - 8088:8088
+      - ${SUPERSET_PORT:-8088}:8088
      # When in cypress-mode ->
-      - 8081:8081
+      - ${CYPRESS_PORT:-8081}:8081
    extra_hosts:
      - "host.docker.internal:host-gateway"
    user: *superset-user
@@ -110,14 +130,11 @@ services:
      superset-init:
        condition: service_completed_successfully
    volumes: *superset-volumes
-    environment:
-      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"

  superset-websocket:
-    container_name: superset_websocket
    build: ./superset-websocket
    ports:
-      - 8080:8080
+      - ${WEBSOCKET_PORT:-8080}:8080
    extra_hosts:
      - "host.docker.internal:host-gateway"
    depends_on:
@@ -149,7 +166,6 @@ services:
  superset-init:
    build:
      <<: *common-build
-    container_name: superset_init
    command: ["/app/docker/docker-init.sh"]
    env_file:
      - path: docker/.env # default
@@ -163,8 +179,6 @@ services:
        condition: service_started
    user: *superset-user
    volumes: *superset-volumes
-    environment:
-      SUPERSET__SQLALCHEMY_EXAMPLES_URI: "duckdb:////app/data/examples.duckdb"
    healthcheck:
      disable: true

@@ -186,9 +200,10 @@ services:
      SCARF_ANALYTICS: "${SCARF_ANALYTICS:-}"
      # configuring the dev-server to use the host.docker.internal to connect to the backend
      superset: "http://superset:8088"
+      # Webpack dev server must bind to 0.0.0.0 to be accessible from outside the container
+      WEBPACK_DEVSERVER_HOST: "0.0.0.0"
    ports:
-      - "127.0.0.1:9000:9000"  # exposing the dynamic webpack dev server
-    container_name: superset_node
+      - "127.0.0.1:${NODE_PORT:-9000}:9000"  # exposing the dynamic webpack dev server
    command: ["/app/docker/docker-frontend.sh"]
    env_file:
      - path: docker/.env # default
@@ -200,7 +215,6 @@ services:
  superset-worker:
    build:
      <<: *common-build
-    container_name: superset_worker
    command: ["/app/docker/docker-bootstrap.sh", "worker"]
    env_file:
      - path: docker/.env # default
@@ -226,7 +240,6 @@ services:
  superset-worker-beat:
    build:
      <<: *common-build
-    container_name: superset_worker_beat
    command: ["/app/docker/docker-bootstrap.sh", "beat"]
    env_file:
      - path: docker/.env # default
@@ -244,7 +257,6 @@ services:
  superset-tests-worker:
    build:
      <<: *common-build
-    container_name: superset_tests_worker
    command: ["/app/docker/docker-bootstrap.sh", "worker"]
    env_file:
      - path: docker/.env # default
--- a/docker/.env
+++ b/docker/.env
@@ -21,6 +21,15 @@ PYTHONUNBUFFERED=1
 COMPOSE_PROJECT_NAME=superset
 DEV_MODE=true

+# Port configuration (override in .env-local for multiple instances)
+# NGINX_PORT=80
+# SUPERSET_PORT=8088
+# NODE_PORT=9000
+# WEBSOCKET_PORT=8080
+# CYPRESS_PORT=8081
+# DATABASE_PORT=5432
+# REDIS_PORT=6379
+
 # database configurations (do not modify)
 DATABASE_DB=superset
 DATABASE_HOST=db
--- a/docker/.env-local.example
+++ b/docker/.env-local.example
@@ -0,0 +1,39 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# -----------------------------------------------------------------------
+# Example .env-local file for running multiple Superset instances
+# Copy this file to .env-local and customize for your setup
+# -----------------------------------------------------------------------
+
+# Unique project name prevents container/volume conflicts between clones
+# Each clone should have a different name (e.g., superset-pr123, superset-feature-x)
+COMPOSE_PROJECT_NAME=superset-dev2
+
+# Port offsets for running multiple instances simultaneously
+# Instance 1 (default): 80, 8088, 9000, 8080, 8081, 5432, 6379
+# Instance 2 example:   81, 8089, 9001, 8082, 8083, 5433, 6380
+NGINX_PORT=81
+SUPERSET_PORT=8089
+NODE_PORT=9001
+WEBSOCKET_PORT=8082
+CYPRESS_PORT=8083
+DATABASE_PORT=5433
+REDIS_PORT=6380
+
+# For verbose logging during development:
+# SUPERSET_LOG_LEVEL=debug
--- a/docker/README.md
+++ b/docker/README.md
@@ -77,6 +77,34 @@ To run the container, simply run: `docker compose up`
 After waiting several minutes for Superset initialization to finish, you can open a browser and view [`http://localhost:8088`](http://localhost:8088)
 to start your journey.

+### Running Multiple Instances
+
+If you need to run multiple Superset instances simultaneously (e.g., different branches or clones), use the make targets which automatically find available ports:
+
+```bash
+make up
+```
+
+This automatically:
+- Generates a unique project name from your directory
+- Finds available ports (incrementing from defaults if in use)
+- Displays the assigned URLs before starting
+
+Available commands (run from repo root):
+
+| Command | Description |
+|---------|-------------|
+| `make up` | Start services (foreground) |
+| `make up-detached` | Start services (background) |
+| `make down` | Stop all services |
+| `make ps` | Show running containers |
+| `make logs` | Follow container logs |
+| `make nuke` | Stop, remove volumes & local images |
+
+From a subdirectory, use: `make -C $(git rev-parse --show-toplevel) up`
+
+**Important**: Always use these commands instead of plain `docker compose down`, which won't know the correct project name.
+
 ## Developing

 While running, the container server will reload on modification of the Superset Python and JavaScript source code.
--- a/docker/docker-bootstrap.sh
+++ b/docker/docker-bootstrap.sh
@@ -80,7 +80,23 @@ case "${1}" in
    ;;
  app)
    echo "Starting web app (using development server)..."
-    flask run -p $PORT --reload --debugger --without-threads --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*"
+
+    # Environment-based debugger control for security
+    # Only enable Werkzeug interactive debugger when explicitly requested
+    # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth approach
+    # Override FLASK_DEBUG so the effective state matches SUPERSET_DEBUG_ENABLED even
+    # when FLASK_DEBUG=true is inherited from docker/.env or .flaskenv
+    if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
+        export FLASK_DEBUG=1
+        DEBUGGER_FLAG="--debugger"
+        echo "  ⚠️  Werkzeug debugger enabled (requires PIN for /console access)"
+    else
+        export FLASK_DEBUG=0
+        DEBUGGER_FLAG="--no-debugger"
+        echo "  🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)"
+    fi
+
+    flask run -p $PORT --reload $DEBUGGER_FLAG --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
    ;;
  app-gunicorn)
    echo "Starting web app..."
--- a/docker/docker-frontend.sh
+++ b/docker/docker-frontend.sh
@@ -28,11 +28,11 @@ if [ "$BUILD_SUPERSET_FRONTEND_IN_DOCKER" = "true" ]; then
    cd /app/superset-frontend

    if [ "$NPM_RUN_PRUNE" = "true" ]; then
-        echo "Running `npm run prune`"
+        echo "Running \"npm run prune\""
        npm run prune
    fi

-    echo "Running `npm install`"
+    echo "Running \"npm install\""
    npm install

    echo "Start webpack dev server"
--- a/docker/pythonpath_dev/superset_config.py
+++ b/docker/pythonpath_dev/superset_config.py
@@ -105,15 +105,13 @@ class CeleryConfig:

 CELERY_CONFIG = CeleryConfig

-# Extensions configuration
-# For local development, point to the extensions directory
-# Note: If running in Docker, this path needs to be accessible from inside the container
-EXTENSIONS_PATH = os.getenv("EXTENSIONS_PATH", "/app/extensions")
-
 FEATURE_FLAGS = {
    "ALERT_REPORTS": True,
+    "DATASET_FOLDERS": True,
    "ENABLE_EXTENSIONS": True,
+    "SEMANTIC_LAYERS": True,
 }
+EXTENSIONS_PATH = "/app/docker/extensions"
 ALERT_REPORTS_NOTIFICATION_DRY_RUN = True
 WEBDRIVER_BASEURL = f"http://superset_app{os.environ.get('SUPERSET_APP_ROOT', '/')}/"  # When using docker compose baseurl should be http://superset_nginx{ENV{BASEPATH}}/  # noqa: E501
 # The base URL for the email report hyperlinks.
--- a/docker/pythonpath_dev/superset_config_docker_light.py
+++ b/docker/pythonpath_dev/superset_config_docker_light.py
@@ -18,7 +18,10 @@
 # Configuration for docker-compose-light.yml - disables Redis and uses minimal services

 # Import all settings from the main config first
+import os
+
 from flask_caching.backends.filesystemcache import FileSystemCache
+
 from superset_config import *  # noqa: F403

 # Override caching to use simple in-memory cache instead of Redis
@@ -35,3 +38,32 @@ THUMBNAIL_CACHE_CONFIG = CACHE_CONFIG

 # Disable Celery entirely for lightweight mode
 CELERY_CONFIG = None  # type: ignore[assignment,misc]
+
+# Honor SUPERSET_FEATURE_<NAME> env vars on top of any flags inherited from
+# superset_config. Lets local dev/e2e enable features (e.g. EMBEDDED_SUPERSET)
+# without editing shipped config files. Only the literal string "true"
+# (case-insensitive) is treated as enabled — "1"/"yes"/"on" are not, matching
+# the strict-string convention used elsewhere in Superset's env parsing.
+FEATURE_FLAGS = {
+    **FEATURE_FLAGS,  # noqa: F405
+    **{
+        name[len("SUPERSET_FEATURE_") :]: value.strip().lower() == "true"
+        for name, value in os.environ.items()
+        if name.startswith("SUPERSET_FEATURE_")
+    },
+}
+
+if os.environ.get("SUPERSET_FEATURE_EMBEDDED_SUPERSET", "").strip().lower() == "true":
+    # Disable Talisman so /embedded/<uuid> doesn't return X-Frame-Options:SAMEORIGIN.
+    # Without this, browsers refuse to render Superset inside an iframe from a
+    # different origin (i.e. the embedded SDK use case). Production/CI configures
+    # Talisman with explicit `frame-ancestors`; for the lightweight local stack we
+    # just turn it off.
+    TALISMAN_ENABLED = False
+
+    # Guest tokens (used by the embedded SDK) inherit the "Public" role's perms.
+    # Out of the box Public has zero perms, so embedded dashboards immediately fail
+    # their first call (`/api/v1/me/roles/`) with 403. Mirror Public to Gamma —
+    # the standard read-only viewer role — so the embedded flow can authenticate
+    # and load dashboard data in local dev.
+    PUBLIC_ROLE_LIKE = "Gamma"
--- a/docker/superset-websocket/config.json
+++ b/docker/superset-websocket/config.json
@@ -1,22 +0,0 @@
-{
-  "port": 8080,
-  "logLevel": "info",
-  "logToFile": false,
-  "logFilename": "app.log",
-  "statsd": {
-    "host": "127.0.0.1",
-    "port": 8125,
-    "globalTags": []
-  },
-  "redis": {
-    "port": 6379,
-    "host": "127.0.0.1",
-    "password": "",
-    "db": 0,
-    "ssl": false
-  },
-  "redisStreamPrefix": "async-events-",
-  "jwtAlgorithms": ["HS256"],
-  "jwtSecret": "CHANGE-ME-IN-PRODUCTION-GOTTA-BE-LONG-AND-SECRET",
-  "jwtCookieName": "async-token"
-}
--- a/docs/.claude/instructions.md
+++ b/docs/.claude/instructions.md
@@ -0,0 +1,115 @@
+# Developer Portal Documentation Instructions
+
+## Core Principle: Stories Are the Single Source of Truth
+
+When working on the Storybook-to-MDX documentation system:
+
+**ALWAYS fix the story first. NEVER add workarounds to the generator.**
+
+## Why This Matters
+
+The generator (`scripts/generate-superset-components.mjs`) should be lightweight - it extracts data from stories and passes it through. When you add special cases to the generator:
+- It becomes harder to maintain
+- Stories diverge from their docs representation
+- Future stories need to know about generator quirks
+
+When you fix stories to match the expected patterns:
+- Stories work identically in Storybook and Docs
+- The generator stays simple and predictable
+- Patterns are consistent and learnable
+
+## Story Patterns for Docs Generation
+
+### Required Structure
+```tsx
+// Use inline export default (NOT const meta = ...; export default meta)
+export default {
+  title: 'Components/MyComponent',
+  component: MyComponent,
+};
+
+// Name interactive stories with Interactive prefix
+export const InteractiveMyComponent: Story = {
+  args: {
+    // Default prop values
+  },
+  argTypes: {
+    // Control definitions - MUST be at story level, not meta level
+    propName: {
+      control: { type: 'select' },
+      options: ['a', 'b', 'c'],
+      description: 'What this prop does',
+    },
+  },
+};
+```
+
+### For Components with Variants (size × style grids)
+```tsx
+const sizes = ['small', 'medium', 'large'];
+const variants = ['primary', 'secondary', 'danger'];
+
+InteractiveButton.parameters = {
+  docs: {
+    gallery: {
+      component: 'Button',
+      sizes,
+      styles: variants,
+      sizeProp: 'size',
+      styleProp: 'variant',
+    },
+  },
+};
+```
+
+### For Components Requiring Children
+```tsx
+InteractiveIconTooltip.parameters = {
+  docs: {
+    // Component descriptors with dot notation for nested components
+    sampleChildren: [{ component: 'Icons.InfoCircleOutlined', props: { iconSize: 'l' } }],
+  },
+};
+```
+
+### For Custom Live Code Examples
+```tsx
+InteractiveMyComponent.parameters = {
+  docs: {
+    liveExample: `function Demo() {
+  return <MyComponent prop="value">Content</MyComponent>;
+}`,
+  },
+};
+```
+
+### For Complex Props (objects, arrays)
+```tsx
+InteractiveMenu.parameters = {
+  docs: {
+    staticProps: {
+      items: [
+        { key: '1', label: 'Item 1' },
+        { key: '2', label: 'Item 2' },
+      ],
+    },
+  },
+};
+```
+
+## Common Issues and How to Fix Them (in the Story)
+
+| Issue | Wrong Approach | Right Approach |
+|-------|---------------|----------------|
+| Component not generated | Add pattern to generator | Change story to use inline `export default` |
+| Control shows as text instead of select | Add special case in generator | Add `argTypes` with `control: { type: 'select' }` |
+| Missing children/content | Modify StorybookWrapper | Add `parameters.docs.sampleChildren` |
+| Gallery not showing | Add to generator output | Add `parameters.docs.gallery` config |
+| Wrong live example | Hardcode in generator | Add `parameters.docs.liveExample` |
+
+## Files
+
+- **Generator**: `docs/scripts/generate-superset-components.mjs`
+- **Wrapper**: `docs/src/components/StorybookWrapper.jsx`
+- **Output**: `docs/developer_docs/components/`
+- **Stories**: `superset-frontend/packages/superset-ui-core/src/components/*/`
--- a/docs/.gitignore
+++ b/docs/.gitignore
@@ -23,3 +23,24 @@ docs/.zshrc

 # Gets copied from the root of the project at build time (yarn start / yarn build)
 docs/intro.md
+
+# Generated badge images (downloaded at build time by remark-localize-badges plugin)
+static/badges/
+
+# Generated database documentation MDX files (regenerated at build time)
+# Source of truth is in superset/db_engine_specs/*.py metadata attributes
+docs/databases/
+
+# Generated API documentation (regenerated at build time from openapi.json)
+# Source of truth is static/resources/openapi.json
+developer_docs/api/
+
+# Generated component documentation MDX files (regenerated at build time)
+# Source of truth is Storybook stories in superset-frontend/packages/superset-ui-core/src/components/
+developer_docs/components/
+
+# Note: src/data/databases.json is COMMITTED (not ignored) to preserve feature diagnostics
+# that require Flask context to generate. Update it locally with: npm run gen-db-docs
+
+# Generated component metadata JSON (regenerated by generate-superset-components.mjs)
+static/data/components.json
--- a/docs/.nvmrc
+++ b/docs/.nvmrc
@@ -1 +1 @@
-v20.18.3
+v24.16.0
--- a/docs/DOCS_CLAUDE.md
+++ b/docs/DOCS_CLAUDE.md
@@ -31,8 +31,9 @@ You are currently in the `/docs` subdirectory of the Apache Superset repository.
 ├── superset-frontend/             # React/TypeScript frontend
 └── docs/                         # Documentation site (YOU ARE HERE)
    ├── docs/                     # Main documentation content
-    ├── developer_portal/         # Developer guides (currently disabled)
-    ├── components/               # Component playground (currently disabled)
+    ├── admin_docs/               # Admin-focused guides
+    ├── developer_docs/           # Developer guides
+    ├── components/               # Component playground
    └── docusaurus.config.ts      # Site configuration
 ```

@@ -46,12 +47,19 @@ yarn build                # Build production site
 yarn serve                # Serve built site locally

 # Version Management (USE THESE, NOT docusaurus commands)
-yarn version:add:docs <version>              # Add new docs version
-yarn version:add:developer_portal <version>  # Add developer portal version  
+# The add scripts auto-run `generate:smart` so auto-gen content (database
+# pages, API reference, component pages) is fresh before snapshotting.
+# For maximum-detail databases.json, drop the `database-diagnostics`
+# artifact from Python-Integration CI at src/data/databases.json before
+# cutting. See README.md "Before You Cut".
+yarn version:add:user_docs <version>              # Add new docs version
+yarn version:add:admin_docs <version>        # Add admin docs version
+yarn version:add:developer_docs <version>    # Add developer docs version
 yarn version:add:components <version>        # Add components version
-yarn version:remove:docs <version>           # Remove docs version
-yarn version:remove:developer_portal <version> # Remove developer portal version
-yarn version:remove:components <version>      # Remove components version
+yarn version:remove:user_docs <version>           # Remove docs version
+yarn version:remove:admin_docs <version>     # Remove admin docs version
+yarn version:remove:developer_docs <version> # Remove developer docs version
+yarn version:remove:components <version>     # Remove components version

 # Quality Checks
 yarn typecheck            # TypeScript validation
@@ -95,15 +103,14 @@ docs/
    └── [security guides]
 ```

-### Developer Portal (`/developer_portal`) - Currently Disabled
-When enabled, contains developer-focused content:
- API documentation
- Architecture guides
- CLI tools
- Code examples
+### Admin Docs (`/admin_docs`)
+Admin-focused content: installation, configuration, security.

-### Component Playground (`/components`) - Currently Disabled
-When enabled, provides interactive component examples for UI development.
+### Developer Docs (`/developer_docs`)
+Developer-focused content: API documentation, architecture guides, CLI tools, code examples.
+
+### Component Playground (`/components`)
+Interactive component examples for UI development.

 ## 📝 Documentation Standards

@@ -221,17 +228,20 @@ Versions are managed through `versions-config.json`:

 ```bash
 # ✅ CORRECT - Updates both Docusaurus and versions-config.json
-yarn version:add:docs 6.1.0
+yarn version:add:user_docs 6.1.0

 # ❌ WRONG - Only updates Docusaurus, breaks version dropdown
 yarn docusaurus docs:version 6.1.0
 ```

 ### Version Files Created
-When versioning, these files are created:
- `versioned_docs/version-X.X.X/` - Snapshot of current docs
- `versioned_sidebars/version-X.X.X-sidebars.json` - Sidebar config
- `versions.json` - List of all versions
+When versioning, these files are created (per section, with the
+section's plugin id as prefix):
+- `<section>_versioned_docs/version-X.X.X/` - Snapshot of current docs
+- `<section>_versioned_sidebars/version-X.X.X-sidebars.json` - Sidebar config
+- `<section>_versions.json` - List of all versions
+
+Section plugin ids: `user_docs`, `admin_docs`, `developer_docs`, `components`.

 ## 🎨 Styling and Theming

@@ -379,7 +389,7 @@ Docusaurus includes Algolia DocSearch integration configured in `docusaurus.conf

 ## 🚫 Common Pitfalls to Avoid

-1. **Never use `yarn docusaurus docs:version`** - Use `yarn version:add:docs` instead
+1. **Never use `yarn docusaurus docs:version`** - Use `yarn version:add:user_docs` instead
 2. **Don't edit versioned docs directly** - Edit current docs and create new version
 3. **Avoid absolute paths in links** - Use relative paths for maintainability
 4. **Don't forget frontmatter** - Every doc needs title and description
@@ -409,14 +419,14 @@ yarn eslint
 ### Version Issues
 If versions don't appear in dropdown:
 1. Check `versions-config.json` includes the version
-2. Verify version files exist in `versioned_docs/`
+2. Verify version files exist in `<section>_versioned_docs/`
 3. Restart dev server

 ## 📚 Resources

 - [Docusaurus Documentation](https://docusaurus.io/docs)
 - [MDX Documentation](https://mdxjs.com/)
- [Superset Contributing Guide](../CONTRIBUTING.md)
+- [Superset Developer Docs](https://superset.apache.org/developer-docs/)
 - [Main Superset Documentation](https://superset.apache.org/docs/intro)

 ## 📖 Real Examples and Patterns
--- a/docs/README.md
+++ b/docs/README.md
@@ -18,16 +18,17 @@ under the License.
 -->

 This is the public documentation site for Superset, built using
-[Docusaurus 3](https://docusaurus.io/). See
-[CONTRIBUTING.md](../CONTRIBUTING.md#documentation) for documentation on
-contributing to documentation.
+[Docusaurus 3](https://docusaurus.io/). See the
+[Developer Docs](https://superset.apache.org/developer-docs/contributing/development-setup#documentation)
+for documentation on contributing to documentation.

 ## Version Management

-The Superset documentation site uses Docusaurus versioning with three independent versioned sections:
+The Superset documentation site uses Docusaurus versioning with four independent sections:

- **Main Documentation** (`/docs/`) - Core Superset documentation
- **Developer Portal** (`/developer_portal/`) - Developer guides and tutorials  
+- **User Documentation** (`/user-docs/`) - End-user guides and tutorials
+- **Admin Documentation** (`/admin-docs/`) - Installation, configuration, and security
+- **Developer Docs** (`/developer-docs/`) - Developer guides, contributing, and extensions
 - **Component Playground** (`/components/`) - Interactive component examples (currently disabled)

 Each section maintains its own version history and can be versioned independently.
@@ -36,23 +37,45 @@ Each section maintains its own version history and can be versioned independentl

 To create a new version for any section, use the Docusaurus version command with the appropriate plugin ID or use our automated scripts:

+#### Before You Cut
+
+The cut snapshots whatever's on disk into a frozen historical version, including auto-generated content (database pages from `superset/db_engine_specs/`, API reference from `static/resources/openapi.json`, component pages from Storybook stories). The cut script refreshes these via `generate:smart` before snapshotting, but the **`databases.json` diagnostics file** needs special care to capture full detail:
+
+1. **Canonical release cut**: download the `database-diagnostics` artifact from a green `Python-Integration` run on master, place it at `docs/src/data/databases.json`, then run the cut script with `--skip-generate` to preserve it. This is what the production deploy uses and includes full Flask-context diagnostics (driver versions, feature support matrix, etc.).
+2. **Local dev cut**: just run the script normally. `generate:smart` will regenerate `databases.json` using your local Flask environment — accurate to whatever drivers/extras you have installed, but typically less complete than the CI artifact.
+3. **No Flask available**: also fine — the database generator falls back to AST parsing of engine spec files. The MDX pages are still correct; only the diagnostics JSON is leaner.
+
+Also: confirm `master` CI is green, and that your local checkout matches the SHA you intend to cut from.
+
 #### Using Automated Scripts (Required)

-**⚠️ Important:** Always use these custom commands instead of the native Docusaurus commands. These scripts ensure that both the Docusaurus versioning system AND the `versions-config.json` file are updated correctly.
+**⚠️ Important:** Always use these custom commands instead of the native Docusaurus commands. These scripts ensure that both the Docusaurus versioning system AND the `versions-config.json` file are updated correctly, AND that auto-generated content is refreshed before snapshotting.

 ```bash
 # Main Documentation
-yarn version:add:docs 1.2.0
+yarn version:add:user_docs 1.2.0

-# Developer Portal
-yarn version:add:developer_portal 1.2.0
+# Admin Docs
+yarn version:add:admin_docs 1.2.0

-# Component Playground (when enabled)
+# Developer Docs
+yarn version:add:developer_docs 1.2.0
+
+# Component Playground
 yarn version:add:components 1.2.0
 ```

+What the script does:
+1. Refreshes auto-generated content via `generate:smart` (database pages, API reference, component pages).
+2. Calls `yarn docusaurus docs:version` (or the per-section equivalent) to snapshot the section.
+3. Freezes any data-file imports (`@site/static/*.json`, `../../data/*.json`) into a snapshot-local `_versioned_data/` dir so the historical version doesn't silently mutate when the source files change.
+4. Adjusts relative import paths (`../../src/...` → `../../../src/...`) for files now one directory deeper.
+5. Updates `versions-config.json` and `<section>_versions.json`.
+
 **Do NOT use** the native Docusaurus commands directly (`yarn docusaurus docs:version`), as they will:
 - ❌ Create version files but NOT update `versions-config.json`
+- ❌ Skip auto-gen refresh, freezing whatever was on disk
+- ❌ Skip data-import freezing, leaving the snapshot pointed at live data
 - ❌ Cause versions to not appear in dropdown menus
 - ❌ Require manual fixes to synchronize the configuration

@@ -75,7 +98,7 @@ If creating versions manually, you'll need to:
   - **Versioned sidebars**: `[section]_versioned_sidebars/version-X.X.X-sidebars.json`
   - **Versions list**: `[section]_versions.json`

-   Note: For main docs, the prefix is omitted (e.g., `versioned_docs/` instead of `docs_versioned_docs/`)
+   All four sections (`user_docs`, `admin_docs`, `developer_docs`, `components`) follow this naming pattern uniformly.

 3. **Important**: After adding a version, restart the development server to see changes:
   ```bash
@@ -88,10 +111,13 @@ If creating versions manually, you'll need to:
 #### Using Automated Scripts (Recommended)
 ```bash
 # Main Documentation
-yarn version:remove:docs 1.0.0
+yarn version:remove:user_docs 1.0.0

-# Developer Portal
-yarn version:remove:developer_portal 1.0.0
+# Admin Docs
+yarn version:remove:admin_docs 1.0.0
+
+# Developer Docs
+yarn version:remove:developer_docs 1.0.0

 # Component Playground
 yarn version:remove:components 1.0.0
@@ -101,18 +127,21 @@ yarn version:remove:components 1.0.0
 To manually remove a version:

 1. **Delete the version folder** from the appropriate location:
-   - Main docs: `versioned_docs/version-X.X.X/` (no prefix for main)
-   - Developer Portal: `developer_portal_versioned_docs/version-X.X.X/`
+   - User Docs: `user_docs_versioned_docs/version-X.X.X/`
+   - Admin Docs: `admin_docs_versioned_docs/version-X.X.X/`
+   - Developer Docs: `developer_docs_versioned_docs/version-X.X.X/`
   - Components: `components_versioned_docs/version-X.X.X/`

 2. **Delete the version metadata file**:
-   - Main docs: `versioned_sidebars/version-X.X.X-sidebars.json` (no prefix)
-   - Developer Portal: `developer_portal_versioned_sidebars/version-X.X.X-sidebars.json`
+   - User Docs: `user_docs_versioned_sidebars/version-X.X.X-sidebars.json`
+   - Admin Docs: `admin_docs_versioned_sidebars/version-X.X.X-sidebars.json`
+   - Developer Docs: `developer_docs_versioned_sidebars/version-X.X.X-sidebars.json`
   - Components: `components_versioned_sidebars/version-X.X.X-sidebars.json`

 3. **Update the versions list file**:
-   - Main docs: `versions.json`
-   - Developer Portal: `developer_portal_versions.json`
+   - User Docs: `user_docs_versions.json`
+   - Admin Docs: `admin_docs_versions.json`
+   - Developer Docs: `developer_docs_versions.json`
   - Components: `components_versions.json`

 4. **Update configuration**:
@@ -144,12 +173,12 @@ docs: {
 }
 ```

-#### Developer Portal & Components (custom plugins)
+#### Developer Docs & Components (custom plugins)
 ```typescript
 {
-  id: 'developer_portal',
-  path: 'developer_portal',
-  routeBasePath: 'developer_portal',
+  id: 'developer_docs',
+  path: 'developer_docs',
+  routeBasePath: 'developer-docs',
  includeCurrentVersion: true,
  lastVersion: '1.1.0',  // Default version
  onlyIncludeVersions: ['current', '1.1.0', '1.0.0'],
@@ -183,8 +212,8 @@ docs: {
 If you accidentally used `yarn docusaurus docs:version` instead of `yarn version:add`:
 1. **Problem**: The version files were created but `versions-config.json` wasn't updated
 2. **Solution**: Either:
-   - Revert the changes: `git restore versions.json && rm -rf versioned_docs/ versioned_sidebars/`
-   - Then use the correct command: `yarn version:add:docs <version>`
+   - Revert the changes: `git restore user_docs_versions.json && rm -rf user_docs_versioned_docs/ user_docs_versioned_sidebars/`
+   - Then use the correct command: `yarn version:add:user_docs <version>`

 For other issues:
 - **Restart the server**: Changes to version configuration require a server restart
@@ -193,7 +222,7 @@ For other issues:

 #### Broken Links in Versioned Documentation
 When creating a new version, links in the documentation are preserved as-is. Common issues:
- **Cross-section links**: Links between sections (e.g., from developer_portal to docs) need to be version-aware
+- **Cross-section links**: Links between sections (e.g., from developer_docs to docs) need to be version-aware
 - **Absolute vs relative paths**: Use relative paths within the same section
 - **Version-specific URLs**: Update hardcoded URLs to use version variables

--- a/docs/admin_docs/configuration/alerts-reports.mdx
+++ b/docs/admin_docs/configuration/alerts-reports.mdx
@@ -0,0 +1,500 @@
+---
+title: Alerts and Reports
+hide_title: true
+sidebar_position: 2
+version: 2
+---
+
+# Alerts and Reports
+
+Users can configure automated alerts and reports to send dashboards or charts to an email recipient or Slack channel.
+
+- *Alerts* are sent when a SQL condition is reached
+- *Reports* are sent on a schedule
+
+Alerts and reports are disabled by default. To turn them on, you'll need to change configuration settings and install a suitable headless browser in your environment.
+
+## Requirements
+
+### Commons
+
+#### In your `superset_config.py` or `superset_config_docker.py`
+
+- `"ALERT_REPORTS"` [feature flag](/admin-docs/configuration/configuring-superset#feature-flags) must be turned to True.
+- `beat_schedule` in CeleryConfig must contain schedule for `reports.scheduler`.
+- At least one of those must be configured, depending on what you want to use:
+  - emails: `SMTP_*` settings
+  - Slack messages: `SLACK_API_TOKEN`
+- Users can customize the email subject by including date code placeholders, which will automatically be replaced with the corresponding UTC date when the email is sent. To enable this functionality, activate the `"DATE_FORMAT_IN_EMAIL_SUBJECT"` [feature flag](/admin-docs/configuration/configuring-superset#feature-flags). This enables date formatting in email subjects, preventing all reporting emails from being grouped into the same thread (optional for the reporting feature).
+    - Use date codes from [strftime.org](https://strftime.org/) to create the email subject.
+    - If no date code is provided, the original string will be used as the email subject.
+
+##### Disable dry-run mode
+
+Screenshots will be taken but no messages actually sent as long as `ALERT_REPORTS_NOTIFICATION_DRY_RUN = True`, its default value in `docker/pythonpath_dev/superset_config.py`.  To disable dry-run mode and start receiving email/Slack notifications, set `ALERT_REPORTS_NOTIFICATION_DRY_RUN` to `False` in [superset config](https://github.com/apache/superset/blob/master/docker/pythonpath_dev/superset_config.py).
+
+#### In your `Dockerfile`
+
+You'll need to extend the Superset image to include a headless browser. Your options include:
+- Use Playwright with Chromium: this is the recommended approach as of version 4.1.x or greater. Playwright always uses Chromium — the `WEBDRIVER_TYPE` config setting has no effect when Playwright is active. A working example of a Dockerfile that installs these tools is provided under "Building your own production Docker image" on the [Docker Builds](/admin-docs/installation/docker-builds#building-your-own-production-docker-image) page. Enable the `PLAYWRIGHT_REPORTS_AND_THUMBNAILS` feature flag in your config to activate it.
+- Use Firefox (Selenium): you'll need to install geckodriver and Firefox. Set `WEBDRIVER_TYPE` to `"firefox"` in your `superset_config.py`.
+- Use Chrome (Selenium): you'll need to install Chrome. Set `WEBDRIVER_TYPE` to `"chrome"` in your `superset_config.py`.
+
+In Superset versions &lt;=4.0x, users installed Firefox or Chrome and that was documented here.
+
+Only the worker container needs the browser.
+
+### Slack integration
+
+To send alerts and reports to Slack channels, you need to create a new Slack Application on your workspace.
+
+1. Connect to your Slack workspace, then head to [https://api.slack.com/apps].
+2. Create a new app.
+3. Go to "OAuth & Permissions" section, and give the following scopes to your app:
+   - `incoming-webhook`
+   - `files:write`
+   - `chat:write`
+   - `channels:read`
+   - `groups:read`
+4. At the top of the "OAuth and Permissions" section, click "install to workspace".
+5. Select a default channel for your app and continue.
+   (You can post to any channel by inviting your Superset app into that channel).
+6. The app should now be installed in your workspace, and a "Bot User OAuth Access Token" should have been created. Copy that token in the `SLACK_API_TOKEN` variable of your `superset_config.py`.
+7. Ensure the feature flag `ALERT_REPORT_SLACK_V2` is set to True in `superset_config.py`
+8. Restart the service (or run `superset init`) to pull in the new configuration.
+
+Note: when you configure an alert or a report, the Slack channel list takes channel names without the leading '#' e.g. use `alerts` instead of `#alerts`.
+
+#### Large Slack Workspaces (10k+ channels)
+
+For workspaces with many channels, fetching the complete channel list can take several minutes and may encounter Slack API rate limits. Add the following to your `superset_config.py`:
+
+```python
+from datetime import timedelta
+
+# Increase cache timeout to reduce API calls
+# Default: 1 day (86400 seconds)
+SLACK_CACHE_TIMEOUT = int(timedelta(days=2).total_seconds())
+
+# Increase retry count for rate limit errors
+# Default: 2
+SLACK_API_RATE_LIMIT_RETRY_COUNT = 5
+```
+
+### Webhook integration
+
+Superset can send alert and report notifications to any HTTP endpoint — useful for chat platforms, incident management tools, or custom automation.
+
+#### Enabling Webhooks
+
+Enable the feature flag in `superset_config.py`:
+
+```python
+FEATURE_FLAGS = {
+    "ALERT_REPORTS": True,
+    "ALERT_REPORT_WEBHOOK": True,
+}
+```
+
+#### Configuring a Webhook Recipient
+
+When creating or editing an alert or report, select **Webhook** as the notification method and enter your endpoint URL.
+
+#### Payload Format
+
+Superset sends an HTTP POST with `Content-Type: application/json`:
+
+```json
+{
+  "name": "My Alert",
+  "header": {
+    "notification_format": "JSON",
+    "notification_type": "Alert",
+    "notification_source": "Alert",
+    "chart_id": 42,
+    "dashboard_id": null
+  },
+  "text": "Alert condition met: value exceeded threshold",
+  "description": "Monthly revenue dropped below target",
+  "url": "https://your-superset-host/superset/dashboard/1/"
+}
+```
+
+When a report includes file attachments (CSV, PDF, or PNG screenshots), the request is sent as `multipart/form-data` instead. In that case, each top-level payload field (`name`, `text`, `description`, `url`) becomes its own form field, and nested structures like `header` are serialized as a JSON-encoded string in their own field. Every attachment is added as a repeated form field named `files`:
+
+```
+POST /webhook HTTP/1.1
+Content-Type: multipart/form-data; boundary=...
+
+--...
+Content-Disposition: form-data; name="name"
+
+My Alert
+--...
+Content-Disposition: form-data; name="header"
+
+{"notification_format": "JSON", "notification_type": "Alert", ...}
+--...
+Content-Disposition: form-data; name="text"
+
+Alert condition met: value exceeded threshold
+--...
+Content-Disposition: form-data; name="files"; filename="report.csv"
+Content-Type: text/csv
+
+<file bytes>
+--...
+```
+
+Webhook consumers should branch on `Content-Type`: parse the body as JSON when `application/json`, or read the individual form fields (decoding `header` as JSON) when `multipart/form-data`.
+
+#### HTTPS Enforcement
+
+To require HTTPS webhook URLs (recommended for production), set:
+
+```python
+ALERT_REPORTS_WEBHOOK_HTTPS_ONLY = True
+```
+
+When enabled, Superset rejects webhook configurations that use `http://` URLs.
+
+#### Retry Behavior
+
+Superset automatically retries webhook deliveries on `429 Too Many Requests` and `5xx` server errors using exponential backoff.
+
+### Kubernetes-specific
+
+- You must have a `celery beat` pod running. If you're using the chart included in the GitHub repository under [helm/superset](https://github.com/apache/superset/tree/master/helm/superset), you need to put `supersetCeleryBeat.enabled = true` in your values override.
+- You can see the dedicated docs about [Kubernetes installation](/admin-docs/installation/kubernetes) for more details.
+
+### Docker Compose specific
+
+#### You must have in your `docker-compose.yml`
+
+- A Redis message broker
+- PostgreSQL DB instead of SQLlite
+- One or more `celery worker`
+- A single `celery beat`
+
+This process also works in a Docker swarm environment, you would just need to add `Deploy:` to the Superset, Redis and Postgres services along with your specific configs for your swarm.
+
+### Detailed config
+
+The following configurations need to be added to the `superset_config.py` file. This file is loaded when the image runs, and any configurations in it will override the default configurations found in the `config.py`.
+
+You can find documentation about each field in the default `config.py` in the GitHub repository under [superset/config.py](https://github.com/apache/superset/blob/master/superset/config.py).
+
+You need to replace default values with your custom Redis, Slack and/or SMTP config.
+
+Superset uses Celery beat and Celery worker(s) to send alerts and reports.
+
+- The beat is the scheduler that tells the worker when to perform its tasks. This schedule is defined when you create the alert or report.
+- The worker will process the  tasks that need to be performed when an alert or report is fired.
+
+In the `CeleryConfig`, only the `beat_schedule` is relevant to this feature, the rest of the `CeleryConfig` can be changed for your needs.
+
+```python
+from celery.schedules import crontab
+
+FEATURE_FLAGS = {
+    "ALERT_REPORTS": True
+}
+
+REDIS_HOST = "superset_cache"
+REDIS_PORT = "6379"
+
+class CeleryConfig:
+    broker_url = f"redis://{REDIS_HOST}:{REDIS_PORT}/0"
+    imports = (
+        "superset.sql_lab",
+        "superset.tasks.scheduler",
+    )
+    result_backend = f"redis://{REDIS_HOST}:{REDIS_PORT}/0"
+    worker_prefetch_multiplier = 10
+    task_acks_late = True
+    task_annotations = {
+        "sql_lab.get_sql_results": {
+            "rate_limit": "100/s",
+        },
+    }
+    beat_schedule = {
+        "reports.scheduler": {
+            "task": "reports.scheduler",
+            "schedule": crontab(minute="*", hour="*"),
+        },
+        "reports.prune_log": {
+            "task": "reports.prune_log",
+            "schedule": crontab(minute=0, hour=0),
+        },
+    }
+CELERY_CONFIG = CeleryConfig
+
+SCREENSHOT_LOCATE_WAIT = 100
+SCREENSHOT_LOAD_WAIT = 600
+
+# Slack configuration
+SLACK_API_TOKEN = "xoxb-"
+
+# Email configuration
+SMTP_HOST = "smtp.sendgrid.net" # change to your host
+SMTP_PORT = 2525 # your port, e.g. 587
+SMTP_STARTTLS = True
+SMTP_SSL_SERVER_AUTH = True # If you're using an SMTP server with a valid certificate
+SMTP_SSL = False
+SMTP_USER = "your_user" # use the empty string "" if using an unauthenticated SMTP server
+SMTP_PASSWORD = "your_password" # use the empty string "" if using an unauthenticated SMTP server
+SMTP_MAIL_FROM = "noreply@youremail.com"
+EMAIL_REPORTS_SUBJECT_PREFIX = "[Superset] " # optional - overwrites default value in config.py of "[Report] "
+
+# WebDriver configuration
+# If you use Firefox or Playwright with Chrome, you can stick with default values
+# If you use Chrome and are *not* using Playwright, then add the following WEBDRIVER_TYPE and WEBDRIVER_OPTION_ARGS
+WEBDRIVER_TYPE = "chrome"
+WEBDRIVER_OPTION_ARGS = [
+    "--force-device-scale-factor=2.0",
+    "--high-dpi-support=2.0",
+    "--headless",
+    "--disable-gpu",
+    "--disable-dev-shm-usage",
+    "--no-sandbox",
+    "--disable-setuid-sandbox",
+    "--disable-extensions",
+]
+
+# This is for internal use, you can keep http
+WEBDRIVER_BASEURL = "http://superset:8088" # When running using docker compose use "http://superset_app:8088'
+# This is the link sent to the recipient. Change to your domain, e.g. https://superset.mydomain.com
+WEBDRIVER_BASEURL_USER_FRIENDLY = "http://localhost:8088"
+```
+
+You also need
+to specify on behalf of which username to render the dashboards. In general, dashboards and charts
+are not accessible to unauthorized requests, that is why the worker needs to take over credentials
+of an existing user to take a snapshot.
+
+By default, Alerts and Reports are executed as the owner of the alert/report object. To use a fixed user account,
+just change the config as follows (`admin` in this example):
+
+```python
+from superset.tasks.types import FixedExecutor
+
+ALERT_REPORTS_EXECUTORS = [FixedExecutor("admin")]
+```
+
+Please refer to `ExecutorType` in the codebase for other executor types.
+
+**Important notes**
+
+- Be mindful of the concurrency setting for celery (using `-c 4`). Selenium/webdriver instances can
+  consume a lot of CPU / memory on your servers.
+- In some cases, if you notice a lot of leaked geckodriver processes, try running your celery
+  processes with `celery worker --pool=prefork --max-tasks-per-child=128 ...`
+- It is recommended to run separate workers for the `sql_lab` and `email_reports` tasks. This can be
+  done using the `queue` field in `task_annotations`.
+- Adjust `WEBDRIVER_BASEURL` in your configuration file if celery workers can’t access Superset via
+  its default value of `http://0.0.0.0:8080/`.
+
+It's also possible to specify a minimum interval between each report's execution through the config file:
+
+``` python
+# Set a minimum interval threshold between executions (for each Alert/Report)
+# Value should be an integer
+ALERT_MINIMUM_INTERVAL = int(timedelta(minutes=10).total_seconds())
+REPORT_MINIMUM_INTERVAL = int(timedelta(minutes=5).total_seconds())
+```
+
+Alternatively, you can assign a function to `ALERT_MINIMUM_INTERVAL` and/or `REPORT_MINIMUM_INTERVAL`. This is useful to dynamically retrieve a value as needed:
+
+``` python
+def alert_dynamic_minimal_interval(**kwargs) -> int:
+    """
+    Define logic here to retrieve the value dynamically
+    """
+
+ALERT_MINIMUM_INTERVAL = alert_dynamic_minimal_interval
+```
+
+## External Link Redirection
+
+For security, Superset rewrites external links in alert/report email HTML so
+they go through a warning page before the user is navigated to the external
+site.  Internal links (matching your configured base URL) are not affected.
+
+```python
+# Disable external link redirection entirely (default: True)
+ALERT_REPORTS_ENABLE_LINK_REDIRECT = False
+```
+
+The feature uses `WEBDRIVER_BASEURL_USER_FRIENDLY` (or `WEBDRIVER_BASEURL`)
+to determine which hosts are internal.
+
+## Troubleshooting
+
+There are many reasons that reports might not be working.  Try these steps to check for specific issues.
+
+### Confirm feature flag is enabled and you have sufficient permissions
+
+If you don't see "Alerts & Reports" under the *Manage* section of the Settings dropdown in the Superset UI, you need to enable the `ALERT_REPORTS` feature flag (see above). Enable another feature flag and check to see that it took effect, to verify that your config file is getting loaded.
+
+Log in as an admin user to ensure you have adequate permissions.
+
+### Check the logs of your Celery worker
+
+This is the best source of information about the problem.  In a docker compose deployment, you can do this with a command like `docker logs superset_worker --since 1h`.
+
+### Check web browser and webdriver installation
+
+To take a screenshot, the worker visits the dashboard or chart using a headless browser, then takes a screenshot. If you are able to send a chart as CSV or text but can't send as PNG, your problem may lie with the browser.
+
+If you are handling the installation of the headless browser on your own, do your own verification to ensure that the headless browser opens successfully in the worker environment.
+
+### Send a test email
+
+One symptom of an invalid connection to an email server is receiving an error of `[Errno 110] Connection timed out` in your logs when the report tries to send.
+
+Confirm via testing that your outbound email configuration is correct.  Here is the simplest test, for an un-authenticated email SMTP email service running on port 25.  If you are sending over SSL, for instance, study how [Superset's codebase sends emails](https://github.com/apache/superset/blob/master/superset/utils/core.py#L818) and then test with those commands and arguments.
+
+Start Python in your worker environment, replace all example values, and run:
+
+```python
+import smtplib
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+
+from_email = 'superset_emails@example.com'
+to_email = 'your_email@example.com'
+msg = MIMEMultipart()
+msg['From'] = from_email
+msg['To'] = to_email
+msg['Subject'] = 'Superset SMTP config test'
+message = 'It worked'
+msg.attach(MIMEText(message))
+mailserver = smtplib.SMTP('smtpmail.example.com', 25)
+mailserver.sendmail(from_email, to_email, msg.as_string())
+mailserver.quit()
+```
+
+This should send an email.
+
+Possible fixes:
+
+- Some cloud hosts disable outgoing unauthenticated SMTP email to prevent spam.  For instance, [Azure blocks port 25 by default on some machines](https://learn.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity). Enable that port or use another sending method.
+- Use another set of SMTP credentials that you verify works in this setup.
+
+### Browse to your report from the worker
+
+The worker may be unable to reach the report. It will use the value of `WEBDRIVER_BASEURL` to browse to the report.  If that route is invalid, or presents an authentication challenge that the worker can't pass, the report screenshot will fail.
+
+Check this by attempting to `curl` the URL of a report that you see in the error logs of your worker. For instance, from the worker environment, run `curl http://superset_app:8088/superset/dashboard/1/`. You may get different responses depending on whether the dashboard exists - for example, you may need to change the `1` in that URL. If there's a URL in your logs from a failed report screenshot, that's a good place to start. The goal is to determine a valid value for `WEBDRIVER_BASEURL` and determine if an issue like HTTPS or authentication is redirecting your worker.
+
+In a deployment with authentication measures enabled like HTTPS and Single Sign-On, it may make sense to have the worker navigate directly to the Superset application running in the same location, avoiding the need to sign in.  For instance, you could use `WEBDRIVER_BASEURL="http://superset_app:8088"` for a docker compose deployment, and set `"force_https": False,` in your `TALISMAN_CONFIG`.
+
+### Duplicate report deliveries
+
+In some deployment configurations a scheduled report can be delivered more than once around its planned time. This typically happens when more than one process is responsible for running the alerts & reports schedule (for example, multiple schedulers or Celery beat instances). To avoid duplicate emails or notifications:
+
+- Ensure that only a **single scheduler/beat process** is configured to trigger alerts and reports for a given environment.
+- If you run **multiple Celery workers**, verify that there is still only one component responsible for scheduling the report tasks (workers should execute tasks, not schedule them independently).
+- Review your deployment/orchestration setup (for example systemd, Docker, or Kubernetes) to make sure the alerts & reports scheduler is **not started from multiple places by accident**.
+
+## Scheduling Queries as Reports
+
+You can optionally allow your users to schedule queries directly in SQL Lab. This is done by adding
+extra metadata to saved queries, which are then picked up by an external scheduled (like
+[Apache Airflow](https://airflow.apache.org/)).
+
+To allow scheduled queries, add the following to `SCHEDULED_QUERIES` in your configuration file:
+
+```python
+SCHEDULED_QUERIES = {
+    # This information is collected when the user clicks "Schedule query",
+    # and saved into the `extra` field of saved queries.
+    # See: https://github.com/mozilla-services/react-jsonschema-form
+    'JSONSCHEMA': {
+        'title': 'Schedule',
+        'description': (
+            'In order to schedule a query, you need to specify when it '
+            'should start running, when it should stop running, and how '
+            'often it should run. You can also optionally specify '
+            'dependencies that should be met before the query is '
+            'executed. Please read the documentation for best practices '
+            'and more information on how to specify dependencies.'
+        ),
+        'type': 'object',
+        'properties': {
+            'output_table': {
+                'type': 'string',
+                'title': 'Output table name',
+            },
+            'start_date': {
+                'type': 'string',
+                'title': 'Start date',
+                # date-time is parsed using the chrono library, see
+                # https://www.npmjs.com/package/chrono-node#usage
+                'format': 'date-time',
+                'default': 'tomorrow at 9am',
+            },
+            'end_date': {
+                'type': 'string',
+                'title': 'End date',
+                # date-time is parsed using the chrono library, see
+                # https://www.npmjs.com/package/chrono-node#usage
+                'format': 'date-time',
+                'default': '9am in 30 days',
+            },
+            'schedule_interval': {
+                'type': 'string',
+                'title': 'Schedule interval',
+            },
+            'dependencies': {
+                'type': 'array',
+                'title': 'Dependencies',
+                'items': {
+                    'type': 'string',
+                },
+            },
+        },
+    },
+    'UISCHEMA': {
+        'schedule_interval': {
+            'ui:placeholder': '@daily, @weekly, etc.',
+        },
+        'dependencies': {
+            'ui:help': (
+                'Check the documentation for the correct format when '
+                'defining dependencies.'
+            ),
+        },
+    },
+    'VALIDATION': [
+        # ensure that start_date <= end_date
+        {
+            'name': 'less_equal',
+            'arguments': ['start_date', 'end_date'],
+            'message': 'End date cannot be before start date',
+            # this is where the error message is shown
+            'container': 'end_date',
+        },
+    ],
+    # link to the scheduler; this example links to an Airflow pipeline
+    # that uses the query id and the output table as its name
+    'linkback': (
+        'https://airflow.example.com/admin/airflow/tree?'
+        'dag_id=query_${id}_${extra_json.schedule_info.output_table}'
+    ),
+}
+```
+
+This configuration is based on
+[react-jsonschema-form](https://github.com/mozilla-services/react-jsonschema-form) and will add a
+menu item called “Schedule” to SQL Lab. When the menu item is clicked, a modal will show up where
+the user can add the metadata required for scheduling the query.
+
+This information can then be retrieved from the endpoint `/api/v1/saved_query/` and used to
+schedule the queries that have `schedule_info` in their JSON metadata. For schedulers other than
+Airflow, additional fields can be easily added to the configuration file above.
+
+:::resources
+- [Tutorial: Automated Alerts and Reporting via Slack/Email in Superset](https://dev.to/ngtduc693/apache-superset-topic-5-automated-alerts-and-reporting-via-slackemail-in-superset-2gbe)
+- [Blog: Integrating Slack alerts and Apache Superset for better data observability](https://medium.com/affinityanswers-tech/integrating-slack-alerts-and-apache-superset-for-better-data-observability-fd2f9a12c350)
+:::
--- a/docs/admin_docs/configuration/async-queries-celery.mdx
+++ b/docs/admin_docs/configuration/async-queries-celery.mdx
@@ -0,0 +1,108 @@
+---
+title: Async Queries via Celery
+hide_title: true
+sidebar_position: 4
+version: 1
+---
+
+# Async Queries via Celery
+
+## Celery
+
+On large analytic databases, it’s common to run queries that execute for minutes or hours. To enable
+support for long running queries that execute beyond the typical web request’s timeout (30-60
+seconds), it is necessary to configure an asynchronous backend for Superset which consists of:
+
+- one or many Superset workers (which is implemented as a Celery worker), and can be started with
+  the `celery worker` command, run `celery worker --help` to view the related options.
+- a celery broker (message queue) for which we recommend using Redis or RabbitMQ
+- a results backend that defines where the worker will persist the query results
+
+Configuring Celery requires defining a `CELERY_CONFIG` in your `superset_config.py`. Both the worker
+and web server processes should have the same configuration.
+
+```python
+class CeleryConfig(object):
+    broker_url = "redis://localhost:6379/0"
+    imports = (
+        "superset.sql_lab",
+        "superset.tasks.scheduler",
+    )
+    result_backend = "redis://localhost:6379/0"
+    worker_prefetch_multiplier = 10
+    task_acks_late = True
+    task_annotations = {
+        "sql_lab.get_sql_results": {
+            "rate_limit": "100/s",
+        },
+    }
+
+CELERY_CONFIG = CeleryConfig
+```
+
+To start a Celery worker to leverage the configuration, run the following command:
+
+```bash
+celery --app=superset.tasks.celery_app:app worker --pool=prefork -O fair -c 4
+```
+
+To start a job which schedules periodic background jobs, run the following command:
+
+```bash
+celery --app=superset.tasks.celery_app:app beat
+```
+
+To setup a result backend, you need to pass an instance of a derivative of `BaseCache` (`from
+flask_caching.backends.base import BaseCache`) to the RESULTS_BACKEND configuration key in your
+superset_config.py. You can use Memcached, Redis, S3 (https://pypi.python.org/pypi/s3werkzeugcache),
+memory or the file system (in a single server-type setup or for testing), or to write your own
+caching interface. Your `superset_config.py` may look something like:
+
+```python
+# On S3
+from s3cache.s3cache import S3Cache
+S3_CACHE_BUCKET = 'foobar-superset'
+S3_CACHE_KEY_PREFIX = 'sql_lab_result'
+RESULTS_BACKEND = S3Cache(S3_CACHE_BUCKET, S3_CACHE_KEY_PREFIX)
+
+# On Redis
+from flask_caching.backends.rediscache import RedisCache
+RESULTS_BACKEND = RedisCache(
+    host='localhost', port=6379, key_prefix='superset_results')
+```
+
+For performance gains, [MessagePack](https://github.com/msgpack/msgpack-python) and
+[PyArrow](https://arrow.apache.org/docs/python/) are now used for results serialization. This can be
+disabled by setting `RESULTS_BACKEND_USE_MSGPACK = False` in your `superset_config.py`, should any
+issues arise. Please clear your existing results cache store when upgrading an existing environment.
+
+**Important Notes**
+
+- It is important that all the worker nodes and web servers in the Superset cluster _share a common
+  metadata database_. This means that SQLite will not work in this context since it has limited
+  support for concurrency and typically lives on the local file system.
+
+- There should _only be one instance of celery beat running_ in your entire setup. If not,
+  background jobs can get scheduled multiple times resulting in weird behaviors like duplicate
+  delivery of reports, higher than expected load / traffic etc.
+
+- SQL Lab will _only run your queries asynchronously if_ you enable **Asynchronous Query Execution**
+  in your database settings (Sources > Databases > Edit record).
+
+## Celery Flower
+
+Flower is a web based tool for monitoring the Celery cluster which you can install from pip:
+
+```bash
+pip install flower
+```
+
+You can run flower using:
+
+```bash
+celery --app=superset.tasks.celery_app:app flower
+```
+
+:::resources
+- [Blog: How to Set Up Global Async Queries (GAQ) in Apache Superset](https://medium.com/@ngigilevis/how-to-set-up-global-async-queries-gaq-in-apache-superset-a-complete-guide-9d2f4a047559)
+:::
--- a/Show More
+++ b/Show More