Skip to content

chore(ci): silence zizmor adhoc-packages note for supersetbot install#41546

Merged
hainenber merged 1 commit into
masterfrom
chore/zizmor-adhoc-packages-supersetbot
Jun 30, 2026
Merged

chore(ci): silence zizmor adhoc-packages note for supersetbot install#41546
hainenber merged 1 commit into
masterfrom
chore/zizmor-adhoc-packages-supersetbot

Conversation

@rusackas

Copy link
Copy Markdown
Member

SUMMARY

Resolves code-scanning alert #2555 (zizmor adhoc-packages, severity: note) at .github/actions/setup-supersetbot/action.yml:20.

The adhoc-packages audit flags any run: step that installs a package outside a managed/locked manifest (e.g. npm install <pkg>). Its recommended remediation is to add the package to a package.json, commit a lockfile, and install via npm ci.

That remediation doesn't fit here: supersetbot is a first-party Apache CLI published from apache-superset/supersetbot and installed globally as a standalone tool for the workflow runner — there is no application manifest/lockfile context for a global CLI install, and the audit flags the install regardless of pinning anyway. This is therefore a benign case for the note.

The fix adds a scoped, justified # zizmor: ignore[adhoc-packages] comment, matching how other zizmor findings are already suppressed across this repo (e.g. the cache-poisoning ignores in tag-release.yml for the same supersetbot context).

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

pre-commit run --files .github/actions/setup-supersetbot/action.yml passes, including the zizmor (GHA security audit) hook. CI's github-action-validator (zizmor-action) re-runs the audit on the PR.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

@bito-code-review

bito-code-review Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@github-actions github-actions Bot added the github_actions Pull requests that update GitHub Actions code label Jun 29, 2026
supersetbot is a first-party Apache CLI (apache-superset/supersetbot)
installed globally as a tool; a global CLI install has no application
manifest/lockfile context, so the lockfile-based remediation zizmor's
adhoc-packages audit recommends does not apply. Add a scoped, justified
ignore matching how other zizmor findings are suppressed in this repo.

Resolves code-scanning alert #2555

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@rusackas
rusackas force-pushed the chore/zizmor-adhoc-packages-supersetbot branch from 5d9f799 to 8f45ab9 Compare June 30, 2026 17:34
@rusackas rusackas added the merge-if-green If approved and tests are green, please go ahead and merge it for me label Jun 30, 2026
@hainenber
hainenber merged commit 42a5f64 into master Jun 30, 2026
52 checks passed
@hainenber
hainenber deleted the chore/zizmor-adhoc-packages-supersetbot branch June 30, 2026 17:43
@bito-code-review

Copy link
Copy Markdown
Contributor

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code merge-if-green If approved and tests are green, please go ahead and merge it for me size/XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants