Merge pull request #140 from apache/master

Merge Upstream
ranjitpatra · Oct 28, 2023 · 6ffa6c2 · 6ffa6c2
2 parents 877d8ba + ed14f36
commit 6ffa6c2
Show file tree

Hide file tree

Showing 2,346 changed files with 388,048 additions and 236,892 deletions.
diff --git a/.asf.yaml b/.asf.yaml
@@ -66,12 +66,12 @@ github:
           - cypress-matrix (3, chrome)
           - docker-build
           - frontend-build
-          - pre-commit (3.8)
-          - python-lint (3.8)
-          - test-mysql (3.8)
-          - test-postgres (3.8)
+          - pre-commit (3.9)
+          - python-lint (3.9)
+          - test-mysql (3.9)
           - test-postgres (3.9)
-          - test-sqlite (3.8)
+          - test-postgres (3.10)
+          - test-sqlite (3.9)
 
       required_pull_request_reviews:
         dismiss_stale_reviews: false

diff --git a/.flaskenv b/.flaskenv
@@ -15,4 +15,4 @@
 # limitations under the License.
 #
 FLASK_APP="superset.app:create_app()"
-FLASK_ENV="development"
+FLASK_DEBUG=true
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -12,9 +12,9 @@
 
 # Notify some committers of changes in the components
 
-/superset-frontend/src/components/Select/ @michael-s-molina @geido @ktmud
-/superset-frontend/src/components/MetadataBar/ @michael-s-molina
-/superset-frontend/src/components/DropdownContainer/ @michael-s-molina
+/superset-frontend/src/components/Select/ @michael-s-molina @geido @kgabryje
+/superset-frontend/src/components/MetadataBar/ @michael-s-molina @geido @kgabryje
+/superset-frontend/src/components/DropdownContainer/ @michael-s-molina @geido @kgabryje
 
 # Notify Helm Chart maintainers about changes in it
 
@@ -23,3 +23,7 @@
 # Notify E2E test maintainers of changes
 
 /superset-frontend/cypress-base/ @jinghua-qa @geido @eschutho @rusackas @betodealmeida
+
+# Notify PMC members of changes to GitHub Actions
+
+/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @john-bodley @kgabryje
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md → .github/ISSUE_TEMPLATE/bug-report.md b/.github/ISSUE_TEMPLATE/bug_report.md → .github/ISSUE_TEMPLATE/bug-report.md
@@ -1,8 +1,7 @@
 ---
 name: Bug report
-about: Create a report to help us improve Superset's stability! For feature requests please open a discussion at https://github.com/apache/superset/discussions/categories/ideas
-labels: "#bug"
-
+about: "Create a report to help us improve Superset's stability! For feature requests please open a discussion [here](https://github.com/apache/superset/discussions/categories/ideas)."
+labels: bug
 ---
 
 A clear and concise description of what the bug is.

diff --git a/.github/ISSUE_TEMPLATE/cosmetic.md b/.github/ISSUE_TEMPLATE/cosmetic.md
@@ -2,7 +2,6 @@
 name: Cosmetic Issue
 about: Describe a cosmetic issue with CSS, positioning, layout, labeling, or similar
 labels: "cosmetic-issue"
-
 ---
 
 ## Screenshot

diff --git a/.github/ISSUE_TEMPLATE/sip.md b/.github/ISSUE_TEMPLATE/sip.md
@@ -1,10 +1,9 @@
 ---
 name: SIP
-about: Superset Improvement Proposal (See SIP-0: https://github.com/apache/superset/issues/5602)
-labels: "#SIP"
+about: "Superset Improvement Proposal. See [here](https://github.com/apache/superset/issues/5602) for details."
+labels: sip
 title: "[SIP] Your Title Here (do not add SIP number)"
-asignees: "apache/superset-committers"
-
+assignees: "apache/superset-committers"
 ---
 
 *Please make sure you are familiar with the SIP process documented*

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org) and follows the
+ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+## Reporting Vulnerabilities
+
+**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**
+
+
+Apache Software Foundation takes a rigorous standpoint in annihilating the security issues
+in its software projects. Apache Superset is highly sensitive and forthcoming to issues
+pertaining to its features and functionality.
+If you have any concern or believe you have found a vulnerability in Apache Superset,
+please get in touch with the Apache Security Team privately at
+e-mail address [[email protected]](mailto:[email protected]).
+
+More details can be found on the ASF website at
+[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
+
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability
+
+Note that Apache Superset is not responsible for any third-party dependencies that may
+have security issues. Any vulnerabilities found in third-party dependencies should be
+reported to the maintainers of those projects. Results from security scans of Apache
+Superset dependencies found on its official Docker image can be remediated at release time
+by extending the image itself.
+
+**Your responsible disclosure and collaboration are invaluable.**
+
+## Extra Information
+
+ - [Apache Superset documentation](https://superset.apache.org/docs/security)
+ - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
+ - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)
diff --git a/.github/workflows/bashlib.sh b/.github/workflows/bashlib.sh
@@ -40,7 +40,8 @@ default-setup-command() {
 apt-get-install() {
   say "::group::apt-get install dependencies"
   sudo apt-get update && sudo apt-get install --yes \
-    libsasl2-dev
+    libsasl2-dev \
+    libldap2-dev
   say "::endgroup::"
 }
 
@@ -159,11 +160,11 @@ cypress-run() {
 
   say "::group::Run Cypress for [$page]"
   if [[ -z $CYPRESS_KEY ]]; then
-    $cypress --spec "cypress/integration/$page" --browser "$browser"
+    $cypress --spec "cypress/e2e/$page" --browser "$browser"
   else
     export CYPRESS_RECORD_KEY=$(echo $CYPRESS_KEY | base64 --decode)
     # additional flags for Cypress dashboard recording
-    $cypress --spec "cypress/integration/$page" --browser "$browser" \
+    $cypress --spec "cypress/e2e/$page" --browser "$browser" \
       --record --group "$group" --tag "${GITHUB_REPOSITORY},${GITHUB_EVENT_NAME}" \
       --parallel --ci-build-id "${GITHUB_SHA:0:8}-${NONCE}"
   fi
@@ -232,7 +233,7 @@ cypress-run-applitools() {
   nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
   local flaskProcessId=$!
 
-  $cypress --spec "cypress/integration/*/**/*.applitools.test.ts" --browser "$browser" --headless --config ignoreTestFiles="[]"
+  $cypress --spec "cypress/e2e/*/**/*.applitools.test.ts" --browser "$browser" --headless --config ignoreTestFiles="[]"
 
   codecov -c -F "cypress" || true
 

diff --git a/.github/workflows/cancel_duplicates.yml b/.github/workflows/cancel_duplicates.yml
@@ -10,11 +10,14 @@ jobs:
   cancel-duplicate-runs:
     name: Cancel duplicate workflow runs
     runs-on: ubuntu-20.04
+    permissions:
+      actions: write
+      contents: read
     steps:
       - name: Check number of queued tasks
         id: check_queued
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           GITHUB_REPO: ${{ github.repository }}
         run: |
           get_count() {
@@ -28,12 +31,12 @@ jobs:
 
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
         if: steps.check_queued.outputs.count >= 20
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cancel duplicate workflow runs
         if: steps.check_queued.outputs.count >= 20
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           pip install click requests typing_extensions python-dateutil

diff --git a/.github/workflows/check_db_migration_confict.yml b/.github/workflows/check_db_migration_confict.yml
@@ -8,13 +8,16 @@ jobs:
   check_db_migration_conflict:
     name: Check DB migration conflict
     runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Check and notify
         uses: actions/github-script@v3
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ github.token }}
           script: |
             // API reference: https://octokit.github.io/rest.js
             const currentBranch = context.ref.replace('refs/heads/', '');

diff --git a/.github/workflows/chromatic-master.yml b/.github/workflows/chromatic-master.yml
@@ -1,5 +1,5 @@
 # .github/workflows/chromatic.yml
-# seee https://www.chromatic.com/docs/github-actions
+# see https://www.chromatic.com/docs/github-actions
 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements.  See the NOTICE file distributed with
@@ -32,12 +32,29 @@ on:
 
 # List of jobs
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.CHROMATIC_PROJECT_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   chromatic-deployment:
+    needs: config
+    if: needs.config.outputs.has-secrets
     # Operating System
     runs-on: ubuntu-latest
     # Job steps
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # 👈 Required to retrieve git history
       - name: Install dependencies
         run: npm ci
         working-directory: superset-frontend

diff --git a/.github/workflows/codecov.sh b/.github/workflows/codecov.sh
@@ -174,7 +174,7 @@ cat << EOF
 
     -c           Move discovered coverage reports to the trash
     -z FILE      Upload specified file directly to Codecov and bypass all report generation.
-                 This is inteded to be used only with a pre-formatted Codecov report and is not
+                 This is intended to be used only with a pre-formatted Codecov report and is not
                  expected to work under any other circumstances.
     -Z           Exit with 1 if not successful. Default will Exit with 0
 
@@ -1152,7 +1152,7 @@ fi
 
 if [ "$ft_search" = "1" ];
 then
-  # detect bower comoponents location
+  # detect bower components location
   bower_components="bower_components"
   bower_rc=$(cd "$git_root" && cat .bowerrc 2>/dev/null || echo "")
   if [ "$bower_rc" != "" ];

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,50 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+    paths:
+      - 'superset/**'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+    paths:
+      - 'superset/**'
+  schedule:
+    - cron: '0 4 * * *'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python', 'javascript' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,25 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v2
+        with:
+          fail-on-severity: high
+          # compatible/incompatible licenses addressed here: https://www.apache.org/legal/resolved.html
+          # find SPDX identifiers here: https://spdx.org/licenses/
+          deny-licenses: MS-LPL, BUSL-1.1, QPL-1.0, Sleepycat, SSPL-1.0, CPOL-1.02, AGPL-3.0, GPL-1.0+, BSD-4-Clause-UC, NPL-1.0, NPL-1.1, JSON