fix conficts

.asf.yaml

@@ -66,12 +66,12 @@ github:
  - cypress-matrix (3, chrome)
  - docker-build
  - frontend-build
- - pre-commit (3.8)
- - python-lint (3.8)
- - test-mysql (3.8)
- - test-postgres (3.8)
+ - pre-commit (3.9)
+ - python-lint (3.9)
+ - test-mysql (3.9)
  - test-postgres (3.9)
- - test-sqlite (3.8)
+ - test-postgres (3.10)
+ - test-sqlite (3.9)
 
  required_pull_request_reviews:
  dismiss_stale_reviews: false

.flaskenv

@@ -15,4 +15,4 @@
 # limitations under the License.
 #
 FLASK_APP="superset.app:create_app()"
-FLASK_ENV="development"
+FLASK_DEBUG=true

.github/CODEOWNERS

@@ -12,9 +12,9 @@
 
 # Notify some committers of changes in the components
 
-/superset-frontend/src/components/Select/ @michael-s-molina @geido @ktmud
-/superset-frontend/src/components/MetadataBar/ @michael-s-molina
-/superset-frontend/src/components/DropdownContainer/ @michael-s-molina
+/superset-frontend/src/components/Select/ @michael-s-molina @geido @kgabryje
+/superset-frontend/src/components/MetadataBar/ @michael-s-molina @geido @kgabryje
+/superset-frontend/src/components/DropdownContainer/ @michael-s-molina @geido @kgabryje
 
 # Notify Helm Chart maintainers about changes in it
 
@@ -24,6 +24,6 @@
 
 /superset-frontend/cypress-base/ @jinghua-qa @geido @eschutho @rusackas @betodealmeida
 
-# Notify PMC members of changes to Github Actions
+# Notify PMC members of changes to GitHub Actions
 
-/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @john-bodley
+/.github/ @villebro @geido @eschutho @rusackas @betodealmeida @nytai @mistercrunch @craig-rueda @john-bodley @kgabryje

.github/ISSUE_TEMPLATE/bug_report.md → .github/ISSUE_TEMPLATE/bug-report.md

@@ -1,8 +1,7 @@
 ---
 name: Bug report
-about: Create a report to help us improve Superset's stability! For feature requests please open a discussion at https://github.com/apache/superset/discussions/categories/ideas
-labels: "#bug"
-
+about: "Create a report to help us improve Superset's stability! For feature requests please open a discussion [here](https://github.com/apache/superset/discussions/categories/ideas)."
+labels: bug
 ---
 
 A clear and concise description of what the bug is.

.github/ISSUE_TEMPLATE/cosmetic.md

@@ -2,7 +2,6 @@
 name: Cosmetic Issue
 about: Describe a cosmetic issue with CSS, positioning, layout, labeling, or similar
 labels: "cosmetic-issue"
-
 ---
 
 ## Screenshot

.github/ISSUE_TEMPLATE/sip.md

@@ -1,10 +1,9 @@
 ---
 name: SIP
-about: Superset Improvement Proposal (See SIP-0: https://github.com/apache/superset/issues/5602)
-labels: "#SIP"
+about: "Superset Improvement Proposal. See [here](https://github.com/apache/superset/issues/5602) for details."
+labels: sip
 title: "[SIP] Your Title Here (do not add SIP number)"
-asignees: "apache/superset-committers"
-
+assignees: "apache/superset-committers"
 ---
 
 *Please make sure you are familiar with the SIP process documented*

.github/SECURITY.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+This is a project of the [Apache Software Foundation](https://apache.org) and follows the
+ASF [vulnerability handling process](https://apache.org/security/#vulnerability-handling).
+
+## Reporting Vulnerabilities
+
+**⚠️ Please do not file GitHub issues for security vulnerabilities as they are public! ⚠️**
+
+
+Apache Software Foundation takes a rigorous standpoint in annihilating the security issues
+in its software projects. Apache Superset is highly sensitive and forthcoming to issues
+pertaining to its features and functionality.
+If you have any concern or believe you have found a vulnerability in Apache Superset,
+please get in touch with the Apache Security Team privately at
+e-mail address [security@apache.org](mailto:security@apache.org).
+
+More details can be found on the ASF website at
+[ASF vulnerability reporting process](https://apache.org/security/#reporting-a-vulnerability)
+
+We kindly ask you to include the following information in your report:
+- Apache Superset version that you are using
+- A sanitized copy of your `superset_config.py` file or any config overrides
+- Detailed steps to reproduce the vulnerability
+
+Note that Apache Superset is not responsible for any third-party dependencies that may
+have security issues. Any vulnerabilities found in third-party dependencies should be
+reported to the maintainers of those projects. Results from security scans of Apache
+Superset dependencies found on its official Docker image can be remediated at release time
+by extending the image itself.
+
+**Your responsible disclosure and collaboration are invaluable.**
+
+## Extra Information
+
+ - [Apache Superset documentation](https://superset.apache.org/docs/security)
+ - [Common Vulnerabilities and Exposures by release](https://superset.apache.org/docs/security/cves)
+ - [How Security Vulnerabilities are Reported & Handled in Apache Superset (Blog)](https://preset.io/blog/how-security-vulnerabilities-are-reported-and-handled-in-apache-superset/)

.github/workflows/bashlib.sh

@@ -40,7 +40,8 @@ default-setup-command() {
 apt-get-install() {
  say "::group::apt-get install dependencies"
  sudo apt-get update && sudo apt-get install --yes \
- libsasl2-dev
+ libsasl2-dev \
+ libldap2-dev
  say "::endgroup::"
 }
 
@@ -159,11 +160,11 @@ cypress-run() {
 
  say "::group::Run Cypress for [$page]"
  if [[ -z $CYPRESS_KEY ]]; then
- $cypress --spec "cypress/integration/$page" --browser "$browser"
+ $cypress --spec "cypress/e2e/$page" --browser "$browser"
  else
  export CYPRESS_RECORD_KEY=$(echo $CYPRESS_KEY | base64 --decode)
  # additional flags for Cypress dashboard recording
- $cypress --spec "cypress/integration/$page" --browser "$browser" \
+ $cypress --spec "cypress/e2e/$page" --browser "$browser" \
  --record --group "$group" --tag "${GITHUB_REPOSITORY},${GITHUB_EVENT_NAME}" \
  --parallel --ci-build-id "${GITHUB_SHA:0:8}-${NONCE}"
  fi
@@ -232,7 +233,7 @@ cypress-run-applitools() {
  nohup flask run --no-debugger -p $port >"$flasklog" 2>&1 </dev/null &
  local flaskProcessId=$!
 
- $cypress --spec "cypress/integration/*/**/*.applitools.test.ts" --browser "$browser" --headless --config ignoreTestFiles="[]"
+ $cypress --spec "cypress/e2e/*/**/*.applitools.test.ts" --browser "$browser" --headless --config ignoreTestFiles="[]"
 
  codecov -c -F "cypress" || true
 

.github/workflows/cancel_duplicates.yml

@@ -10,11 +10,14 @@ jobs:
  cancel-duplicate-runs:
  name: Cancel duplicate workflow runs
  runs-on: ubuntu-20.04
+ permissions:
+ actions: write
+ contents: read
  steps:
  - name: Check number of queued tasks
  id: check_queued
  env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
  GITHUB_REPO: ${{ github.repository }}
  run: |
  get_count() {
@@ -28,12 +31,12 @@ jobs:
 
  - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
  if: steps.check_queued.outputs.count >= 20
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 
  - name: Cancel duplicate workflow runs
  if: steps.check_queued.outputs.count >= 20
  env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
  GITHUB_REPOSITORY: ${{ github.repository }}
  run: |
  pip install click requests typing_extensions python-dateutil

.github/workflows/check_db_migration_confict.yml

@@ -8,13 +8,16 @@ jobs:
  check_db_migration_conflict:
  name: Check DB migration conflict
  runs-on: ubuntu-20.04
+ permissions:
+ contents: read
+ pull-requests: write
  steps:
  - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
  - name: Check and notify
  uses: actions/github-script@v3
  with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ github.token }}
  script: |
  // API reference: https://octokit.github.io/rest.js
  const currentBranch = context.ref.replace('refs/heads/', '');

.github/workflows/chromatic-master.yml

@@ -1,5 +1,5 @@
 # .github/workflows/chromatic.yml
-# seee https://www.chromatic.com/docs/github-actions
+# see https://www.chromatic.com/docs/github-actions
 #
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements. See the NOTICE file distributed with
@@ -32,12 +32,29 @@ on:
 
 # List of jobs
 jobs:
+ config:
+ runs-on: "ubuntu-latest"
+ outputs:
+ has-secrets: ${{ steps.check.outputs.has-secrets }}
+ steps:
+ - name: "Check for secrets"
+ id: check
+ shell: bash
+ run: |
+ if [ -n "${{ (secrets.CHROMATIC_PROJECT_TOKEN != '') || '' }}" ]; then
+ echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+ fi
+
  chromatic-deployment:
+ needs: config
+ if: needs.config.outputs.has-secrets
  # Operating System
  runs-on: ubuntu-latest
  # Job steps
  steps:
- - uses: actions/checkout@v1
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0 # 👈 Required to retrieve git history
  - name: Install dependencies
  run: npm ci
  working-directory: superset-frontend

.github/workflows/codecov.sh

@@ -174,7 +174,7 @@ cat << EOF
 
  -c Move discovered coverage reports to the trash
  -z FILE Upload specified file directly to Codecov and bypass all report generation.
- This is inteded to be used only with a pre-formatted Codecov report and is not
+ This is intended to be used only with a pre-formatted Codecov report and is not
  expected to work under any other circumstances.
  -Z Exit with 1 if not successful. Default will Exit with 0
 
@@ -1152,7 +1152,7 @@ fi
 
 if [ "$ft_search" = "1" ];
 then
- # detect bower comoponents location
+ # detect bower components location
  bower_components="bower_components"
  bower_rc=$(cd "$git_root" && cat .bowerrc 2>/dev/null || echo "")
  if [ "$bower_rc" != "" ];

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,50 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master" ]
+ paths:
+ - 'superset/**'
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "master" ]
+ paths:
+ - 'superset/**'
+ schedule:
+ - cron: '0 4 * * *'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'python', 'javascript' ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,25 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v2
+ with:
+ fail-on-severity: high
+ # compatible/incompatible licenses addressed here: https://www.apache.org/legal/resolved.html
+ # find SPDX identifiers here: https://spdx.org/licenses/
+ deny-licenses: MS-LPL, BUSL-1.1, QPL-1.0, Sleepycat, SSPL-1.0, CPOL-1.02, AGPL-3.0, GPL-1.0+, BSD-4-Clause-UC, NPL-1.0, NPL-1.1, JSON