feat: Add audit logging for maintainer deploy triggers

Implements @dpgaspar's suggestion from PR #34833 to add audit trail when maintainers trigger Showtime deployments. The workflow now logs which maintainer triggered the deploy and for which PR number. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-05-28 19:25:20 +00:00 · 2025-08-28 22:14:25 -07:00
parent 1bae0569ca
commit f9d157017e
1 changed files with 16 additions and 8 deletions
--- a/.github/workflows/showtime-trigger.yml
+++ b/.github/workflows/showtime-trigger.yml
@@ -17,17 +17,12 @@ on:
        required: false
        type: string

-# Common environment variables for all jobs
+# Common environment variables for all jobs (non-sensitive only)
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AWS_REGION: us-west-2
  GITHUB_ORG: ${{ github.repository_owner }}
  GITHUB_REPO: ${{ github.event.repository.name }}
  GITHUB_ACTOR: ${{ github.actor }}
-  DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
-  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

 jobs:
  sync:
@@ -43,6 +38,8 @@ jobs:
      - name: Security Check - Authorize Maintainers Only
        id: auth
        uses: actions/github-script@v7
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          script: |
            const actor = context.actor;
@@ -105,12 +102,17 @@ jobs:
      - name: Install Superset Showtime
        if: steps.auth.outputs.authorized == 'true'
        run: |
+          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${{ github.event.pull_request.number || github.event.inputs.pr_number }}"
          pip install --upgrade superset-showtime
          showtime version

      - name: Check what actions are needed
        if: steps.auth.outputs.authorized == 'true'
        id: check
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Bulletproof PR number extraction
          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
@@ -154,13 +156,19 @@ jobs:
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
        uses: ./.github/actions/setup-docker
        with:
-          dockerhub-user: ${{ env.DOCKERHUB_USER }}
-          dockerhub-token: ${{ env.DOCKERHUB_TOKEN }}
+          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
+          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
          build: "true"
          install-docker-compose: "false"

      - name: Execute sync (handles everything)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.sync_needed == 'true'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          PR_NUM="${{ steps.check.outputs.pr_number }}"
          TARGET_SHA="${{ steps.check.outputs.target_sha }}"