From fe642274f6041cdfd4d12e0736883043665caf91 Mon Sep 17 00:00:00 2001 From: Maxime Beauchemin Date: Wed, 3 Sep 2025 14:16:48 -0700 Subject: [PATCH] fix: only block synchronize events for unauthorized users MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously the logic was backwards - it was blocking synchronize events for AUTHORIZED maintainers and allowing them for unauthorized users. Now: - Authorized maintainers (write/admin) can push commits → automatic updates - Unauthorized users pushing to PRs with showtime environments → blocked This allows trusted maintainers like @mistercrunch to push changes and get automatic showtime environment updates without manual re-triggering. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude
---
 .github/workflows/showtime-trigger.yml | 63 +++++++++++++------------- 1 file changed, 32 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/showtime-trigger.yml b/.github/workflows/showtime-trigger.yml
index bbea6c96b7b..ce2d3f9c9df 100644
--- a/.github/workflows/showtime-trigger.yml
+++ b/.github/workflows/showtime-trigger.yml
@@ -62,43 +62,44 @@ jobs: const authorized = ['write', 'admin'].includes(permission.permission); if (!authorized) { - console.log(`🚨 Unauthorized user ${actor} - skipping all operations`); + console.log(`🚨 Unauthorized user ${actor} - checking if we need to block operations`); + + // If this is a synchronize event with existing showtime environments, block it + if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') { + console.log(`🔒 Unauthorized synchronize event detected - checking if Showtime is active`); + + // Check if PR has any circus tent labels (Showtime is in use) + const { data: issue } = await github.rest.issues.get({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number + }); + + const hasCircusLabels = issue.labels.some(label => label.name.startsWith('đŸŽĒ ')); + + if (hasCircusLabels) { + console.log(`đŸŽĒ Circus labels found - setting blocked label to prevent unauthorized auto-deployment`); + + await github.rest.issues.addLabels({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + labels: ['đŸŽĒ 🔒 showtime-blocked'] + }); + + console.log(`✅ Blocked label set - unauthorized user cannot auto-deploy changes`); + } else { + console.log(`â„šī¸ No circus labels found - Showtime not in use, skipping block`); + } + } + core.setOutput('authorized', 'false'); return; } - console.log(`✅ Authorized maintainer: ${actor}`); + console.log(`✅ Authorized maintainer: ${actor} - allowing all operations including synchronize`); core.setOutput('authorized', 'true'); - // If this is a synchronize event, check if Showtime is active and set blocked label - if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') { - console.log(`🔒 Synchronize event detected - checking if Showtime is active`); - - // Check if PR has any circus tent labels (Showtime is in use) - const { data: issue } = 
await github.rest.issues.get({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number - }); - - const hasCircusLabels = issue.labels.some(label => label.name.startsWith('đŸŽĒ ')); - - if (hasCircusLabels) { - console.log(`đŸŽĒ Circus labels found - setting blocked label to prevent auto-deployment`); - - await github.rest.issues.addLabels({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number, - labels: ['đŸŽĒ 🔒 showtime-blocked'] - }); - - console.log(`✅ Blocked label set - Showtime will detect and skip operations`); - } else { - console.log(`â„šī¸ No circus labels found - Showtime not in use, skipping block`); - } - } - - name: Install Superset Showtime if: steps.auth.outputs.authorized == 'true' run: |
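Review bot: The authorized branch now lets every `synchronize` event from a write/admin actor continue with `authorized` set to `'true'`, but the check covers who triggered the event, not whose commits sit at the PR head. `actor` and the permission lookup are defined above this hunk, so this is inferred: if `actor` is the event actor, a maintainer pushing to (or updating the branch of) a PR opened from a fork would have that PR's contributor-authored code redeployed without the `showtime-blocked` label ever being set. Consider keeping the label path for cross-repository PRs, e.g. `const fromFork = context.payload.pull_request.head.repo?.full_name !== context.payload.repository.full_name;` and blocking when `fromFork` is true, or at minimum record the trust decision with a comment such as `// Trust is per-actor: a maintainer push re-deploys whatever is at the PR head, including contributor commits`. The enclosing github-script step starts before the hunk, so how the label is later cleared or honoured is not visible here.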