fix: only block synchronize events for unauthorized users

Previously the logic was backwards - it was blocking synchronize events
for AUTHORIZED maintainers and allowing them for unauthorized users.

Now:
- Authorized maintainers (write/admin) can push commits → automatic updates
- Unauthorized users pushing to PRs with showtime environments → blocked

This allows trusted maintainers like @mistercrunch to push changes and
get automatic showtime environment updates without manual re-triggering.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Maxime Beauchemin
2025-09-03 14:16:48 -07:00
parent f9d157017e
commit fe642274f6


@@ -62,43 +62,44 @@ jobs:
const authorized = ['write', 'admin'].includes(permission.permission);
if (!authorized) {
console.log(`🚨 Unauthorized user ${actor} - skipping all operations`);
console.log(`🚨 Unauthorized user ${actor} - checking if we need to block operations`);
// If this is a synchronize event with existing showtime environments, block it
if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
console.log(`🔒 Unauthorized synchronize event detected - checking if Showtime is active`);
// Check if PR has any circus tent labels (Showtime is in use)
const { data: issue } = await github.rest.issues.get({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number
});
const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));
if (hasCircusLabels) {
console.log(`🎪 Circus labels found - setting blocked label to prevent unauthorized auto-deployment`);
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: ['🎪 🔒 showtime-blocked']
});
console.log(`✅ Blocked label set - unauthorized user cannot auto-deploy changes`);
} else {
console.log(` No circus labels found - Showtime not in use, skipping block`);
}
}
core.setOutput('authorized', 'false');
return;
}
console.log(`✅ Authorized maintainer: ${actor}`);
console.log(`✅ Authorized maintainer: ${actor} - allowing all operations including synchronize`);
core.setOutput('authorized', 'true');
// If this is a synchronize event, check if Showtime is active and set blocked label
if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
console.log(`🔒 Synchronize event detected - checking if Showtime is active`);
// Check if PR has any circus tent labels (Showtime is in use)
const { data: issue } = await github.rest.issues.get({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number
});
const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));
if (hasCircusLabels) {
console.log(`🎪 Circus labels found - setting blocked label to prevent auto-deployment`);
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: ['🎪 🔒 showtime-blocked']
});
console.log(`✅ Blocked label set - Showtime will detect and skip operations`);
} else {
console.log(` No circus labels found - Showtime not in use, skipping block`);
}
}
- name: Install Superset Showtime
if: steps.auth.outputs.authorized == 'true'
run: |
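Review bot: The authorized path now lets a `synchronize` event through on the pusher's permission alone (`['write', 'admin'].includes(permission.permission)`), which establishes who triggered the event, not who wrote the commits now at the PR head. Under `pull_request_target`, a maintainer push or branch update on a contributor's PR would set `authorized` to `'true'` for a head that may still carry unreviewed commits from that contributor, and the `Install Superset Showtime` step and whatever follows it (outside this hunk) would then update the environment from that head. If that is the intended trust model, record it next to the `✅ Authorized maintainer` log line, e.g. `// Authorization is per event actor: a maintainer synchronize updates the environment from the whole PR head, including commits by other authors`; otherwise consider keeping the update blocked when `🎪 🔒 showtime-blocked` is already on the PR. How `actor` and `permission` are obtained is above the hunk, so this assumes `actor` is the user who triggered the event.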