Previously the logic was backwards - it was blocking synchronize events
for AUTHORIZED maintainers and allowing them for unauthorized users.
Now:
- Authorized maintainers (write/admin) can push commits → automatic updates
- Unauthorized users pushing to PRs with showtime environments → blocked
This allows trusted maintainers like @mistercrunch to push changes and
get automatic showtime environment updates without manual re-triggering.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements @dpgaspar's suggestion from PR #34833 to add audit trail
when maintainers trigger Showtime deployments. The workflow now logs
which maintainer triggered the deploy and for which PR number.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
GitHub Actions workflow_dispatch inputs don't support the 'pattern'
property for input validation. Removed to fix workflow validation errors.
SHA validation will be handled by the showtime CLI instead.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add maintainer authorization check to prevent unauthorized workflow execution
- Validate SHA input format to prevent injection attacks
- Add 90-minute timeout protection against runaway jobs
- Implement automatic blocking for PR synchronize events when Showtime is active
- Add unlabeled trigger support for proper label removal handling
- Preserve local customizations (install-docker-compose: false, upgrade flag)
Security improvements protect against arbitrary code execution while maintaining
workflow_dispatch convenience for authorized maintainers.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
The push trigger was only needed for initial workflow registration.
Now that it exists, revert to schedule-only triggers.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove unsupported `pattern` property from workflow_dispatch inputs
- Add one-time push trigger to showtime-cleanup.yml for workflow registration
- Runtime validation still handled in bash steps
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Move checkout step before setup-docker to fix 'Can't find action.yml' error. Local actions require the repository to be checked out first.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace workflows with improved versions that properly handle showtime CLI output format and fix conditional step execution. Key fixes:
- Match sync_needed output from showtime CLI
- Use target_sha for proper SHA handling
- Remove invalid pattern properties
- Cleaner workflow structure
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Update output extraction to use 'sync_needed' and 'target_sha' to match what showtime CLI actually returns. This fixes the issue where sync steps were skipped despite sync_needed=true.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add install-docker-compose: false to setup-docker action since showtime workflows don't need Docker Compose. This saves 1-2 minutes by skipping unnecessary apt operations.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
For manual workflow_dispatch with PR number, fetch the latest SHA for that specific PR via GitHub API instead of using the current branch SHA. This ensures we build and deploy the actual PR code, not the workflow branch code.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
When no SHA is provided in workflow_dispatch and there's no PR context, fall back to github.sha (current commit). This fixes the 'No SHA available' error for manual triggers.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reorder steps to check what's needed first, then only set up Docker environment if build is actually required. This avoids expensive Docker setup when only label changes occur.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Use github.sha for push events since they don't have pull_request context. This fixes the 'No SHA available' error when the workflow runs on push.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add fetch-depth: 1 to speed up repository checkout when accessing local actions. Only the latest commit is needed for workflow execution.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
The workflow needs to checkout the repository before using local actions like setup-docker. This resolves the 'Can't find action.yml' error.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
GitHub Actions workflow_dispatch inputs don't support the pattern property. SHA validation is now handled in the workflow logic instead.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Skip push events in the workflow logic since they're only used for workflow registration. This prevents errors when the workflow runs on push but has no PR context.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
The pattern property is not supported in workflow_dispatch inputs, causing GitHub Actions validation to fail. Input validation is now handled in the workflow logic instead.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
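The runtime SHA check and the synchronize gate that these commit messages describe, sketched in POSIX shell. This is an added example, not code from the commits: the function names and sample values are hypothetical, the actor's permission level is assumed to have been looked up already, and the "ignore" outcome for events outside the described cases is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical names, constructed inputs): runtime checks for a
# manually dispatched deploy, since workflow_dispatch has no 'pattern' field.

# Accept only a full 40-character hex commit SHA. The value arrives as an
# argument (fed from an env var in the workflow step), so it is never spliced
# into the script text. The explicit character list avoids locale-dependent
# ranges, and the negated class also rejects embedded newlines.
validate_sha() {
  vs_sha=$1
  [ "${#vs_sha}" -eq 40 ] || return 1
  case $vs_sha in
    *[!0123456789abcdefABCDEF]*) return 1 ;;
  esac
  return 0
}

# write/admin are the authorized levels named in the commit messages.
is_authorized() {
  case $1 in
    write|admin) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 = PR event action, $2 = actor permission (assumed already looked up),
# $3 = "true" when the PR has an active showtime environment.
# Prints: update | blocked | ignore ("ignore" is this example's assumption)
decide_sync() {
  if [ "$1" != "synchronize" ] || [ "$3" != "true" ]; then
    echo ignore
  elif is_authorized "$2"; then
    echo update
  else
    echo blocked
  fi
}

# Constructed demo values.
for perm in admin write read none; do
  echo "synchronize by $perm -> $(decide_sync synchronize "$perm" true)"
done
```
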