mirror of
https://github.com/apache/superset.git
synced 2026-07-05 06:15:31 +00:00
Compare commits
25 Commits
chore/ci/s
...
showtime_g
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
fe642274f6 | ||
|
|
f9d157017e | ||
|
|
1bae0569ca | ||
|
|
7fbea466c9 | ||
|
|
2665c52c21 | ||
|
|
05bddd6bc3 | ||
|
|
1168475053 | ||
|
|
f9b4665525 | ||
|
|
0c9f60635c | ||
|
|
60c3b2971d | ||
|
|
6fe0655e72 | ||
|
|
d310dfdc79 | ||
|
|
e394f98687 | ||
|
|
180d5b70ce | ||
|
|
6ca977ddd5 | ||
|
|
e2a9e28313 | ||
|
|
390da591b1 | ||
|
|
acf7b61200 | ||
|
|
e19841fc46 | ||
|
|
71497054a8 | ||
|
|
9fd5815803 | ||
|
|
fefc2023a9 | ||
|
|
d521f61747 | ||
|
|
9f246ba559 | ||
|
|
91d0cc5805 |
10
.github/workflows/ephemeral-env-pr-close.yml
vendored
10
.github/workflows/ephemeral-env-pr-close.yml
vendored
@@ -1,4 +1,10 @@
|
|||||||
name: Cleanup ephemeral envs (PR close)
|
name: Cleanup ephemeral envs (PR close) [DEPRECATED]
|
||||||
|
|
||||||
|
# ⚠️ DEPRECATION NOTICE ⚠️
|
||||||
|
# This workflow is deprecated and will be removed in a future version.
|
||||||
|
# The new Superset Showtime workflow handles cleanup automatically.
|
||||||
|
# See .github/workflows/showtime.yml and showtime-cleanup.yml for replacements.
|
||||||
|
# Migration guide: https://github.com/mistercrunch/superset-showtime
|
||||||
|
|
||||||
on:
|
on:
|
||||||
pull_request_target:
|
pull_request_target:
|
||||||
@@ -71,5 +77,5 @@ jobs:
|
|||||||
issue_number: ${{ github.event.number }},
|
issue_number: ${{ github.event.number }},
|
||||||
owner: context.repo.owner,
|
owner: context.repo.owner,
|
||||||
repo: context.repo.repo,
|
repo: context.repo.repo,
|
||||||
body: 'Ephemeral environment shutdown and build artifacts deleted.'
|
body: '⚠️ **DEPRECATED WORKFLOW** - Ephemeral environment shutdown and build artifacts deleted. Please migrate to the new Superset Showtime system for future PRs.'
|
||||||
})
|
})
|
||||||
|
|||||||
17
.github/workflows/ephemeral-env.yml
vendored
17
.github/workflows/ephemeral-env.yml
vendored
@@ -1,4 +1,12 @@
|
|||||||
name: Ephemeral env workflow
|
name: Ephemeral env workflow [DEPRECATED]
|
||||||
|
|
||||||
|
# ⚠️ DEPRECATION NOTICE ⚠️
|
||||||
|
# This workflow is deprecated and will be removed in a future version.
|
||||||
|
# Please use the new Superset Showtime workflow instead:
|
||||||
|
# - Use label "🎪 trigger-start" instead of "testenv-up"
|
||||||
|
# - Showtime provides better reliability and easier management
|
||||||
|
# - See .github/workflows/showtime.yml for the replacement
|
||||||
|
# - Migration guide: https://github.com/mistercrunch/superset-showtime
|
||||||
|
|
||||||
# Example manual trigger:
|
# Example manual trigger:
|
||||||
# gh workflow run ephemeral-env.yml --ref fix_ephemerals --field label_name="testenv-up" --field issue_number=666
|
# gh workflow run ephemeral-env.yml --ref fix_ephemerals --field label_name="testenv-up" --field issue_number=666
|
||||||
@@ -126,8 +134,11 @@ jobs:
|
|||||||
throw new Error("Issue number is not available.");
|
throw new Error("Issue number is not available.");
|
||||||
}
|
}
|
||||||
|
|
||||||
const body = `@${user} Processing your ephemeral environment request [here](${workflowUrl}).` +
|
const body = `⚠️ **DEPRECATED WORKFLOW** ⚠️\n\n@${user} This workflow is deprecated! Please use the new **Superset Showtime** system instead:\n\n` +
|
||||||
` Action: **${action}**.` +
|
`- Replace "testenv-up" label with "🎪 trigger-start"\n` +
|
||||||
|
`- Better reliability and easier management\n` +
|
||||||
|
`- See https://github.com/mistercrunch/superset-showtime for details\n\n` +
|
||||||
|
`Processing your ephemeral environment request [here](${workflowUrl}). Action: **${action}**.` +
|
||||||
` More information on [how to use or configure ephemeral environments]` +
|
` More information on [how to use or configure ephemeral environments]` +
|
||||||
`(https://superset.apache.org/docs/contributing/howtos/#github-ephemeral-environments)`;
|
`(https://superset.apache.org/docs/contributing/howtos/#github-ephemeral-environments)`;
|
||||||
|
|
||||||
|
|||||||
50
.github/workflows/showtime-cleanup.yml
vendored
Normal file
50
.github/workflows/showtime-cleanup.yml
vendored
Normal file
@@ -0,0 +1,50 @@
|
|||||||
|
name: 🎪 Showtime Cleanup
|
||||||
|
|
||||||
|
# Scheduled cleanup of expired environments
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
- cron: '0 */6 * * *' # Every 6 hours
|
||||||
|
|
||||||
|
# Manual trigger for testing
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
max_age_hours:
|
||||||
|
description: 'Maximum age in hours before cleanup'
|
||||||
|
required: false
|
||||||
|
default: '48'
|
||||||
|
type: string
|
||||||
|
|
||||||
|
# Common environment variables
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||||
|
AWS_REGION: ${{ vars.AWS_REGION || 'us-west-2' }}
|
||||||
|
GITHUB_ORG: ${{ github.repository_owner }}
|
||||||
|
GITHUB_REPO: ${{ github.event.repository.name }}
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
cleanup-expired:
|
||||||
|
name: Clean up expired showtime environments
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
pull-requests: write
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Install Superset Showtime
|
||||||
|
run: pip install superset-showtime
|
||||||
|
|
||||||
|
- name: Cleanup expired environments
|
||||||
|
run: |
|
||||||
|
MAX_AGE="${{ github.event.inputs.max_age_hours || '48' }}"
|
||||||
|
|
||||||
|
# Validate max_age is numeric
|
||||||
|
if [[ ! "$MAX_AGE" =~ ^[0-9]+$ ]]; then
|
||||||
|
echo "❌ Invalid max_age_hours format: $MAX_AGE (must be numeric)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Cleaning up environments older than ${MAX_AGE}h"
|
||||||
|
python -m showtime cleanup --older-than "${MAX_AGE}h"
|
||||||
180
.github/workflows/showtime-trigger.yml
vendored
Normal file
180
.github/workflows/showtime-trigger.yml
vendored
Normal file
@@ -0,0 +1,180 @@
|
|||||||
|
name: 🎪 Superset Showtime
|
||||||
|
|
||||||
|
# Ultra-simple: just sync on any PR state change
|
||||||
|
on:
|
||||||
|
pull_request_target:
|
||||||
|
types: [labeled, unlabeled, synchronize, closed]
|
||||||
|
|
||||||
|
# Manual testing
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
pr_number:
|
||||||
|
description: 'PR number to sync'
|
||||||
|
required: true
|
||||||
|
type: number
|
||||||
|
sha:
|
||||||
|
description: 'Specific SHA to deploy (optional, defaults to latest)'
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
|
|
||||||
|
# Common environment variables for all jobs (non-sensitive only)
|
||||||
|
env:
|
||||||
|
AWS_REGION: us-west-2
|
||||||
|
GITHUB_ORG: ${{ github.repository_owner }}
|
||||||
|
GITHUB_REPO: ${{ github.event.repository.name }}
|
||||||
|
GITHUB_ACTOR: ${{ github.actor }}
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
sync:
|
||||||
|
name: 🎪 Sync PR to desired state
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
timeout-minutes: 90
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
pull-requests: write
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Security Check - Authorize Maintainers Only
|
||||||
|
id: auth
|
||||||
|
uses: actions/github-script@v7
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
with:
|
||||||
|
script: |
|
||||||
|
const actor = context.actor;
|
||||||
|
console.log(`🔍 Checking authorization for ${actor}`);
|
||||||
|
|
||||||
|
// Early exit for workflow_dispatch - assume authorized since it's manually triggered
|
||||||
|
if (context.eventName === 'workflow_dispatch') {
|
||||||
|
console.log(`✅ Workflow dispatch event - assuming authorized for ${actor}`);
|
||||||
|
core.setOutput('authorized', 'true');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
|
||||||
|
owner: context.repo.owner,
|
||||||
|
repo: context.repo.repo,
|
||||||
|
username: actor
|
||||||
|
});
|
||||||
|
|
||||||
|
console.log(`📊 Permission level for ${actor}: ${permission.permission}`);
|
||||||
|
const authorized = ['write', 'admin'].includes(permission.permission);
|
||||||
|
|
||||||
|
if (!authorized) {
|
||||||
|
console.log(`🚨 Unauthorized user ${actor} - checking if we need to block operations`);
|
||||||
|
|
||||||
|
// If this is a synchronize event with existing showtime environments, block it
|
||||||
|
if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
|
||||||
|
console.log(`🔒 Unauthorized synchronize event detected - checking if Showtime is active`);
|
||||||
|
|
||||||
|
// Check if PR has any circus tent labels (Showtime is in use)
|
||||||
|
const { data: issue } = await github.rest.issues.get({
|
||||||
|
owner: context.repo.owner,
|
||||||
|
repo: context.repo.repo,
|
||||||
|
issue_number: context.payload.pull_request.number
|
||||||
|
});
|
||||||
|
|
||||||
|
const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));
|
||||||
|
|
||||||
|
if (hasCircusLabels) {
|
||||||
|
console.log(`🎪 Circus labels found - setting blocked label to prevent unauthorized auto-deployment`);
|
||||||
|
|
||||||
|
await github.rest.issues.addLabels({
|
||||||
|
owner: context.repo.owner,
|
||||||
|
repo: context.repo.repo,
|
||||||
|
issue_number: context.payload.pull_request.number,
|
||||||
|
labels: ['🎪 🔒 showtime-blocked']
|
||||||
|
});
|
||||||
|
|
||||||
|
console.log(`✅ Blocked label set - unauthorized user cannot auto-deploy changes`);
|
||||||
|
} else {
|
||||||
|
console.log(`ℹ️ No circus labels found - Showtime not in use, skipping block`);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
core.setOutput('authorized', 'false');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
console.log(`✅ Authorized maintainer: ${actor} - allowing all operations including synchronize`);
|
||||||
|
core.setOutput('authorized', 'true');
|
||||||
|
|
||||||
|
- name: Install Superset Showtime
|
||||||
|
if: steps.auth.outputs.authorized == 'true'
|
||||||
|
run: |
|
||||||
|
echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${{ github.event.pull_request.number || github.event.inputs.pr_number }}"
|
||||||
|
pip install --upgrade superset-showtime
|
||||||
|
showtime version
|
||||||
|
|
||||||
|
- name: Check what actions are needed
|
||||||
|
if: steps.auth.outputs.authorized == 'true'
|
||||||
|
id: check
|
||||||
|
env:
|
||||||
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
run: |
|
||||||
|
# Bulletproof PR number extraction
|
||||||
|
if [[ -n "${{ github.event.pull_request.number }}" ]]; then
|
||||||
|
PR_NUM="${{ github.event.pull_request.number }}"
|
||||||
|
elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
|
||||||
|
PR_NUM="${{ github.event.inputs.pr_number }}"
|
||||||
|
else
|
||||||
|
echo "❌ No PR number found in event or inputs"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Using PR number: $PR_NUM"
|
||||||
|
|
||||||
|
# Run sync check-only with optional SHA override
|
||||||
|
if [[ -n "${{ github.event.inputs.sha }}" ]]; then
|
||||||
|
OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${{ github.event.inputs.sha }}")
|
||||||
|
else
|
||||||
|
OUTPUT=$(python -m showtime sync $PR_NUM --check-only)
|
||||||
|
fi
|
||||||
|
echo "$OUTPUT"
|
||||||
|
|
||||||
|
# Extract the outputs we need for conditional steps
|
||||||
|
BUILD=$(echo "$OUTPUT" | grep "build_needed=" | cut -d'=' -f2)
|
||||||
|
SYNC=$(echo "$OUTPUT" | grep "sync_needed=" | cut -d'=' -f2)
|
||||||
|
PR_NUM_OUT=$(echo "$OUTPUT" | grep "pr_number=" | cut -d'=' -f2)
|
||||||
|
TARGET_SHA=$(echo "$OUTPUT" | grep "target_sha=" | cut -d'=' -f2)
|
||||||
|
|
||||||
|
echo "build_needed=$BUILD" >> $GITHUB_OUTPUT
|
||||||
|
echo "sync_needed=$SYNC" >> $GITHUB_OUTPUT
|
||||||
|
echo "pr_number=$PR_NUM_OUT" >> $GITHUB_OUTPUT
|
||||||
|
echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
|
- name: Checkout PR code (only if build needed)
|
||||||
|
if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ steps.check.outputs.target_sha }}
|
||||||
|
persist-credentials: false
|
||||||
|
|
||||||
|
- name: Setup Docker Environment (only if build needed)
|
||||||
|
if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
|
||||||
|
uses: ./.github/actions/setup-docker
|
||||||
|
with:
|
||||||
|
dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
|
||||||
|
dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
build: "true"
|
||||||
|
install-docker-compose: "false"
|
||||||
|
|
||||||
|
- name: Execute sync (handles everything)
|
||||||
|
if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.sync_needed == 'true'
|
||||||
|
env:
|
||||||
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
||||||
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
|
||||||
|
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||||
|
run: |
|
||||||
|
PR_NUM="${{ steps.check.outputs.pr_number }}"
|
||||||
|
TARGET_SHA="${{ steps.check.outputs.target_sha }}"
|
||||||
|
if [[ -n "$TARGET_SHA" ]]; then
|
||||||
|
python -m showtime sync $PR_NUM --sha "$TARGET_SHA"
|
||||||
|
else
|
||||||
|
python -m showtime sync $PR_NUM
|
||||||
|
fi
|
||||||
Reference in New Issue
Block a user