superset-showtime 0.5.11__tar.gz → 0.5.18__tar.gz

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/.claude/settings.local.json

@@ -50,7 +50,8 @@
     "ask": [],
     "additionalDirectories": [
       "/private/tmp",
-      "/Users/max/code/superset"
+      "/Users/max/code/superset",
+      "/Users/max/.claudette/worktrees/showtime_gha/.github/workflows"
     ]
   }
 }

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/CLAUDE.md

@@ -84,6 +84,7 @@ The system uses GitHub labels as a distributed state machine:
 - `🎪 ⚡ showtime-trigger-start` - Create environment
 - `🎪 🛑 showtime-trigger-stop` - Destroy environment
 - `🎪 🧊 showtime-freeze` - Prevent auto-sync
+- `🎪 🔒 showtime-blocked` - Block ALL operations (maintenance mode)
 
 **State Labels (System Managed):**
 - `🎪 {sha} 🚦 {status}` - Environment status
@@ -177,7 +178,7 @@ Double triggers can create race conditions in two scenarios:
 ### Current Atomic Claim Mechanism
 
 The `PullRequest._atomic_claim()` method handles basic conflicts by:
-1. Checking if target SHA is already in progress states (`building`, `built`, `deploying`)  
+1. Checking if target SHA is already in progress states (`building`, `built`, `deploying`)
 2. Removing trigger labels atomically
 3. Setting building state immediately
 
@@ -198,7 +199,7 @@ def can_start_job(self, target_sha: str, action: str, use_cached: bool = True) -
     # Returns (can_start, reason)
 ```
 
-#### Phase 2: Recovery Path (5% of calls, ~500ms) 
+#### Phase 2: Recovery Path (5% of calls, ~500ms)
 ```python
 def double_check_and_cleanup_stale_locks(self, target_sha: str, stale_hours: int = 1, dry_run: bool = False) -> bool:
     """Expensive: refresh labels, detect stale locks (>1h), clean them up"""
@@ -211,11 +212,11 @@ def double_check_and_cleanup_stale_locks(self, target_sha: str, stale_hours: int
 def _atomic_claim(self, target_sha: str, action: str, dry_run: bool = False) -> bool:
     # 1. Fast check with cached labels
     can_start, reason = self.can_start_job(target_sha, action, use_cached=True)
-    
+
     if not can_start:
         # 2. Expensive double-check and cleanup
         can_start = self.double_check_and_cleanup_stale_locks(target_sha, stale_hours=1, dry_run=dry_run)
-    
+
     # 3. Continue with existing trigger removal + building setup
 ```
 

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superset-showtime
-Version: 0.5.11
+Version: 0.5.18
 Summary: 🎪 Apache Superset ephemeral environment management with circus tent emoji state tracking
 Project-URL: Homepage, https://github.com/apache/superset-showtime
 Project-URL: Documentation, https://superset-showtime.readthedocs.io/

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/__init__.py

@@ -4,7 +4,7 @@
 Circus tent emoji state tracking for Apache Superset ephemeral environments.
 """
 
-__version__ = "0.5.11"
+__version__ = "0.5.18"
 __author__ = "Maxime Beauchemin"
 __email__ = "maximebeauchemin@gmail.com"
 

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/core/emojis.py

@@ -13,6 +13,7 @@ EMOJI_MEANINGS = {
     "🚦": "status",  # Traffic light for environment status
     "🏗️": "building",  # Construction for building environments
     "🎯": "active",  # Target for currently active environment
+    "🔒": "blocked",  # Lock for blocking all operations
     # Metadata
     "📅": "created_at",  # Calendar for creation timestamp
     "🌐": "ip",  # Globe for IP address

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/core/git_validation.py

@@ -134,6 +134,9 @@ def _validate_sha_via_github_api(required_sha: str) -> Tuple[bool, Optional[str]
             # If status is 'ahead' or 'identical', required SHA is ancestor (good)
             # If status is 'behind', current is behind required (bad)
             if status in ["ahead", "identical"]:
+                print(
+                    f"✅ Validated that required SHA {required_sha[:7]} is included in current branch"
+                )
                 return True, None
             else:
                 return (

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/core/github.py

@@ -111,14 +111,6 @@ class GitHubInterface:
             if response.status_code not in (200, 204, 404):
                 response.raise_for_status()
 
-    def set_labels(self, pr_number: int, labels: List[str]) -> None:
-        """Replace all labels on a PR"""
-        url = f"{self.base_url}/repos/{self.org}/{self.repo}/issues/{pr_number}/labels"
-
-        with httpx.Client() as client:
-            response = client.put(url, headers=self.headers, json={"labels": labels})
-            response.raise_for_status()
-
     def get_latest_commit_sha(self, pr_number: int) -> str:
         """Get the latest commit SHA for a PR"""
         pr_data = self.get_pr_data(pr_number)

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/core/label_colors.py

@@ -31,6 +31,10 @@ LABEL_DEFINITIONS = {
         "color": "FFE4B5",  # Light orange
         "description": "Freeze PR - prevent auto-sync on new commits",
     },
+    "🎪 🔒 showtime-blocked": {
+        "color": "dc3545",  # Red - blocking/danger
+        "description": "Block all Showtime operations - maintenance mode",
+    },
 }
 
 # Status-specific label patterns (generated dynamically)

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/core/pull_request.py

@@ -60,7 +60,7 @@ class PullRequest:
 
     def __init__(self, pr_number: int, labels: List[str]):
         self.pr_number = pr_number
-        self.labels = labels
+        self.labels = set(labels)  # Convert to set for O(1) operations
         self._shows = self._parse_shows_from_labels()
 
     @property
@@ -90,20 +90,10 @@ class PullRequest:
 
     @property
     def building_show(self) -> Optional[Show]:
-        """The currently building show (from 🏗️ label)"""
-        building_sha = None
-        for label in self.labels:
-            if label.startswith("🎪 🏗️ "):
-                building_sha = label.split(" ")[2]
-                break
-
-        if not building_sha:
-            return None
-
+        """The currently building show (from building/deploying status)"""
         for show in self.shows:
-            if show.sha == building_sha:
+            if show.status in ["building", "deploying"]:
                 return show
-
         return None
 
     @property
@@ -151,9 +141,122 @@ class PullRequest:
 
     def refresh_labels(self) -> None:
         """Refresh labels from GitHub and reparse shows"""
-        self.labels = get_github().get_labels(self.pr_number)
+        self.labels = set(get_github().get_labels(self.pr_number))
         self._shows = self._parse_shows_from_labels()
 
+    def add_label(self, label: str) -> None:
+        """Add label with logging and optimistic state update"""
+        print(f"🏷️ Added: {label}")
+        get_github().add_label(self.pr_number, label)
+        self.labels.add(label)
+
+    def remove_label(self, label: str) -> None:
+        """Remove label with logging and optimistic state update"""
+        print(f"🗑️ Removed: {label}")
+        get_github().remove_label(self.pr_number, label)
+        self.labels.discard(label)  # Safe - won't raise if not present
+
+    def remove_sha_labels(self, sha: str) -> None:
+        """Remove all labels for a specific SHA"""
+        sha_short = sha[:7]
+        labels_to_remove = [
+            label for label in self.labels if label.startswith("🎪") and sha_short in label
+        ]
+        if labels_to_remove:
+            print(f"🗑️ Removing SHA {sha_short} labels: {labels_to_remove}")
+            for label in labels_to_remove:
+                self.remove_label(label)
+
+    def remove_showtime_labels(self) -> None:
+        """Remove ALL circus tent labels"""
+        circus_labels = [label for label in self.labels if label.startswith("🎪 ")]
+        if circus_labels:
+            print(f"🎪 Removing all showtime labels: {circus_labels}")
+            for label in circus_labels:
+                self.remove_label(label)
+
+    def set_show_status(self, show: Show, new_status: str) -> None:
+        """Atomically update show status with thorough label cleanup"""
+        show.status = new_status
+
+        # 1. Refresh labels to get current GitHub state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing status labels for this SHA (not just the "expected" one)
+        status_labels_to_remove = [
+            label for label in self.labels if label.startswith(f"🎪 {show.sha} 🚦 ")
+        ]
+
+        for label in status_labels_to_remove:
+            self.remove_label(label)
+
+        # 3. Add the new status label
+        new_status_label = f"🎪 {show.sha} 🚦 {new_status}"
+        self.add_label(new_status_label)
+
+    def set_active_show(self, show: Show) -> None:
+        """Atomically set this show as the active environment"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
+        # 1. Refresh to get current state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing active pointers (ensure only one)
+        active_emoji = MEANING_TO_EMOJI["active"]  # Gets 🎯
+        active_prefix = f"{CIRCUS_PREFIX} {active_emoji} "  # "🎪 🎯 "
+        active_pointers = [label for label in self.labels if label.startswith(active_prefix)]
+
+        for pointer in active_pointers:
+            self.remove_label(pointer)
+
+        # 3. Set this show as the new active one
+        active_pointer = f"{active_prefix}{show.sha}"  # "🎪 🎯 abc123f"
+        self.add_label(active_pointer)
+
+    def _check_authorization(self) -> bool:
+        """Check if current GitHub actor is authorized for operations"""
+        import os
+
+        import httpx
+
+        # Only check in GitHub Actions context
+        if os.getenv("GITHUB_ACTIONS") != "true":
+            return True
+
+        actor = os.getenv("GITHUB_ACTOR")
+        if not actor:
+            return True  # No actor info, allow operation
+
+        try:
+            # Use existing GitHubInterface for consistency
+            github = get_github()
+
+            # Check collaborator permissions
+            perm_url = f"{github.base_url}/repos/{github.org}/{github.repo}/collaborators/{actor}/permission"
+
+            with httpx.Client() as client:
+                response = client.get(perm_url, headers=github.headers)
+                if response.status_code == 404:
+                    return False  # Not a collaborator
+                response.raise_for_status()
+
+                data = response.json()
+                permission = data.get("permission", "none")
+
+                # Allow write and admin permissions only
+                authorized = permission in ["write", "admin"]
+
+                if not authorized:
+                    print(f"🚨 Unauthorized actor {actor} (permission: {permission})")
+                    # Set blocked label for security
+                    self.add_label("🎪 🔒 showtime-blocked")
+
+                return authorized
+
+        except Exception as e:
+            print(f"⚠️ Authorization check failed: {e}")
+            return True  # Fail open for non-security operations
+
     def analyze(self, target_sha: str, pr_state: str = "open") -> AnalysisResult:
         """Analyze what actions are needed (read-only, for --check-only)
 
@@ -177,7 +280,7 @@ class PullRequest:
         build_needed = action_needed in ["create_environment", "rolling_update", "auto_sync"]
 
         # Determine if sync execution is needed
-        sync_needed = action_needed != "no_action"
+        sync_needed = action_needed not in ["no_action", "blocked"]
 
         return AnalysisResult(
             action_needed=action_needed,
@@ -213,7 +316,15 @@ class PullRequest:
         # 1. Determine what action is needed
         action_needed = self._determine_action(target_sha)
 
-        # 2. Atomic claim for environment changes (PR-level lock)
+        # 2. Check for blocked state (fast bailout)
+        if action_needed == "blocked":
+            return SyncResult(
+                success=False,
+                action_taken="blocked",
+                error="🔒 Showtime operations are blocked for this PR. Remove '🎪 🔒 showtime-blocked' label to re-enable.",
+            )
+
+        # 3. Atomic claim for environment changes (PR-level lock)
         if action_needed in ["create_environment", "rolling_update", "auto_sync"]:
             print(f"🔒 Claiming environment for {action_needed}...")
             if not self._atomic_claim(target_sha, action_needed, dry_run_github):
@@ -235,20 +346,22 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building Docker image...")
                 show.build_docker(dry_run_docker)
-                show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(show, dry_run_github)
 
                 # Phase 2: AWS deployment
                 print("☁️ Deploying to AWS ECS...")
+                self.set_show_status(show, "deploying")
                 show.deploy_aws(dry_run_aws)
-                show.status = "running"
+                self.set_show_status(show, "running")
+                self.set_active_show(show)
                 print(f"✅ Deployment completed - environment running at {show.ip}:8080")
                 self._update_show_labels(show, dry_run_github)
-                
+
                 # Blue-green cleanup: stop all other environments for this PR
-                cleaned_count = self.stop_previous_environments(show.sha, dry_run_github, dry_run_aws)
-                
+                cleaned_count = self.stop_previous_environments(
+                    show.sha, dry_run_github, dry_run_aws
+                )
+
                 # Show AWS console URLs for monitoring
                 self._show_service_urls(show)
 
@@ -267,23 +380,25 @@ class PullRequest:
                 print(f"🔄 Rolling update: {old_show.sha} → {new_show.sha}")
                 self._post_rolling_start_comment(old_show, new_show, dry_run_github)
 
-                # Phase 1: Docker build  
+                # Phase 1: Docker build
                 print("🐳 Building updated Docker image...")
                 new_show.build_docker(dry_run_docker)
-                new_show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(new_show, dry_run_github)
 
                 # Phase 2: Blue-green deployment
                 print("☁️ Deploying updated environment...")
+                self.set_show_status(new_show, "deploying")
                 new_show.deploy_aws(dry_run_aws)
-                new_show.status = "running"
+                self.set_show_status(new_show, "running")
+                self.set_active_show(new_show)
                 print(f"✅ Rolling update completed - new environment at {new_show.ip}:8080")
                 self._update_show_labels(new_show, dry_run_github)
-                
+
                 # Blue-green cleanup: stop all other environments for this PR
-                cleaned_count = self.stop_previous_environments(new_show.sha, dry_run_github, dry_run_aws)
-                
+                cleaned_count = self.stop_previous_environments(
+                    new_show.sha, dry_run_github, dry_run_aws
+                )
+
                 # Show AWS console URLs for monitoring
                 self._show_service_urls(new_show)
 
@@ -298,7 +413,7 @@ class PullRequest:
                     self._post_cleanup_comment(self.current_show, dry_run_github)
                     # Remove all circus labels after successful stop
                     if not dry_run_github:
-                        get_github().remove_circus_labels(self.pr_number)
+                        self.remove_showtime_labels()
                         print("🏷️ GitHub labels cleaned up")
                     print("✅ Environment destroyed")
                 return SyncResult(success=True, action_taken="destroy_environment")
@@ -330,7 +445,7 @@ class PullRequest:
             self.current_show.stop(**kwargs)
             # Remove all circus labels after successful stop
             if not kwargs.get("dry_run_github", False):
-                get_github().remove_circus_labels(self.pr_number)
+                self.remove_showtime_labels()
             return SyncResult(success=True, action_taken="stopped")
         except Exception as e:
             return SyncResult(success=False, action_taken="stop_failed", error=str(e))
@@ -366,15 +481,15 @@ class PullRequest:
             for show in pr.shows:
                 # Determine show type based on pointer presence
                 show_type = "orphaned"  # Default
-                
+
                 # Check for active pointer
                 if any(label == f"🎪 🎯 {show.sha}" for label in pr.labels):
                     show_type = "active"
-                # Check for building pointer  
-                elif any(label == f"🎪 🏗️ {show.sha}" for label in pr.labels):
+                # Check for building pointer
+                elif show.status in ["building", "deploying"]:
                     show_type = "building"
                 # No pointer = orphaned
-                
+
                 environment_data = {
                     "pr_number": pr_number,
                     "status": "active",  # Keep for compatibility
@@ -397,12 +512,20 @@ class PullRequest:
         """Determine what sync action is needed based on target SHA state"""
         # CRITICAL: Get fresh labels before any decisions
         self.refresh_labels()
-        
+
+        # Check for blocked state first (fast bailout)
+        if "🎪 🔒 showtime-blocked" in self.labels:
+            return "blocked"
+
+        # Check authorization (security layer)
+        if not self._check_authorization():
+            return "blocked"
+
         target_sha_short = target_sha[:7]  # Ensure we're working with short SHA
-        
+
         # Get the specific show for the target SHA
         target_show = self.get_show_by_sha(target_sha_short)
-        
+
         # Check for explicit trigger labels
         trigger_labels = [label for label in self.labels if "showtime-trigger-" in label]
 
@@ -440,16 +563,16 @@ class PullRequest:
         """Atomically claim this PR for the current job based on target SHA state"""
         # CRITICAL: Get fresh labels before any decisions
         self.refresh_labels()
-        
+
         target_sha_short = target_sha[:7]
         target_show = self.get_show_by_sha(target_sha_short)
-        
-        # 1. Validate current state allows this action for target SHA  
+
+        # 1. Validate current state allows this action for target SHA
         if action in ["create_environment", "rolling_update", "auto_sync"]:
             if target_show and target_show.status in [
                 "building",
-                "built", 
-                "deploying", 
+                "built",
+                "deploying",
             ]:
                 return False  # Target SHA already in progress - ONLY conflict case returns
 
@@ -462,7 +585,7 @@ class PullRequest:
         if trigger_labels:
             print(f"🏷️ Removing trigger labels: {trigger_labels}")
             for trigger_label in trigger_labels:
-                get_github().remove_label(self.pr_number, trigger_label)
+                self.remove_label(trigger_label)
         else:
             print("🏷️ No trigger labels to remove")
 
@@ -470,17 +593,16 @@ class PullRequest:
         if action in ["create_environment", "rolling_update", "auto_sync"]:
             building_show = self._create_new_show(target_sha)
             building_show.status = "building"
-            
-            # Update labels to reflect building state
-            print(f"🏷️ Removing existing circus labels...")
-            get_github().remove_circus_labels(self.pr_number)
-            
+
+            # Update labels to reflect building state - only remove for this SHA
+            print(f"🏷️ Removing labels for SHA {target_sha[:7]}...")
+            self.remove_sha_labels(target_sha)
+
             new_labels = building_show.to_circus_labels()
             print(f"🏷️ Creating new labels: {new_labels}")
             for label in new_labels:
                 try:
-                    get_github().add_label(self.pr_number, label)
-                    print(f"  ✅ Added: {label}")
+                    self.add_label(label)
                 except Exception as e:
                     print(f"  ❌ Failed to add {label}: {e}")
                     raise
@@ -583,23 +705,21 @@ class PullRequest:
 
         # First, remove any existing status labels for this SHA to ensure clean transitions
         sha_status_labels = [
-            label for label in self.labels 
-            if label.startswith(f"🎪 {show.sha} 🚦 ")
+            label for label in self.labels if label.startswith(f"🎪 {show.sha} 🚦 ")
         ]
         for old_status_label in sha_status_labels:
-            get_github().remove_label(self.pr_number, old_status_label)
+            self.remove_label(old_status_label)
 
         # For running environments, ensure only ONE active pointer exists
         if show.status == "running":
             # Remove ALL existing active pointers (there should only be one)
             existing_active_pointers = [
-                label for label in self.labels 
-                if label.startswith("🎪 🎯 ")
+                label for label in self.labels if label.startswith("🎪 🎯 ")
             ]
             for old_pointer in existing_active_pointers:
                 print(f"🎯 Removing old active pointer: {old_pointer}")
-                get_github().remove_label(self.pr_number, old_pointer)
-            
+                self.remove_label(old_pointer)
+
             # CRITICAL: Refresh after removals before differential calculation
             if existing_active_pointers:
                 print("🔄 Refreshing labels after pointer cleanup...")
@@ -607,11 +727,12 @@ class PullRequest:
 
         # Now do normal differential updates - only for this SHA
         current_sha_labels = {
-            label for label in self.labels 
-            if label.startswith("🎪") and (
-                label.startswith(f"🎪 {show.sha} ") or  # SHA-first format: 🎪 abc123f 📅 ...
-                label.startswith(f"🎪 🎯 {show.sha}") or  # Pointer format: 🎪 🎯 abc123f
-                label.startswith(f"🎪 🏗️ {show.sha}")    # Building pointer: 🎪 🏗️ abc123f
+            label
+            for label in self.labels
+            if label.startswith("🎪")
+            and (
+                label.startswith(f"🎪 {show.sha} ")  # SHA-first format: 🎪 abc123f 📅 ...
+                or label.startswith(f"🎪 🎯 {show.sha}")  # Pointer format: 🎪 🎯 abc123f
             )
         }
         desired_labels = set(show.to_circus_labels())
@@ -622,12 +743,12 @@ class PullRequest:
         # Only add labels that don't exist
         labels_to_add = desired_labels - current_sha_labels
         for label in labels_to_add:
-            get_github().add_label(self.pr_number, label)
+            self.add_label(label)
 
         # Only remove labels that shouldn't exist (excluding status labels already handled)
         labels_to_remove = current_sha_labels - desired_labels
         for label in labels_to_remove:
-            get_github().remove_label(self.pr_number, label)
+            self.remove_label(label)
 
         # Final refresh to update cache with all changes
         self.refresh_labels()
@@ -635,54 +756,55 @@ class PullRequest:
     def _show_service_urls(self, show: Show) -> None:
         """Show AWS console URLs for monitoring deployment"""
         from .github_messages import get_aws_console_urls
-        
+
         urls = get_aws_console_urls(show.ecs_service_name)
-        print(f"\n🎪 Monitor deployment progress:")
+        print("\n🎪 Monitor deployment progress:")
         print(f"📝 Logs: {urls['logs']}")
         print(f"📊 Service: {urls['service']}")
         print("")
 
-    def stop_previous_environments(self, keep_sha: str, dry_run_github: bool = False, dry_run_aws: bool = False) -> int:
+    def stop_previous_environments(
+        self, keep_sha: str, dry_run_github: bool = False, dry_run_aws: bool = False
+    ) -> int:
         """Stop all environments except the specified SHA (blue-green cleanup)
-        
+
         Args:
             keep_sha: SHA of environment to keep running
-            dry_run_github: Skip GitHub label operations  
+            dry_run_github: Skip GitHub label operations
             dry_run_aws: Skip AWS operations
-            
+
         Returns:
             Number of environments stopped
         """
         # Note: Labels should be fresh from recent _update_show_labels() call
         stopped_count = 0
-        
+
         for show in self.shows:
             if show.sha != keep_sha:
                 print(f"🧹 Cleaning up old environment: {show.sha} ({show.status})")
                 try:
                     show.stop(dry_run_github=dry_run_github, dry_run_aws=dry_run_aws)
-                    
+
                     # Remove ONLY existing labels for this old environment (not theoretical ones)
                     if not dry_run_github:
                         existing_labels = [
-                            label for label in self.labels 
-                            if label.startswith(f"🎪 {show.sha} ") or 
-                               label == f"🎪 🎯 {show.sha}" or 
-                               label == f"🎪 🏗️ {show.sha}"
+                            label
+                            for label in self.labels
+                            if label.startswith(f"🎪 {show.sha} ") or label == f"🎪 🎯 {show.sha}"
                         ]
                         print(f"🏷️ Removing existing labels for {show.sha}: {existing_labels}")
                         for label in existing_labels:
                             try:
-                                get_github().remove_label(self.pr_number, label)
+                                self.remove_label(label)
                             except Exception as e:
                                 print(f"⚠️ Failed to remove label {label}: {e}")
-                    
+
                     stopped_count += 1
                     print(f"✅ Stopped environment {show.sha}")
-                    
+
                 except Exception as e:
                     print(f"❌ Failed to stop environment {show.sha}: {e}")
-                    
+
         if stopped_count > 0:
             print(f"🧹 Blue-green cleanup: stopped {stopped_count} old environments")
             # Refresh labels after cleanup
@@ -690,5 +812,5 @@ class PullRequest:
                 self.refresh_labels()
         else:
             print("ℹ️ No old environments to clean up")
-            
+
         return stopped_count

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/core/show.py

@@ -96,21 +96,24 @@ class Show:
 
     def to_circus_labels(self) -> List[str]:
         """Convert show state to circus tent emoji labels (per-SHA format)"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
         if not self.created_at:
             self.created_at = datetime.utcnow().strftime("%Y-%m-%dT%H-%M")
 
         labels = [
-            f"🎪 {self.sha} 🚦 {self.status}",  # SHA-first status
-            f"🎪 🎯 {self.sha}",  # Active pointer (no value)
-            f"🎪 {self.sha} 📅 {self.created_at}",  # SHA-first timestamp
-            f"🎪 {self.sha} ⌛ {self.ttl}",  # SHA-first TTL
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['status']} {self.status}",  # SHA-first status
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['created_at']} {self.created_at}",  # SHA-first timestamp
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['ttl']} {self.ttl}",  # SHA-first TTL
         ]
 
         if self.ip:
-            labels.append(f"🎪 {self.sha} 🌐 {self.ip}:8080")
+            labels.append(f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['ip']} {self.ip}:8080")
 
         if self.requested_by:
-            labels.append(f"🎪 {self.sha} 🤡 {self.requested_by}")
+            labels.append(
+                f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['requested_by']} {self.requested_by}"
+            )
 
         return labels
 
@@ -158,7 +161,6 @@ class Show:
     def _build_docker_image(self) -> None:
         """Build Docker image for this environment"""
         import os
-        import platform
         import subprocess
 
         tag = f"apache/superset:pr-{self.pr_number}-{self.sha}-ci"
@@ -187,19 +189,23 @@ class Show:
         # Add caching based on environment
         if is_ci:
             # Full registry caching in CI (Docker driver supports it)
-            cmd.extend([
-                "--cache-from",
-                "type=registry,ref=apache/superset-cache:showtime",
-                "--cache-to",
-                "type=registry,mode=max,ref=apache/superset-cache:showtime",
-            ])
+            cmd.extend(
+                [
+                    "--cache-from",
+                    "type=registry,ref=apache/superset-cache:showtime",
+                    "--cache-to",
+                    "type=registry,mode=max,ref=apache/superset-cache:showtime",
+                ]
+            )
             print("🐳 CI environment: Using full registry caching")
         else:
             # Local build: cache-from only (no cache export)
-            cmd.extend([
-                "--cache-from",
-                "type=registry,ref=apache/superset-cache:showtime",
-            ])
+            cmd.extend(
+                [
+                    "--cache-from",
+                    "type=registry,ref=apache/superset-cache:showtime",
+                ]
+            )
             print("🐳 Local environment: Using cache-from only (no export)")
 
         # Add --load only when explicitly requested for local testing

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/showtime/data/ecs-task-definition.json

@@ -34,7 +34,7 @@
                 },
                 {
                     "name": "SUPERSET__SQLALCHEMY_EXAMPLES_URI",
-                    "value": "duckdb:////app/data/examples.duckdb"
+                    "value": "duckdb:////app/data/examples.duckdb?access_mode=read_only"
                 },
                 {
                     "name": "SUPERSET_LOG_LEVEL",

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/tests/unit/test_pull_request.py

@@ -2,6 +2,7 @@
 Tests for PullRequest class - PR-level orchestration
 """
 
+import os
 from unittest.mock import Mock, patch
 
 from showtime.core.pull_request import AnalysisResult, PullRequest, SyncResult
@@ -15,7 +16,7 @@ def test_pullrequest_creation():
     pr = PullRequest(1234, labels)
 
     assert pr.pr_number == 1234
-    assert pr.labels == labels
+    assert pr.labels == set(labels)
     assert len(pr.shows) == 1
     assert pr.current_show is not None
     assert pr.current_show.sha == "abc123f"
@@ -127,7 +128,7 @@ def test_pullrequest_determine_action():
     # No triggers, but different SHA - create new environment (SHA-specific)
     pr_auto = PullRequest(1234, ["🎪 abc123f 🚦 running", "🎪 🎯 abc123f"])
     assert pr_auto._determine_action("def456a") == "create_environment"
-    
+
     # Failed environment, no triggers - create new (retry logic)
     pr_failed = PullRequest(1234, ["🎪 abc123f 🚦 failed", "🎪 🎯 abc123f"])
     assert pr_failed._determine_action("abc123f") == "create_environment"
@@ -452,11 +453,7 @@ def test_pullrequest_sync_same_sha_no_action(mock_get_github):
     mock_get_github.return_value = mock_github
 
     # PR with existing healthy environment, same SHA, no triggers
-    pr = PullRequest(1234, [
-        "🎪 abc123f 🚦 running",
-        "🎪 🎯 abc123f",
-        "bug", "enhancement"
-    ])
+    pr = PullRequest(1234, ["🎪 abc123f 🚦 running", "🎪 🎯 abc123f", "bug", "enhancement"])
 
     result = pr.sync("abc123f")  # Same SHA as current
 
@@ -631,20 +628,23 @@ def test_pullrequest_update_show_labels(mock_get_github):
         mock_github.remove_label.assert_called()
 
 
-@patch('showtime.core.pull_request.get_github')
+@patch("showtime.core.pull_request.get_github")
 def test_pullrequest_update_show_labels_status_replacement(mock_get_github):
     """Test that status updates properly remove old status labels"""
     mock_github = Mock()
     mock_get_github.return_value = mock_github
-    
+
     # PR with multiple status labels (the bug scenario)
-    pr = PullRequest(1234, [
-        "🎪 abc123f 🚦 building",   # Old status
-        "🎪 abc123f 🚦 failed",    # Another old status  
-        "🎪 🎯 abc123f",           # Pointer
-        "🎪 abc123f 📅 2024-01-15T14-30",
-    ])
-    
+    pr = PullRequest(
+        1234,
+        [
+            "🎪 abc123f 🚦 building",  # Old status
+            "🎪 abc123f 🚦 failed",  # Another old status
+            "🎪 🎯 abc123f",  # Pointer
+            "🎪 abc123f 📅 2024-01-15T14-30",
+        ],
+    )
+
     # Show transitioning to running
     show = Show(
         pr_number=1234,
@@ -652,15 +652,291 @@ def test_pullrequest_update_show_labels_status_replacement(mock_get_github):
         status="running",  # New status
         created_at="2024-01-15T14-30",
     )
-    
-    with patch.object(pr, 'refresh_labels'):
+
+    with patch.object(pr, "refresh_labels"):
         pr._update_show_labels(show, dry_run=False)
-        
+
         # Should remove BOTH old status labels
         remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
         assert "🎪 abc123f 🚦 building" in remove_calls
         assert "🎪 abc123f 🚦 failed" in remove_calls
-        
+
         # Should add new status label
         add_calls = [call.args[1] for call in mock_github.add_label.call_args_list]
         assert "🎪 abc123f 🚦 running" in add_calls
+
+
+# Test new centralized label management methods
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_add_label_with_logging(mock_get_github):
+    """Test PullRequest.add_label() with logging and state update"""
+    mock_github = Mock()
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, ["existing-label"])
+
+    # Test adding new label
+    pr.add_label("new-label")
+
+    # Should call GitHub API
+    mock_github.add_label.assert_called_once_with(1234, "new-label")
+
+    # Should update local state
+    assert "new-label" in pr.labels
+    assert "existing-label" in pr.labels
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_remove_label_with_logging(mock_get_github):
+    """Test PullRequest.remove_label() with logging and state update"""
+    mock_github = Mock()
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, ["label1", "label2"])
+
+    # Test removing existing label
+    pr.remove_label("label1")
+
+    # Should call GitHub API
+    mock_github.remove_label.assert_called_once_with(1234, "label1")
+
+    # Should update local state
+    assert "label1" not in pr.labels
+    assert "label2" in pr.labels
+
+    # Test removing non-existent label (should be safe)
+    pr.remove_label("nonexistent")
+    assert len(mock_github.remove_label.call_args_list) == 2
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_remove_sha_labels(mock_get_github):
+    """Test PullRequest.remove_sha_labels() for SHA-specific cleanup"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 abc123f 🚦 building",
+        "🎪 abc123f 📅 2025-08-26",
+        "🎪 def456a 🚦 running",  # Different SHA
+        "🎪 🎯 def456a",  # Different SHA
+        "regular-label",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    # Test removing labels for specific SHA
+    pr.remove_sha_labels("abc123f789")  # Full SHA
+
+    # Should call GitHub API for abc123f labels only
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 abc123f 🚦 building" in remove_calls
+    assert "🎪 abc123f 📅 2025-08-26" in remove_calls
+    assert "🎪 def456a 🚦 running" not in remove_calls
+    assert "🎪 🎯 def456a" not in remove_calls
+    assert "regular-label" not in remove_calls
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_remove_showtime_labels(mock_get_github):
+    """Test PullRequest.remove_showtime_labels() for complete cleanup"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 abc123f 🚦 running",
+        "🎪 🎯 abc123f",
+        "🎪 def456a 🚦 building",
+        "regular-label",
+        "bug",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    # Test removing all showtime labels
+    pr.remove_showtime_labels()
+
+    # Should call GitHub API for all circus labels
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 abc123f 🚦 running" in remove_calls
+    assert "🎪 🎯 abc123f" in remove_calls
+    assert "🎪 def456a 🚦 building" in remove_calls
+    assert "regular-label" not in remove_calls
+    assert "bug" not in remove_calls
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_set_show_status(mock_get_github):
+    """Test PullRequest.set_show_status() atomic status transitions"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 abc123f 🚦 building",
+        "🎪 abc123f 🚦 failed",  # Duplicate/stale status
+        "🎪 abc123f 📅 2025-08-26",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+    show = Show(pr_number=1234, sha="abc123f", status="building")
+
+    # Test status transition with cleanup
+    pr.set_show_status(show, "deploying")
+
+    # Should remove all existing status labels
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 abc123f 🚦 building" in remove_calls
+    assert "🎪 abc123f 🚦 failed" in remove_calls
+
+    # Should add new status label
+    add_calls = [call.args[1] for call in mock_github.add_label.call_args_list]
+    assert "🎪 abc123f 🚦 deploying" in add_calls
+
+    # Should update show status
+    assert show.status == "deploying"
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_set_active_show(mock_get_github):
+    """Test PullRequest.set_active_show() atomic active pointer management"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 🎯 old123f",  # Old active pointer
+        "🎪 🎯 other456",  # Another old pointer
+        "🎪 abc123f 🚦 running",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+    show = Show(pr_number=1234, sha="abc123f", status="running")
+
+    # Test setting active show
+    pr.set_active_show(show)
+
+    # Should remove all existing active pointers
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 🎯 old123f" in remove_calls
+    assert "🎪 🎯 other456" in remove_calls
+
+    # Should add new active pointer
+    add_calls = [call.args[1] for call in mock_github.add_label.call_args_list]
+    assert "🎪 🎯 abc123f" in add_calls
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_blocked_state(mock_get_github):
+    """Test that blocked state prevents all operations"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 🔒 showtime-blocked",
+        "🎪 abc123f 🚦 running",  # Existing environment
+        "🎪 ⚡ showtime-trigger-start",  # Trigger should be ignored
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    # Test sync with blocked state
+    result = pr.sync("def456a")
+
+    # Should fail with blocked error
+    assert result.success is False
+    assert result.action_taken == "blocked"
+    assert "🔒 Showtime operations are blocked" in result.error
+    assert "showtime-blocked" in result.error
+
+    # Should not perform any operations
+    assert not mock_github.add_label.called
+    assert not mock_github.remove_label.called
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_determine_action_blocked(mock_get_github):
+    """Test _determine_action returns 'blocked' when blocked label present"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = ["🎪 🔒 showtime-blocked", "🎪 ⚡ showtime-trigger-start"]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    action = pr._determine_action("abc123f")
+
+    assert action == "blocked"
+
+
+@patch.dict(os.environ, {"GITHUB_ACTIONS": "true", "GITHUB_ACTOR": "external-user"})
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_authorization_check_unauthorized(mock_get_github):
+    """Test authorization check blocks unauthorized users"""
+    mock_github = Mock()
+    mock_github.base_url = "https://api.github.com"
+    mock_github.org = "apache"
+    mock_github.repo = "superset"
+    mock_github.headers = {"Authorization": "Bearer token"}
+
+    # Mock unauthorized response
+    mock_response = Mock()
+    mock_response.status_code = 200
+    mock_response.json.return_value = {"permission": "read"}  # Not write/admin
+
+    with patch("httpx.Client") as mock_client_class:
+        mock_client = Mock()
+        mock_client.get.return_value = mock_response
+        mock_client.__enter__.return_value = mock_client
+        mock_client.__exit__.return_value = None
+        mock_client_class.return_value = mock_client
+
+        mock_get_github.return_value = mock_github
+
+        pr = PullRequest(1234, [])
+
+        # Test unauthorized actor
+        authorized = pr._check_authorization()
+
+        assert authorized is False
+        # Should have added blocked label
+        mock_github.add_label.assert_called_once_with(1234, "🎪 🔒 showtime-blocked")
+
+
+@patch.dict(os.environ, {"GITHUB_ACTIONS": "true", "GITHUB_ACTOR": "maintainer-user"})
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_authorization_check_authorized(mock_get_github):
+    """Test authorization check allows authorized users"""
+    mock_github = Mock()
+    mock_github.base_url = "https://api.github.com"
+    mock_github.org = "apache"
+    mock_github.repo = "superset"
+    mock_github.headers = {"Authorization": "Bearer token"}
+
+    # Mock authorized response
+    mock_response = Mock()
+    mock_response.status_code = 200
+    mock_response.json.return_value = {"permission": "write"}  # Authorized
+
+    with patch("httpx.Client") as mock_client_class:
+        mock_client = Mock()
+        mock_client.get.return_value = mock_response
+        mock_client.__enter__.return_value = mock_client
+        mock_client.__exit__.return_value = None
+        mock_client_class.return_value = mock_client
+
+        mock_get_github.return_value = mock_github
+
+        pr = PullRequest(1234, [])
+
+        # Test authorized actor
+        authorized = pr._check_authorization()
+
+        assert authorized is True
+        # Should not add blocked label
+        assert not mock_github.add_label.called
+
+
+@patch.dict(os.environ, {"GITHUB_ACTIONS": "false"})
+def test_pullrequest_authorization_check_local():
+    """Test authorization check skipped in non-GHA environment"""
+    pr = PullRequest(1234, [])
+
+    # Should always return True for local development
+    authorized = pr._check_authorization()
+
+    assert authorized is True

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/tests/unit/test_show.py

@@ -290,3 +290,36 @@ def test_show_to_circus_labels_auto_timestamp():
         # Should auto-generate timestamp
         assert show.created_at == "2024-01-15T14-30"
         assert any("📅 2024-01-15T14-30" in label for label in labels)
+
+
+def test_show_to_circus_labels_no_active_pointer():
+    """Test that to_circus_labels() does not include active pointer"""
+    show = Show(
+        pr_number=1234, sha="abc123f", status="running", ip="1.2.3.4", requested_by="testuser"
+    )
+
+    labels = show.to_circus_labels()
+
+    # Should include status, timestamp, TTL, IP, requester
+    assert any("🎪 abc123f 🚦 running" in label for label in labels)
+    assert any("🎪 abc123f 📅" in label for label in labels)
+    assert any("🎪 abc123f ⌛ 24h" in label for label in labels)
+    assert any("🎪 abc123f 🌐 1.2.3.4:8080" in label for label in labels)
+    assert any("🎪 abc123f 🤡 testuser" in label for label in labels)
+
+    # Should NOT include active pointer
+    assert not any("🎪 🎯" in label for label in labels)
+
+
+def test_show_to_circus_labels_building_status():
+    """Test to_circus_labels() for building status"""
+    show = Show(pr_number=1234, sha="def456a", status="building")
+
+    labels = show.to_circus_labels()
+
+    # Should include building status
+    assert any("🎪 def456a 🚦 building" in label for label in labels)
+
+    # Should NOT include active pointer or building pointer
+    assert not any("🎪 🎯" in label for label in labels)
+    assert not any("🎪 🏗️" in label for label in labels)

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/workflows-reference/showtime-cleanup.yml

@@ -13,7 +13,6 @@ on:
         required: false
         default: '48'
         type: string
-        pattern: '^[0-9]+$'
 
 # Common environment variables
 env:

{superset_showtime-0.5.11 → superset_showtime-0.5.18}/workflows-reference/showtime-trigger.yml

@@ -41,10 +41,76 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Security Check - Authorize Maintainers Only
+        id: auth
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = context.actor;
+            console.log(`🔍 Checking authorization for ${actor}`);
+
+            // Early exit for workflow_dispatch - assume authorized since it's manually triggered
+            if (context.eventName === 'workflow_dispatch') {
+              console.log(`✅ Workflow dispatch event - assuming authorized for ${actor}`);
+              core.setOutput('authorized', 'true');
+              return;
+            }
+
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: actor
+            });
+
+            console.log(`📊 Permission level for ${actor}: ${permission.permission}`);
+            const authorized = ['write', 'admin'].includes(permission.permission);
+
+            if (!authorized) {
+              console.log(`🚨 Unauthorized user ${actor} - skipping all operations`);
+              core.setOutput('authorized', 'false');
+              return;
+            }
+
+            console.log(`✅ Authorized maintainer: ${actor}`);
+            core.setOutput('authorized', 'true');
+
+            // If this is a synchronize event, check if Showtime is active and set blocked label
+            if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
+              console.log(`🔒 Synchronize event detected - checking if Showtime is active`);
+
+              // Check if PR has any circus tent labels (Showtime is in use)
+              const { data: issue } = await github.rest.issues.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number
+              });
+
+              const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));
+
+              if (hasCircusLabels) {
+                console.log(`🎪 Circus labels found - setting blocked label to prevent auto-deployment`);
+
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.payload.pull_request.number,
+                  labels: ['🎪 🔒 showtime-blocked']
+                });
+
+                console.log(`✅ Blocked label set - Showtime will detect and skip operations`);
+              } else {
+                console.log(`ℹ️ No circus labels found - Showtime not in use, skipping block`);
+              }
+            }
+
       - name: Install Superset Showtime
-        run: pip install superset-showtime
+        if: steps.auth.outputs.authorized == 'true'
+        run: |
+          pip install --upgrade superset-showtime
+          showtime version
 
       - name: Check what actions are needed
+        if: steps.auth.outputs.authorized == 'true'
         id: check
         run: |
           # Bulletproof PR number extraction
@@ -79,22 +145,23 @@ jobs:
           echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
 
       - name: Checkout PR code (only if build needed)
-        if: steps.check.outputs.build_needed == 'true'
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
         uses: actions/checkout@v4
         with:
           ref: ${{ steps.check.outputs.target_sha }}
           persist-credentials: false
 
       - name: Setup Docker Environment (only if build needed)
-        if: steps.check.outputs.build_needed == 'true'
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
         uses: ./.github/actions/setup-docker
         with:
           dockerhub-user: ${{ env.DOCKERHUB_USER }}
           dockerhub-token: ${{ env.DOCKERHUB_TOKEN }}
           build: "true"
+          install-docker-compose: "false"
 
       - name: Execute sync (handles everything)
-        if: steps.check.outputs.sync_needed == 'true'
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.sync_needed == 'true'
         run: |
           PR_NUM="${{ steps.check.outputs.pr_number }}"
           TARGET_SHA="${{ steps.check.outputs.target_sha }}"