superset-showtime 0.5.12__py3-none-any.whl → 0.5.18__py3-none-any.whl

showtime/__init__.py

@@ -4,7 +4,7 @@
 Circus tent emoji state tracking for Apache Superset ephemeral environments.
 """
 
-__version__ = "0.5.12"
+__version__ = "0.5.18"
 __author__ = "Maxime Beauchemin"
 __email__ = "maximebeauchemin@gmail.com"
 

showtime/core/emojis.py

@@ -13,6 +13,7 @@ EMOJI_MEANINGS = {
     "🚦": "status",  # Traffic light for environment status
     "🏗️": "building",  # Construction for building environments
     "🎯": "active",  # Target for currently active environment
+    "🔒": "blocked",  # Lock for blocking all operations
     # Metadata
     "📅": "created_at",  # Calendar for creation timestamp
     "🌐": "ip",  # Globe for IP address

showtime/core/label_colors.py

@@ -31,6 +31,10 @@ LABEL_DEFINITIONS = {
         "color": "FFE4B5",  # Light orange
         "description": "Freeze PR - prevent auto-sync on new commits",
     },
+    "🎪 🔒 showtime-blocked": {
+        "color": "dc3545",  # Red - blocking/danger
+        "description": "Block all Showtime operations - maintenance mode",
+    },
 }
 
 # Status-specific label patterns (generated dynamically)

showtime/core/pull_request.py

@@ -90,20 +90,10 @@ class PullRequest:
 
     @property
     def building_show(self) -> Optional[Show]:
-        """The currently building show (from 🏗️ label)"""
-        building_sha = None
-        for label in self.labels:
-            if label.startswith("🎪 🏗️ "):
-                building_sha = label.split(" ")[2]
-                break
-
-        if not building_sha:
-            return None
-
+        """The currently building show (from building/deploying status)"""
         for show in self.shows:
-            if show.sha == building_sha:
+            if show.status in ["building", "deploying"]:
                 return show
-
         return None
 
     @property
@@ -185,6 +175,88 @@ class PullRequest:
             for label in circus_labels:
                 self.remove_label(label)
 
+    def set_show_status(self, show: Show, new_status: str) -> None:
+        """Atomically update show status with thorough label cleanup"""
+        show.status = new_status
+
+        # 1. Refresh labels to get current GitHub state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing status labels for this SHA (not just the "expected" one)
+        status_labels_to_remove = [
+            label for label in self.labels if label.startswith(f"🎪 {show.sha} 🚦 ")
+        ]
+
+        for label in status_labels_to_remove:
+            self.remove_label(label)
+
+        # 3. Add the new status label
+        new_status_label = f"🎪 {show.sha} 🚦 {new_status}"
+        self.add_label(new_status_label)
+
+    def set_active_show(self, show: Show) -> None:
+        """Atomically set this show as the active environment"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
+        # 1. Refresh to get current state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing active pointers (ensure only one)
+        active_emoji = MEANING_TO_EMOJI["active"]  # Gets 🎯
+        active_prefix = f"{CIRCUS_PREFIX} {active_emoji} "  # "🎪 🎯 "
+        active_pointers = [label for label in self.labels if label.startswith(active_prefix)]
+
+        for pointer in active_pointers:
+            self.remove_label(pointer)
+
+        # 3. Set this show as the new active one
+        active_pointer = f"{active_prefix}{show.sha}"  # "🎪 🎯 abc123f"
+        self.add_label(active_pointer)
+
+    def _check_authorization(self) -> bool:
+        """Check if current GitHub actor is authorized for operations"""
+        import os
+
+        import httpx
+
+        # Only check in GitHub Actions context
+        if os.getenv("GITHUB_ACTIONS") != "true":
+            return True
+
+        actor = os.getenv("GITHUB_ACTOR")
+        if not actor:
+            return True  # No actor info, allow operation
+
+        try:
+            # Use existing GitHubInterface for consistency
+            github = get_github()
+
+            # Check collaborator permissions
+            perm_url = f"{github.base_url}/repos/{github.org}/{github.repo}/collaborators/{actor}/permission"
+
+            with httpx.Client() as client:
+                response = client.get(perm_url, headers=github.headers)
+                if response.status_code == 404:
+                    return False  # Not a collaborator
+                response.raise_for_status()
+
+                data = response.json()
+                permission = data.get("permission", "none")
+
+                # Allow write and admin permissions only
+                authorized = permission in ["write", "admin"]
+
+                if not authorized:
+                    print(f"🚨 Unauthorized actor {actor} (permission: {permission})")
+                    # Set blocked label for security
+                    self.add_label("🎪 🔒 showtime-blocked")
+
+                return authorized
+
+        except Exception as e:
+            print(f"⚠️ Authorization check failed: {e}")
+            return True  # Fail open for non-security operations
+
     def analyze(self, target_sha: str, pr_state: str = "open") -> AnalysisResult:
         """Analyze what actions are needed (read-only, for --check-only)
 
@@ -208,7 +280,7 @@ class PullRequest:
         build_needed = action_needed in ["create_environment", "rolling_update", "auto_sync"]
 
         # Determine if sync execution is needed
-        sync_needed = action_needed != "no_action"
+        sync_needed = action_needed not in ["no_action", "blocked"]
 
         return AnalysisResult(
             action_needed=action_needed,
@@ -244,7 +316,15 @@ class PullRequest:
         # 1. Determine what action is needed
         action_needed = self._determine_action(target_sha)
 
-        # 2. Atomic claim for environment changes (PR-level lock)
+        # 2. Check for blocked state (fast bailout)
+        if action_needed == "blocked":
+            return SyncResult(
+                success=False,
+                action_taken="blocked",
+                error="🔒 Showtime operations are blocked for this PR. Remove '🎪 🔒 showtime-blocked' label to re-enable.",
+            )
+
+        # 3. Atomic claim for environment changes (PR-level lock)
         if action_needed in ["create_environment", "rolling_update", "auto_sync"]:
             print(f"🔒 Claiming environment for {action_needed}...")
             if not self._atomic_claim(target_sha, action_needed, dry_run_github):
@@ -266,14 +346,14 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building Docker image...")
                 show.build_docker(dry_run_docker)
-                show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(show, dry_run_github)
 
                 # Phase 2: AWS deployment
                 print("☁️ Deploying to AWS ECS...")
+                self.set_show_status(show, "deploying")
                 show.deploy_aws(dry_run_aws)
-                show.status = "running"
+                self.set_show_status(show, "running")
+                self.set_active_show(show)
                 print(f"✅ Deployment completed - environment running at {show.ip}:8080")
                 self._update_show_labels(show, dry_run_github)
 
@@ -303,14 +383,14 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building updated Docker image...")
                 new_show.build_docker(dry_run_docker)
-                new_show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(new_show, dry_run_github)
 
                 # Phase 2: Blue-green deployment
                 print("☁️ Deploying updated environment...")
+                self.set_show_status(new_show, "deploying")
                 new_show.deploy_aws(dry_run_aws)
-                new_show.status = "running"
+                self.set_show_status(new_show, "running")
+                self.set_active_show(new_show)
                 print(f"✅ Rolling update completed - new environment at {new_show.ip}:8080")
                 self._update_show_labels(new_show, dry_run_github)
 
@@ -406,7 +486,7 @@ class PullRequest:
                 if any(label == f"🎪 🎯 {show.sha}" for label in pr.labels):
                     show_type = "active"
                 # Check for building pointer
-                elif any(label == f"🎪 🏗️ {show.sha}" for label in pr.labels):
+                elif show.status in ["building", "deploying"]:
                     show_type = "building"
                 # No pointer = orphaned
 
@@ -433,6 +513,14 @@ class PullRequest:
         # CRITICAL: Get fresh labels before any decisions
         self.refresh_labels()
 
+        # Check for blocked state first (fast bailout)
+        if "🎪 🔒 showtime-blocked" in self.labels:
+            return "blocked"
+
+        # Check authorization (security layer)
+        if not self._check_authorization():
+            return "blocked"
+
         target_sha_short = target_sha[:7]  # Ensure we're working with short SHA
 
         # Get the specific show for the target SHA
@@ -515,7 +603,6 @@ class PullRequest:
             for label in new_labels:
                 try:
                     self.add_label(label)
-                    print(f"  ✅ Added: {label}")
                 except Exception as e:
                     print(f"  ❌ Failed to add {label}: {e}")
                     raise
@@ -646,7 +733,6 @@ class PullRequest:
             and (
                 label.startswith(f"🎪 {show.sha} ")  # SHA-first format: 🎪 abc123f 📅 ...
                 or label.startswith(f"🎪 🎯 {show.sha}")  # Pointer format: 🎪 🎯 abc123f
-                or label.startswith(f"🎪 🏗️ {show.sha}")  # Building pointer: 🎪 🏗️ abc123f
             )
         }
         desired_labels = set(show.to_circus_labels())
@@ -704,9 +790,7 @@ class PullRequest:
                         existing_labels = [
                             label
                             for label in self.labels
-                            if label.startswith(f"🎪 {show.sha} ")
-                            or label == f"🎪 🎯 {show.sha}"
-                            or label == f"🎪 🏗️ {show.sha}"
+                            if label.startswith(f"🎪 {show.sha} ") or label == f"🎪 🎯 {show.sha}"
                         ]
                         print(f"🏷️ Removing existing labels for {show.sha}: {existing_labels}")
                         for label in existing_labels:

showtime/core/show.py

@@ -96,21 +96,24 @@ class Show:
 
     def to_circus_labels(self) -> List[str]:
         """Convert show state to circus tent emoji labels (per-SHA format)"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
         if not self.created_at:
             self.created_at = datetime.utcnow().strftime("%Y-%m-%dT%H-%M")
 
         labels = [
-            f"🎪 {self.sha} 🚦 {self.status}",  # SHA-first status
-            f"🎪 🎯 {self.sha}",  # Active pointer (no value)
-            f"🎪 {self.sha} 📅 {self.created_at}",  # SHA-first timestamp
-            f"🎪 {self.sha} ⌛ {self.ttl}",  # SHA-first TTL
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['status']} {self.status}",  # SHA-first status
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['created_at']} {self.created_at}",  # SHA-first timestamp
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['ttl']} {self.ttl}",  # SHA-first TTL
         ]
 
         if self.ip:
-            labels.append(f"🎪 {self.sha} 🌐 {self.ip}:8080")
+            labels.append(f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['ip']} {self.ip}:8080")
 
         if self.requested_by:
-            labels.append(f"🎪 {self.sha} 🤡 {self.requested_by}")
+            labels.append(
+                f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['requested_by']} {self.requested_by}"
+            )
 
         return labels
 
@@ -158,7 +161,6 @@ class Show:
     def _build_docker_image(self) -> None:
         """Build Docker image for this environment"""
         import os
-        import platform
         import subprocess
 
         tag = f"apache/superset:pr-{self.pr_number}-{self.sha}-ci"
@@ -187,19 +189,23 @@ class Show:
         # Add caching based on environment
         if is_ci:
             # Full registry caching in CI (Docker driver supports it)
-            cmd.extend([
-                "--cache-from",
-                "type=registry,ref=apache/superset-cache:showtime",
-                "--cache-to",
-                "type=registry,mode=max,ref=apache/superset-cache:showtime",
-            ])
+            cmd.extend(
+                [
+                    "--cache-from",
+                    "type=registry,ref=apache/superset-cache:showtime",
+                    "--cache-to",
+                    "type=registry,mode=max,ref=apache/superset-cache:showtime",
+                ]
+            )
             print("🐳 CI environment: Using full registry caching")
         else:
             # Local build: cache-from only (no cache export)
-            cmd.extend([
-                "--cache-from",
-                "type=registry,ref=apache/superset-cache:showtime",
-            ])
+            cmd.extend(
+                [
+                    "--cache-from",
+                    "type=registry,ref=apache/superset-cache:showtime",
+                ]
+            )
             print("🐳 Local environment: Using cache-from only (no export)")
 
         # Add --load only when explicitly requested for local testing

{superset_showtime-0.5.12.dist-info → superset_showtime-0.5.18.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superset-showtime
-Version: 0.5.12
+Version: 0.5.18
 Summary: 🎪 Apache Superset ephemeral environment management with circus tent emoji state tracking
 Project-URL: Homepage, https://github.com/apache/superset-showtime
 Project-URL: Documentation, https://superset-showtime.readthedocs.io/

{superset_showtime-0.5.12.dist-info → superset_showtime-0.5.18.dist-info}/RECORD

@@ -1,17 +1,17 @@
-showtime/__init__.py,sha256=Rdi2WLB7sEHeBvwFnKdebcbskh9xDjmvIwxcOs9VU_0,449
+showtime/__init__.py,sha256=apR60gqUgO9WuV06_c-B1cXzwzdQRcEaY-uYSPrrX0A,449
 showtime/__main__.py,sha256=EVaDaTX69yIhCzChg99vqvFSCN4ELstEt7Mpb9FMZX8,109
 showtime/cli.py,sha256=8vIJT5TiqXuHDGxRBg6jV3oNv5nKrmDOs5OgltycPeI,31664
 showtime/core/__init__.py,sha256=54hbdFNGrzuNMBdraezfjT8Zi6g221pKlJ9mREnKwCw,34
 showtime/core/aws.py,sha256=uTjJAvEBQMyTccS93WZeNPhfeKQhJgOQQ0BJdnQjvCU,35007
-showtime/core/emojis.py,sha256=MHEDuPIdfNiop4zbNLuviz3eY05QiftYSHHCVbkfKhw,2129
+showtime/core/emojis.py,sha256=arK0N5Q5FLkvOkci-lacb3WS56LTvY8NjYRqt_lhP9s,2188
 showtime/core/git_validation.py,sha256=3dmSGpMDplDAmKWHUyoUEPgt3__8oTuBZxbfuhocT00,6831
 showtime/core/github.py,sha256=gMPJ5TOT6DdZk4y0XqW-C69I7O8A4eI40TgT4IFPqhQ,9623
 showtime/core/github_messages.py,sha256=MfgwCukrEsWWesMsuL8saciDgP4nS-gijzu8DXr-Alg,7450
-showtime/core/label_colors.py,sha256=efhbFnz_3nqEnEqmgyF6_hZbxtCu_fmb68BIIUpSsnk,3895
-showtime/core/pull_request.py,sha256=L9d0gHJihc6GYDWWM3oK-sGNu-yysUopMGXnqwP6I_4,28748
-showtime/core/show.py,sha256=FpxDm52LASCJvf8UF998AtNiVzfdYIwNEsPAsOAAwL0,9701
+showtime/core/label_colors.py,sha256=gSe7EIMl4YjWkIgKHUvuaRSwgEB_B-NYQBxFFlF8Z3s,4065
+showtime/core/pull_request.py,sha256=r-4tCjEjsZOcTk4cjw57yyhNzq1sLPt4SYa1S7RcDlQ,31998
+showtime/core/show.py,sha256=sOgZvGXwdcNDsidF1F_XwPXlSeTb8-Zeqhqb8w1pqAM,9973
 showtime/data/ecs-task-definition.json,sha256=d-NLkIhvr4C6AnwDfDIwUTx-6KFMH9wRkt6pVCbqZY4,2365
-superset_showtime-0.5.12.dist-info/METADATA,sha256=orUqMEiS9J1OUBm2uH7o-7aHfIEKvp1CZ4e7z5gk70I,12053
-superset_showtime-0.5.12.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-superset_showtime-0.5.12.dist-info/entry_points.txt,sha256=rDW7oZ57mqyBUS4N_3_R7bZNGVHB-104jwmY-hHC_ck,85
-superset_showtime-0.5.12.dist-info/RECORD,,
+superset_showtime-0.5.18.dist-info/METADATA,sha256=aTfADzrQ7S-eVsJJDlOvIOaDeSJ4WHqdfW0MtKsqFpg,12053
+superset_showtime-0.5.18.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+superset_showtime-0.5.18.dist-info/entry_points.txt,sha256=rDW7oZ57mqyBUS4N_3_R7bZNGVHB-104jwmY-hHC_ck,85
+superset_showtime-0.5.18.dist-info/RECORD,,