superset-showtime 0.5.12__tar.gz → 0.5.18__tar.gz

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/.claude/settings.local.json

@@ -50,7 +50,8 @@
     "ask": [],
     "additionalDirectories": [
       "/private/tmp",
-      "/Users/max/code/superset"
+      "/Users/max/code/superset",
+      "/Users/max/.claudette/worktrees/showtime_gha/.github/workflows"
     ]
   }
 }

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/CLAUDE.md

@@ -84,6 +84,7 @@ The system uses GitHub labels as a distributed state machine:
 - `🎪 ⚡ showtime-trigger-start` - Create environment
 - `🎪 🛑 showtime-trigger-stop` - Destroy environment
 - `🎪 🧊 showtime-freeze` - Prevent auto-sync
+- `🎪 🔒 showtime-blocked` - Block ALL operations (maintenance mode)
 
 **State Labels (System Managed):**
 - `🎪 {sha} 🚦 {status}` - Environment status

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superset-showtime
-Version: 0.5.12
+Version: 0.5.18
 Summary: 🎪 Apache Superset ephemeral environment management with circus tent emoji state tracking
 Project-URL: Homepage, https://github.com/apache/superset-showtime
 Project-URL: Documentation, https://superset-showtime.readthedocs.io/

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/showtime/__init__.py

@@ -4,7 +4,7 @@
 Circus tent emoji state tracking for Apache Superset ephemeral environments.
 """
 
-__version__ = "0.5.12"
+__version__ = "0.5.18"
 __author__ = "Maxime Beauchemin"
 __email__ = "maximebeauchemin@gmail.com"
 

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/showtime/core/emojis.py

@@ -13,6 +13,7 @@ EMOJI_MEANINGS = {
     "🚦": "status",  # Traffic light for environment status
     "🏗️": "building",  # Construction for building environments
     "🎯": "active",  # Target for currently active environment
+    "🔒": "blocked",  # Lock for blocking all operations
     # Metadata
     "📅": "created_at",  # Calendar for creation timestamp
     "🌐": "ip",  # Globe for IP address

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/showtime/core/label_colors.py

@@ -31,6 +31,10 @@ LABEL_DEFINITIONS = {
         "color": "FFE4B5",  # Light orange
         "description": "Freeze PR - prevent auto-sync on new commits",
     },
+    "🎪 🔒 showtime-blocked": {
+        "color": "dc3545",  # Red - blocking/danger
+        "description": "Block all Showtime operations - maintenance mode",
+    },
 }
 
 # Status-specific label patterns (generated dynamically)

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/showtime/core/pull_request.py

@@ -90,20 +90,10 @@ class PullRequest:
 
     @property
     def building_show(self) -> Optional[Show]:
-        """The currently building show (from 🏗️ label)"""
-        building_sha = None
-        for label in self.labels:
-            if label.startswith("🎪 🏗️ "):
-                building_sha = label.split(" ")[2]
-                break
-
-        if not building_sha:
-            return None
-
+        """The currently building show (from building/deploying status)"""
         for show in self.shows:
-            if show.sha == building_sha:
+            if show.status in ["building", "deploying"]:
                 return show
-
         return None
 
     @property
@@ -185,6 +175,88 @@ class PullRequest:
             for label in circus_labels:
                 self.remove_label(label)
 
+    def set_show_status(self, show: Show, new_status: str) -> None:
+        """Atomically update show status with thorough label cleanup"""
+        show.status = new_status
+
+        # 1. Refresh labels to get current GitHub state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing status labels for this SHA (not just the "expected" one)
+        status_labels_to_remove = [
+            label for label in self.labels if label.startswith(f"🎪 {show.sha} 🚦 ")
+        ]
+
+        for label in status_labels_to_remove:
+            self.remove_label(label)
+
+        # 3. Add the new status label
+        new_status_label = f"🎪 {show.sha} 🚦 {new_status}"
+        self.add_label(new_status_label)
+
+    def set_active_show(self, show: Show) -> None:
+        """Atomically set this show as the active environment"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
+        # 1. Refresh to get current state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing active pointers (ensure only one)
+        active_emoji = MEANING_TO_EMOJI["active"]  # Gets 🎯
+        active_prefix = f"{CIRCUS_PREFIX} {active_emoji} "  # "🎪 🎯 "
+        active_pointers = [label for label in self.labels if label.startswith(active_prefix)]
+
+        for pointer in active_pointers:
+            self.remove_label(pointer)
+
+        # 3. Set this show as the new active one
+        active_pointer = f"{active_prefix}{show.sha}"  # "🎪 🎯 abc123f"
+        self.add_label(active_pointer)
+
+    def _check_authorization(self) -> bool:
+        """Check if current GitHub actor is authorized for operations"""
+        import os
+
+        import httpx
+
+        # Only check in GitHub Actions context
+        if os.getenv("GITHUB_ACTIONS") != "true":
+            return True
+
+        actor = os.getenv("GITHUB_ACTOR")
+        if not actor:
+            return True  # No actor info, allow operation
+
+        try:
+            # Use existing GitHubInterface for consistency
+            github = get_github()
+
+            # Check collaborator permissions
+            perm_url = f"{github.base_url}/repos/{github.org}/{github.repo}/collaborators/{actor}/permission"
+
+            with httpx.Client() as client:
+                response = client.get(perm_url, headers=github.headers)
+                if response.status_code == 404:
+                    return False  # Not a collaborator
+                response.raise_for_status()
+
+                data = response.json()
+                permission = data.get("permission", "none")
+
+                # Allow write and admin permissions only
+                authorized = permission in ["write", "admin"]
+
+                if not authorized:
+                    print(f"🚨 Unauthorized actor {actor} (permission: {permission})")
+                    # Set blocked label for security
+                    self.add_label("🎪 🔒 showtime-blocked")
+
+                return authorized
+
+        except Exception as e:
+            print(f"⚠️ Authorization check failed: {e}")
+            return True  # Fail open for non-security operations
+
     def analyze(self, target_sha: str, pr_state: str = "open") -> AnalysisResult:
         """Analyze what actions are needed (read-only, for --check-only)
 
@@ -208,7 +280,7 @@ class PullRequest:
         build_needed = action_needed in ["create_environment", "rolling_update", "auto_sync"]
 
         # Determine if sync execution is needed
-        sync_needed = action_needed != "no_action"
+        sync_needed = action_needed not in ["no_action", "blocked"]
 
         return AnalysisResult(
             action_needed=action_needed,
@@ -244,7 +316,15 @@ class PullRequest:
         # 1. Determine what action is needed
         action_needed = self._determine_action(target_sha)
 
-        # 2. Atomic claim for environment changes (PR-level lock)
+        # 2. Check for blocked state (fast bailout)
+        if action_needed == "blocked":
+            return SyncResult(
+                success=False,
+                action_taken="blocked",
+                error="🔒 Showtime operations are blocked for this PR. Remove '🎪 🔒 showtime-blocked' label to re-enable.",
+            )
+
+        # 3. Atomic claim for environment changes (PR-level lock)
         if action_needed in ["create_environment", "rolling_update", "auto_sync"]:
             print(f"🔒 Claiming environment for {action_needed}...")
             if not self._atomic_claim(target_sha, action_needed, dry_run_github):
@@ -266,14 +346,14 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building Docker image...")
                 show.build_docker(dry_run_docker)
-                show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(show, dry_run_github)
 
                 # Phase 2: AWS deployment
                 print("☁️ Deploying to AWS ECS...")
+                self.set_show_status(show, "deploying")
                 show.deploy_aws(dry_run_aws)
-                show.status = "running"
+                self.set_show_status(show, "running")
+                self.set_active_show(show)
                 print(f"✅ Deployment completed - environment running at {show.ip}:8080")
                 self._update_show_labels(show, dry_run_github)
 
@@ -303,14 +383,14 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building updated Docker image...")
                 new_show.build_docker(dry_run_docker)
-                new_show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(new_show, dry_run_github)
 
                 # Phase 2: Blue-green deployment
                 print("☁️ Deploying updated environment...")
+                self.set_show_status(new_show, "deploying")
                 new_show.deploy_aws(dry_run_aws)
-                new_show.status = "running"
+                self.set_show_status(new_show, "running")
+                self.set_active_show(new_show)
                 print(f"✅ Rolling update completed - new environment at {new_show.ip}:8080")
                 self._update_show_labels(new_show, dry_run_github)
 
@@ -406,7 +486,7 @@ class PullRequest:
                 if any(label == f"🎪 🎯 {show.sha}" for label in pr.labels):
                     show_type = "active"
                 # Check for building pointer
-                elif any(label == f"🎪 🏗️ {show.sha}" for label in pr.labels):
+                elif show.status in ["building", "deploying"]:
                     show_type = "building"
                 # No pointer = orphaned
 
@@ -433,6 +513,14 @@ class PullRequest:
         # CRITICAL: Get fresh labels before any decisions
         self.refresh_labels()
 
+        # Check for blocked state first (fast bailout)
+        if "🎪 🔒 showtime-blocked" in self.labels:
+            return "blocked"
+
+        # Check authorization (security layer)
+        if not self._check_authorization():
+            return "blocked"
+
         target_sha_short = target_sha[:7]  # Ensure we're working with short SHA
 
         # Get the specific show for the target SHA
@@ -515,7 +603,6 @@ class PullRequest:
             for label in new_labels:
                 try:
                     self.add_label(label)
-                    print(f"  ✅ Added: {label}")
                 except Exception as e:
                     print(f"  ❌ Failed to add {label}: {e}")
                     raise
@@ -646,7 +733,6 @@ class PullRequest:
             and (
                 label.startswith(f"🎪 {show.sha} ")  # SHA-first format: 🎪 abc123f 📅 ...
                 or label.startswith(f"🎪 🎯 {show.sha}")  # Pointer format: 🎪 🎯 abc123f
-                or label.startswith(f"🎪 🏗️ {show.sha}")  # Building pointer: 🎪 🏗️ abc123f
             )
         }
         desired_labels = set(show.to_circus_labels())
@@ -704,9 +790,7 @@ class PullRequest:
                         existing_labels = [
                             label
                             for label in self.labels
-                            if label.startswith(f"🎪 {show.sha} ")
-                            or label == f"🎪 🎯 {show.sha}"
-                            or label == f"🎪 🏗️ {show.sha}"
+                            if label.startswith(f"🎪 {show.sha} ") or label == f"🎪 🎯 {show.sha}"
                         ]
                         print(f"🏷️ Removing existing labels for {show.sha}: {existing_labels}")
                         for label in existing_labels:

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/showtime/core/show.py

@@ -96,21 +96,24 @@ class Show:
 
     def to_circus_labels(self) -> List[str]:
         """Convert show state to circus tent emoji labels (per-SHA format)"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
         if not self.created_at:
             self.created_at = datetime.utcnow().strftime("%Y-%m-%dT%H-%M")
 
         labels = [
-            f"🎪 {self.sha} 🚦 {self.status}",  # SHA-first status
-            f"🎪 🎯 {self.sha}",  # Active pointer (no value)
-            f"🎪 {self.sha} 📅 {self.created_at}",  # SHA-first timestamp
-            f"🎪 {self.sha} ⌛ {self.ttl}",  # SHA-first TTL
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['status']} {self.status}",  # SHA-first status
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['created_at']} {self.created_at}",  # SHA-first timestamp
+            f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['ttl']} {self.ttl}",  # SHA-first TTL
         ]
 
         if self.ip:
-            labels.append(f"🎪 {self.sha} 🌐 {self.ip}:8080")
+            labels.append(f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['ip']} {self.ip}:8080")
 
         if self.requested_by:
-            labels.append(f"🎪 {self.sha} 🤡 {self.requested_by}")
+            labels.append(
+                f"{CIRCUS_PREFIX} {self.sha} {MEANING_TO_EMOJI['requested_by']} {self.requested_by}"
+            )
 
         return labels
 
@@ -158,7 +161,6 @@ class Show:
     def _build_docker_image(self) -> None:
         """Build Docker image for this environment"""
         import os
-        import platform
         import subprocess
 
         tag = f"apache/superset:pr-{self.pr_number}-{self.sha}-ci"
@@ -187,19 +189,23 @@ class Show:
         # Add caching based on environment
         if is_ci:
             # Full registry caching in CI (Docker driver supports it)
-            cmd.extend([
-                "--cache-from",
-                "type=registry,ref=apache/superset-cache:showtime",
-                "--cache-to",
-                "type=registry,mode=max,ref=apache/superset-cache:showtime",
-            ])
+            cmd.extend(
+                [
+                    "--cache-from",
+                    "type=registry,ref=apache/superset-cache:showtime",
+                    "--cache-to",
+                    "type=registry,mode=max,ref=apache/superset-cache:showtime",
+                ]
+            )
             print("🐳 CI environment: Using full registry caching")
         else:
             # Local build: cache-from only (no cache export)
-            cmd.extend([
-                "--cache-from",
-                "type=registry,ref=apache/superset-cache:showtime",
-            ])
+            cmd.extend(
+                [
+                    "--cache-from",
+                    "type=registry,ref=apache/superset-cache:showtime",
+                ]
+            )
             print("🐳 Local environment: Using cache-from only (no export)")
 
         # Add --load only when explicitly requested for local testing

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/tests/unit/test_pull_request.py

@@ -2,6 +2,7 @@
 Tests for PullRequest class - PR-level orchestration
 """
 
+import os
 from unittest.mock import Mock, patch
 
 from showtime.core.pull_request import AnalysisResult, PullRequest, SyncResult
@@ -15,7 +16,7 @@ def test_pullrequest_creation():
     pr = PullRequest(1234, labels)
 
     assert pr.pr_number == 1234
-    assert pr.labels == labels
+    assert pr.labels == set(labels)
     assert len(pr.shows) == 1
     assert pr.current_show is not None
     assert pr.current_show.sha == "abc123f"
@@ -127,7 +128,7 @@ def test_pullrequest_determine_action():
     # No triggers, but different SHA - create new environment (SHA-specific)
     pr_auto = PullRequest(1234, ["🎪 abc123f 🚦 running", "🎪 🎯 abc123f"])
     assert pr_auto._determine_action("def456a") == "create_environment"
-    
+
     # Failed environment, no triggers - create new (retry logic)
     pr_failed = PullRequest(1234, ["🎪 abc123f 🚦 failed", "🎪 🎯 abc123f"])
     assert pr_failed._determine_action("abc123f") == "create_environment"
@@ -452,11 +453,7 @@ def test_pullrequest_sync_same_sha_no_action(mock_get_github):
     mock_get_github.return_value = mock_github
 
     # PR with existing healthy environment, same SHA, no triggers
-    pr = PullRequest(1234, [
-        "🎪 abc123f 🚦 running",
-        "🎪 🎯 abc123f",
-        "bug", "enhancement"
-    ])
+    pr = PullRequest(1234, ["🎪 abc123f 🚦 running", "🎪 🎯 abc123f", "bug", "enhancement"])
 
     result = pr.sync("abc123f")  # Same SHA as current
 
@@ -631,20 +628,23 @@ def test_pullrequest_update_show_labels(mock_get_github):
         mock_github.remove_label.assert_called()
 
 
-@patch('showtime.core.pull_request.get_github')
+@patch("showtime.core.pull_request.get_github")
 def test_pullrequest_update_show_labels_status_replacement(mock_get_github):
     """Test that status updates properly remove old status labels"""
     mock_github = Mock()
     mock_get_github.return_value = mock_github
-    
+
     # PR with multiple status labels (the bug scenario)
-    pr = PullRequest(1234, [
-        "🎪 abc123f 🚦 building",   # Old status
-        "🎪 abc123f 🚦 failed",    # Another old status  
-        "🎪 🎯 abc123f",           # Pointer
-        "🎪 abc123f 📅 2024-01-15T14-30",
-    ])
-    
+    pr = PullRequest(
+        1234,
+        [
+            "🎪 abc123f 🚦 building",  # Old status
+            "🎪 abc123f 🚦 failed",  # Another old status
+            "🎪 🎯 abc123f",  # Pointer
+            "🎪 abc123f 📅 2024-01-15T14-30",
+        ],
+    )
+
     # Show transitioning to running
     show = Show(
         pr_number=1234,
@@ -652,15 +652,291 @@ def test_pullrequest_update_show_labels_status_replacement(mock_get_github):
         status="running",  # New status
         created_at="2024-01-15T14-30",
     )
-    
-    with patch.object(pr, 'refresh_labels'):
+
+    with patch.object(pr, "refresh_labels"):
         pr._update_show_labels(show, dry_run=False)
-        
+
         # Should remove BOTH old status labels
         remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
         assert "🎪 abc123f 🚦 building" in remove_calls
         assert "🎪 abc123f 🚦 failed" in remove_calls
-        
+
         # Should add new status label
         add_calls = [call.args[1] for call in mock_github.add_label.call_args_list]
         assert "🎪 abc123f 🚦 running" in add_calls
+
+
+# Test new centralized label management methods
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_add_label_with_logging(mock_get_github):
+    """Test PullRequest.add_label() with logging and state update"""
+    mock_github = Mock()
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, ["existing-label"])
+
+    # Test adding new label
+    pr.add_label("new-label")
+
+    # Should call GitHub API
+    mock_github.add_label.assert_called_once_with(1234, "new-label")
+
+    # Should update local state
+    assert "new-label" in pr.labels
+    assert "existing-label" in pr.labels
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_remove_label_with_logging(mock_get_github):
+    """Test PullRequest.remove_label() with logging and state update"""
+    mock_github = Mock()
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, ["label1", "label2"])
+
+    # Test removing existing label
+    pr.remove_label("label1")
+
+    # Should call GitHub API
+    mock_github.remove_label.assert_called_once_with(1234, "label1")
+
+    # Should update local state
+    assert "label1" not in pr.labels
+    assert "label2" in pr.labels
+
+    # Test removing non-existent label (should be safe)
+    pr.remove_label("nonexistent")
+    assert len(mock_github.remove_label.call_args_list) == 2
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_remove_sha_labels(mock_get_github):
+    """Test PullRequest.remove_sha_labels() for SHA-specific cleanup"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 abc123f 🚦 building",
+        "🎪 abc123f 📅 2025-08-26",
+        "🎪 def456a 🚦 running",  # Different SHA
+        "🎪 🎯 def456a",  # Different SHA
+        "regular-label",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    # Test removing labels for specific SHA
+    pr.remove_sha_labels("abc123f789")  # Full SHA
+
+    # Should call GitHub API for abc123f labels only
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 abc123f 🚦 building" in remove_calls
+    assert "🎪 abc123f 📅 2025-08-26" in remove_calls
+    assert "🎪 def456a 🚦 running" not in remove_calls
+    assert "🎪 🎯 def456a" not in remove_calls
+    assert "regular-label" not in remove_calls
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_remove_showtime_labels(mock_get_github):
+    """Test PullRequest.remove_showtime_labels() for complete cleanup"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 abc123f 🚦 running",
+        "🎪 🎯 abc123f",
+        "🎪 def456a 🚦 building",
+        "regular-label",
+        "bug",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    # Test removing all showtime labels
+    pr.remove_showtime_labels()
+
+    # Should call GitHub API for all circus labels
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 abc123f 🚦 running" in remove_calls
+    assert "🎪 🎯 abc123f" in remove_calls
+    assert "🎪 def456a 🚦 building" in remove_calls
+    assert "regular-label" not in remove_calls
+    assert "bug" not in remove_calls
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_set_show_status(mock_get_github):
+    """Test PullRequest.set_show_status() atomic status transitions"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 abc123f 🚦 building",
+        "🎪 abc123f 🚦 failed",  # Duplicate/stale status
+        "🎪 abc123f 📅 2025-08-26",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+    show = Show(pr_number=1234, sha="abc123f", status="building")
+
+    # Test status transition with cleanup
+    pr.set_show_status(show, "deploying")
+
+    # Should remove all existing status labels
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 abc123f 🚦 building" in remove_calls
+    assert "🎪 abc123f 🚦 failed" in remove_calls
+
+    # Should add new status label
+    add_calls = [call.args[1] for call in mock_github.add_label.call_args_list]
+    assert "🎪 abc123f 🚦 deploying" in add_calls
+
+    # Should update show status
+    assert show.status == "deploying"
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_set_active_show(mock_get_github):
+    """Test PullRequest.set_active_show() atomic active pointer management"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 🎯 old123f",  # Old active pointer
+        "🎪 🎯 other456",  # Another old pointer
+        "🎪 abc123f 🚦 running",
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+    show = Show(pr_number=1234, sha="abc123f", status="running")
+
+    # Test setting active show
+    pr.set_active_show(show)
+
+    # Should remove all existing active pointers
+    remove_calls = [call.args[1] for call in mock_github.remove_label.call_args_list]
+    assert "🎪 🎯 old123f" in remove_calls
+    assert "🎪 🎯 other456" in remove_calls
+
+    # Should add new active pointer
+    add_calls = [call.args[1] for call in mock_github.add_label.call_args_list]
+    assert "🎪 🎯 abc123f" in add_calls
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_blocked_state(mock_get_github):
+    """Test that blocked state prevents all operations"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = [
+        "🎪 🔒 showtime-blocked",
+        "🎪 abc123f 🚦 running",  # Existing environment
+        "🎪 ⚡ showtime-trigger-start",  # Trigger should be ignored
+    ]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    # Test sync with blocked state
+    result = pr.sync("def456a")
+
+    # Should fail with blocked error
+    assert result.success is False
+    assert result.action_taken == "blocked"
+    assert "🔒 Showtime operations are blocked" in result.error
+    assert "showtime-blocked" in result.error
+
+    # Should not perform any operations
+    assert not mock_github.add_label.called
+    assert not mock_github.remove_label.called
+
+
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_determine_action_blocked(mock_get_github):
+    """Test _determine_action returns 'blocked' when blocked label present"""
+    mock_github = Mock()
+    mock_github.get_labels.return_value = ["🎪 🔒 showtime-blocked", "🎪 ⚡ showtime-trigger-start"]
+    mock_get_github.return_value = mock_github
+
+    pr = PullRequest(1234, [])
+
+    action = pr._determine_action("abc123f")
+
+    assert action == "blocked"
+
+
+@patch.dict(os.environ, {"GITHUB_ACTIONS": "true", "GITHUB_ACTOR": "external-user"})
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_authorization_check_unauthorized(mock_get_github):
+    """Test authorization check blocks unauthorized users"""
+    mock_github = Mock()
+    mock_github.base_url = "https://api.github.com"
+    mock_github.org = "apache"
+    mock_github.repo = "superset"
+    mock_github.headers = {"Authorization": "Bearer token"}
+
+    # Mock unauthorized response
+    mock_response = Mock()
+    mock_response.status_code = 200
+    mock_response.json.return_value = {"permission": "read"}  # Not write/admin
+
+    with patch("httpx.Client") as mock_client_class:
+        mock_client = Mock()
+        mock_client.get.return_value = mock_response
+        mock_client.__enter__.return_value = mock_client
+        mock_client.__exit__.return_value = None
+        mock_client_class.return_value = mock_client
+
+        mock_get_github.return_value = mock_github
+
+        pr = PullRequest(1234, [])
+
+        # Test unauthorized actor
+        authorized = pr._check_authorization()
+
+        assert authorized is False
+        # Should have added blocked label
+        mock_github.add_label.assert_called_once_with(1234, "🎪 🔒 showtime-blocked")
+
+
+@patch.dict(os.environ, {"GITHUB_ACTIONS": "true", "GITHUB_ACTOR": "maintainer-user"})
+@patch("showtime.core.pull_request.get_github")
+def test_pullrequest_authorization_check_authorized(mock_get_github):
+    """Test authorization check allows authorized users"""
+    mock_github = Mock()
+    mock_github.base_url = "https://api.github.com"
+    mock_github.org = "apache"
+    mock_github.repo = "superset"
+    mock_github.headers = {"Authorization": "Bearer token"}
+
+    # Mock authorized response
+    mock_response = Mock()
+    mock_response.status_code = 200
+    mock_response.json.return_value = {"permission": "write"}  # Authorized
+
+    with patch("httpx.Client") as mock_client_class:
+        mock_client = Mock()
+        mock_client.get.return_value = mock_response
+        mock_client.__enter__.return_value = mock_client
+        mock_client.__exit__.return_value = None
+        mock_client_class.return_value = mock_client
+
+        mock_get_github.return_value = mock_github
+
+        pr = PullRequest(1234, [])
+
+        # Test authorized actor
+        authorized = pr._check_authorization()
+
+        assert authorized is True
+        # Should not add blocked label
+        assert not mock_github.add_label.called
+
+
+@patch.dict(os.environ, {"GITHUB_ACTIONS": "false"})
+def test_pullrequest_authorization_check_local():
+    """Test authorization check skipped in non-GHA environment"""
+    pr = PullRequest(1234, [])
+
+    # Should always return True for local development
+    authorized = pr._check_authorization()
+
+    assert authorized is True

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/tests/unit/test_show.py

@@ -290,3 +290,36 @@ def test_show_to_circus_labels_auto_timestamp():
         # Should auto-generate timestamp
         assert show.created_at == "2024-01-15T14-30"
         assert any("📅 2024-01-15T14-30" in label for label in labels)
+
+
+def test_show_to_circus_labels_no_active_pointer():
+    """Test that to_circus_labels() does not include active pointer"""
+    show = Show(
+        pr_number=1234, sha="abc123f", status="running", ip="1.2.3.4", requested_by="testuser"
+    )
+
+    labels = show.to_circus_labels()
+
+    # Should include status, timestamp, TTL, IP, requester
+    assert any("🎪 abc123f 🚦 running" in label for label in labels)
+    assert any("🎪 abc123f 📅" in label for label in labels)
+    assert any("🎪 abc123f ⌛ 24h" in label for label in labels)
+    assert any("🎪 abc123f 🌐 1.2.3.4:8080" in label for label in labels)
+    assert any("🎪 abc123f 🤡 testuser" in label for label in labels)
+
+    # Should NOT include active pointer
+    assert not any("🎪 🎯" in label for label in labels)
+
+
+def test_show_to_circus_labels_building_status():
+    """Test to_circus_labels() for building status"""
+    show = Show(pr_number=1234, sha="def456a", status="building")
+
+    labels = show.to_circus_labels()
+
+    # Should include building status
+    assert any("🎪 def456a 🚦 building" in label for label in labels)
+
+    # Should NOT include active pointer or building pointer
+    assert not any("🎪 🎯" in label for label in labels)
+    assert not any("🎪 🏗️" in label for label in labels)

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/workflows-reference/showtime-cleanup.yml

@@ -13,7 +13,6 @@ on:
         required: false
         default: '48'
         type: string
-        pattern: '^[0-9]+$'
 
 # Common environment variables
 env:

{superset_showtime-0.5.12 → superset_showtime-0.5.18}/workflows-reference/showtime-trigger.yml

@@ -41,10 +41,76 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Security Check - Authorize Maintainers Only
+        id: auth
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = context.actor;
+            console.log(`🔍 Checking authorization for ${actor}`);
+
+            // Early exit for workflow_dispatch - assume authorized since it's manually triggered
+            if (context.eventName === 'workflow_dispatch') {
+              console.log(`✅ Workflow dispatch event - assuming authorized for ${actor}`);
+              core.setOutput('authorized', 'true');
+              return;
+            }
+
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: actor
+            });
+
+            console.log(`📊 Permission level for ${actor}: ${permission.permission}`);
+            const authorized = ['write', 'admin'].includes(permission.permission);
+
+            if (!authorized) {
+              console.log(`🚨 Unauthorized user ${actor} - skipping all operations`);
+              core.setOutput('authorized', 'false');
+              return;
+            }
+
+            console.log(`✅ Authorized maintainer: ${actor}`);
+            core.setOutput('authorized', 'true');
+
+            // If this is a synchronize event, check if Showtime is active and set blocked label
+            if (context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
+              console.log(`🔒 Synchronize event detected - checking if Showtime is active`);
+
+              // Check if PR has any circus tent labels (Showtime is in use)
+              const { data: issue } = await github.rest.issues.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number
+              });
+
+              const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));
+
+              if (hasCircusLabels) {
+                console.log(`🎪 Circus labels found - setting blocked label to prevent auto-deployment`);
+
+                await github.rest.issues.addLabels({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: context.payload.pull_request.number,
+                  labels: ['🎪 🔒 showtime-blocked']
+                });
+
+                console.log(`✅ Blocked label set - Showtime will detect and skip operations`);
+              } else {
+                console.log(`ℹ️ No circus labels found - Showtime not in use, skipping block`);
+              }
+            }
+
       - name: Install Superset Showtime
-        run: pip install superset-showtime
+        if: steps.auth.outputs.authorized == 'true'
+        run: |
+          pip install --upgrade superset-showtime
+          showtime version
 
       - name: Check what actions are needed
+        if: steps.auth.outputs.authorized == 'true'
         id: check
         run: |
           # Bulletproof PR number extraction
@@ -79,22 +145,23 @@ jobs:
           echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT
 
       - name: Checkout PR code (only if build needed)
-        if: steps.check.outputs.build_needed == 'true'
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
         uses: actions/checkout@v4
         with:
           ref: ${{ steps.check.outputs.target_sha }}
           persist-credentials: false
 
       - name: Setup Docker Environment (only if build needed)
-        if: steps.check.outputs.build_needed == 'true'
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
         uses: ./.github/actions/setup-docker
         with:
           dockerhub-user: ${{ env.DOCKERHUB_USER }}
           dockerhub-token: ${{ env.DOCKERHUB_TOKEN }}
           build: "true"
+          install-docker-compose: "false"
 
       - name: Execute sync (handles everything)
-        if: steps.check.outputs.sync_needed == 'true'
+        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.sync_needed == 'true'
         run: |
           PR_NUM="${{ steps.check.outputs.pr_number }}"
           TARGET_SHA="${{ steps.check.outputs.target_sha }}"