superset-showtime 0.5.12__tar.gz → 0.6.3__tar.gz

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/.claude/settings.local.json

@@ -44,13 +44,16 @@
       "Bash(AWS_PROFILE=\"\" showtime sync 34831 --dry-run-aws --dry-run-github)",
       "Bash(git stash:*)",
       "Bash(showtime list:*)",
-      "Bash(showtime git-check)"
+      "Bash(showtime git-check)",
+      "Read(//^def aws_cleanup/,/**)",
+      "WebFetch(domain:github.com)"
     ],
     "deny": [],
     "ask": [],
     "additionalDirectories": [
       "/private/tmp",
-      "/Users/max/code/superset"
+      "/Users/max/code/superset",
+      "/Users/max/.claudette/worktrees/showtime_gha/.github/workflows"
     ]
   }
 }

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/CLAUDE.md

@@ -84,6 +84,7 @@ The system uses GitHub labels as a distributed state machine:
 - `🎪 ⚡ showtime-trigger-start` - Create environment
 - `🎪 🛑 showtime-trigger-stop` - Destroy environment
 - `🎪 🧊 showtime-freeze` - Prevent auto-sync
+- `🎪 🔒 showtime-blocked` - Block ALL operations (maintenance mode)
 
 **State Labels (System Managed):**
 - `🎪 {sha} 🚦 {status}` - Environment status

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superset-showtime
-Version: 0.5.12
+Version: 0.6.3
 Summary: 🎪 Apache Superset ephemeral environment management with circus tent emoji state tracking
 Project-URL: Homepage, https://github.com/apache/superset-showtime
 Project-URL: Documentation, https://superset-showtime.readthedocs.io/

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/showtime/__init__.py

@@ -4,7 +4,7 @@
 Circus tent emoji state tracking for Apache Superset ephemeral environments.
 """
 
-__version__ = "0.5.12"
+__version__ = "0.6.3"
 __author__ = "Maxime Beauchemin"
 __email__ = "maximebeauchemin@gmail.com"
 

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/showtime/cli.py

@@ -584,36 +584,6 @@ def sync(
         raise typer.Exit(1) from e
 
 
-@app.command()
-def handle_sync(pr_number: int) -> None:
-    """🎪 Handle new commit sync (called by GitHub Actions on PR synchronize)"""
-    try:
-        pr = PullRequest.from_id(pr_number)
-
-        # Only sync if there's an active environment
-        if not pr.current_show:
-            p(f"🎪 No active environment for PR #{pr_number} - skipping sync")
-            return
-
-        # Get latest commit SHA
-        from .core.pull_request import get_github
-
-        latest_sha = get_github().get_latest_commit_sha(pr_number)
-
-        # Check if update is needed
-        if not pr.current_show.needs_update(latest_sha):
-            p(f"🎪 Environment already up to date for PR #{pr_number}")
-            return
-
-        p(f"🎪 Syncing PR #{pr_number} to commit {latest_sha[:7]}")
-
-        # TODO: Implement rolling update logic
-        p("🎪 [bold yellow]Sync logic not yet implemented[/bold yellow]")
-
-    except Exception as e:
-        p(f"🎪 [bold red]Error handling sync:[/bold red] {e}")
-
-
 @app.command()
 def setup_labels(
     dry_run: bool = typer.Option(False, "--dry-run", help="Show what labels would be created"),
@@ -662,107 +632,10 @@ def setup_labels(
         p(f"🎪 [bold red]Error setting up labels:[/bold red] {e}")
 
 
-@app.command()
-def aws_cleanup(
-    dry_run: bool = typer.Option(False, "--dry-run", help="Show what would be cleaned"),
-    force: bool = typer.Option(False, "--force", help="Delete all showtime AWS resources"),
-) -> None:
-    """🧹 Clean up orphaned AWS resources without GitHub labels"""
-    try:
-        from .core.aws import AWSInterface
-
-        aws = AWSInterface()
-
-        p("🔍 [bold blue]Scanning for orphaned AWS resources...[/bold blue]")
-
-        # 1. Get all GitHub PRs with circus labels
-        github_services = set()
-        try:
-            all_pr_numbers = PullRequest.find_all_with_environments()
-            p(f"📋 Found {len(all_pr_numbers)} PRs with circus labels:")
-
-            for pr_number in all_pr_numbers:
-                pr = PullRequest.from_id(pr_number)
-                p(
-                    f"  🎪 PR #{pr_number}: {len(pr.shows)} shows, {len(pr.circus_labels)} circus labels"
-                )
-
-                for show in pr.shows:
-                    service_name = show.ecs_service_name
-                    github_services.add(service_name)
-                    p(f"    📝 Expected service: {service_name}")
-
-                # Show labels for debugging
-                if not pr.shows:
-                    p(f"    ⚠️ No shows found, labels: {pr.circus_labels[:3]}...")  # First 3 labels
-
-        except Exception as e:
-            p(f"⚠️ GitHub scan failed: {e}")
-            github_services = set()
-
-        # 2. Get all AWS ECS services matching showtime pattern
-        p("\n☁️ [bold blue]Scanning AWS ECS services...[/bold blue]")
-        try:
-            aws_services = aws.find_showtime_services()
-            p(f"🔍 Found {len(aws_services)} AWS services with pr-* pattern")
-
-            for service in aws_services:
-                p(f"  ☁️ AWS: {service}")
-        except Exception as e:
-            p(f"❌ AWS scan failed: {e}")
-            return
-
-        # 3. Find orphaned services
-        orphaned = [service for service in aws_services if service not in github_services]
-
-        if not orphaned:
-            p("\n✅ [bold green]No orphaned AWS resources found![/bold green]")
-            return
-
-        p(f"\n🚨 [bold red]Found {len(orphaned)} orphaned AWS resources:[/bold red]")
-        for service in orphaned:
-            p(f"  💰 {service} (consuming resources)")
-
-        if dry_run:
-            p(f"\n🎪 [bold yellow]DRY RUN[/bold yellow] - Would delete {len(orphaned)} services")
-            return
-
-        if not force:
-            confirm = typer.confirm(f"Delete {len(orphaned)} orphaned AWS services?")
-            if not confirm:
-                p("🎪 Cancelled")
-                return
-
-        # 4. Delete orphaned resources
-        deleted_count = 0
-        for service in orphaned:
-            p(f"🗑️ Deleting {service}...")
-            try:
-                # Extract PR number for delete_environment call
-                pr_match = service.replace("pr-", "").replace("-service", "")
-                parts = pr_match.split("-")
-                if len(parts) >= 2:
-                    pr_number = int(parts[0])
-                    success = aws.delete_environment(service, pr_number)
-                    if success:
-                        p(f"✅ Deleted {service}")
-                        deleted_count += 1
-                    else:
-                        p(f"❌ Failed to delete {service}")
-                else:
-                    p(f"❌ Invalid service name format: {service}")
-            except Exception as e:
-                p(f"❌ Error deleting {service}: {e}")
-
-        p(f"\n🎪 ✅ Cleanup complete: deleted {deleted_count}/{len(orphaned)} services")
-
-    except Exception as e:
-        p(f"❌ AWS cleanup failed: {e}")
-
-
 @app.command()
 def cleanup(
     dry_run: bool = typer.Option(False, "--dry-run", help="Show what would be cleaned"),
+    force: bool = typer.Option(False, "--force", help="Skip interactive prompts"),
     older_than: str = typer.Option(
         "48h", "--older-than", help="Clean environments older than this (ignored if --respect-ttl)"
     ),
@@ -777,6 +650,11 @@ def cleanup(
         "--cleanup-labels/--no-cleanup-labels",
         help="Also cleanup SHA-based label definitions from repository",
     ),
+    cleanup_aws_orphans: bool = typer.Option(
+        True,
+        "--cleanup-aws-orphans/--no-cleanup-aws-orphans",
+        help="Also cleanup orphaned AWS resources",
+    ),
 ) -> None:
     """🎪 Clean up orphaned or expired environments and labels"""
     try:
@@ -811,6 +689,106 @@ def cleanup(
         else:
             p("🎪 No expired environments found")
 
+        # Phase 2: AWS orphan cleanup
+        aws_cleaned_count = 0
+        if cleanup_aws_orphans:
+            from .core.aws import AWSInterface
+
+            p("\n☁️ [bold blue]Scanning for orphaned AWS resources...[/bold blue]")
+            aws = AWSInterface()
+
+            try:
+                # Get expected services from GitHub
+                github_services = set()
+                for pr_number in pr_numbers:
+                    pr = PullRequest.from_id(pr_number)
+                    for show in pr.shows:
+                        github_services.add(show.ecs_service_name)
+
+                # Find AWS orphans
+                aws_services = aws.list_circus_environments()
+                aws_orphans = [
+                    svc for svc in aws_services if svc.get("service_name") not in github_services
+                ]
+
+                if aws_orphans:
+                    p(f"☁️ Found {len(aws_orphans)} orphaned AWS resources:")
+                    for orphan in aws_orphans[:3]:
+                        p(f"  • {orphan['service_name']}")
+                    if len(aws_orphans) > 3:
+                        p(f"  ... and {len(aws_orphans) - 3} more")
+
+                    if not force and not dry_run:
+                        if typer.confirm(f"Delete {len(aws_orphans)} orphaned AWS resources?"):
+                            # Clean up AWS orphans
+                            for orphan in aws_orphans:
+                                if not dry_run:
+                                    aws.delete_service(orphan["service_name"])
+                                aws_cleaned_count += 1
+                        else:
+                            p("❌ Skipping AWS orphan cleanup")
+                    elif force or dry_run:
+                        aws_cleaned_count = len(aws_orphans)
+                        if not dry_run:
+                            for orphan in aws_orphans:
+                                aws.delete_service(orphan["service_name"])
+
+                if aws_cleaned_count > 0:
+                    p(f"☁️ ✅ Cleaned up {aws_cleaned_count} orphaned AWS resources")
+                else:
+                    p("☁️ No orphaned AWS resources found")
+
+            except Exception as e:
+                p(f"⚠️ AWS orphan scan failed: {e}")
+
+        # Phase 3: Repository label cleanup
+        label_cleaned_count = 0
+        if cleanup_labels:
+            from .core.pull_request import get_github
+
+            p("\n🏷️ [bold blue]Scanning for orphaned repository labels...[/bold blue]")
+            github = get_github()
+
+            try:
+                orphaned_labels = github.find_orphaned_labels(dry_run=True)  # Preview
+
+                if orphaned_labels:
+                    p(f"🏷️ Found {len(orphaned_labels)} orphaned repository labels:")
+                    for label in orphaned_labels[:3]:
+                        p(f"  • {label}")
+                    if len(orphaned_labels) > 3:
+                        p(f"  ... and {len(orphaned_labels) - 3} more")
+
+                    if not force and not dry_run:
+                        if typer.confirm(
+                            f"Delete {len(orphaned_labels)} orphaned labels from repository?"
+                        ):
+                            deleted_labels = github.find_orphaned_labels(dry_run=False)
+                            label_cleaned_count = len(deleted_labels)
+                        else:
+                            p("❌ Skipping repository label cleanup")
+                    elif force or dry_run:
+                        label_cleaned_count = len(orphaned_labels)
+                        if not dry_run:
+                            github.find_orphaned_labels(dry_run=False)
+
+                if label_cleaned_count > 0:
+                    p(f"🏷️ ✅ Cleaned up {label_cleaned_count} orphaned repository labels")
+                else:
+                    p("🏷️ No orphaned repository labels found")
+
+            except Exception as e:
+                p(f"⚠️ Repository label scan failed: {e}")
+
+        # Final summary
+        total_cleaned = cleaned_count + aws_cleaned_count + label_cleaned_count
+        if total_cleaned > 0:
+            p(
+                f"\n🎉 [bold green]Total cleanup: {cleaned_count} environments + {aws_cleaned_count} AWS orphans + {label_cleaned_count} labels[/bold green]"
+            )
+        else:
+            p("\n✨ [bold green]No cleanup needed - everything is clean![/bold green]")
+
     except Exception as e:
         p(f"❌ Cleanup failed: {e}")
 

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/showtime/core/emojis.py

@@ -13,6 +13,7 @@ EMOJI_MEANINGS = {
     "🚦": "status",  # Traffic light for environment status
     "🏗️": "building",  # Construction for building environments
     "🎯": "active",  # Target for currently active environment
+    "🔒": "blocked",  # Lock for blocking all operations
     # Metadata
     "📅": "created_at",  # Calendar for creation timestamp
     "🌐": "ip",  # Globe for IP address

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/showtime/core/github.py

@@ -143,9 +143,9 @@ class GitHubInterface:
         url = f"{self.base_url}/search/issues"
         # Search for PRs with any circus tent labels
         params = {
-            "q": f"repo:{self.org}/{self.repo} is:pr 🎪",
+            "q": f"repo:{self.org}/{self.repo} is:pr is:open 🎪",
             "per_page": "100",
-        }  # Include closed PRs
+        }  # Only open PRs - closed PRs should have cleaned up labels
 
         with httpx.Client() as client:
             response = client.get(url, headers=self.headers, params=params)
@@ -209,8 +209,8 @@ class GitHubInterface:
         all_labels = self.get_repository_labels()
         sha_labels = []
 
-        # Find labels with SHA patterns (7+ hex chars after 🎪)
-        sha_pattern = re.compile(r"^🎪 .* [a-f0-9]{7,}( .*)?$")
+        # Find labels with SHA patterns (7+ hex chars anywhere in label)
+        sha_pattern = re.compile(r"^🎪 .*[a-f0-9]{7,}.*$")
 
         for label in all_labels:
             if sha_pattern.match(label):
@@ -225,6 +225,69 @@ class GitHubInterface:
 
         return sha_labels
 
+    def find_orphaned_labels(self, dry_run: bool = False) -> List[str]:
+        """Find labels that exist in repository but aren't used on any PR"""
+        import re
+
+        print("🔍 Scanning repository labels...")
+
+        # 1. Get all repository labels with SHA patterns
+        all_repo_labels = self.get_repository_labels()
+        sha_pattern = re.compile(r"^🎪 .*[a-f0-9]{7,}.*$")
+        sha_repo_labels = {label for label in all_repo_labels if sha_pattern.match(label)}
+
+        print(f"📋 Found {len(sha_repo_labels)} SHA-containing labels in repository")
+
+        # 2. Get all labels actually used on PRs with circus labels
+        print("🔍 Scanning PRs with circus labels...")
+
+        # Import here to avoid circular import
+        import importlib
+
+        pull_request_module = importlib.import_module("showtime.core.pull_request")
+        PullRequest = pull_request_module.PullRequest
+
+        try:
+            pr_numbers = PullRequest.find_all_with_environments()
+            print(f"📋 Found {len(pr_numbers)} PRs with circus labels")
+
+            used_labels = set()
+            for pr_number in pr_numbers:
+                pr_labels = self.get_labels(pr_number)
+                circus_labels = {label for label in pr_labels if label.startswith("🎪 ")}
+                used_labels.update(circus_labels)
+
+            print(f"📋 Found {len(used_labels)} circus labels actually used on PRs")
+
+            # 3. Set difference to find orphaned labels
+            orphaned_labels = sha_repo_labels - used_labels
+
+            print(f"🗑️ Found {len(orphaned_labels)} truly orphaned labels")
+
+            # Debug: Show some examples if in dry run
+            if dry_run and orphaned_labels:
+                print("🔍 Examples of orphaned labels:")
+                for label in list(orphaned_labels)[:5]:
+                    print(f"  • {label}")
+            if dry_run and used_labels:
+                print("🔍 Examples of used labels:")
+                for label in list(used_labels)[:5]:
+                    print(f"  • {label}")
+
+            if not dry_run and orphaned_labels:
+                deleted_labels = []
+                for label in orphaned_labels:
+                    if self.delete_repository_label(label):
+                        deleted_labels.append(label)
+                return deleted_labels
+
+            return list(orphaned_labels)
+
+        except Exception as e:
+            print(f"⚠️ Error during orphan detection: {e}")
+            # Fallback to old pattern-based method
+            return self.cleanup_sha_labels(dry_run)
+
     def create_or_update_label(self, name: str, color: str, description: str) -> bool:
         """Create or update a label with color and description"""
         import urllib.parse

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/showtime/core/label_colors.py

@@ -31,6 +31,10 @@ LABEL_DEFINITIONS = {
         "color": "FFE4B5",  # Light orange
         "description": "Freeze PR - prevent auto-sync on new commits",
     },
+    "🎪 🔒 showtime-blocked": {
+        "color": "dc3545",  # Red - blocking/danger
+        "description": "Block all Showtime operations - maintenance mode",
+    },
 }
 
 # Status-specific label patterns (generated dynamically)

{superset_showtime-0.5.12 → superset_showtime-0.6.3}/showtime/core/pull_request.py

@@ -90,20 +90,10 @@ class PullRequest:
 
     @property
     def building_show(self) -> Optional[Show]:
-        """The currently building show (from 🏗️ label)"""
-        building_sha = None
-        for label in self.labels:
-            if label.startswith("🎪 🏗️ "):
-                building_sha = label.split(" ")[2]
-                break
-
-        if not building_sha:
-            return None
-
+        """The currently building show (from building/deploying status)"""
         for show in self.shows:
-            if show.sha == building_sha:
+            if show.status in ["building", "deploying"]:
                 return show
-
         return None
 
     @property
@@ -185,6 +175,88 @@ class PullRequest:
             for label in circus_labels:
                 self.remove_label(label)
 
+    def set_show_status(self, show: Show, new_status: str) -> None:
+        """Atomically update show status with thorough label cleanup"""
+        show.status = new_status
+
+        # 1. Refresh labels to get current GitHub state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing status labels for this SHA (not just the "expected" one)
+        status_labels_to_remove = [
+            label for label in self.labels if label.startswith(f"🎪 {show.sha} 🚦 ")
+        ]
+
+        for label in status_labels_to_remove:
+            self.remove_label(label)
+
+        # 3. Add the new status label
+        new_status_label = f"🎪 {show.sha} 🚦 {new_status}"
+        self.add_label(new_status_label)
+
+    def set_active_show(self, show: Show) -> None:
+        """Atomically set this show as the active environment"""
+        from .emojis import CIRCUS_PREFIX, MEANING_TO_EMOJI
+
+        # 1. Refresh to get current state
+        self.refresh_labels()
+
+        # 2. Remove ALL existing active pointers (ensure only one)
+        active_emoji = MEANING_TO_EMOJI["active"]  # Gets 🎯
+        active_prefix = f"{CIRCUS_PREFIX} {active_emoji} "  # "🎪 🎯 "
+        active_pointers = [label for label in self.labels if label.startswith(active_prefix)]
+
+        for pointer in active_pointers:
+            self.remove_label(pointer)
+
+        # 3. Set this show as the new active one
+        active_pointer = f"{active_prefix}{show.sha}"  # "🎪 🎯 abc123f"
+        self.add_label(active_pointer)
+
+    def _check_authorization(self) -> bool:
+        """Check if current GitHub actor is authorized for operations"""
+        import os
+
+        import httpx
+
+        # Only check in GitHub Actions context
+        if os.getenv("GITHUB_ACTIONS") != "true":
+            return True
+
+        actor = os.getenv("GITHUB_ACTOR")
+        if not actor:
+            return True  # No actor info, allow operation
+
+        try:
+            # Use existing GitHubInterface for consistency
+            github = get_github()
+
+            # Check collaborator permissions
+            perm_url = f"{github.base_url}/repos/{github.org}/{github.repo}/collaborators/{actor}/permission"
+
+            with httpx.Client() as client:
+                response = client.get(perm_url, headers=github.headers)
+                if response.status_code == 404:
+                    return False  # Not a collaborator
+                response.raise_for_status()
+
+                data = response.json()
+                permission = data.get("permission", "none")
+
+                # Allow write and admin permissions only
+                authorized = permission in ["write", "admin"]
+
+                if not authorized:
+                    print(f"🚨 Unauthorized actor {actor} (permission: {permission})")
+                    # Set blocked label for security
+                    self.add_label("🎪 🔒 showtime-blocked")
+
+                return authorized
+
+        except Exception as e:
+            print(f"⚠️ Authorization check failed: {e}")
+            return True  # Fail open for non-security operations
+
     def analyze(self, target_sha: str, pr_state: str = "open") -> AnalysisResult:
         """Analyze what actions are needed (read-only, for --check-only)
 
@@ -208,7 +280,7 @@ class PullRequest:
         build_needed = action_needed in ["create_environment", "rolling_update", "auto_sync"]
 
         # Determine if sync execution is needed
-        sync_needed = action_needed != "no_action"
+        sync_needed = action_needed not in ["no_action", "blocked"]
 
         return AnalysisResult(
             action_needed=action_needed,
@@ -244,8 +316,21 @@ class PullRequest:
         # 1. Determine what action is needed
         action_needed = self._determine_action(target_sha)
 
-        # 2. Atomic claim for environment changes (PR-level lock)
-        if action_needed in ["create_environment", "rolling_update", "auto_sync"]:
+        # 2. Check for blocked state (fast bailout)
+        if action_needed == "blocked":
+            return SyncResult(
+                success=False,
+                action_taken="blocked",
+                error="🔒 Showtime operations are blocked for this PR. Remove '🎪 🔒 showtime-blocked' label to re-enable.",
+            )
+
+        # 3. Atomic claim for environment changes (PR-level lock)
+        if action_needed in [
+            "create_environment",
+            "rolling_update",
+            "auto_sync",
+            "destroy_environment",
+        ]:
             print(f"🔒 Claiming environment for {action_needed}...")
             if not self._atomic_claim(target_sha, action_needed, dry_run_github):
                 print("❌ Claim failed - another job is active")
@@ -266,14 +351,14 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building Docker image...")
                 show.build_docker(dry_run_docker)
-                show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(show, dry_run_github)
 
                 # Phase 2: AWS deployment
                 print("☁️ Deploying to AWS ECS...")
+                self.set_show_status(show, "deploying")
                 show.deploy_aws(dry_run_aws)
-                show.status = "running"
+                self.set_show_status(show, "running")
+                self.set_active_show(show)
                 print(f"✅ Deployment completed - environment running at {show.ip}:8080")
                 self._update_show_labels(show, dry_run_github)
 
@@ -303,14 +388,14 @@ class PullRequest:
                 # Phase 1: Docker build
                 print("🐳 Building updated Docker image...")
                 new_show.build_docker(dry_run_docker)
-                new_show.status = "built"
                 print("✅ Docker build completed")
-                self._update_show_labels(new_show, dry_run_github)
 
                 # Phase 2: Blue-green deployment
                 print("☁️ Deploying updated environment...")
+                self.set_show_status(new_show, "deploying")
                 new_show.deploy_aws(dry_run_aws)
-                new_show.status = "running"
+                self.set_show_status(new_show, "running")
+                self.set_active_show(new_show)
                 print(f"✅ Rolling update completed - new environment at {new_show.ip}:8080")
                 self._update_show_labels(new_show, dry_run_github)
 
@@ -406,7 +491,7 @@ class PullRequest:
                 if any(label == f"🎪 🎯 {show.sha}" for label in pr.labels):
                     show_type = "active"
                 # Check for building pointer
-                elif any(label == f"🎪 🏗️ {show.sha}" for label in pr.labels):
+                elif show.status in ["building", "deploying"]:
                     show_type = "building"
                 # No pointer = orphaned
 
@@ -433,6 +518,14 @@ class PullRequest:
         # CRITICAL: Get fresh labels before any decisions
         self.refresh_labels()
 
+        # Check for blocked state first (fast bailout)
+        if "🎪 🔒 showtime-blocked" in self.labels:
+            return "blocked"
+
+        # Check authorization (security layer)
+        if not self._check_authorization():
+            return "blocked"
+
         target_sha_short = target_sha[:7]  # Ensure we're working with short SHA
 
         # Get the specific show for the target SHA
@@ -455,10 +548,14 @@ class PullRequest:
                 elif "showtime-trigger-stop" in trigger:
                     return "destroy_environment"
 
-        # No explicit triggers - check target SHA state
+        # No explicit triggers - only auto-create if there's ANY previous environment
         if not target_show:
-            # Target SHA doesn't exist - create it
-            return "create_environment"
+            # Target SHA doesn't exist - only create if there's any previous environment
+            if self.shows:  # Any previous environment exists
+                return "create_environment"
+            else:
+                # No previous environments - don't auto-create without explicit trigger
+                return "no_action"
         elif target_show.status == "failed":
             # Target SHA failed - rebuild it
             return "create_environment"
@@ -515,7 +612,6 @@ class PullRequest:
             for label in new_labels:
                 try:
                     self.add_label(label)
-                    print(f"  ✅ Added: {label}")
                 except Exception as e:
                     print(f"  ❌ Failed to add {label}: {e}")
                     raise
@@ -646,7 +742,6 @@ class PullRequest:
             and (
                 label.startswith(f"🎪 {show.sha} ")  # SHA-first format: 🎪 abc123f 📅 ...
                 or label.startswith(f"🎪 🎯 {show.sha}")  # Pointer format: 🎪 🎯 abc123f
-                or label.startswith(f"🎪 🏗️ {show.sha}")  # Building pointer: 🎪 🏗️ abc123f
             )
         }
         desired_labels = set(show.to_circus_labels())
@@ -704,9 +799,7 @@ class PullRequest:
                         existing_labels = [
                             label
                             for label in self.labels
-                            if label.startswith(f"🎪 {show.sha} ")
-                            or label == f"🎪 🎯 {show.sha}"
-                            or label == f"🎪 🏗️ {show.sha}"
+                            if label.startswith(f"🎪 {show.sha} ") or label == f"🎪 🎯 {show.sha}"
                         ]
                         print(f"🏷️ Removing existing labels for {show.sha}: {existing_labels}")
                         for label in existing_labels: