superset/.github/workflows/showtime-trigger.yml

name: 🎪 Superset Showtime

# Ultra-simple: just sync on any PR state change
on:
  pull_request_target:
    types: [labeled, unlabeled, synchronize, closed]

  # Manual testing
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'PR number to sync'
        required: true
        type: number
      sha:
        description: 'Specific SHA to deploy (optional, defaults to latest)'
        required: false
        type: string

# Common environment variables for all jobs (non-sensitive only)
env:
  AWS_REGION: us-west-2
  GITHUB_ORG: ${{ github.repository_owner }}
  GITHUB_REPO: ${{ github.event.repository.name }}
  GITHUB_ACTOR: ${{ github.actor }}

jobs:
  sync:
    name: 🎪 Sync PR to desired state
    runs-on: ubuntu-latest
    timeout-minutes: 90

    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Security Check - Authorize Maintainers Only
        id: auth
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          script: |
            const actor = context.actor;
            console.log(`🔍 Checking authorization for ${actor}`);

            // Early exit for workflow_dispatch - assume authorized since it's manually triggered
            if (context.eventName === 'workflow_dispatch') {
              console.log(`✅ Workflow dispatch event - assuming authorized for ${actor}`);
              core.setOutput('authorized', 'true');
              return;
            }

            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username: actor
            });

            console.log(`📊 Permission level for ${actor}: ${permission.permission}`);
            const authorized = ['write', 'admin'].includes(permission.permission);

            // If this is a synchronize event from unauthorized user, check if Showtime is active and set blocked label
            if (!authorized && context.eventName === 'pull_request_target' && context.payload.action === 'synchronize') {
              console.log(`🔒 Synchronize event detected - checking if Showtime is active`);

              // Check if PR has any circus tent labels (Showtime is in use)
              const { data: issue } = await github.rest.issues.get({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.payload.pull_request.number
              });

              const hasCircusLabels = issue.labels.some(label => label.name.startsWith('🎪 '));

              if (hasCircusLabels) {
                console.log(`🎪 Circus labels found - setting blocked label to prevent auto-deployment`);

                await github.rest.issues.addLabels({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.payload.pull_request.number,
                  labels: ['🎪 🔒 showtime-blocked']
                });

                console.log(`✅ Blocked label set - Showtime will detect and skip operations`);
              } else {
                console.log(`ℹ️ No circus labels found - Showtime not in use, skipping block`);
              }
            }

            if (!authorized) {
              console.log(`🚨 Unauthorized user ${actor} - skipping all operations`);
              core.setOutput('authorized', 'false');
              return;
            }

            console.log(`✅ Authorized maintainer: ${actor}`);
            core.setOutput('authorized', 'true');

      - name: Install Superset Showtime
        if: steps.auth.outputs.authorized == 'true'
        run: |
          echo "::notice::Maintainer ${{ github.actor }} triggered deploy for PR ${PULL_REQUEST_NUMBER}"
          pip install --upgrade superset-showtime
          showtime version

        env:
          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}
      - name: Check what actions are needed
        if: steps.auth.outputs.authorized == 'true'
        id: check
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          INPUT_PR_NUMBER: ${{ github.event.inputs.pr_number }}
          INPUT_SHA: ${{ github.event.inputs.sha }}
        run: |
          # Bulletproof PR number extraction
          if [[ -n "${{ github.event.pull_request.number }}" ]]; then
            PR_NUM="${{ github.event.pull_request.number }}"
          elif [[ -n "${INPUT_PR_NUMBER}" ]]; then
            PR_NUM="${INPUT_PR_NUMBER}"
          else
            echo "❌ No PR number found in event or inputs"
            exit 1
          fi

          echo "Using PR number: $PR_NUM"

          # Run sync check-only with optional SHA override
          if [[ -n "${INPUT_SHA}" ]]; then
            OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${INPUT_SHA}")
          else
            OUTPUT=$(python -m showtime sync $PR_NUM --check-only)
          fi
          echo "$OUTPUT"

          # Extract the outputs we need for conditional steps
          BUILD=$(echo "$OUTPUT" | grep "build_needed=" | cut -d'=' -f2)
          SYNC=$(echo "$OUTPUT" | grep "sync_needed=" | cut -d'=' -f2)
          PR_NUM_OUT=$(echo "$OUTPUT" | grep "pr_number=" | cut -d'=' -f2)
          TARGET_SHA=$(echo "$OUTPUT" | grep "target_sha=" | cut -d'=' -f2)

          echo "build_needed=$BUILD" >> $GITHUB_OUTPUT
          echo "sync_needed=$SYNC" >> $GITHUB_OUTPUT
          echo "pr_number=$PR_NUM_OUT" >> $GITHUB_OUTPUT
          echo "target_sha=$TARGET_SHA" >> $GITHUB_OUTPUT

      - name: Checkout PR code (only if build needed)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          ref: ${{ steps.check.outputs.target_sha }}
          persist-credentials: false

      - name: Setup Docker Environment (only if build needed)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.build_needed == 'true'
        uses: ./.github/actions/setup-docker
        with:
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
          build: "true"
          install-docker-compose: "false"

      - name: Execute sync (handles everything)
        if: steps.auth.outputs.authorized == 'true' && steps.check.outputs.sync_needed == 'true'
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          PR_NUM="${{ steps.check.outputs.pr_number }}"
          TARGET_SHA="${{ steps.check.outputs.target_sha }}"
          if [[ -n "$TARGET_SHA" ]]; then
            python -m showtime sync $PR_NUM --sha "$TARGET_SHA"
          else
            python -m showtime sync $PR_NUM
          fi