dpgaspar commented on code in PR #34833:
URL: https://github.com/apache/superset/pull/34833#discussion_r2300169569
##########
.github/workflows/showtime-trigger.yml:
##########
@@ -0,0 +1,106 @@
+name: 🎪 Superset Showtime
+
+# Ultra-simple: just sync on any PR state change
+on:
+ pull_request_target:
+ types: [labeled, synchronize, closed]
+
+ # Manual testing
+ workflow_dispatch:
+ inputs:
+ pr_number:
+ description: 'PR number to sync'
+ required: true
+ type: number
+ sha:
+ description: 'Specific SHA to deploy (optional, defaults to latest)'
+ required: false
+ type: string
+
+# Common environment variables for all jobs
+env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: us-west-2
+ GITHUB_ORG: ${{ github.repository_owner }}
+ GITHUB_REPO: ${{ github.event.repository.name }}
+ GITHUB_ACTOR: ${{ github.actor }}
+ DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+ DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+
+jobs:
+ sync:
+ name: 🎪 Sync PR to desired state
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - name: Install Superset Showtime
+ run: |
+ pip install --upgrade superset-showtime
+ showtime version
+
+ - name: Check what actions are needed
+ id: check
+ run: |
+ # Bulletproof PR number extraction
+ if [[ -n "${{ github.event.pull_request.number }}" ]]; then
+ PR_NUM="${{ github.event.pull_request.number }}"
+ elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
+ PR_NUM="${{ github.event.inputs.pr_number }}"
+ else
+ echo "❌ No PR number found in event or inputs"
+ exit 1
+ fi
+
+ echo "Using PR number: $PR_NUM"
+
+ # Run sync check-only with optional SHA override
+ if [[ -n "${{ github.event.inputs.sha }}" ]]; then
+ OUTPUT=$(python -m showtime sync $PR_NUM --check-only --sha "${{
github.event.inputs.sha }}")
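Review bot: the `--sha "${{ github.event.inputs.sha }}"` argument, like the `${{ github.event.pull_request.number }}` and `${{ github.event.inputs.pr_number }}` tests above it, splices event data directly into the `run:` shell script, which is the expression-injection pattern GitHub's own hardening guidance tells you to avoid; `workflow_dispatch` inputs can only be supplied by users with write access, so the exposure is limited, but the cheaper and safer shape is to map the value on the step (`env: SHA: ${{ github.event.inputs.sha }}`), reference `"$SHA"` in the script, and reject anything that is not a hex string of the expected length before it reaches `showtime`. Separately, the workflow-level `env:` block exports the `AWS_*` and `DOCKERHUB_*` secrets to every step, including the unpinned `pip install --upgrade superset-showtime`, so pinning `superset-showtime` to an exact version (ideally with a hash) would keep a bad PyPI release from running with those credentials.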
Review Comment:
Assuming a normal user can't trigger a workflow using a custom SHA, this is ok.
Being super cautious, let's make sure that showtime validates SHA and PR_NUM.
##########
.github/workflows/showtime-trigger.yml:
##########
@@ -0,0 +1,106 @@
+name: 🎪 Superset Showtime
+
+# Ultra-simple: just sync on any PR state change
+on:
+ pull_request_target:
+ types: [labeled, synchronize, closed]
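Review bot: `synchronize` under `pull_request_target` re-runs this job, with the base repository's secrets in scope, on every push to a PR that has already been labelled, so the maintainer's decision is taken once but honoured for every later commit. Suggest gating the `sync` job with an `if:` that requires the label to be present on the current event, and either clearing the label automatically when the `synchronize` event fires (so a maintainer must re-apply it after reviewing the new commits) or restricting deploys to heads from the same repository (`github.event.pull_request.head.repo.full_name == github.repository`). Since the workflow-level `env:` in the first hunk makes the AWS and Docker Hub credentials available to this job, the header comment should also state which actors can cause a deploy.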
Review Comment:
`synchronize` can be dangerous.
- Attacker submits a PR, without issues
- Maintainer labels the PR and spins an ephemeral env
- Attacker pushes a new change that contains malicious code (XSS for example)
- sync kicks in and updates the ephemeral env with this code