Refresh cpflow workflow generator output

Author: justin808

.controlplane/readme.md

@@ -419,7 +419,7 @@ repository variables, secrets, and docs aligned with `.controlplane/controlplane
 For this app, validate a regenerated flow with:
 
 ```bash
-bundle exec ruby /path/to/control-plane-flow/bin/cpflow generate-github-actions
+bundle exec ruby /path/to/control-plane-flow/bin/cpflow generate-github-actions --staging-branch master
 bundle exec ruby /path/to/control-plane-flow/bin/cpflow github-flow-readiness
 actionlint .github/workflows/cpflow-*.yml
 bundle exec rubocop

.controlplane/shakacode-team.md

@@ -48,6 +48,9 @@ Optional repository settings:
 - `DOCKER_BUILD_SSH_KEY`: secret for private SSH dependencies during Docker builds.
 - `DOCKER_BUILD_EXTRA_ARGS`: newline-delimited Docker build tokens, such as `--build-arg=FOO=bar`.
 - `DOCKER_BUILD_SSH_KNOWN_HOSTS`: custom `known_hosts` entries when SSH build hosts are not GitHub.com.
+- `CPLN_CLI_VERSION`: pin a specific `@controlplane/cli` version; defaults to the generated action pin.
+- `CPFLOW_VERSION`: pin a specific cpflow gem version; defaults to the generated action pin.
+- `HEALTH_CHECK_ACCEPTED_STATUSES`: production promotion health statuses; defaults to `200 301 302`.
 
 If staging moves off `master`, update both `STAGING_APP_BRANCH` and the branch
 filter in `.github/workflows/cpflow-deploy-staging.yml`.
@@ -56,8 +59,8 @@ filter in `.github/workflows/cpflow-deploy-staging.yml`.
 
 When the upstream `control-plane-flow` repo changes the generated GitHub Actions
 flow, regenerate the `cpflow-*` actions/workflows in this repo from the target
-`cpflow` version or branch, review the diff, and keep the repository variables
-above aligned with `.controlplane/controlplane.yml`. Validate with
+`cpflow` version or branch using `--staging-branch master`, review the diff, and
+keep the repository variables above aligned with `.controlplane/controlplane.yml`. Validate with
 `cpflow github-flow-readiness`, `actionlint .github/workflows/cpflow-*.yml`, and
 the normal CI checks before merging.
 

.github/actions/cpflow-detect-release-phase/action.yml

@@ -0,0 +1,32 @@
+name: Detect release phase support
+description: >-
+  Inspects the cpflow config for an app and emits `flag=--run-release-phase`
+  when a `release_script:` is configured. Outputs an empty `flag` otherwise.
+
+inputs:
+  app_name:
+    description: cpflow app name to inspect
+    required: true
+
+outputs:
+  flag:
+    description: Either `--run-release-phase` or empty
+    value: ${{ steps.detect.outputs.flag }}
+
+runs:
+  using: composite
+  steps:
+    - name: Detect release phase support
+      id: detect
+      shell: bash
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+      run: |
+        set -euo pipefail
+
+        # Anchor to start-of-line so commented-out release_script: entries don't enable --run-release-phase.
+        if cpflow config -a "${APP_NAME}" | grep -qE '^[[:space:]]*release_script:'; then
+          echo "flag=--run-release-phase" >> "$GITHUB_OUTPUT"
+        else
+          echo "flag=" >> "$GITHUB_OUTPUT"
+        fi

.github/actions/cpflow-setup-environment/action.yml

@@ -15,14 +15,17 @@ inputs:
     required: false
     default: ""
   cpln_cli_version:
-    # Bump this default when a new @controlplane/cli release lands that you want to roll out.
-    description: "@controlplane/cli version"
+    description: >-
+      @controlplane/cli version. Empty string falls back to the action's pinned default
+      so callers can pass `${{ vars.CPLN_CLI_VERSION }}` unconditionally.
     required: false
-    default: "3.3.1"
+    default: ""
   cpflow_version:
-    description: cpflow gem version
+    description: >-
+      cpflow gem version. Empty string falls back to the action's pinned default
+      so callers can pass `${{ vars.CPFLOW_VERSION }}` unconditionally.
     required: false
-    default: "4.2.0"
+    default: ""
 
 runs:
   using: composite
@@ -34,13 +37,25 @@ runs:
 
     - name: Install Control Plane CLI and cpflow gem
       shell: bash
+      env:
+        CPLN_CLI_VERSION: ${{ inputs.cpln_cli_version }}
+        CPFLOW_VERSION: ${{ inputs.cpflow_version }}
       run: |
         set -euo pipefail
 
-        sudo npm install -g @controlplane/cli@${{ inputs.cpln_cli_version }}
+        # Bump these defaults when a new release lands that you want to roll out by default.
+        # Override per-repo by setting `CPLN_CLI_VERSION` / `CPFLOW_VERSION` repo variables;
+        # an empty input falls back to the action's pinned default below.
+        default_cpln_cli_version="3.3.1"
+        default_cpflow_version="4.2.0"
+
+        CPLN_CLI_VERSION="${CPLN_CLI_VERSION:-${default_cpln_cli_version}}"
+        CPFLOW_VERSION="${CPFLOW_VERSION:-${default_cpflow_version}}"
+
+        sudo npm install -g "@controlplane/cli@${CPLN_CLI_VERSION}"
         cpln --version
 
-        gem install cpflow -v ${{ inputs.cpflow_version }} --no-document
+        gem install cpflow -v "${CPFLOW_VERSION}" --no-document
         cpflow --version
 
     - name: Setup Control Plane profile and registry login

.github/actions/cpflow-validate-config/action.yml

@@ -0,0 +1,75 @@
+name: Validate cpflow GitHub configuration
+description: >-
+  Validates that required secrets and repository variables are set before a workflow
+  proceeds. Pass each value via `env:` with the same NAME as the secret or variable,
+  then list the required entries in `required` as `type:NAME` pairs (type is `secret`
+  or `variable`). When `pull_request_friendly: true` and the current event is a
+  `pull_request`, missing config writes a step summary and exits 0 with `ready=false`
+  instead of failing the job.
+
+inputs:
+  required:
+    description: |
+      Newline-separated `type:NAME` pairs. Type is `secret` or `variable`. The
+      caller MUST export the matching values via `env:` using the same NAME.
+    required: true
+  pull_request_friendly:
+    description: When "true" and event is pull_request, write summary and exit 0 with ready=false.
+    required: false
+    default: "false"
+
+outputs:
+  ready:
+    description: '"true" when all values are set, "false" when missing in PR-friendly mode.'
+    value: ${{ steps.check.outputs.ready }}
+
+runs:
+  using: composite
+  steps:
+    - name: Check required secrets and variables
+      id: check
+      shell: bash
+      env:
+        CPFLOW_REQUIRED: ${{ inputs.required }}
+        CPFLOW_PR_FRIENDLY: ${{ inputs.pull_request_friendly }}
+        CPFLOW_EVENT_NAME: ${{ github.event_name }}
+      run: |
+        set -euo pipefail
+
+        missing=()
+        while IFS= read -r entry; do
+          entry="${entry%$'\r'}"
+          entry="${entry## }"
+          entry="${entry%% }"
+          [[ -z "${entry}" ]] && continue
+
+          type="${entry%%:*}"
+          name="${entry#*:}"
+
+          # Indirect bash lookup: reads the env var named by ${name} (e.g. CPLN_TOKEN_STAGING)
+          # so the value never has to round-trip through workflow logs.
+          if [[ -z "${!name:-}" ]]; then
+            missing+=("${type}:${name}")
+          fi
+        done <<< "${CPFLOW_REQUIRED}"
+
+        if [[ ${#missing[@]} -eq 0 ]]; then
+          echo "ready=true" >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        if [[ "${CPFLOW_PR_FRIENDLY}" == "true" && "${CPFLOW_EVENT_NAME}" == "pull_request" ]]; then
+          echo "ready=false" >> "$GITHUB_OUTPUT"
+          {
+            echo "Control Plane review app automation is not configured yet."
+            echo
+            echo "Missing required GitHub configuration:"
+            printf -- '- `%s`\n' "${missing[@]}"
+            echo
+            echo "Pushes to this pull request will skip review app deploys until the repository is configured."
+          } >> "$GITHUB_STEP_SUMMARY"
+          exit 0
+        fi
+
+        printf 'Missing required GitHub configuration:\n- %s\n' "${missing[@]}" >&2
+        exit 1

.github/actions/cpflow-wait-for-health/action.yml

@@ -0,0 +1,83 @@
+name: Wait for Control Plane workload health
+description: >-
+  Polls the workload's status endpoint with curl and exits success when the
+  HTTP response status is in the accepted list. Fails non-zero (and reports
+  `healthy=false`) once retries are exhausted.
+
+inputs:
+  workload_name:
+    description: Workload to query (e.g. `rails`).
+    required: true
+  app_name:
+    description: GVC / Control Plane app name the workload belongs to.
+    required: true
+  org:
+    description: Control Plane organization.
+    required: true
+  max_retries:
+    description: Number of attempts before giving up.
+    required: false
+    default: "24"
+  interval_seconds:
+    description: Seconds to sleep between attempts.
+    required: false
+    default: "15"
+  accepted_statuses:
+    description: >-
+      Space-separated list of HTTP status codes considered healthy. The default
+      `200 301 302` accepts redirects because curl is invoked without `-L`, so a
+      root path that auth-redirects looks like a redirect, not a failure.
+    required: false
+    default: "200 301 302"
+  curl_max_time:
+    description: Per-request curl timeout, seconds.
+    required: false
+    default: "10"
+
+outputs:
+  healthy:
+    description: '"true" once a healthy response was observed; "false" otherwise.'
+    value: ${{ steps.poll.outputs.healthy }}
+
+runs:
+  using: composite
+  steps:
+    - name: Poll workload endpoint
+      id: poll
+      shell: bash
+      env:
+        CPFLOW_WORKLOAD_NAME: ${{ inputs.workload_name }}
+        CPFLOW_APP_NAME: ${{ inputs.app_name }}
+        CPFLOW_ORG: ${{ inputs.org }}
+        CPFLOW_MAX_RETRIES: ${{ inputs.max_retries }}
+        CPFLOW_INTERVAL_SECONDS: ${{ inputs.interval_seconds }}
+        CPFLOW_ACCEPTED_STATUSES: ${{ inputs.accepted_statuses }}
+        CPFLOW_CURL_MAX_TIME: ${{ inputs.curl_max_time }}
+      run: |
+        set -euo pipefail
+
+        read -r -a accepted_statuses <<< "${CPFLOW_ACCEPTED_STATUSES}"
+
+        for attempt in $(seq 1 "${CPFLOW_MAX_RETRIES}"); do
+          echo "Health check attempt ${attempt}/${CPFLOW_MAX_RETRIES}"
+
+          endpoint="$(cpln workload get "${CPFLOW_WORKLOAD_NAME}" --gvc "${CPFLOW_APP_NAME}" --org "${CPFLOW_ORG}" -o json | jq -r '.status.endpoint // empty')"
+          if [[ -n "${endpoint}" ]]; then
+            http_status="$(curl -s -o /dev/null -w '%{http_code}' --max-time "${CPFLOW_CURL_MAX_TIME}" "${endpoint}" 2>/dev/null || echo 000)"
+            echo "Endpoint: ${endpoint}, HTTP status: ${http_status}"
+
+            for accepted in "${accepted_statuses[@]}"; do
+              if [[ "${http_status}" == "${accepted}" ]]; then
+                echo "healthy=true" >> "$GITHUB_OUTPUT"
+                exit 0
+              fi
+            done
+          fi
+
+          if [[ "${attempt}" -lt "${CPFLOW_MAX_RETRIES}" ]]; then
+            sleep "${CPFLOW_INTERVAL_SECONDS}"
+          fi
+        done
+
+        echo "healthy=false" >> "$GITHUB_OUTPUT"
+        exit 1

.github/cpflow-help.md

@@ -0,0 +1,45 @@
+# Control Plane GitHub Flow
+
+## PR commands
+
+`/deploy-review-app`
+- Creates the review app if it does not exist
+- Builds the PR commit image
+- Deploys the image and comments with the review URL
+
+`/delete-review-app`
+- Deletes the review app when the PR is done
+- This also runs automatically when the PR closes
+
+## Repository secrets
+
+| Name | Required | Notes |
+| --- | --- | --- |
+| `CPLN_TOKEN_STAGING` | yes | Service-account token scoped to the staging org. |
+| `CPLN_TOKEN_PRODUCTION` | yes (for promote) | Service-account token scoped to the production org. |
+| `DOCKER_BUILD_SSH_KEY` | optional | Private SSH key used when Docker builds fetch private deps via `RUN --mount=type=ssh`. |
+
+## Repository variables
+
+| Name | Required | Notes |
+| --- | --- | --- |
+| `CPLN_ORG_STAGING` | yes | Control Plane org for staging and review apps. |
+| `CPLN_ORG_PRODUCTION` | yes (for promote) | Control Plane org for production. |
+| `STAGING_APP_NAME` | yes | App name in `controlplane.yml` used as the staging deploy target. |
+| `PRODUCTION_APP_NAME` | yes (for promote) | App name in `controlplane.yml` used as the production deploy target. |
+| `REVIEW_APP_PREFIX` | yes | Prefix for per-PR review app names (e.g. `review-app`). |
+| `STAGING_APP_BRANCH` | optional | Custom staging branch. Custom branches must also appear in `cpflow-deploy-staging.yml`'s push filter. |
+| `PRIMARY_WORKLOAD` | optional | Workload polled for health and rollback (defaults to `rails`). |
+| `DOCKER_BUILD_EXTRA_ARGS` | optional | Newline-delimited extra docker build tokens (e.g. `--build-arg=FOO=bar`). |
+| `DOCKER_BUILD_SSH_KNOWN_HOSTS` | optional | SSH known_hosts entries when SSH build hosts are not GitHub.com. |
+| `HEALTH_CHECK_ACCEPTED_STATUSES` | optional | Space-separated HTTP statuses considered healthy on promote (default `200 301 302`). |
+| `CPLN_CLI_VERSION` | optional | Pin a specific `@controlplane/cli` version; falls back to the action default when unset. |
+| `CPFLOW_VERSION` | optional | Pin a specific cpflow gem version; falls back to the generated default when unset. |
+
+## Workflow behavior
+
+- Review apps are opt-in and created with `/deploy-review-app`
+- New commits redeploy existing review apps automatically
+- Pushes to the staging branch deploy staging automatically
+- Promotion to production is manual via the Actions tab
+- A nightly workflow removes stale review apps

.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -9,36 +9,40 @@ permissions:
   contents: read
 
 concurrency:
+  # Single global group: only one cleanup sweep at a time. Independent of review-app
+  # deploy/delete groups (different keys), so cleanup will not block per-PR work.
   group: cpflow-cleanup-stale-review-apps
+  # A cancelled `cpflow cleanup-stale-apps` can leave half-deleted review apps; let
+  # the in-flight run finish before the next scheduled tick begins.
   cancel-in-progress: false
 
 jobs:
   cleanup:
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Validate required secrets and variables
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          missing=()
-          [[ -n "${{ secrets.CPLN_TOKEN_STAGING }}" ]] || missing+=("secret:CPLN_TOKEN_STAGING")
-          [[ -n "${{ vars.CPLN_ORG_STAGING }}" ]] || missing+=("variable:CPLN_ORG_STAGING")
-          [[ -n "${{ vars.REVIEW_APP_PREFIX }}" ]] || missing+=("variable:REVIEW_APP_PREFIX")
-
-          if [[ ${#missing[@]} -gt 0 ]]; then
-            printf 'Missing required GitHub configuration:\n- %s\n' "${missing[@]}" >&2
-            exit 1
-          fi
+        uses: ./.github/actions/cpflow-validate-config
+        env:
+          CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
+        with:
+          required: |
+            secret:CPLN_TOKEN_STAGING
+            variable:CPLN_ORG_STAGING
+            variable:REVIEW_APP_PREFIX
 
       - name: Setup environment
         uses: ./.github/actions/cpflow-setup-environment
         with:
           token: ${{ secrets.CPLN_TOKEN_STAGING }}
           org: ${{ vars.CPLN_ORG_STAGING }}
+          cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
+          cpflow_version: ${{ vars.CPFLOW_VERSION }}
 
       - name: Remove stale review apps
         shell: bash