Address latest cpflow review polish

Author: justin808

.controlplane/readme.md

@@ -380,6 +380,9 @@ After the review app exists, new pushes to the PR redeploy it automatically.
 Use `/delete-review-app` to delete it manually; closing the PR deletes it
 automatically. Pushes to the staging branch deploy staging, and production
 promotion is manual from the `cpflow-promote-staging-to-production` workflow.
+If staging moves off `master`, update both the `STAGING_APP_BRANCH` repository
+variable and the `branches:` filter in `.github/workflows/cpflow-deploy-staging.yml`;
+GitHub does not allow repository variables in trigger branch filters.
 The production promotion workflow checks that production has all environment
 variable names present in staging; it does not compare secret values, workload
 environment variables, or Control Plane secret references.

.github/actions/cpflow-build-docker-image/action.yml

@@ -21,7 +21,7 @@ inputs:
     description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
     required: false
   docker_build_ssh_known_hosts:
-    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
+    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys; override if GitHub rotates keys or your build uses another SSH host.
     required: false
 
 runs:
@@ -50,6 +50,8 @@ runs:
         if [[ -n "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" ]]; then
           printf '%s\n' "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
         else
+          # GitHub.com host keys verified against GitHub's published keys on 2026-05-01.
+          # Override docker_build_ssh_known_hosts if GitHub rotates keys again.
           printf '%s\n' \
             'github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl' \
             'github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=' \

.github/workflows/cpflow-deploy-review-app.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
   issue_comment:
+    # Slash-command workflow changes run from the default branch until merged.
+    # Test PR-branch edits with:
+    # gh workflow run cpflow-deploy-review-app.yml --ref <branch> -f pr_number=<pr-number>
     types: [created]
   workflow_dispatch:
     inputs:
@@ -282,6 +285,8 @@ jobs:
               ref: process.env.PR_SHA,
               environment: `review/${process.env.APP_NAME}`,
               auto_merge: false,
+              // Review apps intentionally deploy on demand regardless of CI status;
+              // they are ephemeral feedback environments, not branch-protection gates.
               required_contexts: [],
               description: `Control Plane review app for PR #${process.env.PR_NUMBER}`
             });

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -40,8 +40,24 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
+  validate-confirmation:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Validate promotion confirmation
+        env:
+          CONFIRM_PROMOTION: ${{ github.event.inputs.confirm_promotion }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          if [[ "${CONFIRM_PROMOTION}" != "promote" ]]; then
+            echo "::error::Promotion confirmation must be exactly 'promote'."
+            exit 1
+          fi
+
   promote-to-production:
-    if: github.event.inputs.confirm_promotion == 'promote'
+    needs: validate-confirmation
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
@@ -175,7 +191,9 @@ jobs:
             [[ -n "${workload_name}" ]] || continue
 
             workload_json="$(cpln workload get "${workload_name}" --gvc "${PRODUCTION_APP_NAME}" --org "${CPLN_ORG_PRODUCTION}" -o json)"
-            workload_image="$(echo "${workload_json}" | jq -r '.spec.containers[0].image')"
+          # current_image/current_version are summary fields for the first container
+          # of the selected workload; rollback_state below captures all containers.
+          workload_image="$(echo "${workload_json}" | jq -r '.spec.containers[0].image')"
             workload_containers="$(echo "${workload_json}" | jq -c '.spec.containers | map({name, image})')"
             workload_version="$(echo "${workload_json}" | jq -r '.version')"
 
@@ -215,15 +233,14 @@ jobs:
 
       - name: Copy image from staging
         env:
-          # cpflow 4.2.x requires the upstream token flag; keep the secret sourced
-          # from env so it is still masked by GitHub logs.
+          # cpflow reads this env var directly, avoiding token exposure in argv.
           CPLN_UPSTREAM_TOKEN: ${{ secrets.CPLN_TOKEN_STAGING }}
           PRODUCTION_APP_NAME: ${{ vars.PRODUCTION_APP_NAME }}
           CPLN_ORG_PRODUCTION: ${{ vars.CPLN_ORG_PRODUCTION }}
         shell: bash
         run: |
           set -euo pipefail
-          cpflow copy-image-from-upstream -a "${PRODUCTION_APP_NAME}" -t "${CPLN_UPSTREAM_TOKEN}" --org "${CPLN_ORG_PRODUCTION}"
+          cpflow copy-image-from-upstream -a "${PRODUCTION_APP_NAME}" --org "${CPLN_ORG_PRODUCTION}"
 
       - name: Deploy image to production
         env:
@@ -390,6 +407,6 @@ jobs:
               echo "❌ Status: deployment failed"
             fi
             echo
-            echo "Previous image: \`${PREVIOUS_IMAGE}\`"
+            echo "Previous image (first container of selected/first workload): \`${PREVIOUS_IMAGE}\`"
             echo "Previous version: ${PREVIOUS_VERSION}"
           } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/cpflow-review-app-help.yml

@@ -9,6 +9,7 @@ on:
     types: [opened]
 
 permissions:
+  contents: read
   issues: write
   pull-requests: write