cpflow 5.0.0.rc.1 → 5.0.0

data/lib/core/controlplane_api_direct.rb

@@ -1,28 +1,45 @@
 # frozen_string_literal: true
 
-class RedactedDebugOutput
-  SAFE_HEADERS = %w[Content-Type Content-Length Accept Host Date Cache-Control Connection].freeze
-  HEADER_REGEX = /^([A-Za-z-]+): (.+)$/
+class ControlplaneApiDirect
+  class RedactedDebugOutput
+    SAFE_HEADERS = %w[Content-Type Content-Length Accept Host Date Cache-Control Connection].freeze
+    HEADER_REGEX = /^([A-Za-z-]+): (.+)$/
 
-  def <<(msg)
-    $stdout << redact(msg)
-  end
+    def <<(msg)
+      $stdout << redact(msg)
+    end
+
+    private
 
-  private
+    def redact(msg)
+      msg.lines.map { |line| redact_line(line) }.join
+    end
+
+    def redact_line(line)
+      match = line.match(HEADER_REGEX)
+      return line.gsub(/[\w\-._]{50,}/, "[REDACTED]") unless match
 
-  def redact(msg)
-    msg.lines.map { |line| redact_line(line) }.join
+      SAFE_HEADERS.any? { |h| h.casecmp(match[1]).zero? } ? line : "#{match[1]}: [REDACTED]\n"
+    end
   end
 
-  def redact_line(line)
-    match = line.match(HEADER_REGEX)
-    return line.gsub(/[\w\-._]{50,}/, "[REDACTED]") unless match
+  class ForbiddenError < StandardError
+    attr_reader :url
+
+    def initialize(url:, response:)
+      @url = url
+      org = ControlplaneApiDirect.parse_org(url)
+      message =
+        if org
+          "Double check your org #{org}. #{response}"
+        else
+          "Control Plane API request to #{url} was forbidden. #{response}"
+        end
 
-    SAFE_HEADERS.any? { |h| h.casecmp(match[1]).zero? } ? line : "#{match[1]}: [REDACTED]\n"
+      super(message)
+    end
   end
-end
 
-class ControlplaneApiDirect
   API_METHODS = {
     get: Net::HTTP::Get,
     patch: Net::HTTP::Patch,
@@ -32,12 +49,6 @@ class ControlplaneApiDirect
   }.freeze
   API_HOSTS = { api: "https://api.cpln.io", logs: "https://logs.cpln.io" }.freeze
 
-  # API_TOKEN_REGEX = Regexp.union(
-  #  /^[\w.]{155}$/, # CPLN_TOKEN format
-  #  /^[\w\-._]{1134}$/ # 'cpln profile token' format
-  # ).freeze
-
-  API_TOKEN_REGEX = /^[\w\-._]+$/
   API_TOKEN_EXPIRY_SECONDS = 300
 
   class << self
@@ -52,7 +63,7 @@ class ControlplaneApiDirect
 
     refresh_api_token if should_refresh_api_token?
 
-    request["Authorization"] = api_token[:token]
+    request["Authorization"] = authorization_header
     request.body = body.to_json if body
 
     Shell.debug(method.upcase, "#{uri} #{body&.to_json}")
@@ -71,8 +82,7 @@ class ControlplaneApiDirect
     when Net::HTTPNotFound
       nil
     when Net::HTTPForbidden
-      org = self.class.parse_org(url)
-      raise("Double check your org #{org}. #{response} #{response.body}")
+      raise ForbiddenError.new(url: url, response: response)
     else
       raise("#{response} #{response.body}")
     end
@@ -87,6 +97,13 @@ class ControlplaneApiDirect
     end
   end
 
+  def authorization_header
+    token = api_token[:token]
+    return token if token.match?(/\ABearer\s+/i)
+
+    "Bearer #{token}"
+  end
+
   # rubocop:disable Style/ClassVars
   def api_token # rubocop:disable Metrics/MethodLength
     return @@api_token if defined?(@@api_token)
@@ -101,7 +118,11 @@ class ControlplaneApiDirect
         comes_from_profile: true
       }
     end
-    return @@api_token if @@api_token[:token].match?(API_TOKEN_REGEX)
+    token = @@api_token[:token]
+    # Allow any token that does not contain line breaks. Scoped service-account
+    # tokens include punctuation such as '/', '+', ':', and '=', so format
+    # validation is deferred to the Control Plane API.
+    return @@api_token if token && !token.empty? && !token.match?(/[\r\n]/)
 
     raise "Unknown API token format. " \
           "Please re-run 'cpln profile login' or set the correct CPLN_TOKEN env variable."
@@ -112,7 +133,9 @@ class ControlplaneApiDirect
     return false unless api_token[:comes_from_profile]
 
     payload, = JWT.decode(api_token[:token], nil, false, algorithms: [])
-    difference_in_seconds = payload["exp"] - Time.now.to_i
+    return false unless payload.is_a?(Hash) && payload["exp"]
+
+    difference_in_seconds = payload["exp"].to_i - Time.now.to_i
 
     difference_in_seconds <= API_TOKEN_EXPIRY_SECONDS
   rescue JWT::DecodeError
@@ -129,6 +152,6 @@ class ControlplaneApiDirect
   # rubocop:enable Style/ClassVars
 
   def self.parse_org(url)
-    url.match(%r{^/org/([^/]+)})[1]
+    url.match(%r{^/org/([^/]+)})&.[](1)
   end
 end

data/lib/core/doctor_service.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-class ValidationError < StandardError; end
-
 class DoctorService
+  class ValidationError < StandardError; end
+
   extend Forwardable
 
   def_delegators :@command, :config, :progress

data/lib/core/github_flow_readiness_service.rb

@@ -3,6 +3,7 @@
 require "bundler"
 require "cgi"
 require "net/http"
+require "uri"
 require "yaml"
 
 require_relative "repo_introspection"
@@ -225,6 +226,9 @@ class GithubFlowReadinessService # rubocop:disable Metrics/ClassLength
     version.is_a?(String) && version.match?(/\A\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?\z/)
   end
 
+  # Returns true/false/nil — `nil` means "registry lookup failed" so partition_dependencies
+  # can route those into :unknown rather than :unavailable.
+  # rubocop:disable Style/ReturnNilInPredicateMethodDefinition, Naming/PredicateMethod
   def rubygems_requirement_available?(dependency)
     versions = fetch_rubygems_versions(dependency[:name])
     return nil unless versions
@@ -232,13 +236,19 @@ class GithubFlowReadinessService # rubocop:disable Metrics/ClassLength
     requirement = dependency[:requirement]
     versions.any? { |version| requirement.satisfied_by?(Gem::Version.new(version)) }
   end
+  # rubocop:enable Style/ReturnNilInPredicateMethodDefinition, Naming/PredicateMethod
 
+  # Same tri-state semantics as rubygems_requirement_available? — `nil` means lookup failed.
+  # The body is a single `include?` call, which `Naming/PredicateMethod` recognises as
+  # boolean-safe, so only the nil-return cop needs suppressing here.
+  # rubocop:disable Style/ReturnNilInPredicateMethodDefinition
   def npm_dependency_available?(dependency)
     versions = fetch_npm_versions(dependency[:name])
     return nil unless versions
 
     versions.include?(dependency[:exact_version])
   end
+  # rubocop:enable Style/ReturnNilInPredicateMethodDefinition
 
   # Fan out registry lookups across a small thread pool. Each HTTP call has a 5s timeout
   # (see `http_get`), and the join deadline below bounds cases such as DNS resolution
@@ -368,8 +378,8 @@ class GithubFlowReadinessService # rubocop:disable Metrics/ClassLength
   end
 
   def http_get(uri)
-    http = Net::HTTP.new(uri.host, uri.port)
-    http.use_ssl = true
+    http = build_http_client(uri)
+    http.use_ssl = uri.scheme == "https"
     http.open_timeout = 5
     http.read_timeout = 5
     http.get(uri.request_uri)
@@ -378,6 +388,20 @@ class GithubFlowReadinessService # rubocop:disable Metrics/ClassLength
     nil
   end
 
+  def build_http_client(uri)
+    proxy_uri = uri.find_proxy
+    return Net::HTTP.new(uri.host, uri.port) unless proxy_uri
+
+    Net::HTTP.new(
+      uri.host,
+      uri.port,
+      proxy_uri.hostname,
+      proxy_uri.port,
+      proxy_uri.user,
+      proxy_uri.password
+    )
+  end
+
   def load_gem_dependencies
     lockfile_path = root_path.join("Gemfile.lock")
     return [] unless lockfile_path.file?

data/lib/core/repo_introspection.rb

@@ -45,7 +45,7 @@ module RepoIntrospection
     path = File.join(root, "Gemfile")
     return unless File.file?(path)
 
-    ruby_lines = File.readlines(path, chomp: true).select { |line| line.match?(RUBY_VERSION_DIRECTIVE_PREFIX) }
+    ruby_lines = File.readlines(path, chomp: true).grep(RUBY_VERSION_DIRECTIVE_PREFIX)
     ruby_line = ruby_lines.find { |line| line.match?(RUBY_VERSION_DIRECTIVE_PATTERN) }
     warn_dynamic_ruby_directive if ruby_lines.any? && ruby_line.nil?
     return unless ruby_line
@@ -84,10 +84,48 @@ module RepoIntrospection
     production = parsed["production"]
     return false unless production.is_a?(Hash)
 
-    url = production["url"]
+    sqlite_database_config?(production)
+  end
+
+  # Determines whether a database config hash uses SQLite. Handles both
+  # the single-database shape (top-level `adapter`/`url`) and Rails 6.1+ multi-database
+  # shape where each connection sits one level deeper (`primary:`, `cache:`, etc.).
+  # Returns false on any explicit non-SQLite adapter so a mixed config (e.g. Postgres
+  # primary + SQLite cache) keeps the Postgres scaffold rather than a volume scaffold.
+  def self.sqlite_database_config?(config)
+    return false unless config.is_a?(Hash)
+
+    direct_result = direct_sqlite_database_config?(config)
+    return direct_result unless direct_result.nil?
+
+    nested_sqlite_database_config?(config)
+  end
+
+  # Returns true/false when a direct `url` or `adapter` key is conclusive, or nil
+  # when neither key is present so the caller can check nested sub-configs.
+  # rubocop:disable Style/ReturnNilInPredicateMethodDefinition -- ternary nil/true/false is load-bearing for the caller
+  def self.direct_sqlite_database_config?(config)
+    url = config["url"]
     return sqlite_database_url?(url) if url.is_a?(String) && !url.strip.empty?
 
-    sqlite_adapter_in_hash?(production)
+    return sqlite_adapter_in_hash?(config) if config["adapter"].is_a?(String)
+
+    nil
+  end
+  # rubocop:enable Style/ReturnNilInPredicateMethodDefinition
+
+  def self.nested_sqlite_database_config?(config)
+    # In Rails multi-database configs, hash values with adapter/url keys are named
+    # connections such as primary:, cache:, or queue:. Scalar and incidental hash
+    # settings are ignored.
+    sub_configs = config.values.select { |value| database_connection_config?(value) }
+    return false if sub_configs.empty?
+
+    sub_configs.all? { |sub| sqlite_database_config?(sub) }
+  end
+
+  def self.database_connection_config?(config)
+    config.is_a?(Hash) && (config.key?("adapter") || config.key?("url"))
   end
 
   def self.safe_load_database_yml(raw_contents)

data/lib/core/shell.rb

@@ -27,7 +27,9 @@ class Shell
     shell.set_color(message, color_key)
   end
 
-  def self.confirm(message)
+  # Prompts the user and returns whether they confirmed. Side-effecting on stdout/stdin,
+  # so the method name intentionally lacks `?` despite returning a boolean.
+  def self.confirm(message) # rubocop:disable Naming/PredicateMethod
     shell.yes?("#{message} (y/N)")
   end
 

data/lib/core/terraform_config/policy.rb

@@ -141,7 +141,7 @@ module TerraformConfig
     end
 
     def validate_term!(term)
-      return if (%i[property rel tag] & term.keys).count == 1
+      return if (%i[property rel tag] & term.keys).one?
 
       raise ArgumentError,
             "Each term in `target_query.spec.terms` must contain exactly one of the following attributes: " \

data/lib/cpflow/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Cpflow
-  VERSION = "5.0.0.rc.1"
+  VERSION = "5.0.0"
   MIN_CPLN_VERSION = "3.1.0"
 end

data/lib/cpflow.rb

@@ -307,7 +307,7 @@ module Cpflow
         end
 
         begin
-          Cpflow::Cli.validate_options!(options)
+          Cpflow::Cli.validate_options!(options, command_options: command_options)
 
           config = Config.new(args, options, required_options)
 
@@ -333,25 +333,39 @@ module Cpflow
     check_unknown_options!(except: @commands_with_extra_options)
     stop_on_unknown_option!
 
-    def self.validate_options!(options) # rubocop:disable Metrics/MethodLength
+    def self.validate_options!(options, command_options: ::Command::Base.all_options)
+      option_definitions = option_definitions_for(command_options)
+
       options.each do |name, value|
         normalized_name = ::Helpers.normalize_option_name(name)
         raise "No value provided for option #{normalized_name}." if value.to_s.strip.empty?
 
-        option = ::Command::Base.all_options.find { |current_option| current_option[:name].to_s == name }
-        if option[:new_name]
-          normalized_new_name = ::Helpers.normalize_option_name(option[:new_name])
-          ::Shell.warn_deprecated("Option #{normalized_name} is deprecated, " \
-                                  "please use #{normalized_new_name} instead.")
-          $stderr.puts
-        end
+        option = option_definitions.find { |current_option| current_option[:name].to_s == name }
+        validate_option!(option, normalized_name, value) if option
+      end
+    end
+
+    def self.option_definitions_for(command_options)
+      (::Command::Base.common_options + command_options).uniq { |option| option[:name] }
+    end
+    private_class_method :option_definitions_for
 
-        params = option[:params]
-        next unless params[:valid_regex]
+    def self.validate_option!(option, normalized_name, value)
+      warn_deprecated_option(option, normalized_name) if option[:new_name]
 
-        raise "Invalid value provided for option #{normalized_name}." unless value.match?(params[:valid_regex])
-      end
+      params = option[:params]
+      return unless params[:valid_regex]
+
+      raise "Invalid value provided for option #{normalized_name}." unless value.match?(params[:valid_regex])
+    end
+    private_class_method :validate_option!
+
+    def self.warn_deprecated_option(option, normalized_name)
+      normalized_new_name = ::Helpers.normalize_option_name(option[:new_name])
+      ::Shell.warn_deprecated("Option #{normalized_name} is deprecated, please use #{normalized_new_name} instead.")
+      $stderr.puts
     end
+    private_class_method :warn_deprecated_option
 
     def self.show_info_header(config) # rubocop:disable Metrics/MethodLength
       return if @showed_info_header

data/lib/generator_templates/templates/rails.yml

@@ -12,6 +12,10 @@ spec:
       memory: 512Mi
       ports:
         - number: 3000
+          # Keep this as `http` even when fronting Rails with Thruster — the Control Plane
+          # load balancer still serves HTTP/2 to end users. Setting `http2` here causes
+          # `502 Bad Gateway` with "protocol error".
+          # See https://www.shakacode.com/control-plane-flow/docs/thruster/ for details.
           protocol: http
   defaultOptions:
     autoscaling:

data/lib/generator_templates_sqlite/templates/rails.yml

@@ -10,6 +10,10 @@ spec:
       memory: 512Mi
       ports:
         - number: 3000
+          # Keep this as `http` even when fronting Rails with Thruster — the Control Plane
+          # load balancer still serves HTTP/2 to end users. Setting `http2` here causes
+          # `502 Bad Gateway` with "protocol error".
+          # See https://www.shakacode.com/control-plane-flow/docs/thruster/ for details.
           protocol: http
       volumes:
         - path: /app/db

data/lib/github_flow_templates/.github/cpflow-help.md

@@ -47,13 +47,42 @@ You asked for review app help. These commands are generated by [cpflow](https://
 | `STAGING_APP_NAME` | yes | App name in `controlplane.yml` used as the staging deploy target. |
 | `PRODUCTION_APP_NAME` | yes (for promote) | App name in `controlplane.yml` used as the production deploy target. |
 | `REVIEW_APP_PREFIX` | yes | Prefix for per-PR review app names (e.g. `review-app`). |
+| `REVIEW_APP_DEPLOYING_ICON_URL` | optional | Custom image URL for the animated deploying icon in review-app PR comments. Set to `none` to use the text fallback icon. |
 | `STAGING_APP_BRANCH` | optional | Custom staging branch. Custom branches must also appear in `cpflow-deploy-staging.yml`'s push filter. |
 | `PRIMARY_WORKLOAD` | optional | Workload polled for health and rollback (defaults to `rails`). |
 | `DOCKER_BUILD_EXTRA_ARGS` | optional | Newline-delimited extra docker build tokens (e.g. `--build-arg=FOO=bar`). |
 | `DOCKER_BUILD_SSH_KNOWN_HOSTS` | optional | SSH known_hosts entries when SSH build hosts are not GitHub.com. |
 | `HEALTH_CHECK_ACCEPTED_STATUSES` | optional | Space-separated HTTP statuses considered healthy on promote (default `200 301 302`). |
 | `CPLN_CLI_VERSION` | optional | Pin a specific `@controlplane/cli` version; falls back to the action default when unset. |
-| `CPFLOW_VERSION` | optional | Pin a specific cpflow gem version; falls back to the generated default when unset. |
+| `CPFLOW_VERSION` | optional | Pin a published RubyGems version such as `5.0.0`. Leave unset for normal generated workflows so the setup action builds `cpflow` from the same `control-plane-flow` GitHub ref used by the reusable workflow. |
+
+</details>
+
+<details>
+<summary>Advanced: testing unreleased control-plane-flow changes</summary>
+
+Generated workflow wrappers have two related pins:
+
+- The `uses: shakacode/control-plane-flow/...@<ref>` GitHub ref selects the reusable workflow code.
+- The `control_plane_flow_ref: <ref>` input tells the setup action which `control-plane-flow` source to check out and build when `CPFLOW_VERSION` is empty.
+
+For normal releases, point both pins at a release tag such as `v5.0.0`.
+You may leave `CPFLOW_VERSION` unset, or set it to the matching RubyGems version
+without the leading `v`, such as `5.0.0`.
+
+For temporary downstream testing of an upstream PR before a gem is released, pin
+both values to the exact 40-character commit SHA and leave `CPFLOW_VERSION`
+unset:
+
+```sh
+bin/pin-cpflow-github-ref <40-character-control-plane-flow-commit-sha>
+bin/test-cpflow-github-flow ruby /path/to/control-plane-flow/bin/cpflow
+```
+
+Do not leave downstream apps pinned to a moving branch such as `main`. A branch
+can pick up beta or work-in-progress changes without a downstream PR changing.
+Use commit SHAs for short-lived PR testing, then switch to the release tag once
+the gem and tag exist.
 
 </details>
 

data/lib/github_flow_templates/.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -8,49 +8,15 @@ on:
 permissions:
   contents: read
 
-concurrency:
-  # Single global group: only one cleanup sweep at a time. Independent of review-app
-  # deploy/delete groups (different keys), so cleanup will not block per-PR work.
-  group: cpflow-cleanup-stale-review-apps
-  # A cancelled `cpflow cleanup-stale-apps` can leave half-deleted review apps; let
-  # the in-flight run finish before the next scheduled tick begins.
-  cancel-in-progress: false
-
 jobs:
   cleanup:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Validate required secrets and variables
-        uses: ./.github/actions/cpflow-validate-config
-        env:
-          CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
-          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
-          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
-        with:
-          required: |
-            secret:CPLN_TOKEN_STAGING
-            variable:CPLN_ORG_STAGING
-            variable:REVIEW_APP_PREFIX
-
-      - name: Setup environment
-        uses: ./.github/actions/cpflow-setup-environment
-        with:
-          token: ${{ secrets.CPLN_TOKEN_STAGING }}
-          org: ${{ vars.CPLN_ORG_STAGING }}
-          cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
-          cpflow_version: ${{ vars.CPFLOW_VERSION }}
-
-      - name: Remove stale review apps
-        env:
-          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
-          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG_STAGING}" --yes
+    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
+    # first selects the reusable workflow, the second selects its shared actions.
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@__CPFLOW_GITHUB_ACTIONS_REF__
+    with:
+      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
+    # `secrets: inherit` passes all caller repository secrets to the trusted
+    # upstream workflow. The upstream workflow only reads the named secrets it
+    # references, but GitHub does not enforce that boundary. Strict consumers can
+    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
+    secrets: inherit

data/lib/github_flow_templates/.github/workflows/cpflow-delete-review-app.yml

@@ -17,19 +17,11 @@ permissions:
   issues: write
   pull-requests: write
 
-concurrency:
-  group: cpflow-delete-review-app-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
-  # Deletions must not cancel each other mid-flight — a cancelled `cpln` delete can leave
-  # partial state behind. Let the in-progress deletion finish before the next run starts.
-  cancel-in-progress: false
-
-env:
-  APP_NAME: ${{ vars.REVIEW_APP_PREFIX }}-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
-  CPLN_ORG: ${{ vars.CPLN_ORG_STAGING }}
-  PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
-
 jobs:
   delete-review-app:
+    # pull_request_target is intentional: fork PR-close events need access to
+    # staging secrets to delete review apps and update PR comments. The upstream
+    # reusable workflow checks out trusted base-branch action code, not fork code.
     if: |
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
@@ -37,106 +29,15 @@ jobs:
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       (github.event_name == 'pull_request_target' && github.event.action == 'closed') ||
       github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-
-    steps:
-      # pull_request_target is intentional: PR-close events from forks need access
-      # to staging secrets so this workflow can delete review apps and update PR
-      # comments. This checkout is safe because it does not set `ref:`; GitHub checks
-      # out the base branch's trusted workflow code, not the fork head. Do not add
-      # `ref: ${{ github.event.pull_request.head.sha }}` here without re-evaluating
-      # the trust boundary. All local composite actions below are therefore loaded from
-      # trusted base-branch code; keep them that way when changing this workflow.
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          # Delete only invokes `cpln`/`cpflow`; no git push happens, so drop the
-          # GITHUB_TOKEN credential helper to keep the token out of .git/config under
-          # `pull_request_target`, which has access to repository secrets.
-          persist-credentials: false
-
-      - name: Validate required secrets and variables
-        uses: ./.github/actions/cpflow-validate-config
-        env:
-          CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
-          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
-          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
-        with:
-          required: |
-            secret:CPLN_TOKEN_STAGING
-            variable:CPLN_ORG_STAGING
-            variable:REVIEW_APP_PREFIX
-          pull_request_friendly: "true"
-
-      - name: Setup environment
-        uses: ./.github/actions/cpflow-setup-environment
-        with:
-          token: ${{ secrets.CPLN_TOKEN_STAGING }}
-          org: ${{ vars.CPLN_ORG_STAGING }}
-          cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
-          cpflow_version: ${{ vars.CPFLOW_VERSION }}
-
-      - name: Set workflow links
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const workflowUrl = `${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
-            core.exportVariable("WORKFLOW_URL", workflowUrl);
-            core.exportVariable(
-              "CONSOLE_URL",
-              `https://console.cpln.io/console/org/${process.env.CPLN_ORG}/-info`
-            );
-
-      - name: Create initial PR comment
-        id: create-comment
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const comment = await github.rest.issues.createComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: Number(process.env.PR_NUMBER),
-              body: "🗑️ Deleting Control Plane review app..."
-            });
-            core.setOutput("comment-id", comment.data.id);
-
-      - name: Delete review app
-        uses: ./.github/actions/cpflow-delete-control-plane-app
-        with:
-          app_name: ${{ env.APP_NAME }}
-          cpln_org: ${{ vars.CPLN_ORG_STAGING }}
-          review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
-
-      - name: Finalize delete status
-        if: always()
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const commentId = Number("${{ steps.create-comment.outputs.comment-id }}");
-            const success = "${{ job.status }}" === "success";
-            const body = success
-              ? [
-                  `✅ Review app for PR #${process.env.PR_NUMBER} is deleted`,
-                  "",
-                  `[Open organization console](${process.env.CONSOLE_URL})`,
-                  `[View workflow logs](${process.env.WORKFLOW_URL})`
-                ].join("\n")
-              : [
-                  `❌ Failed to delete review app for PR #${process.env.PR_NUMBER}`,
-                  "",
-                  `[Open organization console](${process.env.CONSOLE_URL})`,
-                  `[View workflow logs](${process.env.WORKFLOW_URL})`
-                ].join("\n");
-
-            if (!Number.isFinite(commentId) || commentId <= 0) {
-              core.warning("Skipping delete status comment update because no comment id was created.");
-              return;
-            }
-
-            await github.rest.issues.updateComment({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              comment_id: commentId,
-              body
-            });
+    # This `if:` mirrors the upstream job guard to avoid a billable workflow_call
+    # when the event does not match. Keep both conditions in sync.
+    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
+    # first selects the reusable workflow, the second selects its shared actions.
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@__CPFLOW_GITHUB_ACTIONS_REF__
+    with:
+      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
+    # `secrets: inherit` passes all caller repository secrets to the trusted
+    # upstream workflow. The upstream workflow only reads the named secrets it
+    # references, but GitHub does not enforce that boundary. Strict consumers can
+    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
+    secrets: inherit