cpflow 5.0.0 → 5.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1c17c05bff512134eb30334102939a75447792daaad19e4c77a04c5f9df60c32
-  data.tar.gz: 382adbb86b322355500791f24aa2e2ce3937917d327fe64ffe7fd231d46ab612
+  metadata.gz: e1371f70bf636d92e0dacd78322ad6ef7d87e29fbec6c853e487a01205be1528
+  data.tar.gz: 9ad5116ccb84cc7e3757922c3c0580785caa1cfff96aed768c65d63c7ff01e93
 SHA512:
-  metadata.gz: abd5e5788bfae7f2b42a85ec50abf557d2807d9f45544b78a95f50fc131d90d05918ca6d9e208b336c59ba628b0f5fe938b2d87aafc542e1549e173394ff96d3
-  data.tar.gz: 0a3382ea577d7f563b7ae41d7977ae1a642c80cbf0487793a987faa1ed7634b40f1b38138a2202711f379f87ed6a8bafbd5a29755d8a11633f5ec811ab469d6e
+  metadata.gz: 6c96a1db55e94a5e22efa0640d51129566aa6afb16c8ea9887f5cf709a313ef3b1a690d5b64ba932b50cb1fb72efe85e7fa3371f8941b60242486d6fc1322566
+  data.tar.gz: 5a91cc36014d13c3b36ea3af7620758821d1fa0000bab12b1742d47fe0240015353c59b5dae6d981680b7746bcaa9154bd44f00a1fc240dce651cd57926a253b

data/.claude/commands/update-changelog.md

@@ -166,13 +166,16 @@ This repo does **not** have an `update_changelog` rake task — the slash comman
      ```
 
      Note: this repo uses `...HEAD`, not `...main`. Match the existing convention.
-   - Add a new compare link for the stamped version, comparing the previous tag to the new one:
+   - Add a new compare link for the stamped version:
 
      ```markdown
      [4.3.0]: https://github.com/shakacode/control-plane-flow/compare/v4.2.0...v4.3.0
      ```
 
-3. **For `rc`/`beta` modes**: collapse prior prerelease sections of the same base version into a single section (see "For Prerelease Versions" below). Remove the orphaned compare links for the collapsed prerelease versions.
+     - **For stable releases**, skip prerelease tags — compare from the previous **stable** tag. A stable release that coalesces prior RCs (e.g., `v5.0.0.rc.0`, `v5.0.0.rc.1`) still uses the last stable tag as the left side (e.g., `v4.2.0...v5.0.0`), not the latest RC tag.
+     - **For prereleases**, compare from the immediately previous tag (which may be a prior RC/beta or the last stable tag).
+
+3. **For `rc`/`beta` modes**: Insert the new RC/beta section above any prior prereleases — do NOT collapse them. Each RC/beta is a separately-tagged release that users install, and they need to see what changed between, say, `rc.0` and `rc.1`. See "For Prerelease Versions" below. Coalescing happens only at the stable release.
 
 The `rake release` task reads the first `## [VERSION]` header (skipping `Unreleased`) and uses it as the target version when newer than the current gem version. So once the changelog PR merges, `bundle exec rake release` (no args) will pick up the version automatically.
 
@@ -267,9 +270,11 @@ If the user passed `release`, `rc`, `beta`, or an explicit version string as an
    - Update `[Unreleased]` to compare from the new tag to `HEAD`
    - Add a new compare link for the stamped version
 
-5. **For `rc`/`beta`**: collapse prior prerelease sections of the same base version (see below) and remove their orphaned compare links.
+5. **For `rc`/`beta`**: Do NOT collapse prior prerelease sections — each RC/beta gets its own section so users can see what changed between prereleases. Just insert the new section above the prior ones and add a new compare link. See "For Prerelease Versions" below.
+
+6. **For stable `release` (or explicit stable version) when prior `rc`/`beta` sections exist for the same base version**: Do NOT just stamp `## [5.0.0]` above the prior RC sections. Instead, follow the "For Prerelease to Stable Version Release" process below — it replaces steps 3–4 here with the coalesce + curate flow (combine all RC sections into the new stable section, move any matching `[Unreleased]` entries in, drop prerelease-only noise, and use the previous **stable** tag in the compare link).
 
-6. **Verify** the stamped header and diff links match the requested version. If anything looks off, fix it before continuing.
+7. **Verify** the stamped header and diff links match the requested version. If anything looks off, fix it before continuing.
 
 If no argument was passed, skip this step -- entries stay in `## [Unreleased]`.
 
@@ -310,32 +315,92 @@ When the user passes `rc` or `beta` as an argument:
 
 2. **Auto-compute the next prerelease version** using the process in "Auto-Computing the Next Version" above. Use RubyGems format (`5.0.0.rc.0`), not `5.0.0-rc.0`.
 
-3. **Always collapse prior prereleases into the current prerelease** (this is the default behavior):
-   - Combine all prior prerelease changelog entries into the new prerelease version section
-   - Remove previous prerelease version sections (e.g., remove `## [5.0.0.rc.0]` when creating `## [5.0.0.rc.1]`)
-   - When collapsing, **consolidate duplicate category headings** — if both the Unreleased section and a prior prerelease section have `### Fixed`, merge all entries under a single `### Fixed` heading
-   - **Remove orphaned version diff links** at the bottom of the file for collapsed prerelease sections
-   - Add any new user-visible changes from commits since the last prerelease
-   - Update version diff links to point from the last stable version to the new prerelease
-   - This keeps the changelog clean with a single prerelease section that accumulates all changes since the last stable release
+3. **Do NOT collapse prior prereleases.** Each RC/beta is a separately-tagged release that users install — they need to see what changed between, for example, `rc.0` and `rc.1` (especially when diagnosing a regression in a specific RC). Each successive `bundle exec rake release` reads only the top-most `## [VERSION]` section (the RC you just stamped — see the "Version Stamping" section above), so as long as each RC has its own section the corresponding GitHub release gets its own focused notes. Instead:
+
+   - Insert the new prerelease version section immediately after `## [Unreleased]`, **above** any prior prerelease sections (preserves newest-first ordering)
+   - Move any entries from `## [Unreleased]` that belong to this prerelease into the new section
+   - Leave prior prerelease sections (e.g., `## [5.0.0.rc.0]`) untouched — keep their entries and their compare links at the bottom of the file
+   - Add any new user-visible changes from commits since the last prerelease tag to the new section only
+   - Add a new compare link at the bottom comparing the previous prerelease tag (or the last stable tag if this is the first RC) to the new prerelease tag
+   - Update the `[Unreleased]` compare link to point from the new prerelease tag to `HEAD`
+
+**Resulting structure** after stamping `5.0.0.rc.1` (with `5.0.0.rc.0` already shipped on top of stable `4.2.0`):
+
+```markdown
+## [Unreleased]
+
+## [5.0.0.rc.1] - 2026-05-25
+
+### Fixed
+
+- **Fix regression introduced in rc.0**. [PR 320](https://github.com/shakacode/control-plane-flow/pull/320) by [Justin Gordon](https://github.com/justin808).
+
+## [5.0.0.rc.0] - 2026-05-10
+
+### Added
+
+- **New feature**. [PR 315](https://github.com/shakacode/control-plane-flow/pull/315) by [Justin Gordon](https://github.com/justin808).
+
+## [4.2.0] - 2026-04-01
+
+...
+
+[Unreleased]: https://github.com/shakacode/control-plane-flow/compare/v5.0.0.rc.1...HEAD
+[5.0.0.rc.1]: https://github.com/shakacode/control-plane-flow/compare/v5.0.0.rc.0...v5.0.0.rc.1
+[5.0.0.rc.0]: https://github.com/shakacode/control-plane-flow/compare/v4.2.0...v5.0.0.rc.0
+[4.2.0]: https://github.com/shakacode/control-plane-flow/compare/v4.1.1...v4.2.0
+```
 
-**Note**: The new version header must be inserted **immediately after `## [Unreleased]`** (see Step 4). This ensures correct ordering of version headers.
+Both RC sections remain intact with their own compare links until the stable release coalesces them.
+
+**Coalescing happens only at the stable release** — see "For Prerelease to Stable Version Release" below.
+
+**Note**: The new version header must be inserted **immediately after `## [Unreleased]`** (see Step 4). This ensures correct newest-first ordering of version headers.
 
 ### For Prerelease to Stable Version Release
 
-When releasing from prerelease to a stable version (e.g., `v5.0.0.rc.1` -> `v5.0.0`):
+When releasing from prerelease to a stable version (e.g., `v5.0.0.rc.2` -> `v5.0.0`), this is where the accumulated prerelease sections get coalesced into one stable section. **Curate carefully** — users landing on the stable version don't care about intermediate prerelease state, and noise here makes the upgrade story harder to read.
+
+#### Step 1: Coalesce all prerelease sections into one stable section
+
+- Replace `## [5.0.0.rc.0]`, `## [5.0.0.rc.1]`, `## [5.0.0.beta.1]`, etc. with a single `## [5.0.0] - YYYY-MM-DD` section
+- **Move any remaining entries from `## [Unreleased]` into the new stable section** — anything still under `[Unreleased]` at stable-release time is shipping in this stable version. Leave `## [Unreleased]` with only its header (no entries).
+- Combine entries from all prerelease sections and the moved `[Unreleased]` entries, consolidating duplicate category headings (e.g., merge multiple `### Fixed` sections into one under the preferred order from "Category Organization")
+- Remove the orphaned compare links at the bottom of the file for the coalesced prerelease versions
+- Add the `[5.0.0]` compare link pointing from the previous stable tag (e.g., `v4.2.0`) to `v5.0.0` — **not** from the latest RC tag
+- Update the `[Unreleased]` compare link to point from `v5.0.0` to `HEAD`
+
+#### Step 2: Curate the entries — REMOVE these
+
+1. **Prerelease-only fixes** — bugs introduced during the prerelease cycle and fixed in a later RC. If the bug never shipped in a stable release, the fix is noise to stable users.
+   - Investigate when a bug was introduced: `git log --oneline v<last_stable>..v<rc_that_fixed_the_bug>` — if this commit range doesn't contain the bug's introduction (i.e., the introducing commit predates the RC cycle), the bug was already in the last stable release and the fix belongs in the stable section. If the introduction *is* in this range, the bug never shipped in stable, so drop the fix.
+   - Check the PR description for what was broken and when
+
+2. **Refinements to prerelease-only features** — if a new feature was introduced in `rc.0` and then iterated in `rc.1`/`rc.2`, keep only the final description and drop the iteration history
+
+3. **Internal/contributor-only tooling** — CI tweaks, build script changes, generator handling of prerelease version formats, local-dev tooling fixes. These don't belong in a user-facing changelog.
+
+#### Step 3: Curate the entries — KEEP these
+
+1. **User-facing fixes for bugs that existed in the previous stable** — if `rc.2` fixes a bug that was in `4.2.0`, that fix matters to stable users upgrading
+
+2. **Compatibility fixes** — Ruby/Rails version support, dependency relaxations, etc.
+
+3. **All breaking changes** — API/CLI changes, removed methods, configuration changes, exit code changes, generator output changes. Even if a breaking change was introduced and refined across multiple prereleases, the final breaking change description belongs in stable.
+
+4. **Performance/security improvements affecting all users**
+
+#### Step 4: Investigation process for each entry
+
+For each entry from a prerelease section, ask:
 
-1. **Remove all prerelease version labels** from the changelog:
-   - Change `## [5.0.0.rc.0]`, `## [5.0.0.rc.1]`, etc. to a single `## [5.0.0]` section
-   - Also handle beta versions: `## [5.0.0.beta.1]` etc.
-   - Combine all prerelease entries into the stable release section
+- Was this bug present in the last stable release? If no, drop.
+- Was this feature introduced in an earlier prerelease and then superseded? If yes, keep only the final state.
+- Does this matter to someone upgrading from the last stable to this stable? If no, drop.
 
-2. **Consolidate duplicate entries**:
-   - If bug fixes or changes were made to features introduced in earlier prereleases, keep only the final state
-   - Remove redundant changelog entries for fixes to prerelease features
-   - Keep the most recent/accurate description of each change
+#### Step 5: Final read-through
 
-3. **Update version diff links** at the bottom to point to the stable version (and remove the orphaned prerelease compare links)
+Read the resulting stable section as if you're a user upgrading from the previous stable. Every entry should be something you'd want to know about. If an entry only makes sense to someone who tracked the RC cycle, drop it.
 
 ## Examples
 

data/.github/actions/cpflow-resolve-review-config/action.yml

@@ -0,0 +1,137 @@
+name: Resolve Review App Config
+description: Infers review app prefix and Control Plane org from controlplane.yml
+
+inputs:
+  configured_cpln_org_staging:
+    description: Optional override for the staging Control Plane org.
+    required: false
+    default: ""
+  configured_review_app_prefix:
+    description: Optional override for the review app prefix.
+    required: false
+    default: ""
+  pr_number:
+    description: Pull request number used to build the review app name.
+    required: false
+    default: ""
+  working_directory:
+    description: Directory containing .controlplane/controlplane.yml.
+    required: false
+    default: "."
+
+outputs:
+  review_app_prefix:
+    description: Resolved review app prefix.
+    value: ${{ steps.resolve.outputs.review_app_prefix }}
+  cpln_org:
+    description: Resolved Control Plane org.
+    value: ${{ steps.resolve.outputs.cpln_org }}
+  app_name:
+    description: Resolved review app name when pr_number is present; omitted when pr_number is empty.
+    value: ${{ steps.resolve.outputs.app_name }}
+
+runs:
+  using: composite
+  steps:
+    - name: Resolve review app config
+      id: resolve
+      shell: bash
+      working-directory: ${{ inputs.working_directory }}
+      env:
+        CONFIGURED_CPLN_ORG_STAGING: ${{ inputs.configured_cpln_org_staging }}
+        CONFIGURED_REVIEW_APP_PREFIX: ${{ inputs.configured_review_app_prefix }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+      run: |
+        set -euo pipefail
+
+        ruby <<'RUBY'
+        require "yaml"
+
+        def safe_load_yaml_file(path)
+          contents = File.read(path)
+
+          if YAML.method(:safe_load).parameters.any? { |type, name| type == :key && name == :aliases }
+            YAML.safe_load(contents, aliases: true)
+          else
+            YAML.safe_load(contents, [], [], true)
+          end
+        end
+
+        def validate_github_env_value!(name, value)
+          return if value.match?(/\A[A-Za-z0-9-]+\z/)
+
+          warn "::error::#{name} must contain only letters, numbers, and hyphens so it is a valid Control Plane name and can be safely written to GitHub environment files."
+          exit 1
+        end
+
+        begin
+          config = safe_load_yaml_file(".controlplane/controlplane.yml")
+          unless config.is_a?(Hash)
+            warn "::error::.controlplane/controlplane.yml must be a YAML mapping; got #{config.class}: #{config.inspect}"
+            exit 1
+          end
+
+          apps = config["apps"]
+          unless apps.is_a?(Hash)
+            warn "::error::.controlplane/controlplane.yml must define an apps mapping; got #{apps.class}: #{apps.inspect}"
+            exit 1
+          end
+
+          review_apps = apps.select do |_name, app_config|
+            app_config.is_a?(Hash) && app_config["match_if_app_name_starts_with"] == true
+          end
+
+          prefix = ENV.fetch("CONFIGURED_REVIEW_APP_PREFIX", "").strip
+          if prefix.empty?
+            if review_apps.length == 1
+              prefix = review_apps.keys.first
+            elsif review_apps.empty?
+              warn "::error::Set REVIEW_APP_PREFIX or define exactly one app with match_if_app_name_starts_with: true in .controlplane/controlplane.yml."
+              exit 1
+            else
+              warn "::error::Set REVIEW_APP_PREFIX because .controlplane/controlplane.yml defines multiple review app prefixes: #{review_apps.keys.sort.join(', ')}."
+              exit 1
+            end
+          end
+
+          app_config = apps[prefix]
+          unless app_config.is_a?(Hash) && app_config["match_if_app_name_starts_with"] == true
+            warn "::error::Review app prefix '#{prefix}' must match an app in .controlplane/controlplane.yml with match_if_app_name_starts_with: true."
+            exit 1
+          end
+
+          cpln_org = ENV.fetch("CONFIGURED_CPLN_ORG_STAGING", "").strip
+          cpln_org = app_config["cpln_org"].to_s.strip if cpln_org.empty?
+          if cpln_org.empty?
+            warn "::error::Set CPLN_ORG_STAGING or cpln_org for review app prefix '#{prefix}' in .controlplane/controlplane.yml."
+            exit 1
+          end
+
+          pr_number = ENV.fetch("PR_NUMBER", "").strip
+          unless pr_number.empty? || pr_number.match?(/\A[1-9][0-9]*\z/)
+            warn "::error::PR_NUMBER must be a positive integer; got: #{pr_number.inspect}"
+            exit 1
+          end
+
+          app_name = pr_number.empty? ? "" : "#{prefix}-#{pr_number}"
+
+          validate_github_env_value!("REVIEW_APP_PREFIX", prefix)
+          validate_github_env_value!("CPLN_ORG", cpln_org)
+          validate_github_env_value!("APP_NAME", app_name) unless app_name.empty?
+
+          File.open(ENV.fetch("GITHUB_ENV"), "a") do |file|
+            file.puts "REVIEW_APP_PREFIX=#{prefix}"
+            file.puts "CPLN_ORG=#{cpln_org}"
+            file.puts "APP_NAME=#{app_name}" unless app_name.empty?
+          end
+
+          File.open(ENV.fetch("GITHUB_OUTPUT"), "a") do |file|
+            file.puts "review_app_prefix=#{prefix}"
+            file.puts "cpln_org=#{cpln_org}"
+            file.puts "app_name=#{app_name}" unless app_name.empty?
+          end
+        rescue StandardError => e
+          warn "::error::Could not resolve review app config from .controlplane/controlplane.yml: #{e.class}: #{e.message}"
+          exit 1
+        end
+        RUBY

data/.github/actions/cpflow-setup-environment/action.yml

@@ -37,6 +37,13 @@ inputs:
       without publishing a release.
     required: false
     default: ""
+  control_plane_flow_ref:
+    description: >-
+      Full GitHub workflow ref for the control-plane-flow reusable workflow, for
+      example shakacode/control-plane-flow/.github/workflows/deploy.yml@refs/tags/v5.0.1.
+      When cpflow_version is set, this must point at the matching release tag.
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -83,6 +90,7 @@ runs:
     - name: Install Control Plane CLI and cpflow gem
       shell: bash
       env:
+        CONTROL_PLANE_FLOW_REF: ${{ inputs.control_plane_flow_ref }}
         CPLN_CLI_VERSION: ${{ inputs.cpln_cli_version }}
         CPFLOW_VERSION: ${{ inputs.cpflow_version }}
         CPFLOW_SOURCE_DIR: ${{ github.action_path }}/../../..
@@ -95,6 +103,116 @@ runs:
 
         CPLN_CLI_VERSION="${CPLN_CLI_VERSION:-${default_cpln_cli_version}}"
 
+        normalize_version() {
+          local version="${1#v}"
+          version="${version//-/.}"
+
+          if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9A-Za-z]+)*$ ]]; then
+            echo "${version}"
+          fi
+          # Empty output means an unrecognized format; callers check for that.
+        }
+
+        extract_ref_name() {
+          local ref="${1##*@}"
+          ref="${ref#refs/tags/}"
+          echo "${ref}"
+        }
+
+        normalize_release_ref() {
+          local ref
+          ref="$(extract_ref_name "$1")"
+
+          # Intentional: non-v refs return success with empty stdout; callers
+          # treat empty output as "not a release tag".
+          [[ "${ref}" == v* ]] || return 0
+          normalize_version "${ref}"
+        }
+
+        verify_release_ref_matches_checkout() {
+          local ref
+          local remote_url="https://github.com/shakacode/control-plane-flow.git"
+          local tag_refs
+          local tag_commit=""
+          local checkout_commit
+
+          ref="$(extract_ref_name "$1")"
+          [[ "${ref}" == v* ]] || return 1
+
+          git_ls_remote_tag() {
+            if command -v timeout >/dev/null 2>&1; then
+              timeout 20 git ls-remote --tags "${remote_url}" "refs/tags/${ref}" "refs/tags/${ref}^{}"
+            else
+              git ls-remote --tags "${remote_url}" "refs/tags/${ref}" "refs/tags/${ref}^{}"
+            fi
+          }
+
+          if ! tag_refs="$(git_ls_remote_tag 2>&1)"; then
+            echo "::error::Could not verify the control-plane-flow workflow ref against ${remote_url}. Runners that set CPFLOW_VERSION need outbound HTTPS access to GitHub for this tag check. Leave CPFLOW_VERSION unset when testing a commit SHA or branch. Details: ${tag_refs}"
+            exit 1
+          fi
+
+          if [[ -z "${tag_refs}" ]]; then
+            echo "::error::CPFLOW_VERSION can only be used with an existing control-plane-flow release tag. No remote tag found for workflow ref ${CONTROL_PLANE_FLOW_REF}."
+            exit 1
+          fi
+
+          while read -r sha tag_ref; do
+            if [[ "${tag_ref}" == "refs/tags/${ref}^{}" ]]; then
+              tag_commit="${sha}"
+              break
+            fi
+
+            if [[ "${tag_ref}" == "refs/tags/${ref}" ]]; then
+              tag_commit="${sha}"
+            fi
+          done <<< "${tag_refs}"
+
+          if [[ -z "${tag_commit}" ]]; then
+            echo "::error::Could not resolve the commit for release tag ${ref}."
+            exit 1
+          fi
+
+          checkout_commit="$(git -C "${CPFLOW_SOURCE_DIR}" rev-parse HEAD)"
+          if [[ "${checkout_commit}" != "${tag_commit}" ]]; then
+            echo "::error::control-plane-flow workflow ref ${CONTROL_PLANE_FLOW_REF} resolved to ${checkout_commit}, but release tag ${ref} points to ${tag_commit}. Use the real release tag ref, not a moving branch, or leave CPFLOW_VERSION unset."
+            exit 1
+          fi
+        }
+
+        is_rubygems_version() {
+          [[ "${1}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9A-Za-z]+)*$ ]]
+        }
+
+        validate_cpflow_version_pin() {
+          [[ -z "${CPFLOW_VERSION}" ]] && return 0
+
+          local actual_version
+          local expected_version
+
+          if ! is_rubygems_version "${CPFLOW_VERSION}"; then
+            echo "::error::CPFLOW_VERSION must be a RubyGems version usable by 'gem install cpflow -v', such as 5.0.0 or 5.0.0.rc.1. Do not include a leading v, and use dot-separated prereleases instead of dash-separated prereleases."
+            exit 1
+          fi
+
+          actual_version="$(normalize_version "${CPFLOW_VERSION}")"
+          expected_version="$(normalize_release_ref "${CONTROL_PLANE_FLOW_REF}")"
+
+          if [[ -z "${expected_version}" ]]; then
+            echo "::error::CPFLOW_VERSION can only be used when the control-plane-flow reusable workflow is pinned to a release tag like v${CPFLOW_VERSION}. Dot and dash prerelease tags are accepted, for example v5.0.0.rc.1 or v5.0.0-rc.1. Current workflow ref: ${CONTROL_PLANE_FLOW_REF:-<empty>}. Leave CPFLOW_VERSION unset when testing a commit SHA or branch so cpflow is built from the same source as the reusable workflow."
+            exit 1
+          fi
+
+          verify_release_ref_matches_checkout "${CONTROL_PLANE_FLOW_REF}"
+
+          if [[ "${actual_version}" != "${expected_version}" ]]; then
+            echo "::error::CPFLOW_VERSION must match the control-plane-flow reusable workflow tag. CPFLOW_VERSION=${CPFLOW_VERSION}, normalized CPFLOW_VERSION=${actual_version}, workflow ref=${CONTROL_PLANE_FLOW_REF}, expected CPFLOW_VERSION=${expected_version}."
+            exit 1
+          fi
+        }
+
+        validate_cpflow_version_pin
+
         npm_global_prefix="${HOME}/.npm-global"
         mkdir -p "${npm_global_prefix}"
         echo "${npm_global_prefix}/bin" >> "$GITHUB_PATH"

data/.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -2,12 +2,10 @@ name: Cleanup Stale Review Apps
 
 on:
   workflow_call:
-    inputs:
-      control_plane_flow_ref:
-        description: Git ref used to load shared cpflow composite actions.
-        required: false
-        type: string
-        default: main
+    secrets:
+      CPLN_TOKEN_STAGING:
+        description: Control Plane token for the staging org that owns review apps.
+        required: true
 
 permissions:
   contents: read
@@ -28,8 +26,8 @@ jobs:
       - name: Checkout control-plane-flow actions
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          repository: shakacode/control-plane-flow
-          ref: ${{ inputs.control_plane_flow_ref }}
+          repository: ${{ job.workflow_repository }}
+          ref: ${{ job.workflow_sha }}
           path: .cpflow
           persist-credentials: false
 
@@ -37,33 +35,40 @@ jobs:
         uses: ./.cpflow/.github/actions/cpflow-validate-config
         env:
           CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
-          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
-          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
         with:
           required: |
             secret:CPLN_TOKEN_STAGING
-            variable:CPLN_ORG_STAGING
-            variable:REVIEW_APP_PREFIX
+
+      - name: Checkout caller repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          path: app
+          persist-credentials: false
+
+      - name: Resolve review app config
+        id: review-config
+        uses: ./.cpflow/.github/actions/cpflow-resolve-review-config
+        with:
+          working_directory: app
+          configured_cpln_org_staging: ${{ vars.CPLN_ORG_STAGING }}
+          configured_review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
 
       - name: Setup environment
         uses: ./.cpflow/.github/actions/cpflow-setup-environment
         with:
           token: ${{ secrets.CPLN_TOKEN_STAGING }}
-          org: ${{ vars.CPLN_ORG_STAGING }}
+          org: ${{ steps.review-config.outputs.cpln_org }}
           working_directory: .cpflow
           cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
           cpflow_version: ${{ vars.CPFLOW_VERSION }}
-
-      - name: Checkout caller repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          persist-credentials: false
+          control_plane_flow_ref: ${{ job.workflow_ref }}
 
       - name: Remove stale review apps
+        working-directory: app
         env:
-          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
-          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+          REVIEW_APP_PREFIX: ${{ steps.review-config.outputs.review_app_prefix }}
+          CPLN_ORG: ${{ steps.review-config.outputs.cpln_org }}
         shell: bash
         run: |
           set -euo pipefail
-          cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG_STAGING}" --yes
+          cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG}" --yes

data/.github/workflows/cpflow-delete-review-app.yml

@@ -2,12 +2,10 @@ name: Delete Review App
 
 on:
   workflow_call:
-    inputs:
-      control_plane_flow_ref:
-        description: Git ref used to load shared cpflow composite actions.
-        required: false
-        type: string
-        default: main
+    secrets:
+      CPLN_TOKEN_STAGING:
+        description: Control Plane token for the staging org that owns review apps.
+        required: true
 
 permissions:
   contents: read
@@ -21,8 +19,6 @@ concurrency:
   cancel-in-progress: false
 
 env:
-  APP_NAME: ${{ vars.REVIEW_APP_PREFIX }}-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
-  CPLN_ORG: ${{ vars.CPLN_ORG_STAGING }}
   PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
 
 jobs:
@@ -62,8 +58,8 @@ jobs:
       - name: Checkout control-plane-flow actions
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          repository: shakacode/control-plane-flow
-          ref: ${{ inputs.control_plane_flow_ref }}
+          repository: ${{ job.workflow_repository }}
+          ref: ${{ job.workflow_sha }}
           path: .cpflow
           persist-credentials: false
 
@@ -72,13 +68,9 @@ jobs:
         uses: ./.cpflow/.github/actions/cpflow-validate-config
         env:
           CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
-          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
-          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
         with:
           required: |
             secret:CPLN_TOKEN_STAGING
-            variable:CPLN_ORG_STAGING
-            variable:REVIEW_APP_PREFIX
           pull_request_friendly: "true"
 
       - name: Checkout repository
@@ -88,15 +80,26 @@ jobs:
           path: app
           persist-credentials: false
 
+      - name: Resolve review app config
+        if: steps.config.outputs.ready == 'true'
+        id: review-config
+        uses: ./.cpflow/.github/actions/cpflow-resolve-review-config
+        with:
+          working_directory: app
+          configured_cpln_org_staging: ${{ vars.CPLN_ORG_STAGING }}
+          configured_review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
+          pr_number: ${{ env.PR_NUMBER }}
+
       - name: Setup environment
         if: steps.config.outputs.ready == 'true'
         uses: ./.cpflow/.github/actions/cpflow-setup-environment
         with:
           token: ${{ secrets.CPLN_TOKEN_STAGING }}
-          org: ${{ vars.CPLN_ORG_STAGING }}
+          org: ${{ steps.review-config.outputs.cpln_org }}
           working_directory: app
           cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
           cpflow_version: ${{ vars.CPFLOW_VERSION }}
+          control_plane_flow_ref: ${{ job.workflow_ref }}
 
       - name: Set workflow links
         if: steps.config.outputs.ready == 'true'
@@ -134,9 +137,9 @@ jobs:
         if: steps.config.outputs.ready == 'true'
         uses: ./.cpflow/.github/actions/cpflow-delete-control-plane-app
         with:
-          app_name: ${{ env.APP_NAME }}
-          cpln_org: ${{ vars.CPLN_ORG_STAGING }}
-          review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
+          app_name: ${{ steps.review-config.outputs.app_name }}
+          cpln_org: ${{ steps.review-config.outputs.cpln_org }}
+          review_app_prefix: ${{ steps.review-config.outputs.review_app_prefix }}
           working_directory: app
 
       # Finalizer still runs after delete failures, but only after config validation