cpflow 5.0.0 → 5.0.1

data/lib/github_flow_templates/.github/workflows/cpflow-help-command.yml

@@ -23,13 +23,4 @@ jobs:
        contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
-    # control_plane_flow_ref is accepted by the upstream workflow for wrapper
-    # consistency; this helper checks out caller content only.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. This helper does not read them, but GitHub does not
-    # enforce that boundary. Strict consumers can set CPFLOW_GITHUB_ACTIONS_REF
-    # to an immutable commit SHA.
-    secrets: inherit

data/lib/github_flow_templates/.github/workflows/cpflow-promote-staging-to-production.yml

@@ -16,13 +16,15 @@ permissions:
 jobs:
   promote-to-production:
     if: github.event.inputs.confirm_promotion == 'promote'
-    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
-    # first selects the reusable workflow, the second selects its shared actions.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@__CPFLOW_GITHUB_ACTIONS_REF__
     with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. The upstream workflow only reads the named secrets it
-    # references, but GitHub does not enforce that boundary. Strict consumers can
-    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
-    secrets: inherit
+      # Keep CPLN_TOKEN_PRODUCTION as a secret on this protected GitHub
+      # Environment. The caller passes the environment name, the upstream
+      # reusable workflow runs its production job in that environment, and
+      # GitHub exposes environment secrets only after required reviewers approve.
+      production_environment: production
+    # Only pass the staging token explicitly. CPLN_TOKEN_PRODUCTION must live on
+    # the protected production Environment, where GitHub exposes it only after
+    # the required reviewers approve this job.
+    secrets:
+      CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

data/lib/github_flow_templates/.github/workflows/cpflow-review-app-help.yml

@@ -14,14 +14,8 @@ permissions:
 
 jobs:
   show-help:
-    if: vars.REVIEW_APP_PREFIX != ''
-    # control_plane_flow_ref is accepted by the upstream workflow for wrapper
-    # consistency; this helper does not check out shared actions.
+    # This is intentionally unconditional: committing this wrapper opts the repo in
+    # to PR-open help. Remove it, or uncomment and adapt this guard, if forks or
+    # clones should stay quiet until Control Plane is configured:
+    #   if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. This helper does not read them, but GitHub does not
-    # enforce that boundary. Strict consumers can set CPFLOW_GITHUB_ACTIONS_REF
-    # to an immutable commit SHA.
-    secrets: inherit

data/lib/github_flow_templates/bin/pin-cpflow-github-ref

@@ -8,6 +8,9 @@ USAGE = <<~USAGE
 
   Use a release tag for normal operation, e.g. v5.0.0.
   Use a full 40-character commit SHA for temporary unreleased upstream testing.
+  This only updates generated reusable-workflow `uses:` refs. The called
+  workflows load their own matching shared actions from that same workflow
+  commit automatically. Regenerate from the cpflow gem when templates changed.
   Use --allow-moving-ref only for short-lived local branch/ref experiments.
 USAGE
 
@@ -56,7 +59,6 @@ workflow_paths.each do |path|
   text = File.read(path)
   updated = text
             .gsub(%r{(uses:\s+shakacode/control-plane-flow/\.github/workflows/[^@\s]+@)[^\s]+}, "\\1#{ref}")
-            .gsub(/(\bcontrol_plane_flow_ref:\s*)\S+/, "\\1#{ref}")
 
   next if updated == text
 

data/lib/github_flow_templates/bin/test-cpflow-github-flow

@@ -43,6 +43,7 @@ ruby <<'RUBY'
 require "yaml"
 
 CONTROL_PLANE_FLOW_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/[^@\s]+@([^\s]+)\z}
+PROMOTE_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/cpflow-promote-staging-to-production\.yml@[^\s]+\z}
 
 refs = Hash.new { |hash, key| hash[key] = [] }
 
@@ -55,21 +56,32 @@ Dir[".github/workflows/cpflow-*.yml"].sort.each do |path|
     input_ref = with["control_plane_flow_ref"]
     uses_match = job["uses"].to_s.match(CONTROL_PLANE_FLOW_WORKFLOW)
 
-    unless uses_match
-      abort "#{path}:#{job_name} has control_plane_flow_ref but no control-plane-flow reusable workflow" if input_ref
+    if job["secrets"] == "inherit"
+      abort "#{path}:#{job_name} uses secrets: inherit; pass only the named secrets the upstream workflow needs"
+    end
+
+    if input_ref
+      abort "#{path}:#{job_name} passes obsolete control_plane_flow_ref. Remove it; the upstream reusable workflow checks out its own source from GitHub's job.workflow_* context."
+    end
 
+    unless uses_match
       next
     end
 
     uses_ref = uses_match[1]
     refs[uses_ref] << "#{path}:#{job_name}"
 
-    if input_ref
-      refs[input_ref] << "#{path}:#{job_name}"
-      abort "#{path}:#{job_name} mismatched cpflow refs: #{uses_ref}, #{input_ref}" if uses_ref != input_ref
-    elsif job.key?("secrets")
-      abort "#{path}:#{job_name} inherits secrets but is missing control_plane_flow_ref for #{uses_ref}"
+    if job["uses"].to_s.match?(PROMOTE_WORKFLOW)
+      if with["production_environment"].to_s.strip.empty?
+        abort "#{path}:#{job_name} must set production_environment so GitHub can expose production environment secrets after approval"
+      end
+
+      secrets = job["secrets"].is_a?(Hash) ? job["secrets"] : {}
+      if secrets.key?("CPLN_TOKEN_PRODUCTION")
+        abort "#{path}:#{job_name} must not pass CPLN_TOKEN_PRODUCTION as a caller secret; store it on the protected production environment"
+      end
     end
+
   end
 end
 
@@ -86,4 +98,7 @@ end
 RUBY
 
 echo "==> actionlint"
-actionlint -ignore "SC2129" .github/workflows/cpflow-*.yml
+actionlint \
+  -ignore "SC2129" \
+  -ignore 'property "workflow_(ref|sha|repository|file_path)" is not defined in object type' \
+  .github/workflows/cpflow-*.yml

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cpflow
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.0.1
 platform: ruby
 authors:
 - Justin Gordon
@@ -82,6 +82,7 @@ files:
 - ".github/actions/cpflow-delete-control-plane-app/action.yml"
 - ".github/actions/cpflow-delete-control-plane-app/delete-app.sh"
 - ".github/actions/cpflow-detect-release-phase/action.yml"
+- ".github/actions/cpflow-resolve-review-config/action.yml"
 - ".github/actions/cpflow-setup-environment/action.yml"
 - ".github/actions/cpflow-validate-config/action.yml"
 - ".github/actions/cpflow-wait-for-health/action.yml"