cpflow 5.0.0 → 5.0.2

data/lib/generator_templates_sqlite/templates/rails.yml

@@ -6,7 +6,7 @@ spec:
     - name: rails
       cpu: 300m
       inheritEnv: true
-      image: {{APP_IMAGE_LINK}}
+      image: "{{APP_IMAGE_LINK}}"
       memory: 512Mi
       ports:
         - number: 3000
@@ -34,3 +34,5 @@ spec:
         - 0.0.0.0/0
       outboundAllowCIDR:
         - 0.0.0.0/0
+  # cpflow apply-template replaces {{APP_IDENTITY_LINK}} with the app workload identity link.
+  identityLink: "{{APP_IDENTITY_LINK}}"

data/lib/github_flow_templates/.github/cpflow-help.md

@@ -1,102 +1,118 @@
-# Review app help
+# Review App Commands
 
-You asked for review app help. These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow).
+These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow).
+For full setup, version-pinning, and troubleshooting details, see the upstream
+[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/__CPFLOW_GITHUB_ACTIONS_REF__/docs/ci-automation.md).
 
-## PR commands
+## Pull Request Commands
 
-`+review-app-deploy`
-- Creates the review app if it does not exist
-- Builds the PR commit image
-- Deploys the image and comments with the review URL
-- Comment body must be exactly `+review-app-deploy`, with no surrounding text or trailing spaces. A single trailing newline from GitHub's comment editor is accepted. Comments like `please +review-app-deploy now` or `+review-app-deploy ` (with a trailing space) silently no-op.
+Comment with exactly one command, with no surrounding text or trailing spaces.
+A single trailing newline from GitHub's comment editor is accepted.
 
-`+review-app-delete`
-- Deletes the review app when the PR is done
-- This also runs automatically when the PR closes
-- Comment body must be exactly `+review-app-delete`, with no surrounding text or trailing spaces. A single trailing newline from GitHub's comment editor is accepted. Same command-match rule as `+review-app-deploy`.
+| Command | What it does |
+| --- | --- |
+| `+review-app-deploy` | Builds the PR image, creates the review app if needed, deploys, and comments with the review URL. |
+| `+review-app-delete` | Deletes the review app. This also runs automatically when the PR closes. |
+| `+review-app-help` | Posts this help message on the PR. |
 
-`+review-app-help`
-- Posts this message on the PR.
-- Comment body must be exactly `+review-app-help`, with no surrounding text or trailing spaces. A single trailing newline from GitHub's comment editor is accepted. Same command-match rule as `+review-app-deploy`.
+## Standard Setup
 
-## Workflow behavior
+For the normal generated review-app path, GitHub needs one repository secret:
 
-- Review apps are opt-in and created with `+review-app-deploy`
-- New commits redeploy existing review apps automatically
-- Pushes to the staging branch deploy staging automatically
-- Promotion to production is manual via the Actions tab
-- A nightly workflow removes stale review apps
+| Name | Where | Notes |
+| --- | --- | --- |
+| `CPLN_TOKEN_STAGING` | Repository secret | Control Plane service-account token for the staging/review org. |
 
-<details>
-<summary>Advanced: GitHub Actions secrets and variables</summary>
+No repository variables are required for the standard review-app path when
+`.controlplane/controlplane.yml` has exactly one review app entry with
+`match_if_app_name_starts_with: true`. cpflow infers the review-app prefix and
+staging org from that config.
 
-### GitHub Actions secrets
+Optional overrides exist for forks, clones, and unusual apps:
 
-| Name | Required | Notes |
-| --- | --- | --- |
-| `CPLN_TOKEN_STAGING` | yes | Service-account token scoped to the staging Control Plane org on controlplane.com. |
-| `CPLN_TOKEN_PRODUCTION` | yes (for promote) | Service-account token scoped to the production Control Plane org on controlplane.com. |
-| `DOCKER_BUILD_SSH_KEY` | optional | Private SSH key used when Docker builds fetch private deps via `RUN --mount=type=ssh`. |
+| Name | Notes |
+| --- | --- |
+| `CPLN_ORG_STAGING` | Override the staging/review Control Plane org inferred from `controlplane.yml`. |
+| `REVIEW_APP_PREFIX` | Override the review-app prefix inferred from `controlplane.yml`. |
+| `PRIMARY_WORKLOAD` | Public workload used for review URLs and health checks; defaults to `rails`. |
 
-### GitHub Actions variables
+## Staging And Production
 
-| Name | Required | Notes |
-| --- | --- | --- |
-| `CPLN_ORG_STAGING` | yes | Control Plane org on controlplane.com for staging and review apps. |
-| `CPLN_ORG_PRODUCTION` | yes (for promote) | Control Plane org on controlplane.com for production. |
-| `STAGING_APP_NAME` | yes | App name in `controlplane.yml` used as the staging deploy target. |
-| `PRODUCTION_APP_NAME` | yes (for promote) | App name in `controlplane.yml` used as the production deploy target. |
-| `REVIEW_APP_PREFIX` | yes | Prefix for per-PR review app names (e.g. `review-app`). |
-| `REVIEW_APP_DEPLOYING_ICON_URL` | optional | Custom image URL for the animated deploying icon in review-app PR comments. Set to `none` to use the text fallback icon. |
-| `STAGING_APP_BRANCH` | optional | Custom staging branch. Custom branches must also appear in `cpflow-deploy-staging.yml`'s push filter. |
-| `PRIMARY_WORKLOAD` | optional | Workload polled for health and rollback (defaults to `rails`). |
-| `DOCKER_BUILD_EXTRA_ARGS` | optional | Newline-delimited extra docker build tokens (e.g. `--build-arg=FOO=bar`). |
-| `DOCKER_BUILD_SSH_KNOWN_HOSTS` | optional | SSH known_hosts entries when SSH build hosts are not GitHub.com. |
-| `HEALTH_CHECK_ACCEPTED_STATUSES` | optional | Space-separated HTTP statuses considered healthy on promote (default `200 301 302`). |
-| `CPLN_CLI_VERSION` | optional | Pin a specific `@controlplane/cli` version; falls back to the action default when unset. |
-| `CPFLOW_VERSION` | optional | Pin a published RubyGems version such as `5.0.0`. Leave unset for normal generated workflows so the setup action builds `cpflow` from the same `control-plane-flow` GitHub ref used by the reusable workflow. |
-
-</details>
-
-<details>
-<summary>Advanced: testing unreleased control-plane-flow changes</summary>
-
-Generated workflow wrappers have two related pins:
-
-- The `uses: shakacode/control-plane-flow/...@<ref>` GitHub ref selects the reusable workflow code.
-- The `control_plane_flow_ref: <ref>` input tells the setup action which `control-plane-flow` source to check out and build when `CPFLOW_VERSION` is empty.
-
-For normal releases, point both pins at a release tag such as `v5.0.0`.
-You may leave `CPFLOW_VERSION` unset, or set it to the matching RubyGems version
-without the leading `v`, such as `5.0.0`.
-
-For temporary downstream testing of an upstream PR before a gem is released, pin
-both values to the exact 40-character commit SHA and leave `CPFLOW_VERSION`
-unset:
+Staging deploys use the same `CPLN_TOKEN_STAGING` secret plus `STAGING_APP_NAME`.
+Before the first staging deploy, bootstrap the persistent staging app once:
 
 ```sh
-bin/pin-cpflow-github-ref <40-character-control-plane-flow-commit-sha>
-bin/test-cpflow-github-flow ruby /path/to/control-plane-flow/bin/cpflow
+cpflow setup-app -a "$STAGING_APP_NAME" --org "$CPLN_ORG_STAGING" --skip-post-creation-hook
 ```
 
-Do not leave downstream apps pinned to a moving branch such as `main`. A branch
-can pick up beta or work-in-progress changes without a downstream PR changing.
-Use commit SHAs for short-lived PR testing, then switch to the release tag once
-the gem and tag exist.
+`setup-app` reads `.controlplane/controlplane.yml`'s `setup_app_templates` and
+creates the app identity, app secret dictionary, app secret policy, policy
+binding, and template resources. Use `--skip-post-creation-hook` so first-time
+bootstrap does not try to run database setup before an image exists. For later
+template updates on an existing persistent app, use `cpflow apply-template`
+with the same template list and make sure the app identity has `reveal`
+permission on the app secret policy.
+
+Review apps are temporary and are created by the `+review-app-deploy` workflow,
+but staging and production are persistent apps and should be bootstrapped
+explicitly.
 
-</details>
+Production promotion is part of the generated flow, but keep it protected:
+
+| Name | Where | Notes |
+| --- | --- | --- |
+| `CPLN_TOKEN_PRODUCTION` | `production` GitHub Environment secret | Do not store this as a repository or organization secret. |
+| `CPLN_ORG_PRODUCTION` | Prefer `production` Environment variable | Production Control Plane org. |
+| `PRODUCTION_APP_NAME` | Prefer `production` Environment variable | Production app name from `controlplane.yml`. |
 
-<details>
-<summary>Advanced: testing changes to generated workflows</summary>
+Configure the `production` GitHub Environment with required reviewers and
+prevent self-review. The generated promotion wrapper passes only the staging
+token from repository secrets; GitHub injects `CPLN_TOKEN_PRODUCTION` only after
+the environment approval gate passes.
 
-When iterating on the generated workflow YAML on a PR branch, comment-triggered runs (`+review-app-deploy`, `+review-app-delete`, `+review-app-help`) execute the workflow code from the repository's default branch — not your PR branch. To exercise the PR-branch workflow code before merging, dispatch the workflow manually with `gh`:
+Before the first promotion, bootstrap the production app the same way in the
+production org, using production-only secrets and values.
+
+## Version Locking
+
+Generated wrappers pin Control Plane Flow once with the reusable workflow
+`uses:` ref, for example `@__CPFLOW_GITHUB_ACTIONS_REF__`. For stable releases,
+this ref should be a release tag. The upstream reusable workflow automatically
+loads its matching shared actions from GitHub's workflow context, so downstream
+wrappers should not pass a duplicate Control Plane Flow ref input. If your
+generated wrappers still include a `with:` block whose only purpose is to repeat
+the same ref, regenerate them with a newer `cpflow`.
+
+Leave `CPFLOW_VERSION` unset so the workflow builds cpflow from the same
+checked-out upstream source. If you set `CPFLOW_VERSION`, it must match the
+release tag, for example `CPFLOW_VERSION=5.0.1` with a wrapper pinned to
+`uses: ...@v5.0.1`.
+
+Do not leave downstream apps pinned to a moving branch such as `main`. For a
+short-lived test of an unreleased upstream PR, pin to a full 40-character commit
+SHA and leave `CPFLOW_VERSION` unset:
 
 ```sh
-gh workflow run cpflow-deploy-review-app.yml --ref <your-pr-branch> -f pr_number=<pr-number>
-gh workflow run cpflow-delete-review-app.yml --ref <your-pr-branch> -f pr_number=<pr-number>
-gh workflow run cpflow-help-command.yml      --ref <your-pr-branch> -f pr_number=<pr-number>
+bin/pin-cpflow-github-ref <40-character-control-plane-flow-commit-sha>
+bin/test-cpflow-github-flow ruby /path/to/control-plane-flow/bin/cpflow
 ```
 
-`workflow_dispatch` runs use the workflow file from the `--ref` you pass, so this is the supported way to test PR-branch workflow edits before merge. After merge, comment triggers go back to running the default-branch workflow code as usual.
-
-</details>
+## Advanced Variables
+
+Most apps do not need these:
+
+| Name | Notes |
+| --- | --- |
+| `DOCKER_BUILD_EXTRA_ARGS` | Newline-delimited extra Docker build tokens. |
+| `DOCKER_BUILD_SSH_KEY` | Private SSH key for Docker builds that fetch private dependencies. |
+| `DOCKER_BUILD_SSH_KNOWN_HOSTS` | SSH known_hosts entries when SSH build hosts are not GitHub.com. |
+| `REVIEW_APP_DEPLOYING_ICON_URL` | Cosmetic custom image URL for the animated deploying icon. Set to `none` to use the text fallback icon. |
+| `STAGING_APP_BRANCH` | Custom staging branch. The branch must also appear in `cpflow-deploy-staging.yml`'s push filter. |
+| `CPLN_CLI_VERSION` | Pin a specific `@controlplane/cli` version; normally leave unset. |
+
+The PR-open help workflow posts a short command reference whenever the generated
+wrapper exists. That is intentional for configured demo repos. Forks or clones
+that copy the workflow before configuring Control Plane can remove
+`.github/workflows/cpflow-review-app-help.yml` or uncomment and adapt the
+wrapper-level `if:` guard shown in that file, for example
+`vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''`.

data/lib/github_flow_templates/.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -10,13 +10,8 @@ permissions:
 
 jobs:
   cleanup:
-    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
-    # first selects the reusable workflow, the second selects its shared actions.
+    # Cleanup targets the current inferred review-app prefix. If you changed
+    # naming conventions, manually delete review apps under the old prefix.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. The upstream workflow only reads the named secrets it
-    # references, but GitHub does not enforce that boundary. Strict consumers can
-    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
-    secrets: inherit
+    secrets:
+      CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

data/lib/github_flow_templates/.github/workflows/cpflow-delete-review-app.yml

@@ -31,13 +31,6 @@ jobs:
       github.event_name == 'workflow_dispatch'
     # This `if:` mirrors the upstream job guard to avoid a billable workflow_call
     # when the event does not match. Keep both conditions in sync.
-    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
-    # first selects the reusable workflow, the second selects its shared actions.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. The upstream workflow only reads the named secrets it
-    # references, but GitHub does not enforce that boundary. Strict consumers can
-    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
-    secrets: inherit
+    secrets:
+      CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

data/lib/github_flow_templates/.github/workflows/cpflow-deploy-review-app.yml

@@ -30,13 +30,7 @@ jobs:
        github.event.issue.pull_request &&
        contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
-    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
-    # first selects the reusable workflow, the second selects its shared actions.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. The upstream workflow only reads the named secrets it
-    # references, but GitHub does not enforce that boundary. Strict consumers can
-    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
-    secrets: inherit
+    secrets:
+      CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+      DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}

data/lib/github_flow_templates/.github/workflows/cpflow-deploy-staging.yml

@@ -16,14 +16,9 @@ permissions:
 
 jobs:
   deploy-staging:
-    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
-    # first selects the reusable workflow, the second selects its shared actions.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@__CPFLOW_GITHUB_ACTIONS_REF__
     with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
       staging_app_branch_default: "__STAGING_BRANCH_DEFAULT__"
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. The upstream workflow only reads the named secrets it
-    # references, but GitHub does not enforce that boundary. Strict consumers can
-    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
-    secrets: inherit
+    secrets:
+      CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+      DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}

data/lib/github_flow_templates/.github/workflows/cpflow-help-command.yml

@@ -23,13 +23,4 @@ jobs:
        contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
-    # control_plane_flow_ref is accepted by the upstream workflow for wrapper
-    # consistency; this helper checks out caller content only.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. This helper does not read them, but GitHub does not
-    # enforce that boundary. Strict consumers can set CPFLOW_GITHUB_ACTIONS_REF
-    # to an immutable commit SHA.
-    secrets: inherit

data/lib/github_flow_templates/.github/workflows/cpflow-promote-staging-to-production.yml

@@ -16,13 +16,15 @@ permissions:
 jobs:
   promote-to-production:
     if: github.event.inputs.confirm_promotion == 'promote'
-    # Keep the @ref in `uses:` and `control_plane_flow_ref` below in sync: the
-    # first selects the reusable workflow, the second selects its shared actions.
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@__CPFLOW_GITHUB_ACTIONS_REF__
     with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. The upstream workflow only reads the named secrets it
-    # references, but GitHub does not enforce that boundary. Strict consumers can
-    # set CPFLOW_GITHUB_ACTIONS_REF to an immutable commit SHA.
-    secrets: inherit
+      # Keep CPLN_TOKEN_PRODUCTION as a secret on this protected GitHub
+      # Environment. The caller passes the environment name, the upstream
+      # reusable workflow runs its production job in that environment, and
+      # GitHub exposes environment secrets only after required reviewers approve.
+      production_environment: production
+    # Only pass the staging token explicitly. CPLN_TOKEN_PRODUCTION must live on
+    # the protected production Environment, where GitHub exposes it only after
+    # the required reviewers approve this job.
+    secrets:
+      CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

data/lib/github_flow_templates/.github/workflows/cpflow-review-app-help.yml

@@ -14,14 +14,8 @@ permissions:
 
 jobs:
   show-help:
-    if: vars.REVIEW_APP_PREFIX != ''
-    # control_plane_flow_ref is accepted by the upstream workflow for wrapper
-    # consistency; this helper does not check out shared actions.
+    # This is intentionally unconditional: committing this wrapper opts the repo in
+    # to PR-open help. Remove it, or uncomment and adapt this guard, if forks or
+    # clones should stay quiet until Control Plane is configured:
+    #   if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''
     uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@__CPFLOW_GITHUB_ACTIONS_REF__
-    with:
-      control_plane_flow_ref: __CPFLOW_GITHUB_ACTIONS_REF__
-    # `secrets: inherit` passes all caller repository secrets to the trusted
-    # upstream workflow. This helper does not read them, but GitHub does not
-    # enforce that boundary. Strict consumers can set CPFLOW_GITHUB_ACTIONS_REF
-    # to an immutable commit SHA.
-    secrets: inherit

data/lib/github_flow_templates/bin/pin-cpflow-github-ref

@@ -8,6 +8,9 @@ USAGE = <<~USAGE
 
   Use a release tag for normal operation, e.g. v5.0.0.
   Use a full 40-character commit SHA for temporary unreleased upstream testing.
+  This only updates generated reusable-workflow `uses:` refs. The called
+  workflows load their own matching shared actions from that same workflow
+  commit automatically. Regenerate from the cpflow gem when templates changed.
   Use --allow-moving-ref only for short-lived local branch/ref experiments.
 USAGE
 
@@ -56,7 +59,6 @@ workflow_paths.each do |path|
   text = File.read(path)
   updated = text
             .gsub(%r{(uses:\s+shakacode/control-plane-flow/\.github/workflows/[^@\s]+@)[^\s]+}, "\\1#{ref}")
-            .gsub(/(\bcontrol_plane_flow_ref:\s*)\S+/, "\\1#{ref}")
 
   next if updated == text
 

data/lib/github_flow_templates/bin/test-cpflow-github-flow

@@ -43,6 +43,7 @@ ruby <<'RUBY'
 require "yaml"
 
 CONTROL_PLANE_FLOW_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/[^@\s]+@([^\s]+)\z}
+PROMOTE_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/cpflow-promote-staging-to-production\.yml@[^\s]+\z}
 
 refs = Hash.new { |hash, key| hash[key] = [] }
 
@@ -55,21 +56,32 @@ Dir[".github/workflows/cpflow-*.yml"].sort.each do |path|
     input_ref = with["control_plane_flow_ref"]
     uses_match = job["uses"].to_s.match(CONTROL_PLANE_FLOW_WORKFLOW)
 
-    unless uses_match
-      abort "#{path}:#{job_name} has control_plane_flow_ref but no control-plane-flow reusable workflow" if input_ref
+    if job["secrets"] == "inherit"
+      abort "#{path}:#{job_name} uses secrets: inherit; pass only the named secrets the upstream workflow needs"
+    end
+
+    if input_ref
+      abort "#{path}:#{job_name} passes obsolete control_plane_flow_ref. Remove it; the upstream reusable workflow checks out its own source from GitHub's job.workflow_* context."
+    end
 
+    unless uses_match
       next
     end
 
     uses_ref = uses_match[1]
     refs[uses_ref] << "#{path}:#{job_name}"
 
-    if input_ref
-      refs[input_ref] << "#{path}:#{job_name}"
-      abort "#{path}:#{job_name} mismatched cpflow refs: #{uses_ref}, #{input_ref}" if uses_ref != input_ref
-    elsif job.key?("secrets")
-      abort "#{path}:#{job_name} inherits secrets but is missing control_plane_flow_ref for #{uses_ref}"
+    if job["uses"].to_s.match?(PROMOTE_WORKFLOW)
+      if with["production_environment"].to_s.strip.empty?
+        abort "#{path}:#{job_name} must set production_environment so GitHub can expose production environment secrets after approval"
+      end
+
+      secrets = job["secrets"].is_a?(Hash) ? job["secrets"] : {}
+      if secrets.key?("CPLN_TOKEN_PRODUCTION")
+        abort "#{path}:#{job_name} must not pass CPLN_TOKEN_PRODUCTION as a caller secret; store it on the protected production environment"
+      end
     end
+
   end
 end
 
@@ -86,4 +98,7 @@ end
 RUBY
 
 echo "==> actionlint"
-actionlint -ignore "SC2129" .github/workflows/cpflow-*.yml
+actionlint \
+  -ignore "SC2129" \
+  -ignore 'property "workflow_(ref|sha|repository|file_path)" is not defined in object type' \
+  .github/workflows/cpflow-*.yml

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cpflow
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.0.2
 platform: ruby
 authors:
 - Justin Gordon
@@ -82,6 +82,7 @@ files:
 - ".github/actions/cpflow-delete-control-plane-app/action.yml"
 - ".github/actions/cpflow-delete-control-plane-app/delete-app.sh"
 - ".github/actions/cpflow-detect-release-phase/action.yml"
+- ".github/actions/cpflow-resolve-review-config/action.yml"
 - ".github/actions/cpflow-setup-environment/action.yml"
 - ".github/actions/cpflow-validate-config/action.yml"
 - ".github/actions/cpflow-wait-for-health/action.yml"