RubyGems - cpflow - Versions diffs - 5.0.4 → 5.1.1 - Mend

cpflow 5.0.4 → 5.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

checksums.yaml +4 -4
data/.github/actions/cpflow-wait-for-health/action.yml +11 -4
data/.github/workflows/cpflow-promote-staging-to-production.yml +269 -43
data/.github/workflows/rspec-shared.yml +8 -1
data/CHANGELOG.md +28 -1
data/Gemfile.lock +1 -1
data/README.md +36 -11
data/docs/ai-github-flow-prompt.md +1 -1
data/docs/assets/logo/favicon.ico +0 -0
data/docs/assets/logo/icon-1024.png +0 -0
data/docs/assets/logo/icon-128.png +0 -0
data/docs/assets/logo/icon-16.png +0 -0
data/docs/assets/logo/icon-192.png +0 -0
data/docs/assets/logo/icon-24.png +0 -0
data/docs/assets/logo/icon-32.png +0 -0
data/docs/assets/logo/icon-48.png +0 -0
data/docs/assets/logo/icon-512.png +0 -0
data/docs/assets/logo/icon-64.png +0 -0
data/docs/assets/logo/icon-tile.svg +17 -0
data/docs/assets/logo/mark-transparent.svg +16 -0
data/docs/ci-automation.md +137 -47
data/docs/commands.md +13 -3
data/docs/postgres.md +6 -0
data/docs/rds-private-networking.md +649 -0
data/docs/secrets-and-env-values.md +49 -0
data/docs/tips.md +256 -10
data/examples/controlplane.yml +8 -0
data/lib/command/ai_github_flow_prompt.rb +1 -1
data/lib/command/apply_template.rb +3 -0
data/lib/command/base.rb +69 -0
data/lib/command/cleanup_stale_apps.rb +1 -1
data/lib/command/delete.rb +85 -10
data/lib/command/deploy_image.rb +30 -8
data/lib/command/generate_github_actions.rb +6 -0
data/lib/command/maintenance_off.rb +1 -0
data/lib/command/maintenance_on.rb +1 -0
data/lib/command/run.rb +25 -5
data/lib/command/setup_app.rb +11 -2
data/lib/core/config.rb +81 -0
data/lib/core/controlplane.rb +15 -5
data/lib/core/maintenance_mode.rb +93 -6
data/lib/core/template_parser.rb +4 -0
data/lib/cpflow/version.rb +1 -1
data/lib/generator_templates/controlplane.yml +7 -0
data/lib/generator_templates_sqlite/controlplane.yml +7 -0
data/lib/github_flow_templates/.github/cpflow-help.md +48 -13
data/lib/github_flow_templates/.github/workflows/cpflow-promote-staging-to-production.yml +768 -15
data/lib/github_flow_templates/bin/pin-cpflow-github-ref +17 -3
data/lib/github_flow_templates/bin/test-cpflow-github-flow +61 -9
metadata +15 -2

data/lib/github_flow_templates/bin/pin-cpflow-github-ref CHANGED Viewed

@@ -8,15 +8,25 @@ USAGE = <<~USAGE
   Use a release tag for normal operation, e.g. v5.0.0.
   Use a full 40-character commit SHA for temporary unreleased upstream testing.
-  This only updates generated reusable-workflow `uses:` refs. The called
-  workflows load their own matching shared actions from that same workflow
-  commit automatically. Regenerate from the cpflow gem when templates changed.
+  This updates generated reusable-workflow `uses:` refs plus the production
+  workflow's pinned control-plane-flow checkout and setup validation ref.
+  Regenerate from the cpflow gem when templates changed.
   Use --allow-moving-ref only for short-lived local branch/ref experiments.
 USAGE
 ALLOWED_OPTIONS = ["--allow-moving-ref"].freeze
 FULL_COMMIT_SHA = /\A[0-9a-f]{40}\z/i
 RELEASE_TAG = /\Av\d+\.\d+\.\d+(?:[-.][0-9A-Za-z][0-9A-Za-z.-]*)?\z/
+PRODUCTION_WORKFLOW_REF = "shakacode/control-plane-flow/.github/workflows/" \
+                          "cpflow-promote-staging-to-production.yml"
+CPFLOW_CHECKOUT_REF_PATTERN = %r{
+  (^\s*-\s+name:\s+Checkout\ control-plane-flow\ actions\s*\n
+    (?:(?!^\s*-\s+name:).)*?
+    ^\s+repository:\s+shakacode/control-plane-flow\s*\n
+    (?:(?!^\s*-\s+name:).)*?
+    ^\s+ref:\s+)
+  [^\s]+
+}mx
 options, positional = ARGV.partition { |arg| arg.start_with?("--") }
 unknown_options = options - ALLOWED_OPTIONS
@@ -57,8 +67,12 @@ end
 changed = []
 workflow_paths.each do |path|
   text = File.read(path)
+  production_setup_ref_pattern =
+    /(control_plane_flow_ref:\s+#{Regexp.escape(PRODUCTION_WORKFLOW_REF)}@)[^\s]+/
   updated = text
             .gsub(%r{(uses:\s+shakacode/control-plane-flow/\.github/workflows/[^@\s]+@)[^\s]+}, "\\1#{ref}")
+            .gsub(production_setup_ref_pattern, "\\1#{ref}")
+            .gsub(CPFLOW_CHECKOUT_REF_PATTERN, "\\1#{ref}")
   next if updated == text

data/lib/github_flow_templates/bin/test-cpflow-github-flow CHANGED Viewed

@@ -43,7 +43,10 @@ ruby <<'RUBY'
 require "yaml"
 CONTROL_PLANE_FLOW_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/[^@\s]+@([^\s]+)\z}
-PROMOTE_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/cpflow-promote-staging-to-production\.yml@[^\s]+\z}
+PROMOTE_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/cpflow-promote-staging-to-production\.yml@([^\s]+)\z}
+EXPECTED_PROMOTE_WORKFLOW_REF_FORMAT = "shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@vX.Y.Z"
+EXPECTED_CPFLOW_CHECKOUT_ACTION = "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+EXPECTED_CPFLOW_CHECKOUT_REPOSITORY = "shakacode/control-plane-flow"
 refs = Hash.new { |hash, key| hash[key] = [] }
@@ -72,19 +75,68 @@ Dir[".github/workflows/cpflow-*.yml"].sort.each do |path|
     refs[uses_ref] << "#{path}:#{job_name}"
     if job["uses"].to_s.match?(PROMOTE_WORKFLOW)
-      if with["production_environment"].to_s.strip.empty?
-        abort "#{path}:#{job_name} must set production_environment so GitHub can expose production environment secrets after approval"
-      end
-      secrets = job["secrets"].is_a?(Hash) ? job["secrets"] : {}
-      if secrets.key?("CPLN_TOKEN_PRODUCTION")
-        abort "#{path}:#{job_name} must not pass CPLN_TOKEN_PRODUCTION as a caller secret; store it on the protected production environment"
-      end
+      abort "#{path}:#{job_name} must not call the cross-repo production reusable workflow; use a normal caller-repo job with environment: production"
     end
   end
 end
+promote_path = ".github/workflows/cpflow-promote-staging-to-production.yml"
+promote_doc = YAML.load_file(promote_path, aliases: true)
+promote_job = promote_doc.fetch("jobs", {})["promote-to-production"]
+unless promote_job
+  abort "#{promote_path}:promote-to-production job is missing"
+end
+if promote_job.key?("uses")
+  abort "#{promote_path}:promote-to-production must run as a normal caller-repo job, not a reusable workflow, so GitHub can expose production environment secrets"
+end
+unless promote_job["environment"].to_s == "production"
+  abort "#{promote_path}:promote-to-production must declare environment: production"
+end
+checkout_step = Array(promote_job["steps"]).find { |step| step["name"] == "Checkout control-plane-flow actions" }
+unless checkout_step
+  abort "#{promote_path}:promote-to-production must include a Checkout control-plane-flow actions step"
+end
+unless checkout_step["uses"] == EXPECTED_CPFLOW_CHECKOUT_ACTION
+  abort "#{promote_path}:promote-to-production must use #{EXPECTED_CPFLOW_CHECKOUT_ACTION} for the Checkout control-plane-flow actions step"
+end
+checkout_with = checkout_step.fetch("with", {})
+checkout_repository = checkout_with["repository"]
+checkout_ref = checkout_with["ref"]
+unless checkout_repository == EXPECTED_CPFLOW_CHECKOUT_REPOSITORY
+  abort "#{promote_path}:promote-to-production must check out #{EXPECTED_CPFLOW_CHECKOUT_REPOSITORY}"
+end
+if checkout_ref.to_s.strip.empty?
+  abort "#{promote_path}:promote-to-production must pin the Checkout control-plane-flow actions step"
+end
+refs[checkout_ref] << "#{promote_path}:promote-to-production"
+setup_step = Array(promote_job["steps"]).find { |step| step["name"] == "Setup production environment" }
+unless setup_step
+  abort "#{promote_path}:promote-to-production must include a Setup production environment step"
+end
+setup_ref = setup_step.fetch("with", {})["control_plane_flow_ref"]
+setup_match = setup_ref.to_s.match(PROMOTE_WORKFLOW)
+unless setup_match
+  abort "#{promote_path}:promote-to-production must pass a pinned production control_plane_flow_ref to setup, " \
+        "for example #{EXPECTED_PROMOTE_WORKFLOW_REF_FORMAT}"
+end
+refs[setup_match[1]] << "#{promote_path}:promote-to-production setup"
 if refs.empty?
   puts "no upstream cpflow reusable workflow refs found"
 elsif refs.length > 1

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cpflow
 version: !ruby/object:Gem::Version
-  version: 5.0.4
+  version: 5.1.1
 platform: ruby
 authors:
 - Justin Gordon
@@ -120,6 +120,18 @@ files:
 - docs/ai-github-flow-prompt.md
 - docs/assets/cpflow-deploying.svg
 - docs/assets/grafana-alert.png
+- docs/assets/logo/favicon.ico
+- docs/assets/logo/icon-1024.png
+- docs/assets/logo/icon-128.png
+- docs/assets/logo/icon-16.png
+- docs/assets/logo/icon-192.png
+- docs/assets/logo/icon-24.png
+- docs/assets/logo/icon-32.png
+- docs/assets/logo/icon-48.png
+- docs/assets/logo/icon-512.png
+- docs/assets/logo/icon-64.png
+- docs/assets/logo/icon-tile.svg
+- docs/assets/logo/mark-transparent.svg
 - docs/assets/memcached.png
 - docs/assets/sidekiq-pre-stop-hook.png
 - docs/ci-automation.md
@@ -127,6 +139,7 @@ files:
 - docs/dns.md
 - docs/migrating-heroku-to-control-plane.md
 - docs/postgres.md
+- docs/rds-private-networking.md
 - docs/redis.md
 - docs/releasing.md
 - docs/secrets-and-env-values.md
@@ -271,7 +284,7 @@ licenses:
 metadata:
   rubygems_mfa_required: 'true'
 post_install_message: |
-  cpflow 5.0.4 installed.
+  cpflow 5.1.1 installed.
   If this repository already uses generated cpflow GitHub Actions, update the
   checked-in wrappers so GitHub loads the matching control-plane-flow release tag: