cpflow 5.0.0.rc.1 → 5.0.0.rc.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 789ef352119854bd9daa4adba73e82eb156ac81c830ecb128506df228a83c8d5
-  data.tar.gz: '039a0591791642b586b0658235c1ce61bd87b79e9a638c8c1c0a7bb7c99438ba'
+  metadata.gz: 8841c9270ad57971f444915cadf8c8572c815423a82871c8c03d85195a70764f
+  data.tar.gz: 9e480ccf6654b9bdd6229816d32ee5a2961607104c71c3b9ead8e263d10b529d
 SHA512:
-  metadata.gz: ef26969b2637b60bed3ab00a88b3d087a700ceef4299b6e9722ab61ef542fdb4a44af2684f50a4fda4e236e81c2192f2bff419c802efed20456401948c0e3fe7
-  data.tar.gz: 867da23be041326b04c4c793d8e67d14b903a1f17198b70148c408068d31e326fa338f6ac2eedcba7c8c72582cb962799cdc050ad8f2423de56739767850b830
+  metadata.gz: 6b83fb9da2665e47b6f5e518ab857883d4607f99f401573b5a4967f5050bdf79bd018ff5411b3f01336a26a06274cec42fe10353d83d28d1f725b7f60557df94
+  data.tar.gz: fb52b9cc15d8d89685b5830a67ad7bc95f08e128539c6c002a74fcde72691883a5afd40ddb61b3b7eff3695684f7816a2f2db9ca082085bb720e7a3399a98f7e

data/{lib/github_flow_templates/.github → .github}/actions/cpflow-delete-control-plane-app/action.yml

@@ -11,12 +11,17 @@ inputs:
   review_app_prefix:
     description: Prefix used for review app names
     required: true
+  working_directory:
+    description: Directory containing the downstream project's .controlplane/controlplane.yml
+    required: false
+    default: "."
 
 runs:
   using: composite
   steps:
     - name: Delete application
       shell: bash
+      working-directory: ${{ inputs.working_directory }}
       run: ${{ github.action_path }}/delete-app.sh
       env:
         APP_NAME: ${{ inputs.app_name }}

data/{lib/github_flow_templates/.github → .github}/actions/cpflow-detect-release-phase/action.yml

@@ -34,6 +34,13 @@ runs:
         require "yaml"
 
         app_name = ARGV.fetch(0)
+
+        unless File.file?(".controlplane/controlplane.yml")
+          warn "Error: `.controlplane/controlplane.yml` is missing. " \
+               "cpflow-detect-release-phase must be invoked from a cpflow-configured project."
+          exit 1
+        end
+
         data = YAML.safe_load(File.read(".controlplane/controlplane.yml"), aliases: true)
         apps = data["apps"] || {}
         app_config = apps[app_name]

data/.github/actions/cpflow-setup-environment/action.yml

@@ -0,0 +1,161 @@
+name: Setup Control Plane Environment
+description: Sets up Ruby, installs the Control Plane CLI and cpflow, and configures a default profile
+
+inputs:
+  token:
+    description: Control Plane token
+    required: true
+  org:
+    description: Control Plane organization
+    required: true
+  ruby_version:
+    description: >-
+      Ruby version used for cpflow. When empty (the default), ruby/setup-ruby
+      auto-detects from .ruby-version, .tool-versions, mise.toml, or a Gemfile
+      ruby directive, then falls back to the action's pinned default.
+    required: false
+    default: ""
+  working_directory:
+    description: Directory where ruby/setup-ruby should detect Ruby version files.
+    required: false
+    default: "."
+  # GitHub parses double-brace expression snippets inside action metadata (including
+  # `description:`) while loading the composite action, and the `vars` context is not
+  # available in that phase. Keep these descriptions in plain prose - reference repo
+  # variables by NAME only, never with literal GitHub Actions expression syntax.
+  cpln_cli_version:
+    description: >-
+      @controlplane/cli version. Empty string falls back to the action's pinned default,
+      so callers can wire this input to the CPLN_CLI_VERSION repository variable
+      unconditionally.
+    required: false
+    default: ""
+  cpflow_version:
+    description: >-
+      cpflow gem version to install from RubyGems. Empty string installs cpflow from
+      the checked-out control-plane-flow repository, so callers can test a GitHub ref
+      without publishing a release.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  # ruby/setup-ruby tracks Ruby/toolcache updates on a major tag. The privileged
+  # reusable workflows pin GitHub-owned actions to immutable SHAs.
+  steps:
+    - name: Resolve Ruby setup version
+      id: ruby-version
+      shell: bash
+      env:
+        INPUT_RUBY_VERSION: ${{ inputs.ruby_version }}
+        INPUT_WORKING_DIRECTORY: ${{ inputs.working_directory }}
+      run: |
+        set -euo pipefail
+
+        ruby_version="${INPUT_RUBY_VERSION}"
+        working_directory="${INPUT_WORKING_DIRECTORY:-.}"
+        # Bump when the project's minimum-supported Ruby advances.
+        default_ruby_version="3.2"
+
+        if [[ -z "${ruby_version}" ]]; then
+          if [[ -f "${working_directory}/.ruby-version" ]] ||
+             { [[ -f "${working_directory}/.tool-versions" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]+" "${working_directory}/.tool-versions"; } ||
+             { [[ -f "${working_directory}/mise.toml" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]*=" "${working_directory}/mise.toml"; } ||
+             { [[ -f "${working_directory}/.mise.toml" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]*=" "${working_directory}/.mise.toml"; }; then
+            : # keep empty; ruby/setup-ruby will auto-detect
+          elif [[ -f "${working_directory}/Gemfile" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]*(\(|file:|['\"])" "${working_directory}/Gemfile"; then
+            : # keep empty; ruby/setup-ruby will read Gemfile
+          else
+            ruby_version="${default_ruby_version}"
+          fi
+        fi
+
+        echo "ruby_version=${ruby_version}" >> "$GITHUB_OUTPUT"
+
+    - name: Set up Ruby
+      # ruby/setup-ruby intentionally tracks the v1 tag so Ruby/toolcache updates
+      # roll out automatically; Dependabot/Renovate can manage this non-GitHub action.
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ steps.ruby-version.outputs.ruby_version }}
+        working-directory: ${{ inputs.working_directory }}
+
+    - name: Install Control Plane CLI and cpflow gem
+      shell: bash
+      env:
+        CPLN_CLI_VERSION: ${{ inputs.cpln_cli_version }}
+        CPFLOW_VERSION: ${{ inputs.cpflow_version }}
+        CPFLOW_SOURCE_DIR: ${{ github.action_path }}/../../..
+      run: |
+        set -euo pipefail
+
+        # Bump this default when a new Control Plane CLI release should roll out by default.
+        # Override per-repo by setting the `CPLN_CLI_VERSION` repo variable.
+        default_cpln_cli_version="3.10.2"
+
+        CPLN_CLI_VERSION="${CPLN_CLI_VERSION:-${default_cpln_cli_version}}"
+
+        npm_global_prefix="${HOME}/.npm-global"
+        mkdir -p "${npm_global_prefix}"
+        echo "${npm_global_prefix}/bin" >> "$GITHUB_PATH"
+        export PATH="${npm_global_prefix}/bin:${PATH}"
+
+        npm install --global --prefix "${npm_global_prefix}" "@controlplane/cli@${CPLN_CLI_VERSION}"
+        cpln --version
+
+        if [[ -n "${CPFLOW_VERSION}" ]]; then
+          gem install cpflow -v "${CPFLOW_VERSION}" --no-document
+        else
+          cpflow_source_dir="$(cd "${CPFLOW_SOURCE_DIR}" && pwd)"
+          if [[ ! -f "${cpflow_source_dir}/cpflow.gemspec" ]]; then
+            echo "::error::CPFLOW_SOURCE_DIR (${cpflow_source_dir}) does not contain cpflow.gemspec" >&2
+            exit 1
+          fi
+
+          cpflow_gem="$(mktemp -t cpflow-XXXXXX.gem)"
+          trap 'rm -f "${cpflow_gem}"' EXIT
+          (
+            cd "${cpflow_source_dir}"
+            gem build cpflow.gemspec --output "${cpflow_gem}"
+          )
+          gem install "${cpflow_gem}" --no-document
+        fi
+
+        cpflow --version
+
+    - name: Setup Control Plane profile and registry login
+      shell: bash
+      env:
+        # Pass the token via CPLN_TOKEN so cpln picks it up from the environment
+        # rather than `--token`, which would leak it into /proc/<pid>/cmdline and ps output.
+        CPLN_TOKEN: ${{ inputs.token }}
+        ORG: ${{ inputs.org }}
+      run: |
+        set -euo pipefail
+
+        if [[ -z "$CPLN_TOKEN" ]]; then
+          echo "Error: Control Plane token not provided" >&2
+          exit 1
+        fi
+
+        if [[ -z "$ORG" ]]; then
+          echo "Error: Control Plane organization not provided" >&2
+          exit 1
+        fi
+
+        # `cpln profile update` lists `create` as an alias (cpln profile --help) and is
+        # idempotent: it creates the profile if missing and updates it otherwise. Calling
+        # update directly avoids parsing the CLI's "already exists" English error text,
+        # which would silently swallow a real failure if the wording ever changed.
+        cpln profile update default --org "$ORG"
+        cpln image docker-login --org "$ORG"
+
+        # Keep the token available to later cpflow/cpln steps without passing it
+        # on the command line. GitHub masks secret values in logs, and the env file
+        # itself is not echoed.
+        delim="CPLN_TOKEN_DELIM_$(openssl rand -hex 8)"
+        {
+          echo "CPLN_TOKEN<<${delim}"
+          echo "${CPLN_TOKEN}"
+          echo "${delim}"
+        } >> "$GITHUB_ENV"

data/.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -0,0 +1,69 @@
+name: Cleanup Stale Review Apps
+
+on:
+  workflow_call:
+    inputs:
+      control_plane_flow_ref:
+        description: Git ref used to load shared cpflow composite actions.
+        required: false
+        type: string
+        default: main
+
+permissions:
+  contents: read
+
+concurrency:
+  # Single global group: only one cleanup sweep at a time. Independent of review-app
+  # deploy/delete groups (different keys), so cleanup will not block per-PR work.
+  group: cpflow-cleanup-stale-review-apps
+  # A cancelled `cpflow cleanup-stale-apps` can leave half-deleted review apps; let
+  # the in-flight run finish before the next scheduled tick begins.
+  cancel-in-progress: false
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout control-plane-flow actions
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          repository: shakacode/control-plane-flow
+          ref: ${{ inputs.control_plane_flow_ref }}
+          path: .cpflow
+          persist-credentials: false
+
+      - name: Validate required secrets and variables
+        uses: ./.cpflow/.github/actions/cpflow-validate-config
+        env:
+          CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
+        with:
+          required: |
+            secret:CPLN_TOKEN_STAGING
+            variable:CPLN_ORG_STAGING
+            variable:REVIEW_APP_PREFIX
+
+      - name: Setup environment
+        uses: ./.cpflow/.github/actions/cpflow-setup-environment
+        with:
+          token: ${{ secrets.CPLN_TOKEN_STAGING }}
+          org: ${{ vars.CPLN_ORG_STAGING }}
+          working_directory: .cpflow
+          cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
+          cpflow_version: ${{ vars.CPFLOW_VERSION }}
+
+      - name: Checkout caller repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Remove stale review apps
+        env:
+          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
+          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG_STAGING}" --yes

data/.github/workflows/cpflow-delete-review-app.yml

@@ -0,0 +1,182 @@
+name: Delete Review App
+
+on:
+  workflow_call:
+    inputs:
+      control_plane_flow_ref:
+        description: Git ref used to load shared cpflow composite actions.
+        required: false
+        type: string
+        default: main
+
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: cpflow-delete-review-app-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
+  # Deletions must not cancel each other mid-flight — a cancelled `cpln` delete can leave
+  # partial state behind. Let the in-progress deletion finish before the next run starts.
+  cancel-in-progress: false
+
+env:
+  APP_NAME: ${{ vars.REVIEW_APP_PREFIX }}-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
+  CPLN_ORG: ${{ vars.CPLN_ORG_STAGING }}
+  PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
+
+jobs:
+  delete-review-app:
+    if: |
+      (github.event_name == 'issue_comment' &&
+       github.event.issue.pull_request &&
+       contains(fromJson('["+review-app-delete","+review-app-delete\n","+review-app-delete\r\n"]'), github.event.comment.body) &&
+       contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_target' && github.event.action == 'closed') ||
+      github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: React to delete command
+        if: github.event_name == 'issue_comment'
+        continue-on-error: true
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        with:
+          script: |
+            try {
+              await github.rest.reactions.createForIssueComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: context.payload.comment.id,
+                content: "eyes"
+              });
+            } catch (error) {
+              if (error.status === 422) {
+                core.info("Delete command reaction already exists.");
+              } else {
+                throw error;
+              }
+            }
+
+      - name: Checkout control-plane-flow actions
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          repository: shakacode/control-plane-flow
+          ref: ${{ inputs.control_plane_flow_ref }}
+          path: .cpflow
+          persist-credentials: false
+
+      - name: Validate required secrets and variables
+        id: config
+        uses: ./.cpflow/.github/actions/cpflow-validate-config
+        env:
+          CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
+        with:
+          required: |
+            secret:CPLN_TOKEN_STAGING
+            variable:CPLN_ORG_STAGING
+            variable:REVIEW_APP_PREFIX
+          pull_request_friendly: "true"
+
+      - name: Checkout repository
+        if: steps.config.outputs.ready == 'true'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          path: app
+          persist-credentials: false
+
+      - name: Setup environment
+        if: steps.config.outputs.ready == 'true'
+        uses: ./.cpflow/.github/actions/cpflow-setup-environment
+        with:
+          token: ${{ secrets.CPLN_TOKEN_STAGING }}
+          org: ${{ vars.CPLN_ORG_STAGING }}
+          working_directory: app
+          cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
+          cpflow_version: ${{ vars.CPFLOW_VERSION }}
+
+      - name: Set workflow links
+        if: steps.config.outputs.ready == 'true'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        with:
+          script: |
+            const workflowUrl = `${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
+            core.exportVariable("WORKFLOW_URL", workflowUrl);
+            core.exportVariable(
+              "CONSOLE_URL",
+              `https://console.cpln.io/console/org/${process.env.CPLN_ORG}/-info`
+            );
+
+      - name: Create initial PR comment
+        if: steps.config.outputs.ready == 'true'
+        id: create-comment
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        with:
+          script: |
+            const body = [
+              "## 🗑️ Deleting review app...",
+              "",
+              `_Removing the review app for PR #${process.env.PR_NUMBER}_`
+            ].join("\n");
+
+            const comment = await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: Number(process.env.PR_NUMBER),
+              body
+            });
+            core.setOutput("comment-id", comment.data.id);
+
+      - name: Delete review app
+        if: steps.config.outputs.ready == 'true'
+        uses: ./.cpflow/.github/actions/cpflow-delete-control-plane-app
+        with:
+          app_name: ${{ env.APP_NAME }}
+          cpln_org: ${{ vars.CPLN_ORG_STAGING }}
+          review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
+          working_directory: app
+
+      # Finalizer still runs after delete failures, but only after config validation
+      # created the initial PR comment and workflow link env vars it updates.
+      - name: Finalize delete status
+        if: always() && steps.config.outputs.ready == 'true'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        env:
+          COMMENT_ID: ${{ steps.create-comment.outputs.comment-id }}
+          JOB_STATUS: ${{ job.status }}
+        with:
+          script: |
+            const commentId = Number(process.env.COMMENT_ID);
+            const success = process.env.JOB_STATUS === "success";
+            const body = success
+              ? [
+                  "## ✅ Review App Deleted",
+                  "",
+                  `_Review app for PR #${process.env.PR_NUMBER} is deleted_`,
+                  "",
+                  `🎮 [Control Plane Console](${process.env.CONSOLE_URL})`,
+                  `📋 [View Workflow Logs](${process.env.WORKFLOW_URL})`
+                ].join("\n")
+              : [
+                  "## ❌ Failed to Delete Review App",
+                  "",
+                  `_Failed to delete review app for PR #${process.env.PR_NUMBER}_`,
+                  "",
+                  `🎮 [Control Plane Console](${process.env.CONSOLE_URL})`,
+                  `📋 [View Workflow Logs](${process.env.WORKFLOW_URL})`
+                ].join("\n");
+
+            if (!Number.isFinite(commentId) || commentId <= 0) {
+              core.warning("Skipping delete status comment update because no comment id was created.");
+              return;
+            }
+
+            await github.rest.issues.updateComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: commentId,
+              body
+            });