Tighten cpflow workflow permissions and triggers

Author: justin808

.github/actions/cpflow-setup-environment/action.yml

@@ -83,8 +83,8 @@ runs:
           exit 1
         fi
 
-        # Persist the token for later cpflow/cpln steps via env. Use a randomized
-        # delimiter so a multiline token cannot terminate the heredoc early.
+        # Persist the token because later cpflow/cpln steps read CPLN_TOKEN directly.
+        # Use a randomized delimiter so a multiline token cannot terminate the heredoc early.
         delim="CPLN_TOKEN_$(openssl rand -hex 8)"
         {
           echo "CPLN_TOKEN<<${delim}"

.github/workflows/cpflow-deploy-review-app.yml

@@ -4,7 +4,7 @@ run-name: "Deploy Review App - PR #${{ github.event.pull_request.number || githu
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [synchronize, reopened]
   issue_comment:
     # Slash-command workflow changes run from the default branch until merged.
     # Test PR-branch edits with:

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -9,7 +9,7 @@ on:
         type: string
 
 permissions:
-  contents: write  # Required for `gh release create` in the "Create GitHub release" step.
+  contents: read
 
 env:
   # Override these by editing this file or by setting the matching repository variable.
@@ -383,25 +383,6 @@ jobs:
             fi
           done
 
-      - name: Create GitHub release
-        if: success() && steps.health-check.outputs.healthy == 'true'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_RUN_ID: ${{ github.run_id }}
-          STAGING_APP_NAME: ${{ vars.STAGING_APP_NAME }}
-          PRODUCTION_APP_NAME: ${{ vars.PRODUCTION_APP_NAME }}
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          release_date="$(date '+%Y-%m-%d')"
-          timestamp="$(date '+%H%M%S')"
-          release_tag="production-${release_date}-${timestamp}-${GITHUB_RUN_ID}"
-
-          gh release create "${release_tag}" \
-            --title "Production Release ${release_date} ${timestamp}" \
-            --notes "Promoted ${STAGING_APP_NAME} to ${PRODUCTION_APP_NAME} on ${release_date} at ${timestamp}."
-
       - name: Promotion summary
         if: always()
         env:
@@ -422,3 +403,31 @@ jobs:
             echo "Previous image (first container of selected/first workload): \`${PREVIOUS_IMAGE}\`"
             echo "Previous version: ${PREVIOUS_VERSION}"
           } >> "$GITHUB_STEP_SUMMARY"
+
+  create-release:
+    needs: promote-to-production
+    if: needs.promote-to-production.result == 'success'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: write
+
+    steps:
+      - name: Create GitHub release
+        env:
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_RUN_ID: ${{ github.run_id }}
+          STAGING_APP_NAME: ${{ vars.STAGING_APP_NAME }}
+          PRODUCTION_APP_NAME: ${{ vars.PRODUCTION_APP_NAME }}
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          release_date="$(date '+%Y-%m-%d')"
+          timestamp="$(date '+%H%M%S')"
+          release_tag="production-${release_date}-${timestamp}-${GITHUB_RUN_ID}"
+
+          gh release create "${release_tag}" \
+            --title "Production Release ${release_date} ${timestamp}" \
+            --notes "Promoted ${STAGING_APP_NAME} to ${PRODUCTION_APP_NAME} on ${release_date} at ${timestamp}."