Address cpflow review workflow feedback

Author: justin808

.github/cpflow-help.md

@@ -44,6 +44,7 @@
 
 - Review apps are opt-in and created with `/deploy-review-app`
 - New commits redeploy existing review apps automatically
+- Slash command workflows run from the default branch until merged. Test PR-branch edits with `gh workflow run cpflow-deploy-review-app.yml --ref <branch> -f pr_number=<pr-number>`.
 - Pushes to the staging branch deploy staging automatically
 - Promotion to production is manual via the Actions tab
 - A nightly workflow removes stale review apps

.github/workflows/cpflow-delete-review-app.yml

@@ -1,6 +1,9 @@
 name: Delete Review App
 
 on:
+  # SECURITY: pull_request_target is intentional for PR-close cleanup from forks.
+  # This workflow must keep checking out trusted base-branch code only; do not
+  # change checkout to a PR head ref without re-evaluating secret exposure.
   pull_request_target:
     types: [closed]
   issue_comment:
@@ -53,6 +56,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Validate required secrets and variables
+        id: config
         uses: ./.github/actions/cpflow-validate-config
         env:
           CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
@@ -66,6 +70,7 @@ jobs:
           pull_request_friendly: "true"
 
       - name: Setup environment
+        if: steps.config.outputs.ready == 'true'
         uses: ./.github/actions/cpflow-setup-environment
         with:
           token: ${{ secrets.CPLN_TOKEN_STAGING }}
@@ -74,6 +79,7 @@ jobs:
           cpflow_version: ${{ vars.CPFLOW_VERSION }}
 
       - name: Set workflow links
+        if: steps.config.outputs.ready == 'true'
         uses: actions/github-script@v7
         with:
           script: |
@@ -85,6 +91,7 @@ jobs:
             );
 
       - name: Create initial PR comment
+        if: steps.config.outputs.ready == 'true'
         id: create-comment
         uses: actions/github-script@v7
         with:
@@ -98,13 +105,15 @@ jobs:
             core.setOutput("comment-id", comment.data.id);
 
       - name: Delete review app
+        if: steps.config.outputs.ready == 'true'
         uses: ./.github/actions/cpflow-delete-control-plane-app
         with:
           app_name: ${{ env.APP_NAME }}
           cpln_org: ${{ vars.CPLN_ORG_STAGING }}
           review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
 
       - name: Mark GitHub deployment inactive
+        if: steps.config.outputs.ready == 'true'
         uses: actions/github-script@v7
         with:
           script: |
@@ -132,7 +141,7 @@ jobs:
             }
 
       - name: Finalize delete status
-        if: always()
+        if: always() && steps.config.outputs.ready == 'true'
         uses: actions/github-script@v7
         with:
           script: |

.github/workflows/cpflow-deploy-review-app.yml

@@ -126,6 +126,7 @@ jobs:
         id: source
         env:
           EVENT_NAME: ${{ github.event_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SAME_REPO: ${{ steps.resolve-pr.outputs.same_repo }}
         shell: bash
         run: |
@@ -147,10 +148,14 @@ jobs:
 
           if [[ "${EVENT_NAME}" == "issue_comment" ]]; then
             echo "allowed=false" >> "$GITHUB_OUTPUT"
+            message="Review app deploys from fork pull requests require a branch in ${GITHUB_REPOSITORY}. This workflow builds Docker images with repository secrets, so comment-triggered deploys only run for branches in the base repository."
             {
               echo "Review app deploys from fork pull requests require a branch in ${GITHUB_REPOSITORY}."
               echo "This workflow builds Docker images with repository secrets, so comment-triggered deploys only run for branches in the base repository."
             } >> "$GITHUB_STEP_SUMMARY"
+            if ! gh pr comment "${PR_NUMBER}" --body "${message}"; then
+              echo "::warning::Could not post fork-PR deployment rejection comment."
+            fi
             exit 0
           fi
 

.github/workflows/cpflow-deploy-staging.yml

@@ -29,7 +29,7 @@ concurrency:
 jobs:
   validate-branch:
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     outputs:
       is_deployable: ${{ steps.check-branch.outputs.is_deployable }}
     steps:

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -26,6 +26,8 @@ env:
   # (e.g. "200" for a plain /health, or "200 401 403" for apps that auth-gate / without
   # redirecting).
   HEALTH_CHECK_ACCEPTED_STATUSES: ${{ vars.HEALTH_CHECK_ACCEPTED_STATUSES || '200 301 302' }}
+  # Rollback readiness checks run per workload in sequence, so worst-case wait is
+  # workload count times ROLLBACK_READINESS_RETRIES times ROLLBACK_READINESS_INTERVAL.
   ROLLBACK_READINESS_RETRIES: ${{ vars.ROLLBACK_READINESS_RETRIES || 24 }}
   ROLLBACK_READINESS_INTERVAL: ${{ vars.ROLLBACK_READINESS_INTERVAL || 15 }}
   PRIMARY_WORKLOAD: ${{ vars.PRIMARY_WORKLOAD }}
@@ -287,8 +289,11 @@ jobs:
         run: |
           # Best-effort rollback: try every workload, aggregate failures, exit non-zero at the end
           # if any failed. A single cpln hiccup shouldn't leave other workloads mid-promotion.
+          # Intentionally omit -e so one workload failure does not skip the rest.
           set -uo pipefail
 
+          echo "::warning::Rollback restores workload images only. Database migrations and release_script side effects are not reversed; verify database state manually before re-promoting."
+
           rollback_failures=0
           if ! rollback_entries="$(echo "${ROLLBACK_STATE}" | jq -r 'to_entries[] | "\(.key)\t\(.value.containers | @json)"')"; then
             echo "::error::Could not parse rollback state; manual recovery may be required." >&2