Address latest cpflow flow review updates

justin808 · justin808 · commit fdda08db1e7d · 2026-05-01T12:25:37.000-10:00
diff --git a/.github/actions/cpflow-delete-control-plane-app/delete-app.sh b/.github/actions/cpflow-delete-control-plane-app/delete-app.sh
@@ -14,8 +14,9 @@ if [[ "$APP_NAME" != "${expected_prefix}"* ]]; then
   exit 1
 fi
 
-# Guard against a misconfigured REVIEW_APP_PREFIX that would otherwise match
-# a well-known shared environment.
+# Guard against a misconfigured REVIEW_APP_PREFIX that would otherwise match a
+# well-known shared environment. This intentionally rejects review-app prefixes
+# containing these word segments; failing closed is safer for deletion.
 if echo "$APP_NAME" | grep -iqE '(^|-)(production|staging)(-|$)'; then
   echo "❌ ERROR: refusing to delete an app whose name contains 'production' or 'staging'" >&2
   echo "App name: $APP_NAME" >&2
diff --git a/.github/actions/cpflow-validate-config/action.yml b/.github/actions/cpflow-validate-config/action.yml
@@ -4,8 +4,8 @@ description: >-
   proceeds. Pass each value via `env:` with the same NAME as the secret or variable,
   then list the required entries in `required` as `type:NAME` pairs (type is `secret`
   or `variable`). When `pull_request_friendly: true` and the current event is a
-  `pull_request`, missing config writes a step summary and exits 0 with `ready=false`
-  instead of failing the job.
+  pull request event, missing config writes a step summary and exits 0 with
+  `ready=false` instead of failing the job.
 
 inputs:
   required:
@@ -14,7 +14,7 @@ inputs:
       caller MUST export the matching values via `env:` using the same NAME.
     required: true
   pull_request_friendly:
-    description: When "true" and event is pull_request, write summary and exit 0 with ready=false.
+    description: When "true" and event is pull_request/pull_request_target, write summary and exit 0 with ready=false.
     required: false
     default: "false"
 
@@ -58,7 +58,7 @@ runs:
           exit 0
         fi
 
-        if [[ "${CPFLOW_PR_FRIENDLY}" == "true" && "${CPFLOW_EVENT_NAME}" == "pull_request" ]]; then
+        if [[ "${CPFLOW_PR_FRIENDLY}" == "true" && ( "${CPFLOW_EVENT_NAME}" == "pull_request" || "${CPFLOW_EVENT_NAME}" == "pull_request_target" ) ]]; then
           echo "ready=false" >> "$GITHUB_OUTPUT"
           {
             echo "Control Plane review app automation is not configured yet."
diff --git a/.github/workflows/cpflow-cleanup-stale-review-apps.yml b/.github/workflows/cpflow-cleanup-stale-review-apps.yml
@@ -52,3 +52,4 @@ jobs:
         run: |
           set -euo pipefail
           cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG_STAGING}" --yes
+          echo "Stale review apps under prefix '${REVIEW_APP_PREFIX}' have been cleaned up." >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/cpflow-delete-review-app.yml b/.github/workflows/cpflow-delete-review-app.yml
@@ -14,6 +14,7 @@ on:
 
 permissions:
   contents: read
+  deployments: write
   issues: write
   pull-requests: write
 
@@ -46,7 +47,8 @@ jobs:
       # comments. This checkout is safe because it does not set `ref:`; GitHub checks
       # out the base branch's trusted workflow code, not the fork head. Do not add
       # `ref: ${{ github.event.pull_request.head.sha }}` here without re-evaluating
-      # the trust boundary.
+      # the trust boundary. All local composite actions below are therefore loaded from
+      # trusted base-branch code; keep them that way when changing this workflow.
       - name: Checkout repository
         uses: actions/checkout@v4
 
@@ -61,6 +63,7 @@ jobs:
             secret:CPLN_TOKEN_STAGING
             variable:CPLN_ORG_STAGING
             variable:REVIEW_APP_PREFIX
+          pull_request_friendly: "true"
 
       - name: Setup environment
         uses: ./.github/actions/cpflow-setup-environment
@@ -101,6 +104,33 @@ jobs:
           cpln_org: ${{ vars.CPLN_ORG_STAGING }}
           review_app_prefix: ${{ vars.REVIEW_APP_PREFIX }}
 
+      - name: Mark GitHub deployment inactive
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const environment = `review/${process.env.APP_NAME}`;
+            const deployments = await github.paginate(github.rest.repos.listDeployments, {
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              environment,
+              per_page: 100
+            });
+
+            if (deployments.length === 0) {
+              core.info(`No GitHub deployments found for ${environment}.`);
+              return;
+            }
+
+            for (const deployment of deployments) {
+              await github.rest.repos.createDeploymentStatus({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                deployment_id: deployment.id,
+                state: "inactive",
+                description: `Review app ${process.env.APP_NAME} was deleted`
+              });
+            }
+
       - name: Finalize delete status
         if: always()
         uses: actions/github-script@v7
diff --git a/.github/workflows/cpflow-deploy-staging.yml b/.github/workflows/cpflow-deploy-staging.yml
@@ -92,7 +92,7 @@ jobs:
 
   deploy:
     needs: [validate-branch, build]
-    if: needs.validate-branch.outputs.is_deployable == 'true'
+    if: needs.validate-branch.outputs.is_deployable == 'true' && needs.build.result == 'success'
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
diff --git a/.github/workflows/cpflow-promote-staging-to-production.yml b/.github/workflows/cpflow-promote-staging-to-production.yml
@@ -148,6 +148,13 @@ jobs:
           staging_vars="$(CPLN_TOKEN="${CPLN_TOKEN_STAGING}" cpln gvc get "${STAGING_APP_NAME}" --org "${CPLN_ORG_STAGING}" -o json | jq -r '.spec.env // [] | .[].name' | sort)"
           production_vars="$(CPLN_TOKEN="${CPLN_TOKEN_PRODUCTION}" cpln gvc get "${PRODUCTION_APP_NAME}" --org "${CPLN_ORG_PRODUCTION}" -o json | jq -r '.spec.env // [] | .[].name' | sort)"
 
+          {
+            echo "### Environment parity scope"
+            echo "This check compares GVC-level environment variable names only."
+            echo "Workload-level env vars and cpln:// secret references are not compared."
+            echo
+          } >> "$GITHUB_STEP_SUMMARY"
+
           if [[ -z "${staging_vars}" ]]; then
             echo "Staging GVC exposes no environment variables; skipping parity check."
             exit 0
@@ -191,9 +198,9 @@ jobs:
             [[ -n "${workload_name}" ]] || continue
 
             workload_json="$(cpln workload get "${workload_name}" --gvc "${PRODUCTION_APP_NAME}" --org "${CPLN_ORG_PRODUCTION}" -o json)"
-          # current_image/current_version are summary fields for the first container
-          # of the selected workload; rollback_state below captures all containers.
-          workload_image="$(echo "${workload_json}" | jq -r '.spec.containers[0].image')"
+            # current_image/current_version are summary fields for the first container
+            # of the selected workload; rollback_state below captures all containers.
+            workload_image="$(echo "${workload_json}" | jq -r '.spec.containers[0].image')"
             workload_containers="$(echo "${workload_json}" | jq -c '.spec.containers | map({name, image})')"
             workload_version="$(echo "${workload_json}" | jq -r '.version')"
 
