shakacode
diff --git a/‎…ons/cpflow-build-docker-image/action.yml‎ ‎…ons/cpflow-build-docker-image/action.yml‎lib/github_flow_templates/.github/actions/cpflow-build-docker-image/action.yml renamed to .github/actions/cpflow-build-docker-image/action.yml b/‎…ons/cpflow-build-docker-image/action.yml‎ ‎…ons/cpflow-build-docker-image/action.yml‎lib/github_flow_templates/.github/actions/cpflow-build-docker-image/action.yml renamed to .github/actions/cpflow-build-docker-image/action.yml
diff --git a/‎…flow-delete-control-plane-app/action.yml‎ ‎…flow-delete-control-plane-app/action.yml‎lib/github_flow_templates/.github/actions/cpflow-delete-control-plane-app/action.yml renamed to .github/actions/cpflow-delete-control-plane-app/action.yml
Lines changed: 5 additions & 0 deletions b/‎…flow-delete-control-plane-app/action.yml‎ ‎…flow-delete-control-plane-app/action.yml‎lib/github_flow_templates/.github/actions/cpflow-delete-control-plane-app/action.yml renamed to .github/actions/cpflow-delete-control-plane-app/action.yml
Lines changed: 5 additions & 0 deletions
diff --git a/‎…w-delete-control-plane-app/delete-app.sh‎ ‎…w-delete-control-plane-app/delete-app.sh‎lib/github_flow_templates/.github/actions/cpflow-delete-control-plane-app/delete-app.sh renamed to .github/actions/cpflow-delete-control-plane-app/delete-app.sh b/‎…w-delete-control-plane-app/delete-app.sh‎ ‎…w-delete-control-plane-app/delete-app.sh‎lib/github_flow_templates/.github/actions/cpflow-delete-control-plane-app/delete-app.sh renamed to .github/actions/cpflow-delete-control-plane-app/delete-app.sh
diff --git a/‎…s/cpflow-detect-release-phase/action.yml‎ ‎…s/cpflow-detect-release-phase/action.yml‎lib/github_flow_templates/.github/actions/cpflow-detect-release-phase/action.yml renamed to .github/actions/cpflow-detect-release-phase/action.yml
Lines changed: 7 additions & 0 deletions b/‎…s/cpflow-detect-release-phase/action.yml‎ ‎…s/cpflow-detect-release-phase/action.yml‎lib/github_flow_templates/.github/actions/cpflow-detect-release-phase/action.yml renamed to .github/actions/cpflow-detect-release-phase/action.yml
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/actions/cpflow-setup-environment/action.yml‎
Lines changed: 161 additions & 0 deletions b/‎.github/actions/cpflow-setup-environment/action.yml‎
Lines changed: 161 additions & 0 deletions
diff --git a/‎…ctions/cpflow-validate-config/action.yml‎ ‎…ctions/cpflow-validate-config/action.yml‎lib/github_flow_templates/.github/actions/cpflow-validate-config/action.yml renamed to .github/actions/cpflow-validate-config/action.yml b/‎…ctions/cpflow-validate-config/action.yml‎ ‎…ctions/cpflow-validate-config/action.yml‎lib/github_flow_templates/.github/actions/cpflow-validate-config/action.yml renamed to .github/actions/cpflow-validate-config/action.yml
diff --git a/‎…ctions/cpflow-wait-for-health/action.yml‎ ‎…ctions/cpflow-wait-for-health/action.yml‎lib/github_flow_templates/.github/actions/cpflow-wait-for-health/action.yml renamed to .github/actions/cpflow-wait-for-health/action.yml b/‎…ctions/cpflow-wait-for-health/action.yml‎ ‎…ctions/cpflow-wait-for-health/action.yml‎lib/github_flow_templates/.github/actions/cpflow-wait-for-health/action.yml renamed to .github/actions/cpflow-wait-for-health/action.yml
diff --git a/‎.github/workflows/cpflow-cleanup-stale-review-apps.yml‎
Lines changed: 69 additions & 0 deletions b/‎.github/workflows/cpflow-cleanup-stale-review-apps.yml‎
Lines changed: 69 additions & 0 deletions
@@ -11,12 +11,17 @@ inputs:
   review_app_prefix:
     description: Prefix used for review app names
     required: true
+  working_directory:
+    description: Directory containing the downstream project's .controlplane/controlplane.yml
+    required: false
+    default: "."
 
 runs:
   using: composite
   steps:
     - name: Delete application
       shell: bash
+      working-directory: ${{ inputs.working_directory }}
       run: ${{ github.action_path }}/delete-app.sh
       env:
         APP_NAME: ${{ inputs.app_name }}
 
@@ -34,6 +34,13 @@ runs:
         require "yaml"
 
         app_name = ARGV.fetch(0)
+
+        unless File.file?(".controlplane/controlplane.yml")
+          warn "Error: `.controlplane/controlplane.yml` is missing. " \
+               "cpflow-detect-release-phase must be invoked from a cpflow-configured project."
+          exit 1
+        end
+
         data = YAML.safe_load(File.read(".controlplane/controlplane.yml"), aliases: true)
         apps = data["apps"] || {}
         app_config = apps[app_name]
 
@@ -0,0 +1,161 @@
+name: Setup Control Plane Environment
+description: Sets up Ruby, installs the Control Plane CLI and cpflow, and configures a default profile
+
+inputs:
+  token:
+    description: Control Plane token
+    required: true
+  org:
+    description: Control Plane organization
+    required: true
+  ruby_version:
+    description: >-
+      Ruby version used for cpflow. When empty (the default), ruby/setup-ruby
+      auto-detects from .ruby-version, .tool-versions, mise.toml, or a Gemfile
+      ruby directive, then falls back to the action's pinned default.
+    required: false
+    default: ""
+  working_directory:
+    description: Directory where ruby/setup-ruby should detect Ruby version files.
+    required: false
+    default: "."
+  # GitHub parses double-brace expression snippets inside action metadata (including
+  # `description:`) while loading the composite action, and the `vars` context is not
+  # available in that phase. Keep these descriptions in plain prose - reference repo
+  # variables by NAME only, never with literal GitHub Actions expression syntax.
+  cpln_cli_version:
+    description: >-
+      @controlplane/cli version. Empty string falls back to the action's pinned default,
+      so callers can wire this input to the CPLN_CLI_VERSION repository variable
+      unconditionally.
+    required: false
+    default: ""
+  cpflow_version:
+    description: >-
+      cpflow gem version to install from RubyGems. Empty string installs cpflow from
+      the checked-out control-plane-flow repository, so callers can test a GitHub ref
+      without publishing a release.
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  # ruby/setup-ruby tracks Ruby/toolcache updates on a major tag. The privileged
+  # reusable workflows pin GitHub-owned actions to immutable SHAs.
+  steps:
+    - name: Resolve Ruby setup version
+      id: ruby-version
+      shell: bash
+      env:
+        INPUT_RUBY_VERSION: ${{ inputs.ruby_version }}
+        INPUT_WORKING_DIRECTORY: ${{ inputs.working_directory }}
+      run: |
+        set -euo pipefail
+
+        ruby_version="${INPUT_RUBY_VERSION}"
+        working_directory="${INPUT_WORKING_DIRECTORY:-.}"
+        # Bump when the project's minimum-supported Ruby advances.
+        default_ruby_version="3.2"
+
+        if [[ -z "${ruby_version}" ]]; then
+          if [[ -f "${working_directory}/.ruby-version" ]] ||
+             { [[ -f "${working_directory}/.tool-versions" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]+" "${working_directory}/.tool-versions"; } ||
+             { [[ -f "${working_directory}/mise.toml" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]*=" "${working_directory}/mise.toml"; } ||
+             { [[ -f "${working_directory}/.mise.toml" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]*=" "${working_directory}/.mise.toml"; }; then
+            : # keep empty; ruby/setup-ruby will auto-detect
+          elif [[ -f "${working_directory}/Gemfile" ]] && grep -Eq "^[[:space:]]*ruby[[:space:]]*(\(|file:|['\"])" "${working_directory}/Gemfile"; then
+            : # keep empty; ruby/setup-ruby will read Gemfile
+          else
+            ruby_version="${default_ruby_version}"
+          fi
+        fi
+
+        echo "ruby_version=${ruby_version}" >> "$GITHUB_OUTPUT"
+
+    - name: Set up Ruby
+      # ruby/setup-ruby intentionally tracks the v1 tag so Ruby/toolcache updates
+      # roll out automatically; Dependabot/Renovate can manage this non-GitHub action.
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ steps.ruby-version.outputs.ruby_version }}
+        working-directory: ${{ inputs.working_directory }}
+
+    - name: Install Control Plane CLI and cpflow gem
+      shell: bash
+      env:
+        CPLN_CLI_VERSION: ${{ inputs.cpln_cli_version }}
+        CPFLOW_VERSION: ${{ inputs.cpflow_version }}
+        CPFLOW_SOURCE_DIR: ${{ github.action_path }}/../../..
+      run: |
+        set -euo pipefail
+
+        # Bump this default when a new Control Plane CLI release should roll out by default.
+        # Override per-repo by setting the `CPLN_CLI_VERSION` repo variable.
+        default_cpln_cli_version="3.10.2"
+
+        CPLN_CLI_VERSION="${CPLN_CLI_VERSION:-${default_cpln_cli_version}}"
+
+        npm_global_prefix="${HOME}/.npm-global"
+        mkdir -p "${npm_global_prefix}"
+        echo "${npm_global_prefix}/bin" >> "$GITHUB_PATH"
+        export PATH="${npm_global_prefix}/bin:${PATH}"
+
+        npm install --global --prefix "${npm_global_prefix}" "@controlplane/cli@${CPLN_CLI_VERSION}"
+        cpln --version
+
+        if [[ -n "${CPFLOW_VERSION}" ]]; then
+          gem install cpflow -v "${CPFLOW_VERSION}" --no-document
+        else
+          cpflow_source_dir="$(cd "${CPFLOW_SOURCE_DIR}" && pwd)"
+          if [[ ! -f "${cpflow_source_dir}/cpflow.gemspec" ]]; then
+            echo "::error::CPFLOW_SOURCE_DIR (${cpflow_source_dir}) does not contain cpflow.gemspec" >&2
+            exit 1
+          fi
+
+          cpflow_gem="$(mktemp -t cpflow-XXXXXX.gem)"
+          trap 'rm -f "${cpflow_gem}"' EXIT
+          (
+            cd "${cpflow_source_dir}"
+            gem build cpflow.gemspec --output "${cpflow_gem}"
+          )
+          gem install "${cpflow_gem}" --no-document
+        fi
+
+        cpflow --version
+
+    - name: Setup Control Plane profile and registry login
+      shell: bash
+      env:
+        # Pass the token via CPLN_TOKEN so cpln picks it up from the environment
+        # rather than `--token`, which would leak it into /proc/<pid>/cmdline and ps output.
+        CPLN_TOKEN: ${{ inputs.token }}
+        ORG: ${{ inputs.org }}
+      run: |
+        set -euo pipefail
+
+        if [[ -z "$CPLN_TOKEN" ]]; then
+          echo "Error: Control Plane token not provided" >&2
+          exit 1
+        fi
+
+        if [[ -z "$ORG" ]]; then
+          echo "Error: Control Plane organization not provided" >&2
+          exit 1
+        fi
+
+        # `cpln profile update` lists `create` as an alias (cpln profile --help) and is
+        # idempotent: it creates the profile if missing and updates it otherwise. Calling
+        # update directly avoids parsing the CLI's "already exists" English error text,
+        # which would silently swallow a real failure if the wording ever changed.
+        cpln profile update default --org "$ORG"
+        cpln image docker-login --org "$ORG"
+
+        # Keep the token available to later cpflow/cpln steps without passing it
+        # on the command line. GitHub masks secret values in logs, and the env file
+        # itself is not echoed.
+        delim="CPLN_TOKEN_DELIM_$(openssl rand -hex 8)"
+        {
+          echo "CPLN_TOKEN<<${delim}"
+          echo "${CPLN_TOKEN}"
+          echo "${delim}"
+        } >> "$GITHUB_ENV"
@@ -0,0 +1,69 @@
+name: Cleanup Stale Review Apps
+
+on:
+  workflow_call:
+    inputs:
+      control_plane_flow_ref:
+        description: Git ref used to load shared cpflow composite actions.
+        required: false
+        type: string
+        default: main
+
+permissions:
+  contents: read
+
+concurrency:
+  # Single global group: only one cleanup sweep at a time. Independent of review-app
+  # deploy/delete groups (different keys), so cleanup will not block per-PR work.
+  group: cpflow-cleanup-stale-review-apps
+  # A cancelled `cpflow cleanup-stale-apps` can leave half-deleted review apps; let
+  # the in-flight run finish before the next scheduled tick begins.
+  cancel-in-progress: false
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout control-plane-flow actions
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          repository: shakacode/control-plane-flow
+          ref: ${{ inputs.control_plane_flow_ref }}
+          path: .cpflow
+          persist-credentials: false
+
+      - name: Validate required secrets and variables
+        uses: ./.cpflow/.github/actions/cpflow-validate-config
+        env:
+          CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
+          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
+        with:
+          required: |
+            secret:CPLN_TOKEN_STAGING
+            variable:CPLN_ORG_STAGING
+            variable:REVIEW_APP_PREFIX
+
+      - name: Setup environment
+        uses: ./.cpflow/.github/actions/cpflow-setup-environment
+        with:
+          token: ${{ secrets.CPLN_TOKEN_STAGING }}
+          org: ${{ vars.CPLN_ORG_STAGING }}
+          working_directory: .cpflow
+          cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
+          cpflow_version: ${{ vars.CPFLOW_VERSION }}
+
+      - name: Checkout caller repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Remove stale review apps
+        env:
+          REVIEW_APP_PREFIX: ${{ vars.REVIEW_APP_PREFIX }}
+          CPLN_ORG_STAGING: ${{ vars.CPLN_ORG_STAGING }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG_STAGING}" --yes