Regenerate promotion wrappers after review follow-ups

Author: justin808

.controlplane/readme.md

@@ -577,7 +577,7 @@ For this repo, the update loop is:
 1. Generate from the desired `cpflow` release with `--staging-branch master`.
 2. Keep generated refs on a release tag once the upstream hardening changes ship.
    This branch temporarily pins refs to
-   `9ef104c246670d6c1ea4132dfd22be68ef930a70` to test upstream promotion
+   `01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350` to test upstream promotion
    hardening before the next release tag. Leave `CPFLOW_VERSION` unset while
    testing a commit SHA.
 3. Keep app names and GitHub settings aligned with `.controlplane/controlplane.yml`.

.controlplane/shakacode-team.md

@@ -118,7 +118,7 @@ Advanced optional settings are documented upstream in the
 [`control-plane-flow` CI automation guide](https://github.com/shakacode/control-plane-flow/blob/main/docs/ci-automation.md).
 
 Current workflow wrappers are temporarily pinned to upstream
-`control-plane-flow` commit `9ef104c246670d6c1ea4132dfd22be68ef930a70` to test
+`control-plane-flow` commit `01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350` to test
 promotion hardening before it ships in a release tag. Keep release tags as the
 steady-state configuration once the upstream PR is released; use a full commit
 SHA only for short-lived upstream PR testing and leave `CPFLOW_VERSION` unset in

.github/cpflow-help.md

@@ -2,7 +2,7 @@
 
 These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow).
 For full setup, version-pinning, and troubleshooting details, see the upstream
-[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/9ef104c246670d6c1ea4132dfd22be68ef930a70/docs/ci-automation.md).
+[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350/docs/ci-automation.md).
 
 ## Pull Request Commands
 
@@ -23,11 +23,23 @@ For the normal generated review-app path, GitHub needs one repository secret:
 | --- | --- | --- |
 | `CPLN_TOKEN_STAGING` | Repository secret | Control Plane service-account token for the staging/review org. |
 
+For public repositories, use a staging/review token that cannot access
+production Control Plane resources. Generated review-app deploys skip fork PR
+heads because Docker builds use repository secrets. If a forked change needs a
+review app, first move the reviewed change to a trusted branch in this
+repository.
+
 No repository variables are required for the standard review-app path when
 `.controlplane/controlplane.yml` has exactly one review app entry with
 `match_if_app_name_starts_with: true`. cpflow infers the review-app prefix and
 staging org from that config.
 
+Review apps run pull request code. Any value mounted through
+`cpln://secret/...` can be read by that code after the workload starts, so keep
+review-app secret dictionaries limited to disposable databases, review-only
+renderer credentials, and license values that are acceptable for review-app
+exposure.
+
 Optional overrides exist for forks, clones, and unusual apps:
 
 | Name | Notes |
@@ -100,11 +112,12 @@ production org, using production-only secrets and values.
 
 Generated wrappers normally pin Control Plane Flow with a release tag, for
 example `v5.1.0`. This branch temporarily pins the wrappers to upstream commit
-`9ef104c246670d6c1ea4132dfd22be68ef930a70` while testing unreleased production
-promotion hardening. Reusable review-app, staging, cleanup, and helper workflows
-pin that ref in their `uses:` entry. Production promotion pins the same ref in
-the `Checkout control-plane-flow actions` step so the caller-owned job can keep
-`environment: production` and receive production environment secrets directly.
+`01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350` while testing merged-but-unreleased
+production promotion hardening. Reusable review-app, staging, cleanup, and
+helper workflows pin that ref in their `uses:` entry. Production promotion pins
+the same ref in the `Checkout control-plane-flow actions` step so the
+caller-owned job can keep `environment: production` and receive production
+environment secrets directly.
 
 Leave `CPFLOW_VERSION` unset so the workflow builds cpflow from the same
 checked-out upstream source. If you set `CPFLOW_VERSION`, it must match the
@@ -143,7 +156,7 @@ Most apps do not need these:
 | Name | Notes |
 | --- | --- |
 | `DOCKER_BUILD_EXTRA_ARGS` | Newline-delimited extra Docker build tokens. |
-| `DOCKER_BUILD_SSH_KEY` | Private SSH key for Docker builds that fetch private dependencies. |
+| `DOCKER_BUILD_SSH_KEY` | Read-only, revocable deploy key for Docker builds that fetch private dependencies. Do not use a personal SSH key. |
 | `DOCKER_BUILD_SSH_KNOWN_HOSTS` | SSH known_hosts entries when SSH build hosts are not GitHub.com. |
 | `REVIEW_APP_DEPLOYING_ICON_URL` | Cosmetic custom image URL for the animated deploying icon. Set to `none` to use the text fallback icon. |
 | `STAGING_APP_BRANCH` | Custom staging branch. The branch must also appear in `cpflow-deploy-staging.yml`'s push filter. |

.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -12,6 +12,6 @@ jobs:
   cleanup:
     # Cleanup targets the current inferred review-app prefix. If you changed
     # naming conventions, manually delete review apps under the old prefix.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

.github/workflows/cpflow-delete-review-app.yml

@@ -31,6 +31,6 @@ jobs:
       github.event_name == 'workflow_dispatch'
     # This `if:` mirrors the upstream job guard to avoid a billable workflow_call
     # when the event does not match. Keep both conditions in sync.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

.github/workflows/cpflow-deploy-review-app.yml

@@ -30,7 +30,7 @@ jobs:
        github.event.issue.pull_request &&
        contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
       DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}

.github/workflows/cpflow-deploy-staging.yml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   deploy-staging:
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350
     with:
       staging_app_branch_default: "master"
     secrets:

.github/workflows/cpflow-help-command.yml

@@ -23,4 +23,4 @@ jobs:
        contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -69,7 +69,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           repository: shakacode/control-plane-flow
-          ref: 9ef104c246670d6c1ea4132dfd22be68ef930a70
+          ref: 01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350
           path: .cpflow
           persist-credentials: false
 
@@ -179,7 +179,7 @@ jobs:
           cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
           cpflow_version: ${{ vars.CPFLOW_VERSION }}
           # The setup action validates CPFLOW_VERSION against this full workflow ref.
-          control_plane_flow_ref: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+          control_plane_flow_ref: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350
 
       # Runs after Setup production environment so the pinned Ruby (>= 3.1) is on PATH.
       # YAML.load_file(..., aliases: true) is not supported on Ruby 3.0 (system Ruby on ubuntu-22.04).
@@ -307,6 +307,9 @@ jobs:
             fi
           }
 
+          # check_required_vars intentionally mutates env_check_failed in this
+          # shell; keep calls outside subshells so failures aggregate before the
+          # final exit.
           env_check_failed=0
 
           staging_vars="$(list_gvc_env_names "${CPLN_TOKEN_STAGING}" "${CPLN_ORG_STAGING}" "${STAGING_APP_NAME}")"
@@ -467,13 +470,9 @@ jobs:
           copy_image_attempts=$((copy_image_retries + 1))
           copy_image_retry_interval=$((10#${COPY_IMAGE_RETRY_INTERVAL}))
 
-          if [[ "${STAGING_IMAGE}" == *@* ]]; then
-            staging_image="${STAGING_IMAGE}"
-          else
-            staging_image="${STAGING_IMAGE%%@*}"
-          fi
+          staging_image="${STAGING_IMAGE}"
           if [[ -z "${staging_image}" ]]; then
-            echo "::error::Staging image '${STAGING_IMAGE}' did not contain a usable image reference."
+            echo "::error::STAGING_IMAGE is not set or is empty."
             exit 1
           fi
 

.github/workflows/cpflow-review-app-help.yml

@@ -18,4 +18,4 @@ jobs:
     # to PR-open help. Remove it, or uncomment and adapt this guard, if forks or
     # clones should stay quiet until Control Plane is configured:
     #   if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@9ef104c246670d6c1ea4132dfd22be68ef930a70
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@01dd1d231ce3d8849bcb7ed36b9fd9d184eb3350