Update cpflow GitHub Actions to 5.0.4 (#750)

Author: justin808

.controlplane/docs/testing-cpflow-github-actions.md

@@ -30,7 +30,7 @@ bin/conductor-exec bin/test-cpflow-github-flow ruby /path/to/control-plane-flow/
 ```
 
 Leave `CPFLOW_VERSION` unset while testing a commit SHA. After the upstream gem
-and tag ship, repin wrappers to the release tag, such as `v5.0.1`.
+and tag ship, repin wrappers to the release tag, such as `v5.0.4`.
 
 ## Review App Canary
 

.controlplane/readme.md

@@ -524,7 +524,7 @@ Keep the reusable-workflow mechanics in the upstream
 For this repo, the update loop is:
 
 1. Generate from the desired `cpflow` release with `--staging-branch master`.
-2. Keep generated refs on a release tag such as `v5.0.1`. Use a full upstream
+2. Keep generated refs on a release tag such as `v5.0.4`. Use a full upstream
    commit SHA only for short-lived downstream testing of an unreleased upstream
    PR, and leave `CPFLOW_VERSION` unset in that case.
 3. Keep app names and GitHub settings aligned with `.controlplane/controlplane.yml`.

.controlplane/shakacode-team.md

@@ -79,7 +79,7 @@ Advanced optional settings are documented upstream in the
 [`control-plane-flow` CI automation guide](https://github.com/shakacode/control-plane-flow/blob/main/docs/ci-automation.md).
 
 Current workflow wrappers are pinned to the upstream `control-plane-flow`
-release tag `v5.0.1`. Keep release tags as the steady-state configuration; use
+release tag `v5.0.4`. Keep release tags as the steady-state configuration; use
 a full commit SHA only for short-lived upstream PR testing.
 
 If staging moves off `master`, update both `STAGING_APP_BRANCH` and the branch
@@ -90,7 +90,7 @@ filter in `.github/workflows/cpflow-deploy-staging.yml`.
 When the upstream `control-plane-flow` repo changes the generated GitHub Actions
 flow, regenerate from the target `cpflow` version with `--staging-branch master`,
 review the diff, and validate with `bin/test-cpflow-github-flow` plus the normal
-CI checks. Stable automation should use release tags such as `v5.0.1`, not
+CI checks. Stable automation should use release tags such as `v5.0.4`, not
 `main` or a feature branch.
 
 See [readme.md](readme.md) and

.github/cpflow-help.md

@@ -2,7 +2,7 @@
 
 These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow).
 For full setup, version-pinning, and troubleshooting details, see the upstream
-[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/v5.0.1/docs/ci-automation.md).
+[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/v5.0.4/docs/ci-automation.md).
 
 ## Pull Request Commands
 
@@ -45,10 +45,17 @@ Before the first staging deploy, bootstrap the persistent staging app once:
 cpflow setup-app -a "$STAGING_APP_NAME" --org "$CPLN_ORG_STAGING" --skip-post-creation-hook
 ```
 
-`setup-app` creates the app identity, app secret dictionary, app secret policy,
-policy binding, and template resources. For later template updates on an
-existing persistent app, use `cpflow apply-template` and make sure the app
-identity has `reveal` permission on the app secret policy.
+`setup-app` reads `.controlplane/controlplane.yml`'s `setup_app_templates` and
+creates the app identity, app secret dictionary, app secret policy, policy
+binding, and template resources. Use `--skip-post-creation-hook` so first-time
+bootstrap does not try to run database setup before an image exists. For later
+template updates on an existing persistent app, use `cpflow apply-template`
+with the same template list and make sure the app identity has `reveal`
+permission on the app secret policy.
+
+Review apps are temporary and are created by the `+review-app-deploy` workflow,
+but staging and production are persistent apps and should be bootstrapped
+explicitly.
 
 Production promotion is part of the generated flow, but keep it protected:
 
@@ -69,17 +76,32 @@ production org, using production-only secrets and values.
 ## Version Locking
 
 Generated wrappers pin Control Plane Flow once with the reusable workflow
-`uses:` ref, for example `@v5.0.1`. For stable releases, this ref should be a
-release tag. The upstream reusable workflow automatically
+`uses:` ref, for example `@v5.0.4`. For stable releases,
+this ref should be a release tag. The upstream reusable workflow automatically
 loads its matching shared actions from GitHub's workflow context, so downstream
 wrappers should not pass a duplicate Control Plane Flow ref input. If your
 generated wrappers still include a `with:` block whose only purpose is to repeat
 the same ref, regenerate them with a newer `cpflow`.
 
 Leave `CPFLOW_VERSION` unset so the workflow builds cpflow from the same
 checked-out upstream source. If you set `CPFLOW_VERSION`, it must match the
-release tag, for example `CPFLOW_VERSION=5.0.1` with a wrapper pinned to
-`uses: ...@v5.0.1`.
+release tag, for example `CPFLOW_VERSION=5.0.4` with a wrapper pinned to
+`uses: ...@v5.0.4`.
+
+After updating the `cpflow` gem in this repo, update the generated wrappers in
+the same PR:
+
+```sh
+cpflow update-github-actions
+bin/test-cpflow-github-flow
+```
+
+If `cpflow` is bundled by the app, use:
+
+```sh
+bundle exec cpflow update-github-actions
+bin/test-cpflow-github-flow bundle exec cpflow
+```
 
 Do not leave downstream apps pinned to a moving branch such as `main`. For a
 short-lived test of an unreleased upstream PR, pin to a full 40-character commit

.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -12,6 +12,6 @@ jobs:
   cleanup:
     # Cleanup targets the current inferred review-app prefix. If you changed
     # naming conventions, manually delete review apps under the old prefix.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@v5.0.1
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@v5.0.4
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

.github/workflows/cpflow-delete-review-app.yml

@@ -31,6 +31,6 @@ jobs:
       github.event_name == 'workflow_dispatch'
     # This `if:` mirrors the upstream job guard to avoid a billable workflow_call
     # when the event does not match. Keep both conditions in sync.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@v5.0.1
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@v5.0.4
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

.github/workflows/cpflow-deploy-review-app.yml

@@ -30,7 +30,7 @@ jobs:
        github.event.issue.pull_request &&
        contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.0.1
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.0.4
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
       DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}

.github/workflows/cpflow-deploy-staging.yml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   deploy-staging:
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.0.1
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.0.4
     with:
       staging_app_branch_default: "master"
     secrets:

.github/workflows/cpflow-help-command.yml

@@ -23,4 +23,4 @@ jobs:
        contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@v5.0.1
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@v5.0.4

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -16,7 +16,7 @@ permissions:
 jobs:
   promote-to-production:
     if: github.event.inputs.confirm_promotion == 'promote'
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@v5.0.1
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@v5.0.4
     with:
       # Keep CPLN_TOKEN_PRODUCTION as a secret on this protected GitHub
       # Environment. The caller passes the environment name, the upstream