Tighten production promotion review fixes

justin808 · justin808 · commit 68a4a6c8b660 · 2026-06-01T19:09:55.000-10:00
diff --git a/.github/workflows/cpflow-promote-staging-to-production.yml b/.github/workflows/cpflow-promote-staging-to-production.yml
@@ -245,6 +245,8 @@ jobs:
           selected_version=""
           rollback_state='{}'
 
+          # Validate all workloads have images, then promote the primary workload's
+          # image as the canonical image for this GVC.
           while IFS= read -r workload_name; do
             [[ -n "${workload_name}" ]] || continue
 
@@ -372,7 +374,7 @@ jobs:
           accepted_statuses: ${{ env.HEALTH_CHECK_ACCEPTED_STATUSES }}
 
       - name: Roll back on failure
-        if: failure() && steps.capture-current.outputs.rollback_state != '' && steps.capture-current.outputs.rollback_state != '{}'
+        if: failure() && steps.capture-current.outcome == 'success'
         env:
           ROLLBACK_STATE: ${{ steps.capture-current.outputs.rollback_state }}
           PRODUCTION_APP_NAME: ${{ vars.PRODUCTION_APP_NAME }}
@@ -439,7 +441,7 @@ jobs:
           fi
 
       - name: Wait for rollback readiness
-        if: failure() && steps.capture-current.outputs.rollback_state != '' && steps.capture-current.outputs.rollback_state != '{}'
+        if: failure() && steps.capture-current.outcome == 'success'
         env:
           ROLLBACK_STATE: ${{ steps.capture-current.outputs.rollback_state }}
           PRODUCTION_APP_NAME: ${{ vars.PRODUCTION_APP_NAME }}
@@ -462,6 +464,7 @@ jobs:
           pids=()
           for workload_name in "${workloads[@]}"; do
             [[ -n "${workload_name}" ]] || continue
+            status_name="${workload_name//\//_}"
 
             echo "Polling rollback readiness for workload '${workload_name}'..."
             (
@@ -480,9 +483,9 @@ jobs:
               done
 
               if [[ "${ready}" == "true" ]]; then
-                printf 'ready\n' > "${status_dir}/${workload_name}"
+                printf 'ready\n' > "${status_dir}/${status_name}"
               else
-                printf 'not_ready\n' > "${status_dir}/${workload_name}"
+                printf 'not_ready\n' > "${status_dir}/${status_name}"
               fi
             ) &
             pids+=("$!")
@@ -498,7 +501,8 @@ jobs:
 
           for workload_name in "${workloads[@]}"; do
             [[ -n "${workload_name}" ]] || continue
-            status_file="${status_dir}/${workload_name}"
+            status_name="${workload_name//\//_}"
+            status_file="${status_dir}/${status_name}"
             if [[ ! -f "${status_file}" ]] || [[ "$(<"${status_file}")" != "ready" ]]; then
               echo "::warning::Workload '${workload_name}' did not report ready after rollback."
             fi
@@ -510,6 +514,7 @@ jobs:
           HEALTHY: ${{ steps.health-check.outputs.healthy }}
           PREVIOUS_IMAGE: ${{ steps.capture-current.outputs.current_image }}
           PREVIOUS_VERSION: ${{ steps.capture-current.outputs.current_version }}
+          DEPLOYED_IMAGE: ${{ steps.staging-image.outputs.image }}
         shell: bash
         run: |
           {
@@ -523,6 +528,7 @@ jobs:
             echo
             echo "Previous image: \`${PREVIOUS_IMAGE}\`"
             echo "Previous version: ${PREVIOUS_VERSION}"
+            echo "Deployed image: \`${DEPLOYED_IMAGE}\`"
           } >> "$GITHUB_STEP_SUMMARY"
 
   create-github-release:
diff --git a/bin/test-cpflow-github-flow b/bin/test-cpflow-github-flow
@@ -43,7 +43,7 @@ ruby <<'RUBY'
 require "yaml"
 
 CONTROL_PLANE_FLOW_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/[^@\s]+@([^\s]+)\z}
-PROMOTE_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/cpflow-promote-staging-to-production\.yml@[^\s]+\z}
+PROMOTE_WORKFLOW = %r{\Ashakacode/control-plane-flow/\.github/workflows/cpflow-promote-staging-to-production\.yml@([^\s]+)\z}
 EXPECTED_CPFLOW_CHECKOUT_ACTION = "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
 EXPECTED_CPFLOW_CHECKOUT_REPOSITORY = "shakacode/control-plane-flow"
 
@@ -82,7 +82,11 @@ end
 
 promote_path = ".github/workflows/cpflow-promote-staging-to-production.yml"
 promote_doc = YAML.load_file(promote_path, aliases: true)
-promote_job = promote_doc.fetch("jobs", {}).fetch("promote-to-production")
+promote_job = promote_doc.fetch("jobs", {})["promote-to-production"]
+
+unless promote_job
+  abort "#{promote_path}:promote-to-production job is missing"
+end
 
 if promote_job.key?("uses")
   abort "#{promote_path}:promote-to-production must run as a normal caller-repo job, not a reusable workflow, so GitHub can expose production environment secrets"
@@ -116,6 +120,21 @@ end
 
 refs[checkout_ref] << "#{promote_path}:promote-to-production"
 
+setup_step = Array(promote_job["steps"]).find { |step| step["name"] == "Setup production environment" }
+
+unless setup_step
+  abort "#{promote_path}:promote-to-production must include a Setup production environment step"
+end
+
+setup_ref = setup_step.fetch("with", {})["control_plane_flow_ref"]
+setup_match = setup_ref.to_s.match(PROMOTE_WORKFLOW)
+
+unless setup_match
+  abort "#{promote_path}:promote-to-production must pass a pinned production control_plane_flow_ref to setup"
+end
+
+refs[setup_match[1]] << "#{promote_path}:promote-to-production setup"
+
 if refs.empty?
   puts "no upstream cpflow reusable workflow refs found"
 elsif refs.length > 1
