Update cpflow workflows to 5.0.0.rc.0

Author: justin808

.github/actions/cpflow-build-docker-image/action.yml

@@ -21,8 +21,12 @@ inputs:
     description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
     required: false
   docker_build_ssh_known_hosts:
-    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys; override if GitHub rotates keys or your build uses another SSH host.
+    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
     required: false
+  working_directory:
+    description: Directory containing the app .controlplane config and Docker build context
+    required: false
+    default: "."
 
 runs:
   using: composite
@@ -48,10 +52,8 @@ runs:
         chmod 700 ~/.ssh
 
         if [[ -n "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" ]]; then
-          printf '%s\n' "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
+          printf '%s\n' "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" | tr -d '\r' > ~/.ssh/known_hosts
         else
-          # GitHub.com host keys verified against GitHub's published keys on 2026-05-01.
-          # Override docker_build_ssh_known_hosts if GitHub rotates keys again.
           printf '%s\n' \
             'github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl' \
             'github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=' \
@@ -60,7 +62,7 @@ runs:
         fi
         chmod 600 ~/.ssh/known_hosts
 
-        printf '%s\n' "${DOCKER_BUILD_SSH_KEY}" > ~/.ssh/cpflow_build_key
+        printf '%s\n' "${DOCKER_BUILD_SSH_KEY}" | tr -d '\r' > ~/.ssh/cpflow_build_key
         chmod 600 ~/.ssh/cpflow_build_key
 
     - name: Build Docker image
@@ -71,20 +73,29 @@ runs:
         CONTROL_PLANE_ORG: ${{ inputs.org }}
         DOCKER_BUILD_EXTRA_ARGS: ${{ inputs.docker_build_extra_args }}
         PR_NUMBER: ${{ inputs.pr_number }}
+        WORKING_DIRECTORY: ${{ inputs.working_directory }}
       run: |
         set -euo pipefail
 
         PR_INFO=""
         docker_build_args=()
         ssh_agent_started=false
+        build_ssh_prepped=false
 
         cleanup_build_ssh() {
           if [[ "${ssh_agent_started}" == "true" ]]; then
             ssh-agent -k >/dev/null || true
           fi
           rm -f "${HOME}/.ssh/cpflow_build_key"
+          # Only remove known_hosts if this action's prep step wrote it. On self-hosted
+          # or reused runners we must not touch a user-managed file we did not create,
+          # so the flag is set inside the same prep-detection branch below.
+          if [[ "${build_ssh_prepped}" == "true" ]]; then
+            rm -f "${HOME}/.ssh/known_hosts"
+          fi
         }
         trap cleanup_build_ssh EXIT
+        cd "${WORKING_DIRECTORY}"
 
         if [[ -n "${PR_NUMBER}" ]]; then
           PR_INFO=" for PR #${PR_NUMBER}"
@@ -106,6 +117,9 @@ runs:
         fi
 
         if [[ -f "${HOME}/.ssh/cpflow_build_key" ]]; then
+          # Mark prep-step ownership so cleanup_build_ssh only removes known_hosts
+          # when this action wrote it (see trap above).
+          build_ssh_prepped=true
           eval "$(ssh-agent -s)"
           ssh_agent_started=true
           ssh-add "${HOME}/.ssh/cpflow_build_key"
@@ -115,10 +129,3 @@ runs:
         echo "🏗️ Building Docker image${PR_INFO} (commit ${COMMIT_SHA})..."
         cpflow build-image -a "${APP_NAME}" --commit="${COMMIT_SHA}" --org="${CONTROL_PLANE_ORG}" "${docker_build_args[@]}"
         echo "✅ Docker image build successful${PR_INFO} (commit ${COMMIT_SHA})"
-
-    - name: Remove SSH key
-      if: ${{ always() }}
-      shell: bash
-      run: |
-        # Defence in depth for cancellations or future refactors around the build trap.
-        rm -f "${HOME}/.ssh/cpflow_build_key"

.github/actions/cpflow-delete-control-plane-app/delete-app.sh

@@ -14,15 +14,6 @@ if [[ "$APP_NAME" != "${expected_prefix}"* ]]; then
   exit 1
 fi
 
-# Guard against a misconfigured REVIEW_APP_PREFIX that would otherwise match a
-# well-known shared environment. This intentionally rejects review-app prefixes
-# containing these word segments; failing closed is safer for deletion.
-if echo "$APP_NAME" | grep -iqE '(^|-)(production|staging)(-|$)'; then
-  echo "❌ ERROR: refusing to delete an app whose name contains 'production' or 'staging'" >&2
-  echo "App name: $APP_NAME" >&2
-  exit 1
-fi
-
 echo "🔍 Checking if application exists: $APP_NAME"
 exists_output=""
 set +e
@@ -33,7 +24,7 @@ set -e
 case "$exists_status" in
   0)
     ;;
-  2)
+  3)
     if [[ -n "$exists_output" ]]; then
       printf '%s\n' "$exists_output"
     fi

.github/actions/cpflow-detect-release-phase/action.yml

@@ -7,6 +7,10 @@ inputs:
   app_name:
     description: cpflow app name to inspect
     required: true
+  working_directory:
+    description: Directory containing .controlplane/controlplane.yml
+    required: false
+    default: "."
 
 outputs:
   flag:
@@ -21,14 +25,16 @@ runs:
       shell: bash
       env:
         APP_NAME: ${{ inputs.app_name }}
+        WORKING_DIRECTORY: ${{ inputs.working_directory }}
       run: |
         set -euo pipefail
+        cd "${WORKING_DIRECTORY}"
 
         release_script="$(ruby - "${APP_NAME}" <<'RUBY'
         require "yaml"
 
         app_name = ARGV.fetch(0)
-        data = YAML.load_file(".controlplane/controlplane.yml", aliases: true)
+        data = YAML.safe_load(File.read(".controlplane/controlplane.yml"), aliases: true)
         apps = data["apps"] || {}
         app_config = apps[app_name]
 

.github/actions/cpflow-setup-environment/action.yml

@@ -29,6 +29,13 @@ inputs:
 
 runs:
   using: composite
+  # Third-party actions are pinned to floating major tags (`@v4`, `@v1`, `@v7`) rather than
+  # immutable SHAs. SHA pinning is GitHub's stronger security recommendation, but for
+  # generated templates that ship into many downstream repositories floating tags are
+  # easier for users to keep current and Dependabot/Renovate already cover the SHA-pinning
+  # workflow for repositories that opt in. Repositories with stricter supply-chain
+  # requirements should replace each `uses: actions/...@vN` with the corresponding
+  # immutable commit SHA.
   steps:
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
@@ -47,7 +54,7 @@ runs:
         # Override per-repo by setting `CPLN_CLI_VERSION` / `CPFLOW_VERSION` repo variables;
         # an empty input falls back to the action's pinned default below.
         default_cpln_cli_version="3.3.1"
-        default_cpflow_version="4.2.0"
+        default_cpflow_version="5.0.0.rc.0"
 
         CPLN_CLI_VERSION="${CPLN_CLI_VERSION:-${default_cpln_cli_version}}"
         CPFLOW_VERSION="${CPFLOW_VERSION:-${default_cpflow_version}}"
@@ -83,22 +90,9 @@ runs:
           exit 1
         fi
 
-        # Persist the token because later cpflow/cpln steps read CPLN_TOKEN directly.
-        # Use a randomized delimiter so a multiline token cannot terminate the heredoc early.
-        delim="CPLN_TOKEN_$(openssl rand -hex 8)"
-        {
-          echo "CPLN_TOKEN<<${delim}"
-          echo "${CPLN_TOKEN}"
-          echo "${delim}"
-        } >> "$GITHUB_ENV"
-
-        create_output=""
-        if ! create_output="$(cpln profile create default --org "$ORG" 2>&1)"; then
-          if ! echo "$create_output" | grep -qi "already exists"; then
-            echo "$create_output" >&2
-            exit 1
-          fi
-        fi
-
+        # `cpln profile update` lists `create` as an alias (cpln profile --help) and is
+        # idempotent: it creates the profile if missing and updates it otherwise. Calling
+        # update directly avoids parsing the CLI's "already exists" English error text,
+        # which would silently swallow a real failure if the wording ever changed.
         cpln profile update default --org "$ORG"
         cpln image docker-login --org "$ORG"

.github/actions/cpflow-validate-config/action.yml

@@ -39,13 +39,23 @@ runs:
         missing=()
         while IFS= read -r entry; do
           entry="${entry%$'\r'}"
-          entry="${entry#"${entry%%[![:space:]]*}"}"
-          entry="${entry%"${entry##*[![:space:]]}"}"
+          entry="${entry## }"
+          entry="${entry%% }"
           [[ -z "${entry}" ]] && continue
 
           type="${entry%%:*}"
           name="${entry#*:}"
 
+          # Reject names that are not plain SHELL_VAR identifiers before doing the
+          # indirect lookup below. Without this guard, ${!name} would expand whatever
+          # bash nameref/transformation a hand-edited generated workflow snuck in
+          # (e.g. `BASH_FUNC_foo%%`). Callers today are the generated templates, but
+          # the generated file lives in the user's repo and can be hand-edited.
+          if [[ ! "${name}" =~ ^[A-Z_][A-Z0-9_]*$ ]]; then
+            echo "Invalid config entry name: ${name}" >&2
+            exit 1
+          fi
+
           # Indirect bash lookup: reads the env var named by ${name} (e.g. CPLN_TOKEN_STAGING)
           # so the value never has to round-trip through workflow logs.
           if [[ -z "${!name:-}" ]]; then

.github/actions/cpflow-wait-for-health/action.yml

@@ -61,12 +61,15 @@ runs:
         for attempt in $(seq 1 "${CPFLOW_MAX_RETRIES}"); do
           echo "Health check attempt ${attempt}/${CPFLOW_MAX_RETRIES}"
 
-          if ! workload_json="$(cpln workload get "${CPFLOW_WORKLOAD_NAME}" --gvc "${CPFLOW_APP_NAME}" --org "${CPFLOW_ORG}" -o json 2>&1)"; then
+          workload_stderr="$(mktemp)"
+          if ! workload_json="$(cpln workload get "${CPFLOW_WORKLOAD_NAME}" --gvc "${CPFLOW_APP_NAME}" --org "${CPFLOW_ORG}" -o json 2>"${workload_stderr}")"; then
             echo "::error::Workload '${CPFLOW_WORKLOAD_NAME}' not found in GVC '${CPFLOW_APP_NAME}'. Set PRIMARY_WORKLOAD to the correct workload name." >&2
-            printf '%s\n' "${workload_json}" >&2
+            cat "${workload_stderr}" >&2
+            rm -f "${workload_stderr}"
             echo "healthy=false" >> "$GITHUB_OUTPUT"
             exit 1
           fi
+          rm -f "${workload_stderr}"
 
           endpoint="$(echo "${workload_json}" | jq -r '.status.endpoint // empty')"
           if [[ -n "${endpoint}" ]]; then

.github/cpflow-help.md

@@ -6,12 +6,12 @@
 - Creates the review app if it does not exist
 - Builds the PR commit image
 - Deploys the image and comments with the review URL
-- The comment must contain exactly `/deploy-review-app` and no other text
+- Comment body must be exactly `/deploy-review-app` — no surrounding text, trailing whitespace, or trailing newline. The trigger uses an exact-equality match, so a comment like `please /deploy-review-app now` or `/deploy-review-app ` (with a trailing space) silently no-ops.
 
 `/delete-review-app`
 - Deletes the review app when the PR is done
 - This also runs automatically when the PR closes
-- The comment must contain exactly `/delete-review-app` and no other text
+- Same exact-match rule as `/deploy-review-app`: the comment body must be exactly `/delete-review-app`.
 
 ## Repository secrets
 

.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Validate required secrets and variables
         uses: ./.github/actions/cpflow-validate-config
@@ -52,4 +54,3 @@ jobs:
         run: |
           set -euo pipefail
           cpflow cleanup-stale-apps -a "${REVIEW_APP_PREFIX}" --org "${CPLN_ORG_STAGING}" --yes
-          echo "Stale review apps under prefix '${REVIEW_APP_PREFIX}' have been cleaned up." >> "$GITHUB_STEP_SUMMARY"

.github/workflows/cpflow-delete-review-app.yml

@@ -1,9 +1,6 @@
 name: Delete Review App
 
 on:
-  # SECURITY: pull_request_target is intentional for PR-close cleanup from forks.
-  # This workflow must keep checking out trusted base-branch code only; do not
-  # change checkout to a PR head ref without re-evaluating secret exposure.
   pull_request_target:
     types: [closed]
   issue_comment:
@@ -54,6 +51,11 @@ jobs:
       # trusted base-branch code; keep them that way when changing this workflow.
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          # Delete only invokes `cpln`/`cpflow`; no git push happens, so drop the
+          # GITHUB_TOKEN credential helper to keep the token out of .git/config under
+          # `pull_request_target`, which has access to repository secrets.
+          persist-credentials: false
 
       - name: Validate required secrets and variables
         id: config
@@ -136,7 +138,9 @@ jobs:
                 repo: context.repo.repo,
                 deployment_id: deployment.id,
                 state: "inactive",
-                description: `Review app ${process.env.APP_NAME} was deleted`
+                environment,
+                log_url: process.env.WORKFLOW_URL,
+                description: "Review app deleted"
               });
             }