No actionable comments were generated in the recent review. 🎉

Walkthrough

A GitHub Actions workflow now sets COPY_IMAGE_RETRIES and COPY_IMAGE_RETRY_INTERVAL, prechecks the staging image with cpln image get, retries the staging→production image copy on failure, and refactors rollback updates to set container images by name instead of by array index.

Changes

Staging-to-Production Promotion Workflow

Sequence Diagram(s)

sequenceDiagram
  participant GitHubActions
  participant cpln
  participant cpflow
  participant cpln_workload
  GitHubActions->>cpln: CPLN_UPSTREAM_TOKEN + cpln image get (verify staging image)
  GitHubActions->>cpflow: cpflow copy-image-from-upstream (retry loop using COPY_IMAGE_RETRIES/COPY_IMAGE_RETRY_INTERVAL)
  cpflow-->>GitHubActions: copy success or failure code
  GitHubActions->>cpln_workload: cpln workload update with spec.containers.<name>.image (rollback)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#754: Modifies the same cpflow-promote-staging-to-production.yml promotion workflow and may interact with the environment-gated promotion logic adjusted here.

Poem

🐰 I hop through YAML, retry in tow,
I peek the image where the staging rivers flow,
I try, I wait, I try once more,
Rollback by name — no index chore,
The pipeline hums, and off we go.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

Greptile Summary

This PR hardens the production promotion workflow by adding a staging image preflight check, a configurable retry loop around the image copy step, and a fix to the rollback logic that switches from unsupported array-index paths (spec.containers[N].image) to CPLN CLI container-name paths (spec.containers.NAME.image).

• Preflight check: Before the retry loop, cpln image get is called with the staging token to confirm the image exists; a failure here causes an early, clear exit before any copy is attempted.
• Retry loop: cpflow copy-image-from-upstream is retried up to COPY_IMAGE_RETRIES (default 3) times with COPY_IMAGE_RETRY_INTERVAL (default 20 s) between attempts; the exit code of the last failed run is preserved and propagated correctly.
• Rollback path fix: The jq query and --set path are updated to use container names rather than positional indices, matching what the CPLN CLI actually supports.

Confidence Score: 4/5

Safe to merge; all three changes address documented real failures and the core copy/rollback logic is correct.

The preflight check, retry loop, and rollback path fix are all well-formed. The only thing worth a second look is that the per-attempt warning is suppressed on the final retry, leaving a small observability gap in the logs — but this has no effect on correctness or production safety.

No files require special attention beyond the minor logging gap on the last retry attempt in the copy step.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant CPLN_S as CPLN Staging API
    participant CPFLOW as cpflow CLI
    participant CPLN_P as CPLN Production API

    GH->>CPLN_S: cpln image get STAGING_IMAGE (preflight)
    alt Image not found
        CPLN_S-->>GH: error → step fails early
    else Image exists
        CPLN_S-->>GH: 200 OK

        loop Retry up to COPY_IMAGE_RETRIES times
            GH->>CPFLOW: copy-image-from-upstream
            CPFLOW->>CPLN_S: pull image
            CPFLOW->>CPLN_P: push image
            alt Copy succeeds
                CPLN_P-->>GH: success → break
            else "Copy fails (attempt < max)"
                GH->>GH: warning + sleep COPY_IMAGE_RETRY_INTERVAL
            end
        end

        alt All retries exhausted
            GH->>GH: error + exit copy_status
        else Copy succeeded
            GH->>CPLN_P: deploy-image
            alt Deploy healthy
                CPLN_P-->>GH: health check pass
            else Deploy unhealthy
                GH->>CPLN_P: cpln workload update spec.containers.NAME.image (rollback)
                GH->>GH: wait for rollback readiness
            end
        end
    end

_{Reviews (1): Last reviewed commit: "Harden production promotion image copy" | Re-trigger Greptile}

Code Review

Overall: Solid defensive hardening. The preflight check and retry logic are well-structured, and the rollback path fix is a clear correctness improvement. A few things worth addressing before merge:

Correctness

• Rollback fix looks correct. Switching from numeric index notation (spec.containers[0].image) to named-container notation (spec.containers.<name>.image) matches what the CPLN CLI actually supports. The current_names fetch is still used for the safety check that refuses rollback when the container set has changed — that logic is intact.

Edge Cases

• COPY_IMAGE_RETRIES=0 silently skips the copy. seq 1 0 produces no output, so the loop body never executes, copy_status stays at its initialised value of 1, and the job fails with "after 0 attempt(s)" — an odd failure mode if someone misconfigures or tries to use 0 to mean "no retries". Consider guarding with [[ $COPY_IMAGE_RETRIES -gt 0 ]] || COPY_IMAGE_RETRIES=1 or documenting that 0 is unsupported.

• Preflight failure has no custom context message. When cpln image get exits non-zero, the only output is whatever the cpln CLI prints. The copy-failure path has an explicit echo ::error:: naming the staging org and image; the preflight doesn't. Suggest adding an error echo before the cpln image get call (or as a || trap) so the Actions log is self-explanatory without reading cpln's raw output.

Minor

• copy_status capture is correct. After if cmd; then …; fi with no else, bash sets $? to cmd's exit code when the condition was false — so copy_status=$? correctly captures cpflow's non-zero status on each failed attempt.
• Secret exposure surface is unchanged. Using CPLN_TOKEN="${CPLN_TOKEN_STAGING}" as an inline assignment for cpln image get is consistent with the existing pattern and keeps the value out of /proc/<pid>/cmdline.

Code Review: Harden production promotion image copy

Overview

This PR makes three targeted improvements to the staging→production promotion workflow:

1. Preflight check – validates the staging image exists before attempting a copy.
2. Retry loop – wraps cpflow copy-image-from-upstream in a configurable retry with tunable defaults (COPY_IMAGE_RETRIES=3, COPY_IMAGE_RETRY_INTERVAL=20s).
3. Rollback path fix – switches from unsupported array-index paths (spec.containers[${index}].image) to container-name paths (spec.containers.${container_name}.image).

The motivation is well-justified by the linked failed production run, and each change is narrowly scoped.

What works well

• Retry structure is correct. The if cmd; then ... else copy_status=$?; fi pattern inside a set -e shell is the right way to capture failures without triggering the errexit trap. The sleep is correctly skipped after the final attempt.
• No sleep after the last retry. The [[ "${attempt}" -lt "${COPY_IMAGE_RETRIES}" ]] guard is correct.
• Rollback simplification is a clear improvement. The old jq expression used index() to map names→array-positions then formatted [N] paths, which the CLI doesn't support. Direct spec.containers.${container_name}.image paths are both simpler and correct.
• Secret handling is intentional and sound. CPLN_TOKEN_STAGING (used by the preflight cpln call) and CPLN_UPSTREAM_TOKEN (used by cpflow copy-image-from-upstream) reference the same secret but serve different tools. Passing both via env rather than CLI flags keeps the token out of /proc/<pid>/cmdline.

Issues / Suggestions

1. Preflight failure is silent beyond cpln's own output (minor)

If cpln image get fails, set -e exits immediately with only the tool's native output. A quick || { echo "::error::..."; exit 1; } annotation would make the log immediately actionable without digging into cpln error text. See inline comment on line 351.

2. COPY_IMAGE_RETRIES=0 gives a confusing error (minor edge case)

seq 1 0 produces no output so the loop body never executes. copy_status stays at its initial value of 1, and the step fails with "after 0 attempt(s)" — accurate but surprising. A one-line guard ([[ "${COPY_IMAGE_RETRIES}" -ge 1 ]]) or a note in the env-var comment would prevent a head-scratcher. See inline comment on line 353.

3. Container names with dots (cosmetic / low risk)

CPLN container names follow DNS-label rules (alphanumeric + hyphens), so dots should never appear in practice. No action needed.

Security

No new attack surface. Values flow from vars/secrets into env vars consumed by trusted binaries. No dynamic string interpolation into shell commands.

Verdict

The changes are correct, well-scoped, and directly address a documented production failure. The two minor issues above are suggestions, not blockers. Ready to merge with or without the cosmetic improvements.

Code Review

Overall: LGTM with minor nits. This is a solid reliability improvement that directly addresses a real production failure. The logic is correct, the shell scripting is careful, and the rollback fix is a meaningful simplification.

What the PR does

1. Preflight check – validates the staging image exists in the staging org before attempting the cross-org copy, failing fast with a clear error instead of a cryptic copy failure.
2. Retry loop – wraps cpflow copy-image-from-upstream in a configurable retry loop (default 3 retries, 20s interval) with proper exit-status propagation.
3. Rollback fix – replaces fragile array-index --set paths (spec.containers[N].image) with name-based paths (spec.containers.<name>.image) that the CPLN CLI actually supports.

Positives

• 10#${COPY_IMAGE_RETRIES} forces decimal interpretation – good defence against accidental octal parsing if someone sets the var to 08 or similar.
• copy_status=1 initialised before the loop, so a hypothetical zero-iteration loop can't silently succeed.
• $? in the else branch of if cpflow ...; then ...; else copy_status=$?; fi correctly captures cpflow's non-zero exit – subtle but right.
• set -euo pipefail is preserved; the retry loop intentionally avoids -e breaking out early via the if wrapper, which is the correct pattern.
• Removing the current_names | index(...) jq for rollback eliminates a whole class of "container order changed between capture and rollback" bugs.

Issues / suggestions

Minor (line 383): The "no attempts remain" message uses ::warning:: but at this point the copy has definitively failed – ::error:: would match the severity and make the GitHub Actions annotation visually distinct from the transient retry warnings above it. (The subsequent ::error:: on line 388 catches it anyway, so this is cosmetic.)

Nit (lines 341–342): CPLN_TOKEN_STAGING and CPLN_TOKEN_UPSTREAM both resolve to secrets.CPLN_TOKEN_STAGING. The duplication is intentional (different names used for different commands in the script), but a short inline comment noting why both exist would help future readers.

See inline comments for specifics.

✅ Review App Deleted

Review app for PR #755 is deleted

🎮 Control Plane Console
📋 View Workflow Logs