diff --git a/.controlplane/readme.md b/.controlplane/readme.md index f6c25442..b122bdf8 100644 --- a/.controlplane/readme.md +++ b/.controlplane/readme.md @@ -577,9 +577,10 @@ For this repo, the update loop is: 1. Generate from the desired `cpflow` release with `--staging-branch master`. 2. Keep generated refs on a release tag once the upstream hardening changes ship. This branch temporarily pins refs to - `2d8225572edd6f54c83ba9c51bd2983546989e93` to test upstream promotion - hardening before the next release tag. Leave `CPFLOW_VERSION` unset while - testing a commit SHA. + `d8877ca0c9c1d88947f322903e4a4344641029ba` to use merged-but-unreleased + upstream promotion hardening and the release-runner timeout fix before the + next release tag. + Leave `CPFLOW_VERSION` unset while testing a commit SHA. 3. Keep app names and GitHub settings aligned with `.controlplane/controlplane.yml`. 4. Validate locally: diff --git a/.controlplane/shakacode-team.md b/.controlplane/shakacode-team.md index c1206138..20a529fe 100644 --- a/.controlplane/shakacode-team.md +++ b/.controlplane/shakacode-team.md 
@@ -118,11 +118,11 @@ Advanced optional settings are documented upstream in the [`control-plane-flow` CI automation guide](https://github.com/shakacode/control-plane-flow/blob/main/docs/ci-automation.md). Current workflow wrappers are temporarily pinned to upstream -`control-plane-flow` commit `2d8225572edd6f54c83ba9c51bd2983546989e93` to test -promotion hardening before it ships in a release tag. Keep release tags as the -steady-state configuration once the upstream PR is released; use a full commit -SHA only for short-lived upstream PR testing and leave `CPFLOW_VERSION` unset in -that case. +`control-plane-flow` commit `d8877ca0c9c1d88947f322903e4a4344641029ba` to use +merged-but-unreleased promotion hardening and the release-runner timeout fix +before they ship in a release tag. Keep release tags as the steady-state +configuration once the upstream changes are released; use a full commit SHA only +for short-lived upstream testing and leave `CPFLOW_VERSION` unset in that case. If staging moves off `master`, update both `STAGING_APP_BRANCH` and the branch filter in `.github/workflows/cpflow-deploy-staging.yml`. diff --git a/.github/cpflow-help.md b/.github/cpflow-help.md index b05471a3..786d5692 100644 --- a/.github/cpflow-help.md +++ b/.github/cpflow-help.md @@ -2,7 +2,7 @@ These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow). For full setup, version-pinning, and troubleshooting details, see the upstream -[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/2d8225572edd6f54c83ba9c51bd2983546989e93/docs/ci-automation.md). +[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/d8877ca0c9c1d88947f322903e4a4344641029ba/docs/ci-automation.md). ## Pull Request Commands 
@@ -112,9 +112,10 @@ production org, using production-only secrets and values. Generated wrappers normally pin Control Plane Flow with a release tag, for example `v5.1.0`. This branch temporarily pins the wrappers to upstream commit -`2d8225572edd6f54c83ba9c51bd2983546989e93` while testing -merged-but-unreleased production promotion hardening. Reusable review-app, -staging, cleanup, and helper workflows pin that ref in their `uses:` entry. +`d8877ca0c9c1d88947f322903e4a4344641029ba` while using merged-but-unreleased +production promotion hardening plus the release-runner timeout fix. Reusable +review-app, staging, cleanup, and helper workflows pin that ref in their +`uses:` entry. Production promotion pins the same ref in its control-plane-flow checkout step so the caller-owned job can keep `environment: production` and receive production environment secrets directly. diff --git a/.github/workflows/cpflow-cleanup-stale-review-apps.yml b/.github/workflows/cpflow-cleanup-stale-review-apps.yml index 24111068..220b55d7 100644 --- a/.github/workflows/cpflow-cleanup-stale-review-apps.yml +++ b/.github/workflows/cpflow-cleanup-stale-review-apps.yml @@ -12,6 +12,6 @@ jobs: cleanup: # Cleanup targets the current inferred review-app prefix. If you changed # naming conventions, manually delete review apps under the old prefix. - uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@d8877ca0c9c1d88947f322903e4a4344641029ba secrets: CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }} diff --git a/.github/workflows/cpflow-delete-review-app.yml b/.github/workflows/cpflow-delete-review-app.yml index fe94b89a..659c0baa 100644 --- a/.github/workflows/cpflow-delete-review-app.yml +++ b/.github/workflows/cpflow-delete-review-app.yml 
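Review bot: The new `uses:` ref in cpflow-cleanup-stale-review-apps.yml carries no marker that it is a temporary pin to an unreleased upstream commit, although the docs changed in this same diff describe it that way. The same applies to the `uses:` lines in the delete-review-app, deploy-review-app, deploy-staging, help-command and review-app-help hunks. These reusable workflows are handed `CPLN_TOKEN_STAGING` (and `DOCKER_BUILD_SSH_KEY` in deploy-review-app), so before merge it is worth confirming that `d8877ca0c9c1d88947f322903e4a4344641029ba` is reachable from the upstream default branch, because a full SHA on its own does not show which branch or fork the commit came from. I would add a comment above each pin such as `# Temporary pin: merged-but-unreleased upstream commit; return to a release tag once it ships.` The job body continues outside the hunk.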
@@ -31,6 +31,6 @@ jobs: github.event_name == 'workflow_dispatch' # This `if:` mirrors the upstream job guard to avoid a billable workflow_call # when the event does not match. Keep both conditions in sync. - uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@d8877ca0c9c1d88947f322903e4a4344641029ba secrets: CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }} diff --git a/.github/workflows/cpflow-deploy-review-app.yml b/.github/workflows/cpflow-deploy-review-app.yml index 2cffcbd4..f43a08f1 100644 --- a/.github/workflows/cpflow-deploy-review-app.yml +++ b/.github/workflows/cpflow-deploy-review-app.yml @@ -30,7 +30,7 @@ jobs: github.event.issue.pull_request && contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) - uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@d8877ca0c9c1d88947f322903e4a4344641029ba secrets: CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }} DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }} diff --git a/.github/workflows/cpflow-deploy-staging.yml b/.github/workflows/cpflow-deploy-staging.yml index 6521df24..f9a76611 100644 --- a/.github/workflows/cpflow-deploy-staging.yml +++ b/.github/workflows/cpflow-deploy-staging.yml 
@@ -16,7 +16,7 @@ permissions: jobs: deploy-staging: - uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@d8877ca0c9c1d88947f322903e4a4344641029ba with: staging_app_branch_default: "master" secrets: diff --git a/.github/workflows/cpflow-help-command.yml b/.github/workflows/cpflow-help-command.yml index bcecbfd8..b47a84ec 100644 --- a/.github/workflows/cpflow-help-command.yml +++ b/.github/workflows/cpflow-help-command.yml @@ -23,4 +23,4 @@ jobs: contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) && contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || github.event_name == 'workflow_dispatch' - uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@d8877ca0c9c1d88947f322903e4a4344641029ba diff --git a/.github/workflows/cpflow-promote-staging-to-production.yml b/.github/workflows/cpflow-promote-staging-to-production.yml index e07a1cc2..e95601ef 100644 --- a/.github/workflows/cpflow-promote-staging-to-production.yml +++ b/.github/workflows/cpflow-promote-staging-to-production.yml @@ -69,7 +69,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: repository: shakacode/control-plane-flow - ref: 2d8225572edd6f54c83ba9c51bd2983546989e93 + ref: d8877ca0c9c1d88947f322903e4a4344641029ba path: .cpflow persist-credentials: false 
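Review bot: The SHA in the checkout step's `ref:` has to be kept identical by hand to the one in `control_plane_flow_ref` in the later hunk of cpflow-promote-staging-to-production.yml (`@@ -179,7`), and nothing visible in either hunk enforces that. If the two drift, the ref that the setup action validates would presumably no longer describe the code checked out into `.cpflow` by the production promotion workflow. A comment on the checkout line, `# Must match the SHA in control_plane_flow_ref below.`, would make the coupling explicit. Defining the SHA once in a workflow-level `env:` entry and referencing it from both places is the sturdier option, if the generator allows it. Both steps start and end outside their hunks.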
@@ -179,7 +179,7 @@ jobs: cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }} cpflow_version: ${{ vars.CPFLOW_VERSION }} # The setup action validates CPFLOW_VERSION against this full workflow ref. - control_plane_flow_ref: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + control_plane_flow_ref: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@d8877ca0c9c1d88947f322903e4a4344641029ba # Runs after Setup production environment so the pinned Ruby (>= 3.1) is on PATH. # YAML.load_file(..., aliases: true) is not supported on Ruby 3.0 (system Ruby on ubuntu-22.04). diff --git a/.github/workflows/cpflow-review-app-help.yml b/.github/workflows/cpflow-review-app-help.yml index 5218d197..794acaa1 100644 --- a/.github/workflows/cpflow-review-app-help.yml +++ b/.github/workflows/cpflow-review-app-help.yml @@ -18,4 +18,4 @@ jobs: # to PR-open help. Remove it, or uncomment and adapt this guard, if forks or # clones should stay quiet until Control Plane is configured: # if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != '' - uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@2d8225572edd6f54c83ba9c51bd2983546989e93 + uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@d8877ca0c9c1d88947f322903e4a4344641029ba