Pin cpflow workflows to runner wait fix

.controlplane/readme.md

@@ -577,9 +577,10 @@ For this repo, the update loop is:
 1. Generate from the desired `cpflow` release with `--staging-branch master`.
 2. Keep generated refs on a release tag once the upstream hardening changes ship.
    This branch temporarily pins refs to
-   `2d8225572edd6f54c83ba9c51bd2983546989e93` to test upstream promotion
-   hardening before the next release tag. Leave `CPFLOW_VERSION` unset while
-   testing a commit SHA.
+   `d8877ca0c9c1d88947f322903e4a4344641029ba` to use merged-but-unreleased
+   upstream promotion hardening and the release-runner timeout fix before the
+   next release tag.
+   Leave `CPFLOW_VERSION` unset while testing a commit SHA.
 3. Keep app names and GitHub settings aligned with `.controlplane/controlplane.yml`.
 4. Validate locally:
 

.controlplane/shakacode-team.md

@@ -118,11 +118,11 @@ Advanced optional settings are documented upstream in the
 [`control-plane-flow` CI automation guide](https://github.com/shakacode/control-plane-flow/blob/main/docs/ci-automation.md).
 
 Current workflow wrappers are temporarily pinned to upstream
-`control-plane-flow` commit `2d8225572edd6f54c83ba9c51bd2983546989e93` to test
-promotion hardening before it ships in a release tag. Keep release tags as the
-steady-state configuration once the upstream PR is released; use a full commit
-SHA only for short-lived upstream PR testing and leave `CPFLOW_VERSION` unset in
-that case.
+`control-plane-flow` commit `d8877ca0c9c1d88947f322903e4a4344641029ba` to use
+merged-but-unreleased promotion hardening and the release-runner timeout fix
+before they ship in a release tag. Keep release tags as the steady-state
+configuration once the upstream changes are released; use a full commit SHA only
+for short-lived upstream testing and leave `CPFLOW_VERSION` unset in that case.
 
 If staging moves off `master`, update both `STAGING_APP_BRANCH` and the branch
 filter in `.github/workflows/cpflow-deploy-staging.yml`.

.github/cpflow-help.md

@@ -2,7 +2,7 @@
 
 These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow).
 For full setup, version-pinning, and troubleshooting details, see the upstream
-[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/2d8225572edd6f54c83ba9c51bd2983546989e93/docs/ci-automation.md).
+[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/d8877ca0c9c1d88947f322903e4a4344641029ba/docs/ci-automation.md).
 
 ## Pull Request Commands
 
@@ -112,9 +112,10 @@ production org, using production-only secrets and values.
 
 Generated wrappers normally pin Control Plane Flow with a release tag, for
 example `v5.1.0`. This branch temporarily pins the wrappers to upstream commit
-`2d8225572edd6f54c83ba9c51bd2983546989e93` while testing
-merged-but-unreleased production promotion hardening. Reusable review-app,
-staging, cleanup, and helper workflows pin that ref in their `uses:` entry.
+`d8877ca0c9c1d88947f322903e4a4344641029ba` while using merged-but-unreleased
+production promotion hardening plus the release-runner timeout fix. Reusable
+review-app, staging, cleanup, and helper workflows pin that ref in their
+`uses:` entry.
 Production promotion pins the same ref in its control-plane-flow checkout step
 so the caller-owned job can keep `environment: production` and receive
 production environment secrets directly.

.github/workflows/cpflow-cleanup-stale-review-apps.yml

@@ -12,6 +12,6 @@ jobs:
   cleanup:
     # Cleanup targets the current inferred review-app prefix. If you changed
     # naming conventions, manually delete review apps under the old prefix.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@d8877ca0c9c1d88947f322903e4a4344641029ba
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

.github/workflows/cpflow-delete-review-app.yml

@@ -31,6 +31,6 @@ jobs:
       github.event_name == 'workflow_dispatch'
     # This `if:` mirrors the upstream job guard to avoid a billable workflow_call
     # when the event does not match. Keep both conditions in sync.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@d8877ca0c9c1d88947f322903e4a4344641029ba
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}

.github/workflows/cpflow-deploy-review-app.yml

@@ -30,7 +30,7 @@ jobs:
        github.event.issue.pull_request &&
        contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@d8877ca0c9c1d88947f322903e4a4344641029ba
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
       DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}

.github/workflows/cpflow-deploy-staging.yml

@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   deploy-staging:
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@d8877ca0c9c1d88947f322903e4a4344641029ba
     with:
       staging_app_branch_default: "master"
     secrets:

.github/workflows/cpflow-help-command.yml

@@ -23,4 +23,4 @@ jobs:
        contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@d8877ca0c9c1d88947f322903e4a4344641029ba

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -69,7 +69,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           repository: shakacode/control-plane-flow
-          ref: 2d8225572edd6f54c83ba9c51bd2983546989e93
+          ref: d8877ca0c9c1d88947f322903e4a4344641029ba
           path: .cpflow
           persist-credentials: false
 
@@ -179,7 +179,7 @@ jobs:
           cpln_cli_version: ${{ vars.CPLN_CLI_VERSION }}
           cpflow_version: ${{ vars.CPFLOW_VERSION }}
           # The setup action validates CPFLOW_VERSION against this full workflow ref.
-          control_plane_flow_ref: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+          control_plane_flow_ref: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@d8877ca0c9c1d88947f322903e4a4344641029ba
 
       # Runs after Setup production environment so the pinned Ruby (>= 3.1) is on PATH.
       # YAML.load_file(..., aliases: true) is not supported on Ruby 3.0 (system Ruby on ubuntu-22.04).

.github/workflows/cpflow-review-app-help.yml

@@ -18,4 +18,4 @@ jobs:
     # to PR-open help. Remove it, or uncomment and adapt this guard, if forks or
     # clones should stay quiet until Control Plane is configured:
     #   if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@2d8225572edd6f54c83ba9c51bd2983546989e93
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@d8877ca0c9c1d88947f322903e4a4344641029ba