Harden cpflow review follow-ups

justin808 · justin808 · commit 8424f2748ce3 · 2026-05-01T11:39:46.000-10:00
diff --git a/.controlplane/shakacode-team.md b/.controlplane/shakacode-team.md
@@ -22,6 +22,8 @@ Deployments are handled by Control Plane configuration in this repo and GitHub A
 
 ### Production Environment
 - **Manual**: Run the [cpflow-promote-staging-to-production workflow](https://github.com/shakacode/react-webpack-rails-tutorial/actions/workflows/cpflow-promote-staging-to-production.yml) on GitHub
+- Rollback restores workload images only; database migrations and other
+  `--run-release-phase` side effects are not reversed automatically.
 - **URLs**:
   - [Control Plane Console - Production](https://console.cpln.io/console/org/shakacode-open-source-examples-production/gvc/react-webpack-rails-tutorial-production/workload/rails/-info)
   - [Production App](https://reactrails.com/)
diff --git a/.github/actions/cpflow-build-docker-image/action.yml b/.github/actions/cpflow-build-docker-image/action.yml
@@ -109,4 +109,6 @@ runs:
       if: ${{ always() }}
       shell: bash
       run: |
+        # Defence in depth: the build step also traps EXIT, but this still runs
+        # if a future refactor exits before that trap is installed.
         rm -f "${HOME}/.ssh/cpflow_build_key"
diff --git a/.github/actions/cpflow-delete-control-plane-app/check-app-exists.sh b/.github/actions/cpflow-delete-control-plane-app/check-app-exists.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -euo pipefail
+
+: "${APP_NAME:?APP_NAME environment variable is required}"
+: "${CPLN_ORG:?CPLN_ORG environment variable is required}"
+
+# Contract this relies on from `cpflow exists`:
+#   - Exit status 0              -> app exists (stdout may contain an informational banner).
+#   - Exit status non-zero, no
+#     recognizable error tokens  -> app does not exist.
+#   - Exit status non-zero with
+#     tokens like "Double check
+#     your org", "Unknown API
+#     token format", "ERROR",
+#     "Error:", "Traceback", or
+#     "Net::"                    -> a real failure; surface and exit 2.
+# TODO: replace this string-matching with a structured signal once `cpflow exists` exposes one
+# (e.g. a distinct exit code for "not found" vs. API/auth errors, or `cpflow exists --json`).
+exists_output=""
+if exists_output="$(cpflow exists -a "$APP_NAME" --org "$CPLN_ORG" 2>&1)"; then
+  if [[ -n "$exists_output" ]]; then
+    printf '%s\n' "$exists_output"
+  fi
+  exit 0
+fi
+
+case "$exists_output" in
+  *"Double check your org"*|*"Unknown API token format"*|*"ERROR"*|*"Error:"*|*"Traceback"*|*"Net::"*)
+    echo "Failed to determine whether application exists: $APP_NAME" >&2
+    printf '%s\n' "$exists_output" >&2
+    exit 2
+    ;;
+esac
+
+if [[ -n "$exists_output" ]]; then
+  echo "cpflow exists returned non-zero output that did not match known error patterns:" >&2
+  printf '%s\n' "$exists_output" >&2
+fi
+
+exit 1
diff --git a/.github/actions/cpflow-delete-control-plane-app/delete-app.sh b/.github/actions/cpflow-delete-control-plane-app/delete-app.sh
@@ -15,43 +15,18 @@ if [[ "$APP_NAME" != "${expected_prefix}"* ]]; then
 fi
 
 echo "🔍 Checking if application exists: $APP_NAME"
-# Contract this relies on from `cpflow exists`:
-#   - Exit status 0              → app exists (stdout may contain an informational banner).
-#   - Exit status non-zero, no
-#     recognizable error tokens  → app does not exist; treat as a no-op success.
-#   - Exit status non-zero with
-#     tokens like "Double check
-#     your org", "Unknown API
-#     token format", "ERROR",
-#     "Error:", "Traceback", or
-#     "Net::"                    → a real failure; surface and exit 1.
-# TODO: replace this string-matching with a structured signal once `cpflow exists` exposes one
-# (e.g. a distinct exit code for "not found" vs. API/auth errors, or `cpflow exists --json`).
-# Until then, keep this list in sync if `cpflow exists` starts emitting new error patterns —
-# any unmatched error string would otherwise be silently treated as "app not found".
-exists_output=""
-if ! exists_output="$(cpflow exists -a "$APP_NAME" --org "$CPLN_ORG" 2>&1)"; then
-  case "$exists_output" in
-    *"Double check your org"*|*"Unknown API token format"*|*"ERROR"*|*"Error:"*|*"Traceback"*|*"Net::"*)
-      echo "❌ ERROR: failed to determine whether application exists: $APP_NAME" >&2
-      printf '%s\n' "$exists_output" >&2
-      exit 1
-      ;;
-  esac
-
-  if [[ -n "$exists_output" ]]; then
-    echo "⚠️ cpflow exists returned non-zero output that did not match known error patterns:" >&2
-    printf '%s\n' "$exists_output" >&2
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+if bash "${script_dir}/check-app-exists.sh"; then
+  :
+else
+  exists_status=$?
+  if [[ "$exists_status" -ne 1 ]]; then
+    exit "$exists_status"
   fi
-
   echo "⚠️ Application does not exist: $APP_NAME"
   exit 0
 fi
 
-if [[ -n "$exists_output" ]]; then
-  printf '%s\n' "$exists_output"
-fi
-
 echo "🗑️ Deleting application: $APP_NAME"
 cpflow delete -a "$APP_NAME" --org "$CPLN_ORG" --yes
 
diff --git a/.github/actions/cpflow-detect-release-phase/action.yml b/.github/actions/cpflow-detect-release-phase/action.yml
@@ -24,8 +24,15 @@ runs:
       run: |
         set -euo pipefail
 
+        config_output=""
+        if ! config_output="$(cpflow config -a "${APP_NAME}" 2>&1)"; then
+          echo "Failed to read cpflow config for app '${APP_NAME}'" >&2
+          printf '%s\n' "${config_output}" >&2
+          exit 1
+        fi
+
         # Anchor to start-of-line so commented-out release_script: entries don't enable --run-release-phase.
-        if cpflow config -a "${APP_NAME}" | grep -qE '^[[:space:]]*release_script:'; then
+        if grep -qE '^[[:space:]]*release_script:' <<< "${config_output}"; then
           echo "flag=--run-release-phase" >> "$GITHUB_OUTPUT"
         else
           echo "flag=" >> "$GITHUB_OUTPUT"
diff --git a/.github/workflows/cpflow-deploy-review-app.yml b/.github/workflows/cpflow-deploy-review-app.yml
@@ -4,7 +4,7 @@ run-name: "Deploy Review App - PR #${{ github.event.pull_request.number || githu
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [synchronize, reopened]
   issue_comment:
     types: [created]
   workflow_dispatch:
@@ -35,7 +35,7 @@ env:
 
 jobs:
   deploy:
-    # Skip synchronize/opened events from fork PRs at the job level — they cannot access
+    # Skip synchronize/reopened events from fork PRs at the job level — they cannot access
     # repository secrets anyway, so running any steps just burns billable minutes. Users
     # can still manually deploy a fork PR via `/deploy-review-app` (gated below by
     # author_association) or workflow_dispatch.
@@ -185,26 +185,12 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Keep this in sync with delete-app.sh. `cpflow exists` does not yet expose
-          # distinct structured signals for not-found vs. auth/API failures.
-          exists_output=""
-          if exists_output="$(cpflow exists -a "${APP_NAME}" --org "${CPLN_ORG}" 2>&1)"; then
-            if [[ -n "${exists_output}" ]]; then
-              printf '%s\n' "${exists_output}"
-            fi
-
+          if bash .github/actions/cpflow-delete-control-plane-app/check-app-exists.sh; then
             echo "exists=true" >> "$GITHUB_OUTPUT"
           else
-            case "${exists_output}" in
-              *"Double check your org"*|*"Unknown API token format"*|*"ERROR"*|*"Error:"*|*"Traceback"*|*"Net::"*)
-                echo "Failed to determine whether review app exists: ${APP_NAME}" >&2
-                printf '%s\n' "${exists_output}" >&2
-                exit 1
-                ;;
-            esac
-
-            if [[ -n "${exists_output}" ]]; then
-              printf '%s\n' "${exists_output}"
+            exists_status=$?
+            if [[ "$exists_status" -ne 1 ]]; then
+              exit "$exists_status"
             fi
 
             echo "exists=false" >> "$GITHUB_OUTPUT"
