Sync Control Plane flow hardening

Author: justin808

.controlplane/Dockerfile

@@ -72,7 +72,8 @@ RUN SECRET_KEY_BASE=precompile_placeholder bin/rails react_on_rails:locale
 # and /app/client/app are the client assets that are bundled, so not needed once built
 # Helps to have smaller images b/c of smaller Docker Layer Caches and smaller final images
 # SECRET_KEY_BASE is required for asset precompilation but is not persisted in the image
-RUN SECRET_KEY_BASE=precompile_placeholder yarn res:build && \
+RUN SECRET_KEY_BASE=precompile_placeholder bundle exec rake react_on_rails:generate_packs && \
+    SECRET_KEY_BASE=precompile_placeholder yarn res:build && \
     SECRET_KEY_BASE=precompile_placeholder bin/rails assets:precompile && \
     rm -rf /app/lib/bs /app/client/app
 

.controlplane/entrypoint.sh

@@ -21,7 +21,7 @@ echo " -- Waiting for services"
 wait_for_service $(echo $DATABASE_URL | sed -e 's|^.*@||' -e 's|/.*$||')
 wait_for_service $(echo $REDIS_URL | sed -e 's|redis://||' -e 's|/.*$||')
 
-echo " -- Finishing entrypoint.sh, executing '$@'"
+echo " -- Finishing entrypoint.sh, executing '$*'@'"
 
 # Run the main command
 exec "$@"

.github/actions/cpflow-build-docker-image/action.yml

@@ -20,6 +20,9 @@ inputs:
   docker_build_ssh_key:
     description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
     required: false
+  docker_build_ssh_known_hosts:
+    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
+    required: false
 
 outputs:
   image_tag:
@@ -53,13 +56,25 @@ runs:
         if [[ -n "${{ inputs.docker_build_ssh_key }}" ]]; then
           mkdir -p ~/.ssh
           chmod 700 ~/.ssh
-          ssh-keyscan -H github.com >> ~/.ssh/known_hosts
+
+          if [[ -n "${{ inputs.docker_build_ssh_known_hosts }}" ]]; then
+            cat <<'EOF' > ~/.ssh/known_hosts
+${{ inputs.docker_build_ssh_known_hosts }}
+EOF
+          else
+            cat <<'EOF' > ~/.ssh/known_hosts
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+EOF
+          fi
+
           chmod 600 ~/.ssh/known_hosts
 
           eval "$(ssh-agent -s)"
           trap 'ssh-agent -k >/dev/null' EXIT
           ssh-add - <<< "${{ inputs.docker_build_ssh_key }}"
-          docker_build_args+=("--ssh default")
+          docker_build_args+=("--ssh" "default")
         fi
 
         echo "🏗️ Building Docker image${PR_INFO} (commit ${{ inputs.commit }})..."

.github/actions/cpflow-delete-control-plane-app/delete-app.sh

@@ -17,14 +17,20 @@ fi
 echo "🔍 Checking if application exists: $APP_NAME"
 exists_output=""
 if ! exists_output="$(cpflow exists -a "$APP_NAME" --org "$CPLN_ORG" 2>&1)"; then
-  if [[ -z "$exists_output" ]]; then
-    echo "⚠️ Application does not exist: $APP_NAME"
-    exit 0
+  case "$exists_output" in
+    *"Double check your org"*|*"Unknown API token format"*|*"ERROR"*|*"Error:"*|*"Traceback"*|*"Net::"*)
+      echo "❌ ERROR: failed to determine whether application exists: $APP_NAME" >&2
+      printf '%s\n' "$exists_output" >&2
+      exit 1
+      ;;
+  esac
+
+  if [[ -n "$exists_output" ]]; then
+    printf '%s\n' "$exists_output"
   fi
 
-  echo "❌ ERROR: failed to determine whether application exists: $APP_NAME" >&2
-  printf '%s\n' "$exists_output" >&2
-  exit 1
+  echo "⚠️ Application does not exist: $APP_NAME"
+  exit 0
 fi
 
 if [[ -n "$exists_output" ]]; then

.github/workflows/cpflow-delete-review-app.yml

@@ -17,6 +17,10 @@ permissions:
   issues: write
   pull-requests: write
 
+concurrency:
+  group: cpflow-review-app-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
+  cancel-in-progress: true
+
 env:
   APP_NAME: ${{ vars.REVIEW_APP_PREFIX }}-${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
   CPLN_ORG: ${{ vars.CPLN_ORG_STAGING }}
@@ -95,6 +99,7 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
+            const commentId = Number("${{ steps.create-comment.outputs.comment-id }}");
             const success = "${{ job.status }}" === "success";
             const body = success
               ? [
@@ -110,9 +115,14 @@ jobs:
                   `[View workflow logs](${process.env.WORKFLOW_URL})`
                 ].join("\n");
 
+            if (!Number.isFinite(commentId) || commentId <= 0) {
+              core.warning("Skipping delete status comment update because no comment id was created.");
+              return;
+            }
+
             await github.rest.issues.updateComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              comment_id: Number("${{ steps.create-comment.outputs.comment-id }}"),
+              comment_id: commentId,
               body
             });

.github/workflows/cpflow-deploy-review-app.yml

@@ -254,6 +254,12 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
+            const commentId = Number("${{ steps.create-comment.outputs.comment-id }}");
+            if (!Number.isFinite(commentId) || commentId <= 0) {
+              core.warning("Skipping PR comment update because no comment id was created.");
+              return;
+            }
+
             const body = [
               `🏗️ Building Docker image for PR #${process.env.PR_NUMBER}, commit ${process.env.PR_SHA}`,
               "",
@@ -265,7 +271,7 @@ jobs:
             await github.rest.issues.updateComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              comment_id: Number("${{ steps.create-comment.outputs.comment-id }}"),
+              comment_id: commentId,
               body
             });
 
@@ -279,12 +285,19 @@ jobs:
           pr_number: ${{ env.PR_NUMBER }}
           docker_build_extra_args: ${{ vars.DOCKER_BUILD_EXTRA_ARGS }}
           docker_build_ssh_key: ${{ secrets.DOCKER_BUILD_SSH_KEY }}
+          docker_build_ssh_known_hosts: ${{ vars.DOCKER_BUILD_SSH_KNOWN_HOSTS }}
 
       - name: Update PR comment with deploy status
         if: steps.config.outputs.ready == 'true' && steps.source.outputs.allowed == 'true' && (steps.check-app.outputs.exists == 'true' || steps.setup-review-app.outcome == 'success')
         uses: actions/github-script@v7
         with:
           script: |
+            const commentId = Number("${{ steps.create-comment.outputs.comment-id }}");
+            if (!Number.isFinite(commentId) || commentId <= 0) {
+              core.warning("Skipping PR comment update because no comment id was created.");
+              return;
+            }
+
             const body = [
               "🚀 Deploying review app to Control Plane...",
               "",
@@ -296,7 +309,7 @@ jobs:
             await github.rest.issues.updateComment({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              comment_id: Number("${{ steps.create-comment.outputs.comment-id }}"),
+              comment_id: commentId,
               body
             });
 
@@ -356,6 +369,11 @@ jobs:
               `[View workflow logs](${process.env.WORKFLOW_URL})`
             ].join("\n");
 
+            if (!Number.isFinite(commentId) || commentId <= 0) {
+              core.warning("Skipping PR comment update because no comment id was created.");
+              return;
+            }
+
             await github.rest.issues.updateComment({
               owner: context.repo.owner,
               repo: context.repo.repo,

.github/workflows/cpflow-deploy-staging.yml

@@ -4,6 +4,8 @@ run-name: Deploy Control Plane staging app
 
 on:
   push:
+    # GitHub does not allow repository vars in branch filters, so this workflow listens to
+    # every branch and exits early unless the ref matches STAGING_APP_BRANCH/main/master.
     branches: ["**"]
   workflow_dispatch:
 
@@ -86,6 +88,7 @@ jobs:
           commit: ${{ github.sha }}
           docker_build_extra_args: ${{ vars.DOCKER_BUILD_EXTRA_ARGS }}
           docker_build_ssh_key: ${{ secrets.DOCKER_BUILD_SSH_KEY }}
+          docker_build_ssh_known_hosts: ${{ vars.DOCKER_BUILD_SSH_KNOWN_HOSTS }}
 
   deploy:
     needs: [validate-branch, build]

.github/workflows/cpflow-help-command.yml

@@ -19,7 +19,8 @@ jobs:
     if: |
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
-       github.event.comment.body == '/help') ||
+       github.event.comment.body == '/help' &&
+       contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
 
@@ -46,6 +47,7 @@ jobs:
               "",
               "- `CPLN_TOKEN_STAGING`",
               "- `CPLN_TOKEN_PRODUCTION`",
+              "- `DOCKER_BUILD_SSH_KEY` (optional, when Docker builds fetch private dependencies over SSH)",
               "",
               "## Repository variables",
               "",
@@ -56,6 +58,8 @@ jobs:
               "- `REVIEW_APP_PREFIX`",
               "- `STAGING_APP_BRANCH` (optional, defaults to `main` or `master`)",
               "- `PRIMARY_WORKLOAD` (optional, defaults to `rails`)",
+              "- `DOCKER_BUILD_EXTRA_ARGS` (optional Docker build flags)",
+              "- `DOCKER_BUILD_SSH_KNOWN_HOSTS` (optional when SSH build hosts are not GitHub.com)",
               "",
               "## Workflow behavior",
               "",

.github/workflows/cpflow-promote-staging-to-production.yml

@@ -187,7 +187,7 @@ jobs:
           exit 1
 
       - name: Roll back on failure
-        if: failure() && steps.capture-current.outputs.rollback_state != ''
+        if: failure() && steps.capture-current.outputs.rollback_state != '{}'
         env:
           ROLLBACK_STATE: ${{ steps.capture-current.outputs.rollback_state }}
         shell: bash