Skip to content

Use stable configured-template review-app validation#195

Merged
justin808 merged 3 commits into
mainfrom
jg-codex/fix-review-app-gate
Jul 18, 2026
Merged

Use stable configured-template review-app validation#195
justin808 merged 3 commits into
mainfrom
jg-codex/fix-review-app-gate

Conversation

@justin808

@justin808 justin808 commented Jul 18, 2026

Copy link
Copy Markdown
Member

Why

The review-app setup path used a Control Plane Flow release that validated unused alternative templates and could reject an otherwise valid configured review-app set. The first stable release with configured-template-only validation also strengthens deployed-health completion.

This addresses #194. The issue intentionally remains open until the merged default workflow is exercised by a fresh disposable verification PR, behavioral smoke passes, and cleanup is confirmed.

The required CI-core RSpec path was also blocked before tests by four current HTML sanitizer advisories. This follow-up applies only the upstream security patch releases and generated lock metadata needed to restore that required gate.

What changed

  • Align all Control Plane Flow wrappers and live operator documentation on stable v5.2.0.
  • Preserve repository configuration and every deployment template unchanged.
  • Update current-state and operational version-lock guidance coherently.
  • Update only Gemfile.lock: loofah 2.25.1 → 2.25.2, rails-html-sanitizer 1.7.0 → 1.7.1, and the generated loofah dependency constraint required by the sanitizer patch.

Workflow change audit

  • Event triggers, permissions, source authorization, dependencies, conditional gates, and credential-reference shape are unchanged.
  • Repository configuration and templates are byte-identical to the base.
  • Security preflight passed; no untrusted issue content was used as instructions.
  • Read-only QA and a maker-distinct Sol/xhigh audit found no blocking or discuss findings on the original workflow-only head.
  • The required simplification review completed with no changes.

Verification

  • Focused review-app readiness and configured-template validation gate
  • Coherent stable-reference sweep across workflows and live docs
  • Exact lockfile diff: 3 additions and 3 removals, limited to the two sanitizer patch versions and one generated dependency-constraint replacement
  • Conservative resolver oracle matches the committed lockfile exactly
  • Empty-path frozen Bundler install and bundle check
  • bin/bundler-audit — no vulnerabilities found
  • Targeted sanitizer behavior probes for encoded URI schemes, safe HTTPS, and external SVG references
  • Sanitizer patch review: security-tightening URI and SVG handling; default Rails SVG allowlist behavior is unaffected
  • bin/test ci — quality, security, doctor, type checking, router-shim, 118 RSpec examples, and 2 browser smoke tests passed
  • git diff --check

Dependency manifests, audit configuration, workflows, ignore rules, repository configuration, and deployment templates are unchanged by the security-gate remediation.

Churn and follow-through

  • Pre-push review: QA, maker-distinct Sol/xhigh adversarial audit, simplification gate, and focused sanitizer security review.
  • Post-push fix rounds: 2. The first hosted rerun exposed stale generated lock dependency metadata that a warm local bundle did not reject; the second round added only that resolver-required metadata and validated it from an empty frozen bundle path.
  • Process-gap disposition: checklist+replay — sweep live version guidance and replay the merged default workflow from a fresh disposable PR before closing Follow-up: Fix review-app setup and restore deployed behavior gate #194.

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@justin808, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 26 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8ddaa51e-a275-4f0c-ba03-7da1565f0ac4

📥 Commits

Reviewing files that changed from the base of the PR and between 60cca47 and aab28b6.

⛔ Files ignored due to path filters (1)
  • Gemfile.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • .controlplane/readme.md
  • .github/cpflow-help.md
  • .github/workflows/cpflow-cleanup-stale-review-apps.yml
  • .github/workflows/cpflow-delete-review-app.yml
  • .github/workflows/cpflow-deploy-review-app.yml
  • .github/workflows/cpflow-deploy-staging.yml
  • .github/workflows/cpflow-help-command.yml
  • .github/workflows/cpflow-promote-staging-to-production.yml
  • .github/workflows/cpflow-review-app-help.yml
  • docs/07-control-plane-handoff.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jg-codex/fix-review-app-gate

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

@justin808

Copy link
Copy Markdown
Member Author

Address-review summary

Scan scope: full current-head history via check all reviews at d650ad3249b258604035a018d2dfcc9af00f3d8a.

Mattered

  • No actionable reviewer feedback was found.
  • Current-head readiness remains blocked: the required RSpec-labelled job failed in the dependency audit before test execution. Dependency inputs and the CI/audit scripts are unchanged from the base branch, so this is classified as a pre-existing baseline failure and is not waived.

Skipped

  • Reviewer status — review-status notice only; no actionable feedback and no action taken.
  • Workflow help status — automated command/help text only; no action taken.
  • No review threads were present, so no replies or resolutions were needed.

Next default scan starts after this comment. Say check all reviews to rescan the full PR.

@justin808

Copy link
Copy Markdown
Member Author

Address-review summary

Scan scope: review activity after 2026-07-18T07:02:40Z on current head d907847f2653a04fca18e2c904303ec21918b9c8.

Mattered

  • None. No new actionable review feedback was posted after the prior checkpoint.

Skipped

  • None.

Configured review checks settled successfully. Trusted coordinated action f required no code changes, replies, or thread resolutions.

Next default scan starts after this comment. Say check all reviews to rescan the full PR.

@justin808

Copy link
Copy Markdown
Member Author

Address-review summary

Scan scope: review activity after 2026-07-18T07:23:12Z on current head aab28b67d4f5811c464597b06827287e2ca91447.

Mattered

  • None. No new actionable review feedback was posted after the prior checkpoint.

Skipped

  • None.

All current-head checks and configured review checks settled successfully. Trusted coordinated action f required no code changes, replies, or thread resolutions.

Next default scan starts after this comment. Say check all reviews to rescan the full PR.

@justin808

Copy link
Copy Markdown
Member Author

Final-candidate gate update for aab28b67d4f5811c464597b06827287e2ca91447:

  • Exact-head QA: clean.
  • Fresh maker-distinct Sol/xhigh audit: clean; no blocking or discuss findings.
  • Current-head required CI and review inventory: green, zero unresolved threads.
  • The final simplification rerun exceeded its bounded window and was stopped with zero workspace edits; the audited diff remains unchanged.
  • The maintainer-provided batch authority is auto_merge_when_gates_pass; this is the explicit high-risk workflow/dependency approval decision for this exact head once the remaining ready-state reviewer wave is clear.

No waiver is being applied to CI, review, or behavioral verification. Fresh-default deployment replay remains tracked by #194 after merge.

@justin808
justin808 marked this pull request as ready for review July 18, 2026 08:07
@justin808

Copy link
Copy Markdown
Member Author

Address-review summary

Scan scope: review activity after 2026-07-18T07:38:44Z on ready-for-review head aab28b67d4f5811c464597b06827287e2ca91447.

Mattered

  • None. No actionable review feedback was posted after the prior checkpoint.

Skipped

Ready-state review activity settled cleanly: the post-ready Claude review passed with no feedback, CodeRabbit remains green, all eight current-head checks pass, and there are zero unresolved review threads.

Next default scan starts after this comment. Say check all reviews to rescan the full PR.

@justin808
justin808 merged commit 2d409e8 into main Jul 18, 2026
9 checks passed
@github-actions

github-actions Bot commented Jul 18, 2026

Copy link
Copy Markdown

✅ Review App Deleted

Review app for PR #195 is deleted

🎮 Control Plane Console
📋 View Workflow Logs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant