diff --git a/.controlplane/readme.md b/.controlplane/readme.md
index e12de28..b6cf105 100644
--- a/.controlplane/readme.md
+++ b/.controlplane/readme.md
@@ -90,7 +90,7 @@ Advanced optional variables:
 | --- | --- |
 | `REVIEW_APP_DEPLOYING_ICON_URL` | Cosmetic custom animated icon for review-app comments. Ignore this for the standard setup. |
 | `CPLN_CLI_VERSION` | Pin only when Control Plane CLI compatibility requires it. |
-| `CPFLOW_VERSION` | Runtime gem override. Normally leave unset. If set, it must match the workflow tag without the leading `v`, such as `5.0.2`. |
+| `CPFLOW_VERSION` | Runtime gem override. Normally leave unset. If set, it must match the workflow tag without the leading `v`, such as `5.0.4`. |
 
 ## Control Plane Setup
 
@@ -206,7 +206,7 @@ bin/test-cpflow-github-flow ruby /path/to/control-plane-flow/bin/cpflow
 
 This repo is locked at runtime by the generated workflow wrapper GitHub ref, not
 by the gem alone. The wrappers currently point their `uses:` refs at the
-upstream `control-plane-flow` release tag `v5.0.2`. GitHub loads the reusable
+upstream `control-plane-flow` release tag `v5.0.4`. GitHub loads the reusable
 workflow from that tag, and the upstream workflow checks out its matching shared
 actions from the same workflow context. Downstream wrappers should not pass a
 duplicate `control_plane_flow_ref` input.
@@ -222,7 +222,7 @@ To move to a newer stable `cpflow` release when generated templates changed:
 
 1. Install or bundle the released `cpflow` gem.
 2. Run `cpflow generate-github-actions`.
-3. Verify the generated wrappers point to the matching tag, such as `v5.0.2`.
+3. Verify the generated wrappers point to the matching tag, such as `v5.0.4`.
 4. Leave `CPFLOW_VERSION` unset, or set it to the same RubyGems version without
    the leading `v`. For prereleases, use dot syntax such as `5.0.0.rc.1`.
 5. Run `bin/test-cpflow-github-flow`.
@@ -231,7 +231,7 @@ If the generated files are already current and only the upstream tag needs to
 move, run:
 
 ```sh
-bin/pin-cpflow-github-ref v5.0.2
+bin/pin-cpflow-github-ref v5.0.4
 ```
 
 When testing unreleased `control-plane-flow` changes before a release, pin the
diff --git a/.github/cpflow-help.md b/.github/cpflow-help.md
index d5bcfba..524cabe 100644
--- a/.github/cpflow-help.md
+++ b/.github/cpflow-help.md
@@ -2,7 +2,7 @@
 
 These commands are generated by [cpflow](https://github.com/shakacode/control-plane-flow).
 For full setup, version-pinning, and troubleshooting details, see the upstream
-[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/v5.0.2/docs/ci-automation.md).
+[CI automation guide](https://github.com/shakacode/control-plane-flow/blob/v5.0.4/docs/ci-automation.md).
 
 ## Pull Request Commands
 
@@ -81,7 +81,7 @@ production org, using production-only secrets and values.
 ## Version Locking
 
 Generated wrappers pin Control Plane Flow once with the reusable workflow
-`uses:` ref, for example `@v5.0.2`. For stable releases,
+`uses:` ref, for example `@v5.0.4`. For stable releases,
 this ref should be a release tag. The upstream reusable workflow automatically
 loads its matching shared actions from GitHub's workflow context, so downstream
 wrappers should not pass a duplicate Control Plane Flow ref input. If your
@@ -96,8 +96,8 @@ exactly matches the same released gem.
 
 Leave `CPFLOW_VERSION` unset so the workflow builds cpflow from the same
 checked-out upstream source. If you set `CPFLOW_VERSION`, it must match the
-release tag, for example `CPFLOW_VERSION=5.0.2` with a wrapper pinned to
-`uses: ...@v5.0.2`.
+release tag, for example `CPFLOW_VERSION=5.0.4` with a wrapper pinned to
+`uses: ...@v5.0.4`.
 
 Do not leave downstream apps pinned to a moving branch such as `main`. For a
 short-lived test of an unreleased upstream PR, pin to a full 40-character commit
diff --git a/.github/workflows/cpflow-cleanup-stale-review-apps.yml b/.github/workflows/cpflow-cleanup-stale-review-apps.yml
index 91b6022..d3fb09d 100644
--- a/.github/workflows/cpflow-cleanup-stale-review-apps.yml
+++ b/.github/workflows/cpflow-cleanup-stale-review-apps.yml
@@ -12,6 +12,6 @@ jobs:
   cleanup:
     # Cleanup targets the current inferred review-app prefix. If you changed
     # naming conventions, manually delete review apps under the old prefix.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@v5.0.4
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
diff --git a/.github/workflows/cpflow-delete-review-app.yml b/.github/workflows/cpflow-delete-review-app.yml
index a0b07ce..cda1484 100644
--- a/.github/workflows/cpflow-delete-review-app.yml
+++ b/.github/workflows/cpflow-delete-review-app.yml
@@ -31,6 +31,6 @@ jobs:
       github.event_name == 'workflow_dispatch'
     # This `if:` mirrors the upstream job guard to avoid a billable workflow_call
     # when the event does not match. Keep both conditions in sync.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@v5.0.4
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
diff --git a/.github/workflows/cpflow-deploy-review-app.yml b/.github/workflows/cpflow-deploy-review-app.yml
index f41ad94..c228e47 100644
--- a/.github/workflows/cpflow-deploy-review-app.yml
+++ b/.github/workflows/cpflow-deploy-review-app.yml
@@ -30,7 +30,7 @@ jobs:
        github.event.issue.pull_request &&
        contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.0.4
     secrets:
       CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
       DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}
diff --git a/.github/workflows/cpflow-deploy-staging.yml b/.github/workflows/cpflow-deploy-staging.yml
index 43ad3d6..a8fbdea 100644
--- a/.github/workflows/cpflow-deploy-staging.yml
+++ b/.github/workflows/cpflow-deploy-staging.yml
@@ -16,7 +16,7 @@ permissions:
 
 jobs:
   deploy-staging:
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.0.4
     with:
       staging_app_branch_default: "main"
     secrets:
diff --git a/.github/workflows/cpflow-help-command.yml b/.github/workflows/cpflow-help-command.yml
index 055bfd7..b12697c 100644
--- a/.github/workflows/cpflow-help-command.yml
+++ b/.github/workflows/cpflow-help-command.yml
@@ -23,4 +23,4 @@ jobs:
        contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@v5.0.4
diff --git a/.github/workflows/cpflow-promote-staging-to-production.yml b/.github/workflows/cpflow-promote-staging-to-production.yml
index a443e97..6103c4d 100644
--- a/.github/workflows/cpflow-promote-staging-to-production.yml
+++ b/.github/workflows/cpflow-promote-staging-to-production.yml
@@ -20,7 +20,7 @@ jobs:
     # upgrades are auditable and easy to roll forward. If your security policy
     # requires immutable refs, run bin/pin-cpflow-github-ref with the full
     # 40-character commit SHA behind the release tag and update the docs too.
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@v5.0.4
     with:
       # Keep CPLN_TOKEN_PRODUCTION as a secret on this protected GitHub
       # Environment. The caller passes the environment name, the upstream
diff --git a/.github/workflows/cpflow-review-app-help.yml b/.github/workflows/cpflow-review-app-help.yml
index 3b65d38..c8b24e1 100644
--- a/.github/workflows/cpflow-review-app-help.yml
+++ b/.github/workflows/cpflow-review-app-help.yml
@@ -18,4 +18,4 @@ jobs:
     # to PR-open help. Remove it, or uncomment and adapt this guard, if forks or
     # clones should stay quiet until Control Plane is configured:
     #   if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''
-    uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@v5.0.2
+    uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@v5.0.4