Update cpflow review app guidance

Author: justin808

.controlplane/readme.md

@@ -124,9 +124,13 @@ This repo now uses the shared `cpflow-*` GitHub Actions scaffolding:
 - `.github/workflows/cpflow-promote-staging-to-production.yml`
 - `.github/workflows/cpflow-cleanup-stale-review-apps.yml`
 
+The legacy workflows in this branch keep their help text inline instead of using
+the newer generated `.github/cpflow-help.md` file. The local setup action
+installs `cpflow` 5.1.1 by default.
+
 Behavior:
 
-- comment `/deploy-review-app` on a PR to create or update a review app
+- comment `+review-app-deploy` on a PR to create or update a review app
 - later pushes to that PR auto-redeploy the existing review app
 - pushes to `master` auto-deploy staging unless `STAGING_APP_BRANCH` overrides it
 - production promotion happens manually from the Actions tab
@@ -158,10 +162,19 @@ Optional variables:
 
 Operational notes:
 
-- `/deploy-review-app` and `/delete-review-app` only run for trusted commenters (`OWNER`, `MEMBER`, `COLLABORATOR`)
+- `+review-app-deploy`, `+review-app-delete`, and `+review-app-help` only run for trusted commenters (`OWNER`, `MEMBER`, `COLLABORATOR`)
 - fork PRs still receive help comments, but review app deploys are skipped because the workflow builds Docker images with repository secrets
 - PR pushes do not auto-create review apps; the first deploy remains opt-in
 
+Secret grant notes for `cpflow` 5.1.1:
+
+- this repo keeps the app secret dictionary and policy placeholders,
+  `{{APP_SECRETS}}` and `{{APP_SECRETS_POLICY}}`
+- `shared_secret_grants` is only for a separate shared org-level dictionary
+  referenced from templates with `{{SHARED_SECRET_<NAME>}}`
+- do not add `shared_secret_grants` here unless the app/workload templates start
+  referencing such a shared dictionary
+
 ## HTTP/2 and Thruster Configuration
 
 This application uses [Thruster](https://github.com/basecamp/thruster), a zero-config HTTP/2 proxy from Basecamp, for optimized performance on Control Plane.

.controlplane/shakacode-team.md

@@ -5,7 +5,7 @@
 Deployments are handled by Control Plane configuration in this repo and GitHub Actions.
 
 ### Review Apps
-- Add a comment `/deploy-review-app` to any PR to deploy a review app
+- Add a comment `+review-app-deploy` to any PR to deploy a review app
 
 ### Staging Environment
 - **Automatic**: Any merge to the `master` branch automatically deploys to staging

.controlplane/templates/org.yml

@@ -1,8 +1,10 @@
-# Org level secrets are used to store sensitive information that is
-# shared across multiple apps in the same organization. This is
-# useful for storing things like API keys, database credentials, and
-# other sensitive information that is shared across multiple apps
-# in the same organization.
+# App secret dictionaries store sensitive information for apps in the
+# organization. This template keeps the cpflow app-secret placeholders
+# {{APP_SECRETS}} and {{APP_SECRETS_POLICY}}.
+#
+# cpflow 5.1.1 shared_secret_grants are only for a separate shared
+# org-level dictionary referenced from app/workload templates with
+# {{SHARED_SECRET_<NAME>}}.
 
 # This is how you apply this once (not during CI)
 # cpl apply-template secrets  -a qa-react-webpack-rails-tutorial --org shakacode-open-source-examples-staging
@@ -15,7 +17,7 @@ data:
 
 ---
 
-# Policy is needed to allow identities to access secrets
+# App secret policy grants app identities reveal access to this dictionary.
 kind: policy
 name: {{APP_SECRETS_POLICY}}
 targetKind: secret

.github/actions/cpflow-build-docker-image/action.yml

@@ -66,14 +66,14 @@ runs:
 
           if [[ -n "${{ inputs.docker_build_ssh_known_hosts }}" ]]; then
             cat <<'EOF' > ~/.ssh/known_hosts
-${{ inputs.docker_build_ssh_known_hosts }}
-EOF
+        ${{ inputs.docker_build_ssh_known_hosts }}
+        EOF
           else
             cat <<'EOF' > ~/.ssh/known_hosts
-github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
-github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
-github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
-EOF
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+        EOF
           fi
 
           chmod 600 ~/.ssh/known_hosts

.github/actions/cpflow-setup-environment/action.yml

@@ -19,7 +19,7 @@ inputs:
   cpflow_version:
     description: cpflow gem version
     required: false
-    default: "4.2.0"
+    default: "5.1.1"
 
 runs:
   using: composite

.github/workflows/cpflow-delete-review-app.yml

@@ -32,7 +32,7 @@ jobs:
     if: |
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
-       github.event.comment.body == '/delete-review-app' &&
+       contains(fromJson('["+review-app-delete","+review-app-delete\n","+review-app-delete\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       (github.event_name == 'pull_request_target' && github.event.action == 'closed') ||
       github.event_name == 'workflow_dispatch'

.github/workflows/cpflow-deploy-review-app.yml

@@ -38,7 +38,7 @@ jobs:
       github.event_name == 'workflow_dispatch' ||
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
-       github.event.comment.body == '/deploy-review-app' &&
+       contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
     runs-on: ubuntu-latest
 
@@ -186,7 +186,7 @@ jobs:
         run: |
           {
             echo "Review app ${APP_NAME} does not exist yet."
-            echo "Create it with a PR comment that is exactly /deploy-review-app."
+            echo "Create it with +review-app-deploy as the PR comment body."
           } >> "$GITHUB_STEP_SUMMARY"
 
       - name: Setup review app if it does not exist yet

.github/workflows/cpflow-help-command.yml

@@ -19,7 +19,7 @@ jobs:
     if: |
       (github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
-       github.event.comment.body == '/help' &&
+       contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
        contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
       github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
@@ -34,15 +34,18 @@ jobs:
               "",
               "## PR commands",
               "",
-              "`/deploy-review-app`",
+              "`+review-app-deploy`",
               "- Creates the review app if it does not exist",
               "- Builds the PR commit image",
               "- Deploys the image and comments with the review URL",
               "",
-              "`/delete-review-app`",
+              "`+review-app-delete`",
               "- Deletes the review app when the PR is done",
               "- This also runs automatically when the PR closes",
               "",
+              "`+review-app-help`",
+              "- Shows this help message",
+              "",
               "## Repository secrets",
               "",
               "- `CPLN_TOKEN_STAGING`",
@@ -61,9 +64,15 @@ jobs:
               "- `DOCKER_BUILD_EXTRA_ARGS` (optional Docker build flags)",
               "- `DOCKER_BUILD_SSH_KNOWN_HOSTS` (optional when SSH build hosts are not GitHub.com)",
               "",
+              "## App secrets and shared grants",
+              "",
+              "- This repo keeps the app secret dictionary/policy pattern generated from `{{APP_SECRETS}}` and `{{APP_SECRETS_POLICY}}`",
+              "- `shared_secret_grants` is only for a separate shared org-level dictionary referenced from templates with `{{SHARED_SECRET_<NAME>}}`",
+              "- Do not add `shared_secret_grants` unless app templates actually reference that shared dictionary",
+              "",
               "## Workflow behavior",
               "",
-              "- Review apps are opt-in and created with `/deploy-review-app`",
+              "- Review apps are opt-in and created with `+review-app-deploy`",
               "- New commits redeploy existing review apps automatically",
               "- Pushes to the staging branch deploy staging automatically",
               "- Promotion to production is manual via the Actions tab",

.github/workflows/cpflow-review-app-help.yml

@@ -19,13 +19,13 @@ jobs:
             const body = [
               "# Control Plane review app commands",
               "",
-              "`/deploy-review-app`",
+              "`+review-app-deploy`",
               "Create the review app or redeploy the PR branch to it.",
               "",
-              "`/delete-review-app`",
+              "`+review-app-delete`",
               "Delete the review app and its temporary resources.",
               "",
-              "`/help`",
+              "`+review-app-help`",
               "Show the required GitHub variables, secrets, and workflow behavior."
             ].join("\n");
 

Gemfile

@@ -5,7 +5,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 ruby "3.4.6"
 
-gem "react_on_rails", "16.6.0.rc.0"
+gem "react_on_rails", "17.0.0.rc.1"
 gem "shakapacker", "10.0.0.rc.0"
 
 # Bundle edge Rails instead: gem "rails", github: "rails/rails"