Clarify review app security guidance

[justin808]

Summary

• document that public fork PRs do not deploy review apps because the workflow uses repository secrets
• clarify that review-app secrets, renderer credentials, database values, and Pro license values are readable by PR code once mounted
• recommend review/staging-scoped Control Plane tokens and read-only deploy keys for private build dependencies

Verification

• git diff --check

---

Note

Low Risk
Markdown and template comment changes only; no application, workflow, or infrastructure behavior is modified.

Overview
Documentation-only updates across Control Plane and cpflow help docs to spell out review-app security expectations.

Fork PRs and deploys: Public fork PR heads do not get review-app deploys because Docker builds use repository secrets; contributors should land changes on a trusted branch in this repo when a review app is needed. Comment-triggered deploys on fork PRs still should not run untrusted fork code.

Secrets and tokens: Staging/review CPLN_TOKEN_STAGING must not reach production Control Plane orgs or secret dictionaries. Review apps execute PR code, so values mounted via cpln://secret/... (shared qa-* dictionaries, renderer credentials, DB URLs, Pro license) must be review-safe and must not reuse production or long-lived staging secrets. Template comments in app.yml and org.yml reinforce the same rules.

Build keys: DOCKER_BUILD_SSH_KEY guidance now calls for a read-only, revocable deploy key instead of a personal SSH key.

^{Reviewed by Cursor Bugbot for commit 5945332. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Documentation
  • Enhanced deployment security guidance for review and staging environments, including best practices for credential management and token usage.
  • Clarified deployment restrictions and requirements for pull requests from forked repositories to ensure secure build processes.
  • Improved instructions on managing secret values and preventing production credential exposure in non-production deployments.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 98479cf3-86a1-4215-a7f8-b7dea2f3edae

📥 Commits

Reviewing files that changed from the base of the PR and between 6378189 and 5945332.

📒 Files selected for processing (5)

• .controlplane/readme.md
• .controlplane/shakacode-team.md
• .controlplane/templates/app.yml
• .controlplane/templates/org.yml
• .github/cpflow-help.md

---

Walkthrough

Documentation enhancements clarify review-app deployment security across Control Plane configuration and GitHub workflow guidance: staging/review tokens must not access production resources, fork PR deployments are restricted due to Docker build secrets, and review-app secret dictionaries must use only disposable/review-safe credentials, never reusing production values.

Changes

Review-App Deployment Safety and Credential Guidance

Layer / File(s)	Summary
Fork PR deployment constraints and staging token requirements .controlplane/readme.md, .controlplane/shakacode-team.md	Specifies that staging/review tokens cannot access production Control Plane resources or secret dictionaries; clarifies that fork PR heads skip deployment due to Docker build secret handling; explains when reviewed code must be moved to a trusted repository branch for review-app deployment.
Review-app secret dictionaries and credential constraints .controlplane/readme.md, .controlplane/shakacode-team.md, .controlplane/templates/app.yml, .controlplane/templates/org.yml	Documents that review-app secret dictionaries must be constrained to disposable review-safe credentials and acceptable license values; specifies staging/review service-account token requirements; clarifies qa-* dictionary bootstrap for review apps versus manual prod/staging creation; updates REACT_ON_RAILS_PRO_LICENSE guidance to prevent production secret exposure to pull-request code.
GitHub workflow help documentation and Docker build SSH key guidance .github/cpflow-help.md	Expands public-repository review-app setup guidance with staging token limits, fork/heads deploy behavior, and cpln://secret/... exposure warnings; clarifies that DOCKER_BUILD_SSH_KEY should be a read-only revocable deploy key rather than a personal SSH key.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#737: Updates .github/cpflow-help.md and Control Plane docs to clarify review-app deployment triggers and fork PR handling with secrets/tokens.
• shakacode/react-webpack-rails-tutorial#747: Aligns cpflow review-app guidance documentation, particularly staging vs production tokens and review-app SSH key/secret handling.
• shakacode/react-webpack-rails-tutorial#735: Regenerates cpflow deploy flow and updated review-app help docs for fork-triggered deployments alongside the main PR's fork PR and credential constraints.

Poem

🐰 Fork prs dance with caution's grace,
Staging tokens keep secrets in their place,
No production keys in review-app zones,
Just disposable creds on borrowed thrones. ✨
Rabbit guards the safety, line by line,
So review-apps stay secure and fine!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly summarizes the main objective of this documentation-focused pull request, which updates multiple files to clarify security guidance for review app deployments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/review-app-security-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[greptile-apps]

Greptile Summary

This documentation-only PR adds security guidance across five Control Plane and GitHub Actions markdown files, clarifying how review-app secrets are scoped and why public fork PR heads are skipped during deploys.

• Documents that fork PR heads are excluded from review-app deploys because Docker builds consume repository secrets, and explains the workaround (moving the change to a trusted branch).
• Adds explicit warnings that any value mounted via cpln://secret/... is readable by PR code, recommending disposable databases, review-only renderer credentials, and review-scoped Control Plane tokens.
• Tightens the DOCKER_BUILD_SSH_KEY description to recommend read-only, revocable deploy keys instead of personal SSH keys.

Confidence Score: 4/5

Documentation-only change with accurate, well-scoped guidance; safe to merge after fixing the missing blank line in readme.md.

All five files contain only comment and documentation updates — no workflow logic, template values, or secrets are modified. The guidance added is internally consistent and matches best practices for isolating review-app credentials. The only defect is a missing blank line in readme.md that causes two distinct paragraphs to merge when rendered.

.controlplane/readme.md — the new fork-PR paragraph runs directly into the next paragraph without a blank line separator, which collapses them in rendered Markdown.

Important Files Changed

Filename	Overview
.controlplane/readme.md	Adds fork-PR deploy skip rationale and review-app secret isolation guidance; one missing blank line causes two paragraphs to merge in rendered output.
.controlplane/shakacode-team.md	Adds fork-PR deploy restriction and review-safe secrets guidance; wording is clear and consistent with other files.
.controlplane/templates/app.yml	Appends a one-line "review-safe" reminder to the existing secrets comment; no functional change.
.controlplane/templates/org.yml	Rewrites the qa-* dictionary comment to emphasize disposable/review-safe values and separate production dictionaries; adds note about using a review-safe Pro license token.
.github/cpflow-help.md	Adds fork-PR deploy skip explanation, review-app secret exposure warning, and tightens DOCKER_BUILD_SSH_KEY guidance to recommend read-only deploy keys instead of personal keys.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR pushed] --> B{Fork PR?}
    B -- Yes --> C[Skip deploy\nrepo secrets unavailable]
    B -- No --> D{Trusted branch?}
    D -- Yes --> E[Build Docker image\nusing repo secrets]
    D -- No / Untrusted --> C
    E --> F[Deploy review app]
    F --> G[Mount cpln://secret/...\nvalues into workload]
    G --> H{Secrets review-safe?}
    H -- Yes\ndisposable DB, review token --> I[PR code runs safely]
    H -- No\nprod secrets reused --> J[⚠️ Secrets exposed\nto PR code]

Loading

_{Reviews (1): Last reviewed commit: "docs: clarify review app security" | Re-trigger Greptile}

[greptile-apps]

Missing blank line between paragraphs — without it, the "Fork PR heads are skipped…" sentence flows directly into "Pushes to the staging branch…" in the rendered Markdown, merging them into one paragraph and obscuring both messages.

Suggested change

	automatically. Use `+review-app-help` for the review-app command reference.
	Fork PR heads are skipped for deploys because the workflow builds Docker images
	with repository secrets. A trusted comment on a fork PR still should not deploy
	the fork head; move the reviewed change to a branch in this repository when a
	review app is needed.
	Pushes to the staging branch deploy staging, and production promotion is manual
	automatically. Use `+review-app-help` for the review-app command reference.
	Fork PR heads are skipped for deploys because the workflow builds Docker images
	with repository secrets. A trusted comment on a fork PR still should not deploy
	the fork head; move the reviewed change to a branch in this repository when a
	review app is needed.
	Pushes to the staging branch deploy staging, and production promotion is manual

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[claude]

Missing blank line between this new paragraph and the following "Pushes to the staging branch…" paragraph. Without it, Markdown renders them as a single run-on paragraph.

Suggested change

	review app is needed.
	review app is needed.

[claude]

Code Review: Clarify review-app security guidance

Summary: Documentation-only PR adding security guidance around review-app secrets, fork PR deploy restrictions, and SSH key best practices. No application, workflow, or infrastructure code is changed.

---

What the PR does well

• Fork PR deploy restriction is clearly explained across all relevant docs — the reason (Docker builds consume repository secrets) is stated inline, which is more useful than a bare rule.
• Secret exposure surface is now explicitly called out: PR code can read anything mounted via cpln://secret/..., so review-app dictionaries must use disposable / review-scoped values. This is important and was previously undocumented.
• Read-only deploy key recommendation for DOCKER_BUILD_SSH_KEY is the right call — personal SSH keys in CI secrets are a common, high-impact mistake.
• Changes are consistent across the four docs files, avoiding drift between them.

---

Issues

Formatting bug — missing blank line (inline comment posted)

In .controlplane/readme.md the four new lines ending in review app is needed. are not separated from the following paragraph by a blank line, so Markdown renders them as one continuous paragraph. See the inline suggestion.

Ambiguous language: "still should not deploy"

A trusted comment on a fork PR still should not deploy the fork head

"Should not" reads like a recommendation, but the intent appears to be that the workflow enforces this — fork heads are actively skipped, not merely discouraged. Consider:

A trusted comment on a fork PR does not deploy the fork head; the workflow skips it. Move the reviewed change to a branch in this repository when a review app is needed.

This avoids implying that someone could override the behaviour if they chose to.

shakacode-team.md — sentence fragment

Review apps run pull request code. Keep CPLN_TOKEN_STAGING, qa-react-webpack-rails-tutorial-secrets, database credentials, renderer credentials, and license values limited to review/staging use.

The list mixes a token name (CPLN_TOKEN_STAGING) with secret dictionary names and value categories, which can confuse readers about what "limited to review/staging use" means for each. Splitting into two sentences — one about the token scope, one about secret dictionary contents — would improve clarity.

---

Minor nits

• .controlplane/readme.md line ~34: the new paragraph about fork PRs and CPLN_TOKEN_STAGING could benefit from a > **Note** block-quote to match the visual style used elsewhere in the same file.
• .controlplane/templates/org.yml comment: "Use a review-safe token for public review apps if the production token must not be exposed" — for a public repository the production token always must not be exposed, so the conditional "if" weakens a should-be-absolute rule.

---

Verdict

Approve with minor fixes. The formatting bug is the only change needed before merge; the rest are suggestions. The security guidance itself is accurate and addresses a real gap in the docs.

[github-actions]

✅ Review App Deleted

Review app for PR #752 is deleted

🎮 Control Plane Console
📋 View Workflow Logs