Clarify production environment secret setup

[justin808]

Summary

• Add exact remediation steps for the CPLN_TOKEN_PRODUCTION is not set production promotion failure.
• Clarify that the production token must live on the protected production GitHub Environment, not as a repository or organization secret.
• Include gh secret set/list --env production commands in the generated help, team notes, and Control Plane docs.

Related upstream generator/docs PR: shakacode/control-plane-flow#351

Verification

• git diff --check -- .github/cpflow-help.md .controlplane/shakacode-team.md .controlplane/readme.md
• /Users/justin/.agents/skills/autoreview/scripts/autoreview --mode local (clean, no actionable findings)

---

Note

Low Risk
Documentation-only changes with no runtime, CI, or secret-handling code changes.

Overview
Adds matching production promotion troubleshooting to .controlplane/readme.md, .controlplane/shakacode-team.md, and .github/cpflow-help.md.

When promotion fails with CPLN_TOKEN_PRODUCTION is not set. Add it as a secret on the 'production' GitHub Environment., the docs now explain that the token must be on the protected production GitHub Environment, not a repo/org secret, and give gh secret set / gh secret list with --env production, plus a note that environment-management permissions are required.

^{Reviewed by Cursor Bugbot for commit b31af7b. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Documentation
  • Added troubleshooting for failed production promotions when the production environment token is missing, clarifying that repository/org secrets are insufficient for this workflow.
  • Provided exact gh CLI commands to create and verify the required environment-scoped secret for production.
  • Harmonized guidance across promotion-related docs and added a note about required permissions to manage repository environments and secrets.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 699ebdb6-82a5-40a7-9483-21328bc15e5c

📥 Commits

Reviewing files that changed from the base of the PR and between f76c3a1 and b31af7b.

📒 Files selected for processing (3)

• .controlplane/readme.md
• .controlplane/shakacode-team.md
• .github/cpflow-help.md

✅ Files skipped from review due to trivial changes (1)

• .controlplane/shakacode-team.md

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/cpflow-help.md
• .controlplane/readme.md

---

Walkthrough

This PR adds consistent troubleshooting documentation across three files describing a common production promotion failure: when CPLN_TOKEN_PRODUCTION is missing from the GitHub Environment scope. Each file now includes the same guidance with gh CLI commands to set and verify the environment secret.

Changes

Production promotion troubleshooting guidance

Layer / File(s)	Summary
CPLN_TOKEN_PRODUCTION environment secret guidance .controlplane/readme.md, .controlplane/shakacode-team.md, .github/cpflow-help.md	Three documentation files receive parallel troubleshooting sections explaining that CPLN_TOKEN_PRODUCTION must be set as a GitHub Environment secret (not repo/org scope) for the production environment, with identical gh secret set and gh secret list commands scoped to --env production.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#747: Updates production promotion documentation around CPLN_TOKEN_PRODUCTION in the protected production GitHub Environment with main PR adding troubleshooting commands.
• shakacode/react-webpack-rails-tutorial#735: Both PRs update documentation around CPLN_TOKEN_PRODUCTION; this PR adds troubleshooting gh secret set/list --env production guidance while the retrieved PR restructures cpflow-help and related docs.

Poem

🐰 I hopped through docs to find the spot,
A missing token in env, oh what a plot!
gh secret set — a gentle tap,
gh secret list to close the gap,
Now promotions hop along, no more stop. 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Clarify production environment secret setup' directly and accurately summarizes the main objective of the pull request: adding documentation to clarify how to properly configure the CPLN_TOKEN_PRODUCTION secret in the production GitHub Environment.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/clarify-production-env-secret-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review

Overview: Documentation-only PR that adds troubleshooting steps for the CPLN_TOKEN_PRODUCTION is not set production promotion failure. No runtime or workflow code is modified.

What it does well:

• Clear, actionable remediation steps with exact gh CLI commands
• Correctly identifies the key distinction: repo/org-level secrets do not satisfy environment-scoped secret requirements
• Consistent placement across the three files that cover the same workflow

Issues found:

Minor inconsistency across the three files

.controlplane/shakacode-team.md is missing the sentence present in the other two files:

A repository or organization secret with the same name is not enough for this workflow.

That sentence is the most important clarification — it's the likely source of confusion. Omitting it from the team notes file leaves that audience without the explicit warning.

Suggestion: Add that sentence to .controlplane/shakacode-team.md to keep all three files consistent.

---

Security note: The gh secret set command in the docs will prompt for the token value interactively (no --body flag), which is safe. No secrets are hard-coded.

Overall: Low-risk, high-value docs change. Approved pending the consistency fix above.

[greptile-apps]

Greptile Summary

This PR adds identical troubleshooting blocks to three documentation files, clarifying that CPLN_TOKEN_PRODUCTION must be stored on the protected production GitHub Environment (not as a repository or organization secret) and providing exact gh secret set/list --env production commands to resolve the failure.

• .controlplane/readme.md and .github/cpflow-help.md receive the full remediation block including the note that a repo/org secret is insufficient.
• .controlplane/shakacode-team.md receives a shorter variant that omits that clarifying sentence, creating a minor inconsistency across the three files.

Confidence Score: 4/5

Documentation-only change; no executable code is modified and the remediation commands are correct for the described failure scenario.

All three files describe the same workflow correctly, but shakacode-team.md omits the clarifying sentence about repo/org secrets being insufficient that appears in the other two files — a reader following only that file might still try the wrong secret scope before reaching the --env flag.

.controlplane/shakacode-team.md — the truncated remediation text is the one inconsistency worth reviewing.

Important Files Changed

Filename	Overview
.controlplane/readme.md	Adds a troubleshooting block for the CPLN_TOKEN_PRODUCTION is not set error with gh secret set/list remediation commands scoped to the production environment.
.controlplane/shakacode-team.md	Adds a similar troubleshooting block but omits the clarifying sentence present in the other two files explaining that a repo/org secret with the same name is insufficient.
.github/cpflow-help.md	Adds the same troubleshooting block as readme.md with the full clarifying sentence about repo/org secrets being insufficient.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Env as production Environment
    participant CP as Control Plane

    Dev->>GH: Push / trigger promotion workflow
    GH->>Env: Request approval gate
    Env-->>GH: Approved → inject CPLN_TOKEN_PRODUCTION
    GH->>CP: Deploy using CPLN_TOKEN_PRODUCTION
    CP-->>GH: Deployment success

    Note over Dev,Env: If CPLN_TOKEN_PRODUCTION missing from Env scope:
    Dev->>GH: gh secret set CPLN_TOKEN_PRODUCTION --env production
    GH->>Env: Secret stored in environment scope
    Dev->>GH: gh secret list --env production (verify)

Loading

_{Reviews (1): Last reviewed commit: "Clarify production environment secret se..." | Re-trigger Greptile}

[claude]

The other two files (.controlplane/readme.md and .github/cpflow-help.md) include the sentence:

A repository or organization secret with the same name is not enough for this workflow.

This is the key clarification that prevents confusion. It's missing here, leaving team members without the explicit warning.

Suggested change

	the token is missing from the environment scope. A repository or organization
	secret with the same name is not enough for this workflow. Configure it with:

[justin808]

Fixed in f76c3a1 by adding the missing repository/organization-secret warning to .controlplane/shakacode-team.md.

[greptile-apps]

The two other files (.controlplane/readme.md and .github/cpflow-help.md) include the sentence "A repository or organization secret with the same name is not enough for this workflow." This context is the key reason someone reaches for the gh secret set --env flag rather than the repository-level secret page, and its absence here leaves a gap for readers of this file.

Suggested change

	the token is missing from the environment scope. Configure it with:
	the token is missing from the environment scope. A repository or organization
	secret with the same name is not enough for this workflow. Configure it with:

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[justin808]

Fixed in f76c3a1 by adding the missing repository/organization-secret warning to .controlplane/shakacode-team.md.

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[claude]

Code Review: PR #753 — Clarify production environment secret setup

Overall: LGTM. Documentation-only, low risk. The additions are clear, actionable, and placed in the right locations for discoverability.

What the PR does

Adds a consistent troubleshooting section to three docs (.controlplane/readme.md, .controlplane/shakacode-team.md, .github/cpflow-help.md) explaining that CPLN_TOKEN_PRODUCTION must live in a GitHub Environment secret scoped to production — not a repo or org secret — and provides exact gh CLI commands to fix it.

Suggestions

Minor — wording inconsistency across files
.controlplane/readme.md and .github/cpflow-help.md say "Create or verify the environment secret with:", while .controlplane/shakacode-team.md says "Configure it with:". Harmonizing to the former phrasing would be more consistent across all three files.

Minor — missing permission note
gh secret set --env production requires environment admin access (or repo admin). Without it the command returns a 403 and gives the reader no useful signal. A one-liner like "You must have environment admin access to run these commands." would prevent a confusing dead-end.

Minor — gh secret set interactive prompt
Without --body, gh secret set prompts interactively for the secret value — correct behavior for a troubleshooting doc. No change needed, but worth knowing if anyone adapts this for scripting (echo $TOKEN | gh secret set ...).

No concerns on

• Security: gh secret list exposes only names, never values. Safe to document.
• Accuracy: Error message string, --env production flag, and hardcoded repo path all look correct for this repo-specific context.
• Coverage: All three relevant docs updated.

[claude]

Minor wording inconsistency: the other two files (readme.md, cpflow-help.md) use "Create or verify the environment secret with:" at this point. Consider aligning for consistency:

Suggested change

	secret with the same name is not enough for this workflow. Configure it with:
	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with:

[justin808]

Fixed in b31af7b by aligning the wording with the other two files and adding the permission note across all three docs.

[claude]

The permission note was inserted between the colon-ending sentence and its code block, breaking the prose flow. A sentence ending with : implies the code block immediately follows — a reader following the colon lands on a second sentence instead.

Consider either folding the caveat into the lead-in line or placing it after the block:

Suggested change

	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with:
	You need permission to manage repository environments and secrets to run these
	commands.
	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with the `gh` CLI (requires permission to manage repository environments and secrets):

[claude]

Same prose-flow issue as in readme.md — the permission note lands between the colon and its code block.

Suggested change

	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with:
	You need permission to manage repository environments and secrets to run these
	commands.
	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with the `gh` CLI (requires permission to manage repository environments and secrets):

[claude]

Same prose-flow issue — permission note interrupts the colon→code-block expectation.

Suggested change

	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with:
	You need permission to manage repository environments and secrets to run these
	commands.
	secret with the same name is not enough for this workflow. Create or verify the
	environment secret with the `gh` CLI (requires permission to manage repository environments and secrets):

[claude]

gh secret set without --body or piped input will prompt interactively for the secret value, which is the right behaviour — but worth noting for readers who aren't familiar with the CLI, otherwise the command looks incomplete. A short comment like # (prompts for the token value) or a preceding sentence would help.

Suggested change

	gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production
	gh secret set CPLN_TOKEN_PRODUCTION --repo shakacode/react-webpack-rails-tutorial --env production # prompts for the token value
	gh secret list --repo shakacode/react-webpack-rails-tutorial --env production

[claude]

Review: Clarify production environment secret setup

Overall: Documentation-only change. The troubleshooting block is valuable and the core content is accurate. One structural prose issue appears in all three files (introduced in the final commit), plus a minor UX nit on the gh command.

---

Issues

Prose flow broken in all three files (must-fix)

The third commit inserted the permission note directly after a sentence ending with a colon, without a blank line separating it from the code block the colon was pointing to:

Create or verify the environment secret with:
You need permission to manage repository environments and secrets to run these commands.

```sh

A sentence ending in : leads the reader to expect the code block next. The permission note interrupts that expectation and reads as a run-on sentence. See the inline suggestions — the fix is a one-line reword that folds the caveat into the lead-in sentence.

gh secret set looks incomplete without a value hint (minor)

Running gh secret set CPLN_TOKEN_PRODUCTION ... with no --body flag or piped input is correct behaviour (the CLI prompts interactively), but readers unfamiliar with gh may think the command is missing an argument. A trailing # prompts for the token value comment removes that ambiguity.

---

Positives

• Content is accurate: environment secrets vs. repo/org secrets is the right distinction, and --env production is the correct flag.
• Wording is consistent across all three doc files.
• Low blast radius — no code or CI changes.

[github-actions]

✅ Review App Deleted

Review app for PR #753 is deleted

🎮 Control Plane Console
📋 View Workflow Logs