Pin cpflow workflows to runner wait fix #761

Merged: justin808 merged 1 commit into master from jg-codex/pin-runner-race-fix, Jun 3, 2026

@justin808 justin808 commented Jun 3, 2026

Summary

  • Pin generated cpflow GitHub workflow wrappers to merged upstream control-plane-flow commit d8877ca0c9c1d88947f322903e4a4344641029ba
  • Update generated/help docs to explain the temporary SHA covers production promotion hardening plus the release-runner timeout fix
  • Keep CPFLOW_VERSION unset so workflows build cpflow from the pinned upstream source

Why

The merged hardening PR deployed staging from master but timed out in the release phase: https://github.com/shakacode/react-webpack-rails-tutorial/actions/runs/26867270700

Control Plane showed the rails-runner cron job completed successfully from 2026-06-03T06:21:52Z to 2026-06-03T06:22:22Z, but cpflow kept polling for a runner replica until GitHub cancelled the job at 30 minutes. Upstream fix merged in shakacode/control-plane-flow#361 at d8877ca0c9c1d88947f322903e4a4344641029ba.

Verification

  • bin/conductor-exec ruby -e 'require "yaml"; Dir[".github/workflows/*.yml"].sort.each { |path| YAML.load_file(path); puts path }'
  • bin/conductor-exec bin/test-cpflow-github-flow ruby /private/tmp/control-plane-flow-docs.XP4Efz/bin/cpflow
  • git diff --check

Note

Low Risk
Mechanical ref bump in CI wrappers and documentation only; no application or runtime code changes.

Overview
Bumps the temporary control-plane-flow pin from 2d822557… to d8877ca0… across generated GitHub workflow wrappers (review apps, staging, cleanup, help) and the production promotion workflow’s upstream checkout and control_plane_flow_ref.

Docs in .controlplane/readme.md, .controlplane/shakacode-team.md, and .github/cpflow-help.md now describe that SHA as carrying merged-but-unreleased production promotion hardening plus the release-runner timeout fix (so release phases stop polling after the runner job finishes). CPFLOW_VERSION stays unset so jobs build cpflow from the pinned checkout.

Reviewed by Cursor Bugbot for commit 49879e9.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow references to a short-lived upstream revision used for testing, improving release-runner behavior and timeouts across deployment pipelines.
  • Documentation
    • Revised control-plane guidance and CI automation docs to reflect the temporary workflow pinning approach and to advise leaving the CPFLOW_VERSION unset during the test window.

github-actions Bot commented Jun 3, 2026

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

coderabbitai Bot commented Jun 3, 2026

Walkthrough

This PR repins the upstream shakacode/control-plane-flow commit reference to d8877ca0c9c1d88947f322903e4a4344641029ba across documentation and all cpflow GitHub Actions wrappers, preserving guidance to leave CPFLOW_VERSION unset while testing an immutable commit SHA.

Changes

Control Plane Flow Upstream Reference Update

| Layer / File(s) | Summary |
| --- | --- |
| Pinning guidance and documentation: .controlplane/readme.md, .controlplane/shakacode-team.md, .github/cpflow-help.md | Docs updated to reference the new testing commit SHA d8877ca0c9c1d88947f322903e4a4344641029ba and to keep the policy: release tags for steady-state, full commit SHAs only for short-lived testing with CPFLOW_VERSION unset. |
| Review app and staging workflow references: .github/workflows/cpflow-cleanup-stale-review-apps.yml, .github/workflows/cpflow-delete-review-app.yml, .github/workflows/cpflow-deploy-review-app.yml, .github/workflows/cpflow-deploy-staging.yml, .github/workflows/cpflow-help-command.yml, .github/workflows/cpflow-review-app-help.yml | All reusable workflow uses: references updated to point at the new pinned upstream commit SHA d8877ca0..., changing which upstream workflow revision executes. |
| Production promotion workflow references: .github/workflows/cpflow-promote-staging-to-production.yml | Updated the actions/checkout ref that fetches control-plane-flow and the control_plane_flow_ref input passed to cpflow-setup-environment to the new pinned commit SHA. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A little rabbit hops the CI lane,
Pins a SHA to test the hardened chain.
Docs refreshed and workflows now aligned,
Short-lived testing, steady tags confined.
Hoppity happy, the pipelines hum along.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Pin cpflow workflows to runner wait fix' accurately describes the primary change: pinning GitHub workflows to an upstream commit containing a runner timeout/wait fix. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

claude Bot commented Jun 3, 2026

Code Review

Overview

This PR re-pins all generated cpflow GitHub Actions workflow refs and related documentation from upstream commit 2d8225572e to 2ffe4d0ab2 to pick up both the production promotion hardening and the release-runner polling timeout fix. The change is purely mechanical and low-risk: 10 files, all SHA replacements with matching doc updates.

What looks good

  • Consistency: All 10 files are updated with the same new SHA — no stragglers. The two locations in cpflow-promote-staging-to-production.yml (the actions/checkout ref: and the control_plane_flow_ref: input) are both updated correctly.
  • Full SHA pinning is the right security posture: Using a 40-character commit SHA instead of a mutable branch or tag prevents supply-chain attacks where a tag could be silently moved to a malicious commit. This is the GitHub Actions security best practice.
  • Documentation kept in sync: All three doc files (readme.md, shakacode-team.md, cpflow-help.md) now accurately describe the pin as covering both the promotion hardening and the timeout fix, and the CI automation guide link in cpflow-help.md is updated to point to the matching commit so readers see docs that match the running code.
  • PR description is thorough: Links to the failing CI run, the upstream fix PR, and the Control Plane task-completion timestamps make the regression easy to understand and verify later.

Suggestions

  1. Track the migration back to a release tag. The docs correctly say this pin is temporary and should be replaced with a release tag once the upstream PRs ship. Consider opening a follow-up issue (or adding a # TODO(issue-link) comment in one of the workflow files) so the temporary state does not quietly persist beyond its intended window.

  2. Verify the new SHA before merging. The upstream fix referenced in the PR body is Handle completed runner jobs before replicas appear control-plane-flow#361. Confirming that 2ffe4d0ab222585e47618ddbbfa0a7bee95dba73 is a commit on the default branch of shakacode/control-plane-flow that includes that merged PR would close the loop on correctness (a wrong SHA would silently fall back to a previous behavior or fail at runtime).

  3. No functional code changes means no new test coverage needed, but the verification steps in the PR body (bin/conductor-exec ruby -e '...' YAML.load_file..., bin/conductor-exec bin/test-cpflow-github-flow) are appropriate regression checks — confirming those passed before merging is sufficient.

Risk assessment

Low. No application code, secrets, or runtime behaviour changes. The only impact is which upstream cpflow commit GitHub Actions checks out when a CI job runs. The worst credible failure mode is a bad SHA causing a workflow to fail loudly at checkout — which is immediately visible and easily rolled back.

greptile-apps Bot commented Jun 3, 2026

Greptile Summary

This PR advances the pinned upstream control-plane-flow commit SHA from 2d8225572edd6f54c83ba9c51bd2983546989e93 to 2ffe4d0ab222585e47618ddbbfa0a7bee95dba73 across all six GitHub workflow wrappers and three documentation files, picking up the release-runner timeout fix (upstream PR #361) that caused a staging deployment to stall at the polling step.

  • All workflow uses: references and the manual actions/checkout ref: + control_plane_flow_ref in the production-promotion workflow are updated to the new SHA — changes are consistent and complete across every file.
  • Documentation in .controlplane/readme.md, .controlplane/shakacode-team.md, and .github/cpflow-help.md is updated to reference the new SHA and clarify that the pin covers both the promotion hardening and the runner-timeout fix.
  • CPFLOW_VERSION remains intentionally unset so the workflows build cpflow from the pinned source rather than a released gem version.

Confidence Score: 5/5

Safe to merge — all changes are a mechanical SHA bump in workflow uses: references and documentation, with no logic modifications.

Every changed line is either a SHA substitution in a workflow uses: or checkout ref: field, or a documentation update describing the new pin. The new SHA picks up the upstream runner-wait fix that caused the previous staging deploy to time out. All six workflow files and both ref:/control_plane_flow_ref entries in the production-promotion workflow are updated to the same new SHA, so the change is internally consistent. No workflow logic, secrets handling, or permission scopes were touched.

No files require special attention. The production-promotion workflow has two SHA references (checkout ref: and control_plane_flow_ref input) and both are correctly updated to match.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/cpflow-promote-staging-to-production.yml | SHA bumped in both the actions/checkout ref: for the cpflow source and the control_plane_flow_ref input passed to the setup action — both references updated consistently. |
| .github/workflows/cpflow-deploy-staging.yml | SHA bumped to 2ffe4d0 in the reusable workflow uses: reference — this is the most impacted workflow, as the prior timeout failure occurred during staging deployment. |
| .github/workflows/cpflow-deploy-review-app.yml | SHA bumped to 2ffe4d0 in the reusable workflow uses: reference — mechanical update, no other changes. |
| .github/workflows/cpflow-cleanup-stale-review-apps.yml | SHA bumped from 2d82255 to 2ffe4d0 in the reusable workflow uses: reference — mechanical update, no logic changes. |
| .github/workflows/cpflow-delete-review-app.yml | SHA bumped to 2ffe4d0 in the reusable workflow uses: reference — mechanical update, no other changes. |
| .github/workflows/cpflow-help-command.yml | SHA bumped to 2ffe4d0 in the reusable workflow uses: reference — mechanical update, no other changes. |
| .github/workflows/cpflow-review-app-help.yml | SHA bumped to 2ffe4d0 in the reusable workflow uses: reference — mechanical update, no other changes. |
| .github/cpflow-help.md | SHA in the CI automation guide link and in the pinning explanation updated to 2ffe4d0; prose expanded to mention the release-runner timeout fix. |
| .controlplane/readme.md | SHA reference and explanatory text updated to reflect the new upstream commit and the addition of the release-runner timeout fix. |
| .controlplane/shakacode-team.md | SHA reference and surrounding prose updated consistently with the rest of the docs to include the release-runner timeout fix context. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Workflow Trigger] --> B{Workflow Type}
    B --> C[cpflow-deploy-staging]
    B --> D[cpflow-deploy-review-app]
    B --> E[cpflow-delete-review-app]
    B --> F[cpflow-cleanup-stale-review-apps]
    B --> G[cpflow-help-command]
    B --> H[cpflow-review-app-help]
    B --> I[cpflow-promote-staging-to-production]
    C -->|uses: @2ffe4d0| J[shakacode/control-plane-flow]
    D -->|uses: @2ffe4d0| J
    E -->|uses: @2ffe4d0| J
    F -->|uses: @2ffe4d0| J
    G -->|uses: @2ffe4d0| J
    H -->|uses: @2ffe4d0| J
    I -->|checkout ref: 2ffe4d0| J
    I -->|control_plane_flow_ref: @2ffe4d0| J
    J --> K[Runner wait fix included - PR 361 + promotion hardening]

Reviews (1): Last reviewed commit: "Pin cpflow workflows to runner wait fix"

justin808 force-pushed the jg-codex/pin-runner-race-fix branch from e122b52 to 49879e9, June 3, 2026 09:38

claude Bot commented Jun 3, 2026

Code Review

Summary: This is a mechanical ref bump of the pinned control-plane-flow commit SHA from 2d82255… to d8877ca… across 7 GitHub workflow files, plus documentation updates in 3 files explaining the new SHA covers both the production promotion hardening and the release-runner timeout fix.


What the PR does

  • Bumps the upstream control-plane-flow commit pin in all uses: entries (review-app deploy/delete/cleanup/help, staging deploy, help command, review-app-help)
  • Updates both the checkout ref: and the control_plane_flow_ref input in the production promotion workflow (these must stay in sync — and they do)
  • Updates .controlplane/readme.md, .controlplane/shakacode-team.md, and .github/cpflow-help.md to explain the new SHA carries the runner timeout fix in addition to the promotion hardening

Assessment

Correctness: The bump is consistent across all 7 workflow files. The production promotion workflow is the trickiest because it carries two SHA references (checkout ref: and control_plane_flow_ref input) — both are updated together correctly.

Security: Pinning to a full 40-character commit SHA is more tamper-resistant than a mutable branch ref, and is a GitHub-recommended practice for third-party actions. persist-credentials: false remains set on the control-plane-flow checkout. Secrets are passed via secrets: inheritance, not hardcoded. No regressions here.

Documentation: The three doc files now clearly describe the SHA as covering both promotion hardening and the release-runner timeout fix, with explicit guidance to move back to a release tag once upstream ships the changes.

Risk: Low. No application code, test code, or runtime configuration is touched. The only behavioral change is which upstream commit the CI jobs pull from, and the motivation (fixing a 30-minute runner-polling timeout) is well-evidenced by the linked CI run.

Minor notes

  • The temporary SHA strategy is explicitly acknowledged as short-lived (pending upstream release tag). A follow-up PR to switch back to a version tag once control-plane-flow cuts a release would complete the loop.
  • CPFLOW_VERSION intentionally stays unset — correct, since setting it alongside a SHA pin would cause the setup action's validation to fail.

Verdict: Approve. Changes are minimal, consistent, well-documented, and address a real CI failure with a properly scoped fix.
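
The consistency property the reviews above describe (every ref that selects upstream control-plane-flow code is the same full 40-character SHA, including the checkout ref: and control_plane_flow_ref pair in the production promotion workflow) can be checked mechanically. The following is an added example, not part of this PR or of control-plane-flow; the sample YAML is constructed, and the reusable-workflow file name and setup-action path in it are hypothetical.

```ruby
require "yaml"

UPSTREAM = "shakacode/control-plane-flow"
FULL_SHA = /\A[0-9a-f]{40}\z/
NEW_PIN  = "d8877ca0c9c1d88947f322903e4a4344641029ba" # pin named in this PR

# Collect refs from `uses:`, checkout `repository:`/`ref:`, and control_plane_flow_ref.
def upstream_refs(node, found = [])
  if node.is_a?(Hash)
    found << node["ref"].to_s if node["repository"] == UPSTREAM && node.key?("ref")
    found << node["control_plane_flow_ref"].to_s if node.key?("control_plane_flow_ref")
    uses = node["uses"].to_s
    found << uses.split("@", 2)[1].to_s if uses.start_with?("#{UPSTREAM}/")
    node.each_value { |value| upstream_refs(value, found) }
  elsif node.is_a?(Array)
    node.each { |item| upstream_refs(item, found) }
  end
  found
end

# Returns a list of problems; empty means every upstream ref is the same full SHA.
def audit_pins(files)
  refs = files.flat_map do |path, text|
    upstream_refs(YAML.safe_load(text)).map { |ref| [path, ref] }
  end
  problems = refs.reject { |_, ref| ref.match?(FULL_SHA) }
                 .map { |path, ref| "#{path}: '#{ref}' is not a full commit SHA" }
  shas = refs.map(&:last).grep(FULL_SHA).uniq.sort
  problems << "mixed pins: #{shas.join(', ')}" if shas.size > 1
  problems
end

# Constructed sample files; the reusable-workflow name and action path are hypothetical.
def sample_files(checkout_ref, input_ref)
  {
    "cpflow-deploy-staging.yml" =>
      "jobs:\n  deploy:\n    uses: #{UPSTREAM}/.github/workflows/example.yml@#{NEW_PIN}\n",
    "cpflow-promote-staging-to-production.yml" => <<~YML
      jobs:
        promote:
          steps:
            - uses: actions/checkout@v4
              with: { repository: #{UPSTREAM}, ref: #{checkout_ref}, persist-credentials: false }
            - uses: ./hypothetical/cpflow-setup-environment
              with: { control_plane_flow_ref: #{input_ref} }
      YML
  }
end

puts audit_pins(sample_files("master", NEW_PIN))
```

Run against the real files by passing a hash of path to file contents for .github/workflows/*.yml; a straggler left on the previous pin shows up as a "mixed pins" problem.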

@justin808 justin808 merged commit 8038797 into master Jun 3, 2026
7 checks passed
@justin808 justin808 deleted the jg-codex/pin-runner-race-fix branch June 3, 2026 09:48
github-actions Bot commented Jun 3, 2026

✅ Review App Deleted

Review app for PR #761 is deleted