[codex] Update cpflow review app guidance

.controlplane/Dockerfile

@@ -72,7 +72,8 @@ RUN SECRET_KEY_BASE=precompile_placeholder bin/rails react_on_rails:locale
 # and /app/client/app are the client assets that are bundled, so not needed once built
 # Helps to have smaller images b/c of smaller Docker Layer Caches and smaller final images
 # SECRET_KEY_BASE is required for asset precompilation but is not persisted in the image
-RUN SECRET_KEY_BASE=precompile_placeholder yarn res:build && \
+RUN SECRET_KEY_BASE=precompile_placeholder bundle exec rake react_on_rails:generate_packs && \
+    SECRET_KEY_BASE=precompile_placeholder yarn res:build && \
     SECRET_KEY_BASE=precompile_placeholder bin/rails assets:precompile && \
     rm -rf /app/lib/bs /app/client/app
 

.controlplane/entrypoint.sh

@@ -21,7 +21,7 @@ echo " -- Waiting for services"
 wait_for_service $(echo $DATABASE_URL | sed -e 's|^.*@||' -e 's|/.*$||')
 wait_for_service $(echo $REDIS_URL | sed -e 's|redis://||' -e 's|/.*$||')
 
-echo " -- Finishing entrypoint.sh, executing '$@'"
+echo " -- Finishing entrypoint.sh, executing '$*'"
 
 # Run the main command
 exec "$@"

.controlplane/templates/org.yml

@@ -1,8 +1,10 @@
-# Org level secrets are used to store sensitive information that is
-# shared across multiple apps in the same organization. This is
-# useful for storing things like API keys, database credentials, and
-# other sensitive information that is shared across multiple apps
-# in the same organization.
+# App secret dictionaries store sensitive information for apps in the
+# organization. This template keeps the cpflow app-secret placeholders
+# {{APP_SECRETS}} and {{APP_SECRETS_POLICY}}.
+#
+# cpflow 5.1.1 shared_secret_grants are only for a separate shared
+# org-level dictionary referenced from app/workload templates with
+# {{SHARED_SECRET_<NAME>}}.
 
 # The qa-* dictionary is bootstrapped via this template for review apps.
 # Review apps run pull request code, so values in this dictionary must be
@@ -29,7 +31,7 @@ data:
 
 ---
 
-# Policy is needed to allow identities to access secrets
+# App secret policy grants app identities reveal access to this dictionary.
 kind: policy
 name: {{APP_SECRETS_POLICY}}
 targetKind: secret

.github/actions/cpflow-build-docker-image/action.yml

@@ -0,0 +1,92 @@
+name: Build Docker Image
+description: Builds and pushes the app image for a Control Plane workload
+
+inputs:
+  app_name:
+    description: Name of the application
+    required: true
+  org:
+    description: Control Plane organization name
+    required: true
+  commit:
+    description: Commit SHA to tag the image with
+    required: true
+  pr_number:
+    description: Pull request number for status messaging
+    required: false
+  docker_build_extra_args:
+    description: Optional newline-delimited extra docker build tokens. Use key=value forms like --build-arg=FOO=bar.
+    required: false
+  docker_build_ssh_key:
+    description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
+    required: false
+  docker_build_ssh_known_hosts:
+    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
+    required: false
+
+outputs:
+  image_tag:
+    description: Fully qualified image tag
+    value: ${{ steps.build.outputs.image_tag }}
+
+runs:
+  using: composite
+  steps:
+    - name: Build Docker image
+      id: build
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        PR_INFO=""
+        docker_build_args=()
+
+        if [[ -n "${{ inputs.pr_number }}" ]]; then
+          PR_INFO=" for PR #${{ inputs.pr_number }}"
+        fi
+
+        if [[ -n "${{ inputs.docker_build_extra_args }}" ]]; then
+          while IFS= read -r arg; do
+            arg="${arg%$'\r'}"
+            [[ -n "${arg}" ]] || continue
+
+            if [[ "${arg}" =~ [[:space:]] ]]; then
+              echo "docker_build_extra_args entries must be single docker-build tokens. " \
+                   "Use key=value forms like --build-arg=FOO=bar." >&2
+              exit 1
+            fi
+
+            docker_build_args+=("${arg}")
+          done <<< "${{ inputs.docker_build_extra_args }}"
+        fi
+
+        if [[ -n "${{ inputs.docker_build_ssh_key }}" ]]; then
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+
+          if [[ -n "${{ inputs.docker_build_ssh_known_hosts }}" ]]; then
+            cat <<'EOF' > ~/.ssh/known_hosts
+        ${{ inputs.docker_build_ssh_known_hosts }}
+        EOF
+          else
+            cat <<'EOF' > ~/.ssh/known_hosts
+        github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+        github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+        github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+        EOF
+          fi
+
+          chmod 600 ~/.ssh/known_hosts
+
+          eval "$(ssh-agent -s)"
+          trap 'ssh-agent -k >/dev/null' EXIT
+          ssh-add - <<< "${{ inputs.docker_build_ssh_key }}"
+          docker_build_args+=("--ssh=default")
+        fi
+
+        echo "🏗️ Building Docker image${PR_INFO} (commit ${{ inputs.commit }})..."
+        cpflow build-image -a "${{ inputs.app_name }}" --commit="${{ inputs.commit }}" --org="${{ inputs.org }}" "${docker_build_args[@]}"
+
+        image_tag="${{ inputs.org }}/${{ inputs.app_name }}:${{ inputs.commit }}"
+        echo "image_tag=${image_tag}" >> "$GITHUB_OUTPUT"
+        echo "✅ Docker image build successful${PR_INFO} (commit ${{ inputs.commit }})"

.github/actions/cpflow-delete-control-plane-app/action.yml

@@ -0,0 +1,24 @@
+name: Delete Control Plane App
+description: Deletes a Control Plane app and all associated resources
+
+inputs:
+  app_name:
+    description: Name of the application to delete
+    required: true
+  cpln_org:
+    description: Control Plane organization name
+    required: true
+  review_app_prefix:
+    description: Prefix used for review app names
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Delete application
+      shell: bash
+      run: ${{ github.action_path }}/delete-app.sh
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        CPLN_ORG: ${{ inputs.cpln_org }}
+        REVIEW_APP_PREFIX: ${{ inputs.review_app_prefix }}

.github/actions/cpflow-delete-control-plane-app/delete-app.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -euo pipefail
+
+: "${APP_NAME:?APP_NAME environment variable is required}"
+: "${CPLN_ORG:?CPLN_ORG environment variable is required}"
+: "${REVIEW_APP_PREFIX:?REVIEW_APP_PREFIX environment variable is required}"
+
+expected_prefix="${REVIEW_APP_PREFIX}-"
+if [[ "$APP_NAME" != "${expected_prefix}"* ]]; then
+  echo "❌ ERROR: refusing to delete an app outside the review app prefix" >&2
+  echo "App name: $APP_NAME" >&2
+  echo "Expected prefix: ${expected_prefix}" >&2
+  exit 1
+fi
+
+echo "🔍 Checking if application exists: $APP_NAME"
+exists_output=""
+if ! exists_output="$(cpflow exists -a "$APP_NAME" --org "$CPLN_ORG" 2>&1)"; then
+  case "$exists_output" in
+    *"Double check your org"*|*"Unknown API token format"*|*"ERROR"*|*"Error:"*|*"Traceback"*|*"Net::"*)
+      echo "❌ ERROR: failed to determine whether application exists: $APP_NAME" >&2
+      printf '%s\n' "$exists_output" >&2
+      exit 1
+      ;;
+  esac
+
+  if [[ -n "$exists_output" ]]; then
+    printf '%s\n' "$exists_output"
+  fi
+
+  echo "⚠️ Application does not exist: $APP_NAME"
+  exit 0
+fi
+
+if [[ -n "$exists_output" ]]; then
+  printf '%s\n' "$exists_output"
+fi
+
+echo "🗑️ Deleting application: $APP_NAME"
+cpflow delete -a "$APP_NAME" --org "$CPLN_ORG" --yes
+
+echo "✅ Successfully deleted application: $APP_NAME"

.github/actions/cpflow-setup-environment/action.yml

@@ -0,0 +1,70 @@
+name: Setup Control Plane Environment
+description: Sets up Ruby, installs the Control Plane CLI and cpflow gem, and configures a default profile
+
+inputs:
+  token:
+    description: Control Plane token
+    required: true
+  org:
+    description: Control Plane organization
+    required: true
+  ruby_version:
+    description: Ruby version used for cpflow
+    required: false
+    default: "3.4.6"
+  cpln_cli_version:
+    description: "@controlplane/cli version"
+    required: false
+    default: "3.3.1"
+  cpflow_version:
+    description: cpflow gem version
+    required: false
+    default: "5.1.1"
+
+runs:
+  using: composite
+  steps:
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ inputs.ruby_version }}
+
+    - name: Install Control Plane CLI and cpflow gem
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        sudo npm install -g @controlplane/cli@${{ inputs.cpln_cli_version }}
+        cpln --version
+
+        gem install cpflow -v ${{ inputs.cpflow_version }}
+        cpflow --version
+
+    - name: Setup Control Plane profile and registry login
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        TOKEN="${{ inputs.token }}"
+        ORG="${{ inputs.org }}"
+
+        if [[ -z "$TOKEN" ]]; then
+          echo "Error: Control Plane token not provided" >&2
+          exit 1
+        fi
+
+        if [[ -z "$ORG" ]]; then
+          echo "Error: Control Plane organization not provided" >&2
+          exit 1
+        fi
+
+        create_output=""
+        if ! create_output="$(cpln profile create default --token "$TOKEN" --org "$ORG" 2>&1)"; then
+          if ! echo "$create_output" | grep -qi "already exists"; then
+            echo "$create_output" >&2
+            exit 1
+          fi
+        fi
+
+        cpln profile update default --org "$ORG" --token "$TOKEN"
+        cpln image docker-login --org "$ORG"

Gemfile

@@ -6,7 +6,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby "3.4.6"
 
 gem "cpflow", "5.1.1", require: false
-gem "react_on_rails_pro", "16.7.0.rc.3"
+gem "react_on_rails", "17.0.0.rc.1"
+gem "react_on_rails_pro", "17.0.0.rc.1"
 gem "shakapacker", "10.1.0"
 
 # Bundle edge Rails instead: gem "rails", github: "rails/rails"

Gemfile.lock

@@ -134,7 +134,7 @@ GEM
     coffee-script-source (1.12.2)
     concurrent-ruby (1.3.6)
     connection_pool (3.0.2)
-    console (1.35.1)
+    console (1.36.0)
       fiber-annotation
       fiber-local (~> 1.1)
       json
@@ -201,7 +201,7 @@ GEM
     jbuilder (2.12.0)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
-    json (2.19.5)
+    json (2.19.8)
     jwt (3.2.0)
       base64
     language_server-protocol (3.17.0.5)
@@ -346,22 +346,22 @@ GEM
       erb
       psych (>= 4.0.0)
       tsort
-    react_on_rails (16.7.0.rc.3)
+    react_on_rails (17.0.0.rc.1)
       addressable
       connection_pool
       execjs (~> 2.5)
       rails (>= 5.2)
       rainbow (~> 3.0)
       shakapacker (>= 6.0)
-    react_on_rails_pro (16.7.0.rc.3)
+    react_on_rails_pro (17.0.0.rc.1)
       addressable
       async (>= 2.29)
       async-http (~> 0.95)
       execjs (~> 2.9)
       io-endpoint (~> 0.17.0)
       jwt (>= 2.5, < 4)
       rainbow
-      react_on_rails (= 16.7.0.rc.3)
+      react_on_rails (= 17.0.0.rc.1)
     redcarpet (3.6.0)
     redis (5.3.0)
       redis-client (>= 0.22.0)
@@ -505,7 +505,7 @@ GEM
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
     websocket (1.2.10)
-    websocket-driver (0.8.0)
+    websocket-driver (0.8.1)
       base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
@@ -549,7 +549,8 @@ DEPENDENCIES
   rails-html-sanitizer
   rails_best_practices
   rainbow
-  react_on_rails_pro (= 16.7.0.rc.3)
+  react_on_rails (= 17.0.0.rc.1)
+  react_on_rails_pro (= 17.0.0.rc.1)
   redcarpet
   redis (~> 5.0)
   rspec-rails (~> 6.0.0)

README.md

@@ -11,7 +11,7 @@
 
 ShakaCode recently migrated [HiChee.com](https://hichee.com) to Control Plane, resulting in a two-thirds reduction in server hosting costs!
 
-See doc in [./.controlplane/readme.md](./.controlplane/readme.md) for how to easily deploy this app to Control Plane.
+See [./.controlplane/readme.md](./.controlplane/readme.md) for local `cpflow` setup plus the shared `cpflow-*` GitHub Actions flow for review apps, automatic staging deploys, and manual promotion to production.
 
 The instructions leverage the `cpflow` CLI, with source code and many more tips on how to migrate from Heroku to Control Plane
 in https://github.com/shakacode/heroku-to-control-plane.
@@ -184,9 +184,12 @@ assets_bundler: rspack
 
 ### Version Targets
 
-- `react_on_rails_pro` gem: `16.7.0.rc.3`
-- `react-on-rails-pro` npm package: `16.7.0-rc.3`
-- `react-on-rails-pro-node-renderer` npm package: `16.7.0-rc.3`
+- `react_on_rails` gem: `17.0.0.rc.1`
+- `react-on-rails` npm package: `17.0.0-rc.1`
+- `react_on_rails_pro` gem: `17.0.0.rc.1`
+- `react-on-rails-pro` npm package: `17.0.0-rc.1`
+- `react-on-rails-pro-node-renderer` npm package: `17.0.0-rc.1`
+- `react-on-rails-rsc` npm package: `19.0.5-rc.5`
 - `shakapacker` gem/npm package: `10.1.0`
 - `@rspack/core` and `@rspack/cli`: `2.0.0-beta.7`
 - `react`: `~19.0.4` (minimum for React Server Components)

client/app/bundles/comments/components/CommentBox/CommentList/CommentList.spec.jsx

@@ -27,9 +27,7 @@ describe('CommentList', () => {
   );
 
   it('renders a list of Comments in normal order', () => {
-    render(
-      <CommentList $$comments={comments} cssTransitionGroupClassNames={cssTransitionGroupClassNames} />,
-    );
+    render(<CommentList $$comments={comments} cssTransitionGroupClassNames={cssTransitionGroupClassNames} />);
 
     // Verify both authors are rendered in order
     expect(screen.getByText('Frank')).toBeInTheDocument();

client/app/bundles/comments/components/SimpleCommentScreen/ror_components/SimpleCommentScreen.jsx

@@ -1,4 +1,5 @@
 /* eslint-disable max-classes-per-file */
+
 'use client';
 
 import React from 'react';