
Document cpflow workflow testing#737

Merged
justin808 merged 2 commits into master from jg-codex/cpflow-testing-docs
May 22, 2026

@justin808 justin808 commented May 21, 2026

Adds a focused guide for testing generated cpflow GitHub Actions changes, including the default-branch trusted-actions gotcha we hit while validating PR 734.

Also updates the existing Control Plane docs and generated review-app help text so workflow_dispatch --ref is described as a partial smoke test: it loads the workflow file from the ref, but the deploy workflow still checks out trusted local composite actions from master before using secrets.

Included guidance:

  • local YAML/action metadata/actionlint checks
  • post-merge review-app deploy verification steps
  • troubleshooting for composite action metadata parsing and invalid CPLN_TOKEN_STAGING
  • suggested ways to make future testing easier

Validation:

  • git diff --check

Note

Low Risk
Low risk: changes are documentation plus a new local test script; no production code paths or CI workflows are modified.

Overview
Adds a dedicated guide for validating and troubleshooting changes to generated cpflow-* GitHub Actions, emphasizing that review-app deploys load trusted composite actions from the default branch before using secrets.

Updates existing Control Plane docs/help text to frame workflow_dispatch --ref runs as a partial smoke test (workflow file from the ref, but local actions still from master), and introduces bin/test-cpflow-github-flow to run cpflow github-flow-readiness, parse generated YAML, fail on ${{ ... }} in action input descriptions, and run actionlint.

Reviewed by Cursor Bugbot for commit e4302c5. Bugbot is set up for automated code reviews on this repo. Configure here.

Summary by CodeRabbit

  • Documentation

    • Added a comprehensive guide for testing generated GitHub Actions workflows, with step‑by‑step local checks, CI/run guidance, post‑merge deployment verification, troubleshooting signals, and simplification suggestions.
    • Clarified and expanded existing workflow validation guidance and cross‑references.
  • Chores

    • Added a command‑line helper to automate local validation and linting of generated workflows and composite action metadata.


@github-actions

Review app commands

  • +review-app-deploy - create or redeploy this PR's review app.
  • +review-app-delete - delete this PR's review app and temporary resources.
  • +review-app-help - show setup details and workflow behavior.

For setup details, comment +review-app-help.

@coderabbitai

coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 18ea5900-5f0f-42c6-a089-fa32683f82ac

📥 Commits

Reviewing files that changed from the base of the PR and between 117d705 and e4302c5.

📒 Files selected for processing (5)
  • .controlplane/docs/testing-cpflow-github-actions.md
  • .controlplane/readme.md
  • .controlplane/shakacode-team.md
  • .github/cpflow-help.md
  • bin/test-cpflow-github-flow
✅ Files skipped from review due to trivial changes (2)
  • .controlplane/shakacode-team.md
  • .controlplane/readme.md

Walkthrough

Adds a new testing guide for cpflow-generated GitHub Actions, updates related docs to reference the guide and clarify default-branch sourcing of trusted composite actions, and introduces a bin/test-cpflow-github-flow script to validate generated YAML, composite-action metadata, and run actionlint.

Changes

cpflow GitHub Actions Testing

| Layer | File(s) | Summary |
|---|---|---|
| New testing guide: foundation and three-layer approach | .controlplane/docs/testing-cpflow-github-actions.md | Introduces the testing guide and three-layer verification framework (local generated-file checks, GitHub workflow CI smoke tests, and post-merge review-app deployment), noting trusted composite actions are sourced from the default branch. |
| Local testing procedures | .controlplane/docs/testing-cpflow-github-actions.md | Documents concrete local commands for regenerating workflows and running readiness: generator invocation examples, YAML parsing checks, composite-action description expression detection, and actionlint usage. |
| PR/CI smoke testing & cross-doc updates | .controlplane/readme.md, .github/cpflow-help.md | Clarifies gh workflow run --ref <branch> usage for exercising PR workflow YAML, documents workflow_dispatch behavior vs trusted-action sourcing, and updates validation command examples to use bin/conductor-exec and ignore SC2129 for cpflow-generated workflows. |
| Post-merge deployment verification & troubleshooting | .controlplane/docs/testing-cpflow-github-actions.md | Adds a step-by-step post-merge review-app checklist (canary PR, ensure merge commit checks out master, confirm cpflow version, run deploy, validate HTTP 200), plus troubleshooting examples for composite-action metadata parsing failures and invalid token format errors. |
| Validation script: parse, metadata guard, actionlint | bin/test-cpflow-github-flow | New Bash script that runs bin/conductor-exec readiness, parses workflow/action YAML with Ruby, aborts on composite-action input description values containing ${{, and runs actionlint against .github/workflows/cpflow-*.yml ignoring SC2129. |
| Team guidance update | .controlplane/shakacode-team.md | Expands "Keeping cpflow Automation Current" with explicit validation steps and links to the new testing guide; documents that review-app workflow changes must land on the default branch to be fully tested. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hop through YAML, scripts, and guide,
Three layers checked with vigilance and pride,
Master holds the trusted action seed,
A canary PR and an HTTP heed,
Cheers—tests that make deployments glide.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title "Document cpflow workflow testing" clearly and accurately summarizes the main purpose of the changeset, which adds comprehensive documentation and guides for testing cpflow-generated GitHub Actions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@claude

claude Bot commented May 21, 2026

Code Review: Document cpflow workflow testing

Overview

Documentation-only PR that adds a testing guide for cpflow GitHub Actions changes and updates three existing docs to clarify the trusted-default-branch checkout behavior. The content is accurate and fills a real gap — the "PR-branch composite actions are not exercised until merge" gotcha is non-obvious and worth documenting.

Strengths

  • Clear layered structure (local → CI → real deploy) for the new testing guide.
  • Correctly updates readme.md to use bin/conductor-exec wrappers, consistent with the project's conductor-compatibility guidance.
  • The troubleshooting section maps exact error shapes to root causes, which is immediately actionable.
  • Inline suggestion to upstream the metadata-description guard to cpflow github-flow-readiness is a good call.

Issues

Inconsistent actionlint flags across docs

testing-cpflow-github-actions.md runs:

```sh
actionlint -ignore 'SC2129' .github/workflows/cpflow-*.yml
```

But readme.md still has the original command without that flag:

```sh
actionlint .github/workflows/cpflow-*.yml
```

A reader following readme.md will see a noisier actionlint run than someone following the new guide. Either add -ignore 'SC2129' to readme.md as well, or remove the flag from the new guide and note separately when SC2129 suppression is appropriate.

Local Checks preamble conflates released vs unreleased usage

The section opens with "When testing an unreleased upstream control-plane-flow checkout, invoke that checkout's bin/cpflow directly" but every command in the block hard-codes /path/to/control-plane-flow/bin/cpflow — there is no variant shown for a normally-installed gem. A reader using a released gem will not know they should replace ruby /path/to/control-plane-flow/bin/cpflow with just cpflow. Consider splitting the block or adding a one-line note: "If using the installed gem, replace ruby /path/to/control-plane-flow/bin/cpflow with cpflow."

Long one-liner is fragile to copy from Markdown

The description-check Ruby command is ~200 characters on a single line. In rendered Markdown it wraps unpredictably, and a mis-copy will silently produce a syntax error. The "Ways To Make This Easier" section already suggests bin/test-cpflow-github-flow; moving this command there now (with a brief comment) would be more robust than leaving it as a bare inline one-liner.

Minor

  • The APP_NAME template in the post-merge section uses shell-expansion syntax (${REVIEW_APP_PREFIX}-${PR_NUMBER}) inside a text code block. A small note that this is a template, not an evaluatable expression, would avoid confusion.
  • .github/cpflow-help.md change is correct and well-worded — no issues.

Comment thread .controlplane/readme.md
actionlint .github/workflows/cpflow-*.yml
bundle exec rubocop
bin/conductor-exec bundle exec rubocop
```

The new testing-cpflow-github-actions.md guide runs actionlint -ignore 'SC2129', but this line still omits that flag. The two docs will produce different output for the same workflow files, which is confusing for anyone switching between them.

Suggested change
```
actionlint -ignore 'SC2129' .github/workflows/cpflow-*.yml

Comment on lines +19 to +21
from `master` until the fix is merged there.

## Local Checks

The preamble introduces the unreleased-checkout case, but every command in the block below uses a hard-coded path — there is no hint for readers using a normally-installed gem. Consider clarifying:

Suggested change
from `master` until the fix is merged there.
## Local Checks
After regenerating the flow, run these checks from the repository root. If
`cpflow` is installed as a gem, use `bin/conductor-exec cpflow <subcommand>`
directly. When testing an unreleased upstream `control-plane-flow` checkout,
replace `cpflow` with `ruby /path/to/control-plane-flow/bin/cpflow`:

@greptile-apps

greptile-apps Bot commented May 21, 2026

Greptile Summary

This PR adds a focused testing guide for cpflow GitHub Actions changes and propagates the "trusted local actions load from master" clarification across the existing Control Plane docs and generated help text.

  • New testing-cpflow-github-actions.md covers local YAML/lint checks, partial smoke-test caveats for workflow_dispatch --ref, post-merge review-app verification steps, and two concrete troubleshooting scenarios.
  • readme.md updates command prefixes from bundle exec to bin/conductor-exec and adds a link to the new guide, but the inline actionlint call is missing the -ignore 'SC2129' flag present in the new guide, and the existing "Before merge, run the PR branch workflow explicitly" sentence still lacks the partial-smoke-test caveat.
  • shakacode-team.md and cpflow-help.md both receive accurate, consistent wording about the default-branch composite-action loading behaviour.

Confidence Score: 4/5

Safe to merge — all changes are documentation only, with no impact on production code or workflow logic.

The readme.md actionlint command is missing the -ignore SC2129 flag that the new guide introduces, so following the two docs in parallel produces inconsistent results. The same file's pre-merge wording still reads as a complete validation step while the new guide and cpflow-help.md both qualify it as a partial smoke test.

.controlplane/readme.md — two minor inconsistencies with the new guide worth a quick pass before merge.

Important Files Changed

| Filename | Overview |
|---|---|
| .controlplane/docs/testing-cpflow-github-actions.md | New guide covering local checks, PR checks, post-merge verification, troubleshooting, and future improvements for cpflow GitHub Actions testing; content is accurate and well-structured. |
| .controlplane/readme.md | Updates command prefixes from bundle exec to bin/conductor-exec and adds a link to the new guide; actionlint call is missing the -ignore 'SC2129' flag present in the new guide, and the inline description of gh workflow run is still phrased as a complete pre-merge test. |
| .controlplane/shakacode-team.md | Adds the trusted-actions-from-master caveat and cross-references both readme.md and the new testing guide; no issues found. |
| .github/cpflow-help.md | Clarifies that workflow_dispatch --ref is only a partial smoke test for top-level workflow edits and directs composite action changes to the post-merge path; wording is consistent with the new guide. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Local as Local Checks
    participant GH as GitHub Actions
    participant Master as master branch

    Dev->>Local: bin/conductor-exec cpflow generate-github-actions
    Dev->>Local: actionlint -ignore SC2129
    Dev->>Local: Ruby YAML + metadata-description checks
    Local-->>Dev: Pass / Fail

    Dev->>GH: Open PR CI runs
    GH-->>Dev: Syntax and CI validation (partial)

    Dev->>GH: gh workflow run --ref PR-branch (workflow_dispatch)
    GH->>Master: Checkout trusted local composite actions
    Master-->>GH: ".github/actions/* from master"
    GH-->>Dev: Partial smoke test (top-level workflow only)

    Note over Dev,Master: .github/actions/* changes NOT fully tested until merged

    Dev->>Master: Merge PR
    Dev->>GH: Rerun review-app deploy on canary PR
    GH->>Master: Checkout trusted local composite actions (merge commit)
    GH-->>Dev: Full end-to-end validation
```

Comments Outside Diff (1)

  1. .controlplane/readme.md, line 438-444 (link)

    P2 This paragraph still presents gh workflow run --ref <branch> as a sufficient pre-merge test ("Before merge, run the PR branch workflow explicitly") without the partial-smoke-test caveat added in both the new guide and cpflow-help.md. A reader skimming readme.md alone will believe this command fully validates .github/actions/ changes, when it only loads the top-level workflow file from the branch while composite actions still come from master.

Reviews (1): Last reviewed commit: "Document cpflow workflow testing" | Re-trigger Greptile

testing an unreleased upstream `control-plane-flow` checkout, invoke that
checkout's `bin/cpflow` directly:

```sh

This one-liner is ~200 characters and will wrap unpredictably in rendered Markdown, making it easy to mis-copy (a truncated command silently does nothing or raises a syntax error). The "Ways To Make This Easier" section already suggests extracting these checks into bin/test-cpflow-github-flow. Moving this command there now — even as a thin wrapper — would be more robust and reduce copy-paste risk for future readers.

Comment thread .controlplane/readme.md Outdated
bundle exec ruby /path/to/control-plane-flow/bin/cpflow github-flow-readiness
bin/conductor-exec ruby /path/to/control-plane-flow/bin/cpflow generate-github-actions --staging-branch master
bin/conductor-exec ruby /path/to/control-plane-flow/bin/cpflow github-flow-readiness
actionlint .github/workflows/cpflow-*.yml

P2 The actionlint command in readme.md omits the -ignore 'SC2129' flag that the new testing-cpflow-github-actions.md guide adds. Anyone following readme.md will get SC2129 warnings that the new guide explicitly silences, causing a confusing inconsistency between the two docs.

Suggested change
actionlint .github/workflows/cpflow-*.yml
actionlint -ignore 'SC2129' .github/workflows/cpflow-*.yml


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 117d7052b8


bin/conductor-exec ruby /path/to/control-plane-flow/bin/cpflow generate-github-actions --staging-branch master
bin/conductor-exec ruby /path/to/control-plane-flow/bin/cpflow github-flow-readiness
bin/conductor-exec ruby -e 'require "yaml"; Dir[".github/actions/**/action.yml", ".github/workflows/*.yml"].sort.each { |path| YAML.load_file(path, aliases: true); puts "parsed #{path}" }'
bin/conductor-exec ruby -e 'require "yaml"; bad=[]; Dir[".github/actions/**/action.yml"].sort.each { |path| doc=YAML.load_file(path, aliases: true); doc.fetch("inputs", {}).each { |name, spec| bad << "#{path}:#{name}" if spec["description"].to_s.include?("${{") } }; }; abort bad.join("\n") unless bad.empty?; puts "no action metadata descriptions contain GitHub expressions"'

P2: Remove extra brace from metadata-check one-liner

The Ruby command in this checklist has an extra }; before abort, so running it as documented raises a SyntaxError instead of validating action metadata descriptions. Anyone following the new local test steps will fail at this point and may skip the intended guard entirely; removing the extra block terminator makes the command executable.


@justin808

+review-app-deploy

@github-actions

github-actions Bot commented May 21, 2026

@justin808 justin808 force-pushed the jg-codex/cpflow-testing-docs branch from 117d705 to e4302c5 Compare May 21, 2026 21:36
abort bad.join("\n") unless bad.empty?
puts "no action metadata descriptions contain GitHub expressions"
RUBY


If no cpflow-*.yml files exist (e.g. in a fresh checkout or on a branch before generation), bash passes the literal glob string cpflow-*.yml to actionlint with set -euo pipefail active, causing a confusing "no such file" failure rather than a clean "nothing to lint" exit.

Consider guarding with shopt -s nullglob or an explicit check:

Suggested change
shopt -s nullglob
workflow_files=(.github/workflows/cpflow-*.yml)
if [[ ${#workflow_files[@]} -eq 0 ]]; then
echo "no cpflow workflow files found, skipping actionlint"
else
actionlint -ignore "SC2129" "${workflow_files[@]}"
fi

Comment on lines +38 to +40
puts "no action metadata descriptions contain GitHub expressions"
RUBY


No check that actionlint is installed before invoking it. A missing binary produces command not found with no hint about where to get it. A quick guard would give a clearer developer experience:

Suggested change
puts "no action metadata descriptions contain GitHub expressions"
RUBY
echo "==> actionlint"
if ! command -v actionlint &>/dev/null; then
echo "actionlint not found — install it (https://github.com/rhysd/actionlint#installation) and rerun" >&2
exit 1
fi
actionlint -ignore "SC2129" .github/workflows/cpflow-*.yml

Comment on lines +6 to +9

cpflow_cmd=(cpflow)
if [[ $# -gt 0 ]]; then
cpflow_cmd=("$@")

When no arguments are supplied the script silently falls back to looking up cpflow in $PATH. If it isn't installed, conductor-exec will fail with a generic "not found" error.

A small guard here mirrors what you're already doing for actionlint (or could do — see other comment) and makes the failure message more actionable:

Suggested change
cpflow_cmd=(cpflow)
if [[ $# -gt 0 ]]; then
cpflow_cmd=("$@")
cpflow_cmd=(cpflow)
if [[ $# -gt 0 ]]; then
cpflow_cmd=("$@")
elif ! command -v cpflow &>/dev/null; then
echo "cpflow not found in PATH — install it or pass the path as an argument: $0 ruby /path/to/cpflow" >&2
exit 1
fi


## Troubleshooting Signals

### Composite action metadata fails before setup

The APP_NAME: ${REVIEW_APP_PREFIX}-${PR_NUMBER} line is shell-interpolation syntax inside a fenced text block, so it renders literally in markdown — which is exactly what the following paragraph explains. No change needed, just confirming the intent is clear.

@claude

claude Bot commented May 21, 2026

Code Review — PR #737: Document cpflow workflow testing

Overall: solid documentation PR with a useful local test script. Two minor bugs in bin/test-cpflow-github-flow worth fixing before merge; everything else is clean.


What the PR does

  • Adds .controlplane/docs/testing-cpflow-github-actions.md: a focused guide covering the trusted-actions-from-master gotcha, local checks, PR checks, post-merge verification, and troubleshooting signals.
  • Updates .controlplane/readme.md and .controlplane/shakacode-team.md to frame workflow_dispatch --ref as a partial smoke test and link to the new guide.
  • Clarifies .github/cpflow-help.md to note that composite actions under .github/actions/ still load from the default branch even when dispatching a PR-branch workflow.
  • Adds bin/test-cpflow-github-flow: a bash script that runs cpflow github-flow-readiness, parses generated YAML, checks action input descriptions for literal GitHub expressions, and runs actionlint.

Issues

bin/test-cpflow-github-flow — two bugs

  1. Unmatched glob passed to actionlint (line 40): With set -euo pipefail active and no shopt -s nullglob, cpflow-*.yml expands to the literal string when no files match and actionlint exits with "no such file". Harmless on this repo today but will silently bite anyone who runs the script before generating the files. See inline suggestion.

  2. No actionlint availability check (lines 38–40): Missing binary gives a generic command not found with no install hint. Same pattern applies to the default cpflow path (lines 6–9). Inline suggestions cover both.


What's good

  • The ${{ expression check in action input descriptions is a genuinely useful guard — this is the class of error that silently breaks deploys and is easy to miss in review.
  • set -euo pipefail and the use of a proper array (cpflow_cmd=("$@")) rather than a string are correct bash practice.
  • YAML.load_file(path, aliases: true) handles YAML anchors correctly and .to_s on the description before include? handles nil gracefully.
  • The documentation clearly distinguishes the three test layers (local / CI / real deploy) and explains why the layering matters — exactly the context a developer needs when debugging a failed deploy.
  • The "Ways To Make This Easier" section in the new guide is a nice forward-looking addition (upstreaming the description check to cpflow github-flow-readiness in particular).

Minor nits (non-blocking)

  • The APP_NAME: ${REVIEW_APP_PREFIX}-${PR_NUMBER} line in the guide is fine — the following paragraph explains it's a template, not a runnable command.
  • No test coverage is expected for a developer utility script and documentation-only changes; the git diff --check validation called out in the PR description is sufficient.


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Ruby fetch returns nil for nil-valued YAML keys
    • Updated the action metadata check to iterate over an empty hash for nil inputs and treat nil input specs as empty specs before reading descriptions.

Create PR

Or push these changes by commenting:

@cursor push 4f71316d0b
Preview (4f71316d0b)
diff --git a/bin/test-cpflow-github-flow b/bin/test-cpflow-github-flow
--- a/bin/test-cpflow-github-flow
+++ b/bin/test-cpflow-github-flow
@@ -29,8 +29,8 @@
 bad = []
 Dir[".github/actions/**/action.yml"].sort.each do |path|
   doc = YAML.load_file(path, aliases: true)
-  doc.fetch("inputs", {}).each do |name, spec|
-    bad << "#{path}:#{name}" if spec["description"].to_s.include?("${{")
+  (doc["inputs"] || {}).each do |name, spec|
+    bad << "#{path}:#{name}" if (spec || {})["description"].to_s.include?("${{")
   end
 end
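
Review bot: `doc` itself is still unguarded on the context line `doc = YAML.load_file(path, aliases: true)`: an empty or comment-only action.yml does not parse to a Hash, so `(doc["inputs"] || {})` raises before either new nil guard is reached. Consider skipping the file unless `doc.is_a?(Hash)`. The same applies one level down: `(spec || {})["description"]` covers a nil spec but not a list-valued one, where `[]` with a String key raises a TypeError; `spec.is_a?(Hash) ? spec["description"] : nil` handles both shapes.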

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit e4302c5. Configure here.

Dir[".github/actions/**/action.yml"].sort.each do |path|
doc = YAML.load_file(path, aliases: true)
doc.fetch("inputs", {}).each do |name, spec|
bad << "#{path}:#{name}" if spec["description"].to_s.include?("${{")

Ruby fetch returns nil for nil-valued YAML keys

Low Severity

doc.fetch("inputs", {}) only falls back to {} when the "inputs" key is entirely absent. If an action YAML file contains inputs: with no sub-keys, the key exists but maps to nil, so fetch returns nil and nil.each raises a NoMethodError. Similarly, if an individual input spec is nil (e.g. token: with no properties), spec["description"] crashes on nil. Using (doc["inputs"] || {}) and guarding spec would prevent both crashes.


Reviewed by Cursor Bugbot for commit e4302c5. Configure here.
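
The nil-handling behaviour discussed in this thread, as an added example (not code from the PR or the project): it runs the `fetch`-based check and a hardened variant over constructed action.yml documents. The sample documents, the function names, and the use of `YAML.safe_load` on inline strings in place of `YAML.load_file` are assumptions made so it runs offline.

```ruby
require "yaml"

# Constructed action.yml samples (not taken from the repository).
SAMPLES = {
  "clean/action.yml" => <<~DOC,
    name: clean
    inputs:
      token:
        description: Control Plane token
    runs:
      using: composite
      steps: []
  DOC
  "expr/action.yml" => <<~DOC,
    name: expr
    inputs:
      app:
        description: "Defaults to ${{ github.event.number }}"
  DOC
  # `inputs:` present but empty, so the key exists and maps to nil.
  "nil-inputs/action.yml" => "name: nil-inputs\ninputs:\n",
  # An input declared with no properties, so its spec is nil.
  "nil-spec/action.yml" => "name: nil-spec\ninputs:\n  token:\n",
  # Empty file: the parsed document is not a Hash at all.
  "empty/action.yml" => ""
}.freeze

# Shape of the check before the fix: Hash#fetch only falls back to the
# default when the key is absent, not when its value is nil.
def fetch_based_offenders(path, doc)
  doc.fetch("inputs", {}).each_with_object([]) do |(name, spec), bad|
    bad << "#{path}:#{name}" if spec["description"].to_s.include?("${{")
  end
end

# Hardened variant (hypothetical name): tolerates non-Hash documents,
# nil inputs, and nil or non-Hash input specs.
def offenders(path, doc)
  inputs = doc.is_a?(Hash) ? doc["inputs"] : nil
  return [] unless inputs.is_a?(Hash)

  inputs.each_with_object([]) do |(name, spec), bad|
    description = spec.is_a?(Hash) ? spec["description"] : nil
    bad << "#{path}:#{name}" if description.to_s.include?("${{")
  end
end

# Run one checker over every sample; record a crash instead of aborting
# so both checkers can be compared side by side.
def scan(samples, checker)
  samples.each_with_object({}) do |(path, text), results|
    doc = YAML.safe_load(text, aliases: true)
    results[path] =
      begin
        send(checker, path, doc)
      rescue NoMethodError, TypeError => e
        "crash: #{e.class}"
      end
  end
end

%i[fetch_based_offenders offenders].each do |checker|
  puts "#{checker}:"
  scan(SAMPLES, checker).each { |path, result| puts "  #{path} => #{result.inspect}" }
end
```

A crash in the guard matters because a script that aborts on malformed metadata never reports the `${{` findings in the remaining files.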

@justin808 justin808 merged commit 09c3d71 into master May 22, 2026
17 checks passed
@justin808 justin808 deleted the jg-codex/cpflow-testing-docs branch May 22, 2026 00:33
@github-actions

github-actions Bot commented May 22, 2026

✅ Review app for PR #737 is deleted

Open organization console
View workflow logs
