Pin cpflow workflows to Ruby setup fallback

[justin808]

Summary

• repin generated cpflow workflow wrappers from upstream commit 8e9c0c5 to 6f44c840
• picks up the cpflow-setup-environment Ruby fallback fix from control-plane-flow PR 306
• intended to fix the post-merge staging deploy failure in Setup environment

Verification

• bin/test-cpflow-github-flow

---

Note

Low Risk
Low risk: this only changes which upstream reusable GitHub Actions workflows are referenced, but it can affect deploy/review-app automation behavior if the new pinned ref has regressions.

Overview
Repins all cpflow-* GitHub Actions workflow wrappers to a newer pinned shakacode/control-plane-flow commit (6f44c840…), updating both the uses: refs and matching control_plane_flow_ref inputs.

This affects the reusable workflows for staging deploy, review app deploy/delete/help, stale review app cleanup, and staging promotion, and is intended to pick up the upstream environment-setup (Ruby fallback) fix.

^{Reviewed by Cursor Bugbot for commit f3544e8. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Chores
  • Updated deployment and review app management workflows to use the latest versions of shared infrastructure tools.

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 50a70491-5fac-4b5c-adce-c80be227d9f5

📥 Commits

Reviewing files that changed from the base of the PR and between ab025f9 and f3544e8.

📒 Files selected for processing (7)

• .github/workflows/cpflow-cleanup-stale-review-apps.yml
• .github/workflows/cpflow-delete-review-app.yml
• .github/workflows/cpflow-deploy-review-app.yml
• .github/workflows/cpflow-deploy-staging.yml
• .github/workflows/cpflow-help-command.yml
• .github/workflows/cpflow-promote-staging-to-production.yml
• .github/workflows/cpflow-review-app-help.yml

---

Walkthrough

Seven workflow files that delegate to upstream shakacode/control-plane-flow reusable workflows are pinned to a newer commit SHA (6f44c840... replacing 8e9c0c5e...) for review-app cleanup, deletion, deployment, staging/production promotion, and help command operations.

Changes

Reusable workflow reference updates

Layer / File(s)	Summary
Reusable workflow reference updates to control-plane-flow commit .github/workflows/cpflow-cleanup-stale-review-apps.yml, cpflow-delete-review-app.yml, cpflow-deploy-review-app.yml, cpflow-deploy-staging.yml, cpflow-help-command.yml, cpflow-promote-staging-to-production.yml, cpflow-review-app-help.yml	Seven GitHub Actions workflows update their uses: commit SHA and control_plane_flow_ref input to reference a newer control-plane-flow commit (6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0), enabling upstream improvements while maintaining deterministic workflow pinning.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#741: The main PR's updates to the pinned uses/control_plane_flow_ref for the reusable shakacode/control-plane-flow workflows are directly connected to #741's regeneration that refactors the same workflows to delegate to upstream reusable workflows.

Poem

🐇 Workflows updated, versions align,
Seven files now point to a newer design,
Control-plane-flow's commit pins bright,
Infrastructure automation flowing just right!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Pin cpflow workflows to Ruby setup fallback' accurately reflects the main change: updating pinned commit references in cpflow workflows to incorporate a Ruby setup fallback fix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/cpflow-ruby-setup-fallback

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR re-pins all seven cpflow GitHub Actions reusable workflow wrappers from upstream commit 8e9c0c5 to 6f44c840, picking up the Ruby setup environment fallback fix from control-plane-flow PR #306 to resolve post-merge staging deploy failures.

• All seven workflow files are updated consistently: the uses: SHA and control_plane_flow_ref input are both bumped where applicable. The two help-command workflows (cpflow-help-command.yml, cpflow-review-app-help.yml) correctly omit control_plane_flow_ref since those upstream workflows don't accept that input.
• All references remain SHA-pinned (not a mutable tag), which is the correct practice for third-party reusable workflows.

Confidence Score: 5/5

Safe to merge — the change is a consistent SHA bump across all seven workflow files with no logic modifications.

Every workflow file is updated uniformly: the uses: SHA and control_plane_flow_ref input both point to the new commit where the input exists, and the two workflows that don't use control_plane_flow_ref are handled correctly. The new commit is still SHA-pinned, not a mutable ref.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/cpflow-deploy-staging.yml	Bumps reusable workflow ref and control_plane_flow_ref from 8e9c0c5 to 6f44c840; most directly affected by the Ruby setup fallback fix
.github/workflows/cpflow-deploy-review-app.yml	Bumps reusable workflow ref and control_plane_flow_ref from 8e9c0c5 to 6f44c840
.github/workflows/cpflow-promote-staging-to-production.yml	Bumps reusable workflow ref and control_plane_flow_ref from 8e9c0c5 to 6f44c840
.github/workflows/cpflow-cleanup-stale-review-apps.yml	Bumps reusable workflow ref and control_plane_flow_ref from 8e9c0c5 to 6f44c840
.github/workflows/cpflow-delete-review-app.yml	Bumps reusable workflow ref and control_plane_flow_ref from 8e9c0c5 to 6f44c840
.github/workflows/cpflow-help-command.yml	Bumps reusable workflow ref only (no control_plane_flow_ref input — correct, this workflow doesn't accept one)
.github/workflows/cpflow-review-app-help.yml	Bumps reusable workflow ref only (no control_plane_flow_ref input — correct, this workflow doesn't accept one)

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub Event Trigger] --> B{Workflow Type}
    B --> C[cpflow-deploy-staging]
    B --> D[cpflow-deploy-review-app]
    B --> E[cpflow-delete-review-app]
    B --> F[cpflow-cleanup-stale-review-apps]
    B --> G[cpflow-promote-staging-to-production]
    B --> H[cpflow-help-command]
    B --> I[cpflow-review-app-help]
    C --> J["shakacode/control-plane-flow@6f44c840\n(was 8e9c0c5)"]
    D --> J
    E --> J
    F --> J
    G --> J
    H --> J
    I --> J
    J --> K[cpflow-setup-environment\nRuby fallback fix included]

Loading

_{Reviews (1): Last reviewed commit: "Pin cpflow workflows to Ruby setup fallb..." | Re-trigger Greptile}

[claude]

Code Review: Pin cpflow workflows to Ruby setup fallback

Overview

This PR updates 7 GitHub Actions workflow wrappers to repin from upstream commit 8e9c0c5e → 6f44c840 in shakacode/control-plane-flow, picking up the Ruby environment setup fallback fix from control-plane-flow PR #306. The change affects staging deploy, review-app deploy/delete/help, stale cleanup, and staging promotion.

---

What's done well

• Full SHA pinning — Using complete 40-character commit SHAs instead of tags or branches is the GitHub-recommended security practice. It prevents tag-hijacking attacks on third-party reusable workflows.
• Atomic consistency — All 7 files are updated to the same commit in a single PR, avoiding any split-brain state where some workflows run different upstream versions.
• Both refs updated together — For the 5 action workflows, both the uses: SHA and the control_plane_flow_ref input are updated in lockstep, which is correct.

---

Pre-existing inconsistency worth noting

Two workflows (cpflow-help-command.yml and cpflow-review-app-help.yml) have no with: block — they reference the upstream workflow via uses: SHA only, without passing control_plane_flow_ref as an input. This is pre-existing and not introduced by this PR, but worth a quick sanity check:

• If the upstream reusable workflows accept a control_plane_flow_ref input, omitting it here could cause them to fall back to a default ref (potentially a mutable branch tip) rather than the pinned commit.
• If they don't declare that input at all, omitting the with: block is correct.

Could you confirm whether these two upstream workflows accept control_plane_flow_ref? If they do, adding with: control_plane_flow_ref: 6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0 would fully lock their behavior.

---

Risk Assessment

Low risk — mechanically correct, no logic changes, all 7 files updated consistently. Risk is bounded to potential regressions in commit 6f44c840 itself.

Suggested pre-merge check: Confirm bin/test-cpflow-github-flow passes against the new pin before merging.

[claude]

This workflow (and cpflow-review-app-help.yml) omits the with: control_plane_flow_ref: block that the other 5 cpflow wrappers all pass. If the upstream cpflow-help-command.yml reusable workflow accepts that input, the missing block means it won't be fully pinned — it could resolve control_plane_flow_ref to a default (e.g. a branch tip) instead of the commit SHA in the uses: ref.

If the upstream workflow does accept it, the fix would be:

Suggested change

	uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0
	uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0
	with:
	control_plane_flow_ref: 6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0

If it doesn't declare that input at all, this is fine as-is — just worth a quick confirmation.

[github-actions]

❌ Failed to Delete Review App

Failed to delete review app for PR #742

🎮 Control Plane Console
📋 View Workflow Logs