Document cpflow upstream ref pinning

[justin808]

Summary

• explain how generated cpflow workflow wrappers pin upstream reusable workflows
• distinguish the GitHub workflow ref from the CPFLOW_VERSION runtime gem install override
• document the stable release-tag flow and the temporary commit-SHA testing flow

Verification

• git diff --check
• bin/test-cpflow-github-flow

---

Note

Low Risk
Documentation-only changes clarifying how generated cpflow-* workflows pin upstream refs and how CPFLOW_VERSION affects gem installation; no runtime code or CI behavior changes.

Overview
Documents how generated cpflow-* GitHub Actions pin upstream shakacode/control-plane-flow code. Adds an explicit explanation that each wrapper must keep uses: ...@<ref> and control_plane_flow_ref: <ref> in sync, and recommends stable pinning to v<cpflow gem version> tags (using commit SHAs only for temporary unreleased testing).

Clarifies that CPFLOW_VERSION is a runtime gem-install override distinct from the GitHub workflow ref (build-from-upstream when unset vs gem install -v when set), and updates team/help docs to reflect this guidance.

^{Reviewed by Cursor Bugbot for commit d74319f. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Documentation
  • Improved documentation on GitHub Actions workflow configuration, including how generated workflows reference upstream code via pinned references and how CPFLOW_VERSION controls the runtime gem installation.
  • Added guidance on version tagging best practices: using stable release tags for production automation and feature branches for testing purposes.

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0a970473-4268-49b0-9451-3dee67a4d5a1

📥 Commits

Reviewing files that changed from the base of the PR and between b589e5e and d74319f.

📒 Files selected for processing (4)

• .controlplane/docs/testing-cpflow-github-actions.md
• .controlplane/readme.md
• .controlplane/shakacode-team.md
• .github/cpflow-help.md

---

Walkthrough

This PR adds and refines documentation across four files to explain how generated GitHub Actions cpflow-* workflow wrappers reference upstream reusable workflows via pinned refs and how the CPFLOW_VERSION environment variable controls runtime gem installation.

Changes

Upstream Pinning & CPFLOW_VERSION Guidance

Layer / File(s)

Summary

Upstream pinning and CPFLOW_VERSION documentation .controlplane/docs/testing-cpflow-github-actions.md, .controlplane/readme.md, .controlplane/shakacode-team.md, .github/cpflow-help.md

New comprehensive section in the testing guide explains dual ref pinning (reusable workflow uses and control_plane_flow_ref), distinguishes between CPFLOW_VERSION (runtime gem override) and workflow ref selection, and documents release vs unreleased pinning guidance. README and shakacode-team.md sections introduce the wrapper model and provide deployment guidance; cpflow-help.md refines the CPFLOW_VERSION behavior description.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#742: Repins multiple cpflow-* wrapper workflows to a new upstream commit SHA using the same dual-ref pinning mechanism documented in this PR.
• shakacode/react-webpack-rails-tutorial#741: Refactors generated cpflow workflows to delegate to upstream reusable workflows while passing control_plane_flow_ref, directly implementing the pinning model this PR documents.
• shakacode/react-webpack-rails-tutorial#736: Updates the generated cpflow setup composite action's cpflow_version input descriptions in alignment with the CPFLOW_VERSION behavior clarifications in this PR.

---

🐰 Documentation blooms in the garden fair,
Pinned refs and versions floating through the air,
CPFLOW_VERSION guides the way,
Clear and bright for each new day,
Upstream workflows, steady and true,
The docs explain what workflows will do! 📋✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: documentation explaining how cpflow workflow wrappers pin upstream reusable workflows via refs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/cpflow-ref-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds documentation clarifying how generated cpflow-* GitHub Actions wrappers pin upstream reusable workflows via two synchronized refs (uses: ...@<ref> and control_plane_flow_ref), and how CPFLOW_VERSION is a separate runtime gem-install override rather than a workflow-load pin.

• Adds a new "How Upstream Code Is Pinned" section to testing-cpflow-github-actions.md, with a YAML example showing the two-pin pattern, the stable release path, and guidance to prefer release tags over branch refs.
• Updates CPFLOW_VERSION descriptions in shakacode-team.md and cpflow-help.md to clarify its role as an optional gem-install override (vs. the GitHub workflow ref).
• Adds equivalent pinning guidance to readme.md alongside the existing "Keeping Generated cpflow Workflows Updated" section.

Confidence Score: 5/5

Documentation-only changes with no runtime code modified; safe to merge.

All four changed files are Markdown documentation. The new content is accurate, internally consistent across files, and aligns with how GitHub Actions reusable workflows actually resolve refs. The transient note about the current commit-SHA pin is an honest description of the repository's state and does not introduce any risk.

No files require special attention.

Important Files Changed

Filename	Overview
.controlplane/docs/testing-cpflow-github-actions.md	Adds a clear "How Upstream Code Is Pinned" section with a YAML example, the stable release workflow, and guidance on commit-SHA vs. tag pins; consistent with the rest of the file and other docs.
.controlplane/readme.md	New paragraph under "Keeping Generated cpflow Workflows Updated" explains the two-pin pattern and CPFLOW_VERSION override; wording is consistent with the other changed docs.
.controlplane/shakacode-team.md	CPFLOW_VERSION bullet now accurately describes runtime gem-install override semantics; new paragraph explains the workflow wrapper ref pattern consistently with other docs.
.github/cpflow-help.md	Single table cell updated: CPFLOW_VERSION description now matches the cleaner language used in the other docs.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Need to update cpflow workflows] --> B{Testing unreleased\nupstream changes?}
    B -- No --> C[Install released cpflow gem]
    C --> D[Run cpflow generate-github-actions\n--staging-branch master]
    D --> E[Generated wrappers set\nuses: ...@v<gem version>\ncontrol_plane_flow_ref: v<gem version>]
    E --> F{Set CPFLOW_VERSION?}
    F -- Leave unset --> G[Setup action builds cpflow\nfrom checked-out upstream ref]
    F -- Set to gem version\nwithout leading v --> H[Setup action runs\ngem install cpflow -v <version>]
    B -- Yes --> I[Pin to immutable commit SHA\nnot a branch name]
    I --> J[Manually set uses: ...@<SHA>\nand control_plane_flow_ref: <SHA>]
    J --> K[Temporary test pin]
    K --> L{Upstream release published?}
    L -- Yes --> C
    L -- No --> M[Keep SHA pin until\nrelease tag is available]

Loading

_{Reviews (1): Last reviewed commit: "Document cpflow upstream ref pinning" | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d74319f988

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Qualify claim that every wrapper has two upstream pins

This states that each generated cpflow-* wrapper has both uses: ...@<ref> and control_plane_flow_ref, but that is not true for all generated wrappers in this repo (for example, .github/workflows/cpflow-review-app-help.yml and .github/workflows/cpflow-help-command.yml only pin the uses ref). Following this wording when repinning could lead maintainers to add an unsupported with.control_plane_flow_ref input to workflows that do not accept it, causing workflow-call validation failures.

Useful? React with 👍 / 👎.

[claude]

Code Review: Document cpflow upstream ref pinning

Overview

Documentation-only PR (70 additions, 2 deletions across 4 Markdown files) clarifying:

1. How generated cpflow-* wrappers pin upstream reusable workflows via uses: ...@<ref> and control_plane_flow_ref
2. The distinction between the GitHub workflow ref and the CPFLOW_VERSION runtime gem-install override
3. The recommended stable release-tag flow vs. temporary commit-SHA testing

---

Strengths

• Clear separation of concerns: The explanation of why two pins exist (uses: ...@<ref> selects the workflow file; control_plane_flow_ref selects the checkout for composite actions and optional gem build) is accurate and fills a real knowledge gap.
• Consistent messaging: The same guidance appears across all four files at appropriate detail levels — comprehensive in the dedicated testing doc, summary in readme/team doc, one-liner in the help table.
• Actionable guidance: The step-by-step release path and the explicit warning against pinning main or a feature branch in production are practical.

---

Issues and Suggestions

1. Ephemeral state statement will become stale (see inline comment)

The last paragraph of the new section in testing-cpflow-github-actions.md says the repo is "currently pinned to an upstream commit SHA" as a temporary measure. Once the upstream release is cut and the pin is updated, this will be factually wrong. Recommend removing it or converting to an HTML comment so it is hidden from rendered docs and easy to find/delete later.

2. Missing consequence of version mismatch

The docs say the two refs must "stay in sync" but do not explain what breaks if they diverge. A one-sentence note such as: If the two refs diverge, the composite actions loaded at runtime may not match the reusable workflow logic, producing unpredictable deployment behavior. would help readers understand the severity.

3. Minor: CPFLOW_VERSION example would reduce ambiguity

The phrase "use the RubyGems version without a leading v" appears in multiple files. A short inline example (e.g. CPFLOW_VERSION=1.4.2) would make it immediately copy-pasteable.

4. Readme section placement

In .controlplane/readme.md the new block is inserted mid-paragraph between two sentences about the regeneration workflow, which reads slightly awkwardly. Consider placing it as a named subsection directly before the validate block.

---

Summary

Low-risk, well-written docs PR. The core content is accurate and fills a real gap. The main actionable item is the ephemeral "currently pinned" paragraph — it should be removed or marked as a TODO comment before merge to avoid becoming misleading once the upstream release lands.

[claude]

This paragraph describes a transient repo state ("currently pinned to an upstream commit SHA") that will become factually wrong once the upstream release is published and the pin is updated to a release tag.

Recommend either removing it entirely (the general guidance above it is sufficient) or converting to an HTML comment so it is hidden from rendered docs but easy to find and delete later:

Suggested change

	This repo is currently pinned to an upstream commit SHA because the reusable
	workflow change was tested before a new `cpflow` gem release existed. That is
	safer than pinning a branch, but it should be treated as a temporary test pin
	until the next upstream release tag is available.

[github-actions]

❌ Failed to Delete Review App

Failed to delete review app for PR #743

🎮 Control Plane Console
📋 View Workflow Logs