Pin cpflow delete checkout fix

[justin808]

Summary

• repin generated cpflow reusable workflow wrappers to upstream control-plane-flow commit 3e0e7e1f0a35c15648cc9254b573b058d77ca8c4
• picks up Fix review app delete project checkout control-plane-flow#307 so review-app deletion checks out the downstream project before running cpflow delete

Validation

• bin/test-cpflow-github-flow
• bin/conductor-exec git diff --check

This is needed because closing #734 exposed that the delete reusable workflow could not find .controlplane/controlplane.yml while cleaning up the old review app.

---

Note

Medium Risk
Updates pinned SHAs for reusable control-plane-flow GitHub Actions workflows that manage deploy/delete/cleanup of review and staging apps; any upstream workflow behavior changes could impact automation and environment lifecycle operations.

Overview
Repins all cpflow GitHub Actions workflow wrappers (deploy-review-app, delete-review-app, cleanup-stale-review-apps, deploy-staging, promote-staging-to-production, and help workflows) from commit 6f44c84... to 3e0e7e1..., including updating the control_plane_flow_ref inputs where present.

This pulls in upstream reusable-workflow changes (notably for review-app deletion) without changing local workflow logic beyond the pinned references.

^{Reviewed by Cursor Bugbot for commit 42e48f0. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Chores
  • Updated deployment automation workflow infrastructure across review app, staging, and production environments to use the latest versions of control plane deployment tools. This ensures improved consistency and reliability in automated deployment and promotion processes.

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4d9ab735-a768-417e-b6a3-055c21499e68

📥 Commits

Reviewing files that changed from the base of the PR and between 050e04f and 42e48f0.

📒 Files selected for processing (7)

• .github/workflows/cpflow-cleanup-stale-review-apps.yml
• .github/workflows/cpflow-delete-review-app.yml
• .github/workflows/cpflow-deploy-review-app.yml
• .github/workflows/cpflow-deploy-staging.yml
• .github/workflows/cpflow-help-command.yml
• .github/workflows/cpflow-promote-staging-to-production.yml
• .github/workflows/cpflow-review-app-help.yml

---

Walkthrough

Seven GitHub Actions workflows that invoke reusable shakacode/control-plane-flow workflows are updated to pin both the uses: reference and the control_plane_flow_ref input to a newer commit SHA. All updates follow the same pattern: the old SHA is replaced consistently across each caller.

Changes

Control Plane Flow Workflow Pinning

Layer / File(s)

Summary

Update reusable workflow references across all control-plane-flow callers .github/workflows/cpflow-cleanup-stale-review-apps.yml, .github/workflows/cpflow-delete-review-app.yml, .github/workflows/cpflow-deploy-review-app.yml, .github/workflows/cpflow-deploy-staging.yml, .github/workflows/cpflow-help-command.yml, .github/workflows/cpflow-promote-staging-to-production.yml, .github/workflows/cpflow-review-app-help.yml

Each workflow that calls an upstream shakacode/control-plane-flow reusable workflow is updated to pin the uses: target and the control_plane_flow_ref input parameter to the same new commit SHA (3e0e7e1f0a35c15648cc9254b573b058d77ca8c4), replacing the prior reference.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• shakacode/react-webpack-rails-tutorial#742: Both PRs update the same GitHub Actions wrapper workflows (cpflow-*-*.yml) by repinning shakacode/control-plane-flow reusable-workflow uses: and matching control_plane_flow_ref values.
• shakacode/react-webpack-rails-tutorial#741: Both PRs modify the same cpflow-* workflow wiring to call the upstream shakacode/control-plane-flow reusable workflows by updating the uses/control_plane_flow_ref reference.

Poem

🐰 A rabbit hops through workflows seven,
Updating each reference to workflow heaven,
One SHA to bind them all with care,
Upstream pins now fresh and fair! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Pin cpflow delete checkout fix' directly describes the main change: pinning the cpflow workflows to a specific commit that includes a checkout fix for the delete workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/cpflow-delete-checkout-pin

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR updates all 7 Control Plane Flow reusable workflow references from commit 6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0 to 3e0e7e1f0a35c15648cc9254b573b058d77ca8c4, picking up an upstream fix (shakacode/control-plane-flow#307) that ensures the downstream project is checked out before running cpflow delete, resolving a missing controlplane.yml error during review app cleanup.

• All 7 workflow files are updated consistently: both the uses: SHA and the control_plane_flow_ref input (where applicable) point to the same new commit.
• cpflow-help-command.yml and cpflow-review-app-help.yml only update the uses: SHA — they never had a with: block passing control_plane_flow_ref, and that remains unchanged.

Confidence Score: 5/5

Safe to merge — all 7 workflow files are updated consistently to the same upstream commit SHA, picking up a targeted bug fix with no structural changes.

Every changed file is a mechanical SHA bump — the uses: ref and control_plane_flow_ref input are updated in lockstep across all workflows. The two files without a with: block (cpflow-help-command.yml, cpflow-review-app-help.yml) were already not passing control_plane_flow_ref before this PR, so there is no regression there. The upstream change is narrowly scoped to adding a checkout step before deletion, directly addressing the reported failure.

No files require special attention — all changes are consistent SHA updates.

Important Files Changed

Filename	Overview
.github/workflows/cpflow-delete-review-app.yml	Repin both uses: SHA and control_plane_flow_ref — the primary beneficiary of the upstream fix for missing checkout before cpflow delete.
.github/workflows/cpflow-cleanup-stale-review-apps.yml	Repin both uses: SHA and control_plane_flow_ref from old to new commit — consistent update.
.github/workflows/cpflow-deploy-review-app.yml	Repin both uses: SHA and control_plane_flow_ref — consistent update, no logic changes.
.github/workflows/cpflow-deploy-staging.yml	Repin both uses: SHA and control_plane_flow_ref — consistent update, no logic changes.
.github/workflows/cpflow-help-command.yml	Repin uses: SHA only — this workflow has no with: block and never passed control_plane_flow_ref, consistent with prior state.
.github/workflows/cpflow-promote-staging-to-production.yml	Repin both uses: SHA and control_plane_flow_ref — consistent update, no logic changes.
.github/workflows/cpflow-review-app-help.yml	Repin uses: SHA only — this workflow has no with: block, consistent with prior state.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant CPF as control-plane-flow@3e0e7e1f
    participant Repo as Downstream Repo

    GH->>CPF: cpflow-delete-review-app workflow (PR closed)
    CPF->>Repo: checkout downstream project
    CPF->>Repo: read .controlplane/controlplane.yml
    CPF->>CPF: cpflow delete review app
    CPF-->>GH: success

    Note over GH,CPF: Previously (6f44c840): checkout step was missing,<br/>causing "controlplane.yml not found" error

Loading

_{Reviews (1): Last reviewed commit: "Pin cpflow delete checkout fix" | Re-trigger Greptile}

[claude]

Code Review: Pin cpflow delete checkout fix

Overview

This PR updates pinned SHA references for all 7 reusable control-plane-flow GitHub Actions workflows from 6f44c84... to 3e0e7e1..., picking up the upstream fix from shakacode/control-plane-flow#307 that adds a repository checkout step before running cpflow delete in the review-app deletion workflow.

---

What looks good

• Full SHA pinning: Using 40-character commit SHAs (rather than mutable tags/branches) is the correct security practice for third-party GitHub Actions reusable workflows, preventing supply-chain attacks via tag mutation.
• Consistency: All 7 workflow files are updated to the same SHA atomically. No partial updates or mismatches.
• Dual reference correctness: For the 5 workflows that pass control_plane_flow_ref as an input, both the uses: SHA and the input value are updated in lockstep, which is required for the upstream workflow to self-reference the right version.
• Minimal blast radius: Pure SHA bump with zero local logic changes, easy to reason about and revert if needed.
• Bug motivation is clear: Closing Update HorizontalForm.res with demo text #734 exposed that the delete workflow failed to locate .controlplane/controlplane.yml because the repo was not checked out first. The fix is targeted and well-described.

---

Considerations

• Verify upstream commit contents: Before merging, confirm that commit 3e0e7e1f0a35c15648cc9254b573b058d77ca8c4 in the upstream repo contains only the expected checkout fix and no other unreviewed changes, since this project inherits all upstream workflow logic at that SHA.
• cpflow-help-command.yml and cpflow-review-app-help.yml: These two files correctly omit the control_plane_flow_ref input update since they do not pass that input. The asymmetry is intentional, not a miss.
• Rollback reference: The prior SHA (6f44c84049d4fa09aaa8c0a72cc436cd52e66fb0) is captured in git history, but worth noting explicitly in the PR description in case a quick revert is needed.

---

Risk assessment

Low - pure dependency pin update with no local logic changes. The only risk is unintended behavior changes in the upstream workflow at the new SHA, which is mitigated by reviewing shakacode/control-plane-flow#307 before merge.

Approved pending upstream commit verification.

[github-actions]

✅ Review App Deleted

Review app for PR #745 is deleted

🎮 Control Plane Console
📋 View Workflow Logs