[codex] Update cpflow review app guidance

[justin808]

Summary

• update legacy cpflow setup defaults/docs to 5.1.1
• keep the existing local GitHub Actions wrapper model and refresh shared grant terminology
• update React on Rails package references to 17.0.0-rc.1

Validation

• ruby -S cpflow --version
• YAML parse for .github/workflows/cpflow-*.yml and .controlplane/controlplane.yml
• git diff --check
• actionlint .github/workflows/cpflow-*.yml was run and only reported existing shellcheck style/info findings

Notes

• Draft PR for CI/human review.
• Autoreview completed clean before the final generated-wrapper fixes in the other repos; this legacy PR was not changed afterward.

---

Note

Medium Risk
Touches production Docker precompile, CI deploy/delete paths, and a major React on Rails RC upgrade; misordered or failed pack generation would break deploys and SSR/RSC.

Overview
Aligns the tutorial with cpflow 5.1.1 and React on Rails 17.0.0.rc.1 by adding reusable GitHub composite actions (setup, Docker build with optional SSH, guarded review-app delete) and refreshing Control Plane secret-template comments.

Build and deploy: The production Dockerfile now runs react_on_rails:generate_packs before ReScript and assets:precompile. Rails initializer and yarn build:test / build:dev scripts run locale generation (and test generate_packs) ahead of Shakapacker so direct bundler invocations match v17 expectations. Webpack resolves client/app and aliases react-on-rails to Pro to avoid mixing core and Pro at runtime.

App surface: Gems and npm lock to RoR 17 / react-on-rails-rsc 19.0.5-rc.5; README documents the new Control Plane Actions flow and versions. Small client updates add 'use client' where needed and formatting-only RSC/demo tweaks. entrypoint logging uses $* instead of $@.

^{Reviewed by Cursor Bugbot for commit 7a11703. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 87fd223b-521f-4ba6-8bbb-6b13aa961ffc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch jg-codex/cpflow-5-1-shared-secret-rollout

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[justin808]

+review-app-deploy

[github-actions]

❌ Review App Deployment Failed

Deployment failed for PR #764, commit 8b4be0c

🎮 Control Plane Console
📋 View Failed Action Build and Deploy Logs

[github-actions]

Review app ready

Open review app

Open Control Plane console
View workflow logs

[github-actions]

🎉 Deploy Complete!

Open Review App

Deployment successful for PR #764, commit 7a11703

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is ON. A cloud agent has been kicked off to fix the reported issues.}

^{Reviewed by Cursor Bugbot for commit 7a11703. Configure here.}

[cursor]

Production build omits packs

Medium Severity

build_production_command still runs ReScript, locale, and Shakapacker but never react_on_rails:generate_packs, even though the same upgrade adds that task to the Docker image build and test asset scripts. Any production precompile that relies only on this configured command can miss generated pack entrypoints.

 

^{Reviewed by Cursor Bugbot for commit 7a11703. Configure here.}

[cursor]

Exists errors skip deletion

Medium Severity

When cpflow exists exits non-zero, the script treats any output that does not match a short list of substrings as “application does not exist” and exits successfully without calling delete. Transient API, auth, or network failures can therefore be misread as a missing app and leave review apps undeleted.

 

^{Reviewed by Cursor Bugbot for commit 7a11703. Configure here.}

[cursor]

Dev build skips pack generation

Low Severity

build:test runs react_on_rails:generate_packs before Shakapacker, but build:dev in the same edit does not. Local development builds that use only yarn build:dev can diverge from CI and fail or serve stale packs after v17 pack generation changes.

 

^{Reviewed by Cursor Bugbot for commit 7a11703. Configure here.}

[claude]

build:dev is missing react_on_rails:generate_packs

build:test (line above) now runs react_on_rails:generate_packs before shakapacker, and the Dockerfile was updated the same way. But build:dev only adds react_on_rails:locale. If v17 requires generate_packs before webpack (which the other changes imply), direct yarn build:dev calls will produce a broken dev bundle.

Suggested change

	"build:dev": "rm -rf public/packs && yarn res:build && RAILS_ENV=development NODE_ENV=development bundle exec rails react_on_rails:locale && RAILS_ENV=development NODE_ENV=development bin/shakapacker",
	"build:dev": "rm -rf public/packs && yarn res:build && RAILS_ENV=development NODE_ENV=development bundle exec rails react_on_rails:locale && RAILS_ENV=development NODE_ENV=development bundle exec rake react_on_rails:generate_packs && RAILS_ENV=development NODE_ENV=development bin/shakapacker",

[claude]

build_production_command is missing react_on_rails:generate_packs

The Dockerfile was updated to run bundle exec rake react_on_rails:generate_packs before assets:precompile, and build:test in package.json also runs it. But this production command only adds react_on_rails:locale — generate_packs is absent. All three build paths should be consistent.

Also note that build_test_command (line 11–12) has the same omission compared to the build:test yarn script, which does include generate_packs. Consider whether the initializer's test command should also include it.

Suggested change

	config.build_production_command =
	"yarn res:build && RAILS_ENV=production NODE_ENV=production bin/rails react_on_rails:locale && " \
	"RAILS_ENV=production NODE_ENV=production bin/shakapacker"
	config.build_production_command =
	"yarn res:build && RAILS_ENV=production NODE_ENV=production bin/rails react_on_rails:locale && " \
	"RAILS_ENV=production NODE_ENV=production bin/rails react_on_rails:generate_packs && " \
	"RAILS_ENV=production NODE_ENV=production bin/shakapacker"

[claude]

Shell injection risk: template expressions in inline script

${{ inputs.docker_build_extra_args }} is rendered into the script before the shell runs it. GitHub Actions does not shell-escape template values, so a crafted input like "; malicious_command; echo " could escape the here-string context. The same issue applies to ${{ inputs.docker_build_ssh_key }} on line 83.

The GitHub hardening guide recommends routing such values through env: variables instead:

      env:
        DOCKER_BUILD_EXTRA_ARGS: ${{ inputs.docker_build_extra_args }}
      run: |
        ...
        if [[ -n "$DOCKER_BUILD_EXTRA_ARGS" ]]; then
          while IFS= read -r arg; do
            ...
          done <<< "$DOCKER_BUILD_EXTRA_ARGS"
        fi

Since this action is only called from controlled workflows today the practical risk is low, but this pattern prevents future misuse if the action is ever invoked with PR-derived inputs.

[claude]

Minor: $* vs $@ in the display message

The actual exec "$@" below is correct. But in a double-quoted string, $* joins all positional parameters with the first character of IFS (usually a space), while $@ expands them as separate words. For a display message they behave identically in normal cases, but $@ is the more precise choice and consistent with the exec below.

Suggested change

	echo " -- Finishing entrypoint.sh, executing '$*'"
	echo " -- Finishing entrypoint.sh, executing '$@'"

[claude]

Dead code: both token and org inputs are declared required: true at lines 4 and 8, so GitHub Actions will fail the job before the shell script ever runs if they are absent. These runtime checks add noise without providing any additional safety. They can be removed.

[github-actions]

🎉 Deploy Complete!

Open Review App

Deployment successful for PR #764, commit 7a11703

🎮 Control Plane Console
📋 View Completed Action Build and Deploy Logs