Add Control Plane GitHub flow#44
Conversation
Control Plane review app commands
|
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 23 minutes and 8 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (15)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 838f04f204
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| (github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| github.event.comment.body == '/deploy-review-app') |
There was a problem hiding this comment.
The issue_comment trigger only checks github.event.comment.body == '/deploy-review-app', so any user who can comment on a PR can start this job. In that path the workflow resolves the PR SHA, checks out PR code, and then builds/deploys with repository secrets (CPLN_TOKEN_STAGING, optionally DOCKER_BUILD_SSH_KEY), which lets an untrusted fork PR exfiltrate credentials during build/deploy. Gate this command on trusted actor permissions (for example author_association/repo permission checks) before checking out or executing PR code.
Useful? React with 👍 / 👎.
| (github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| github.event.comment.body == '/delete-review-app') || |
There was a problem hiding this comment.
The slash-command path for issue_comment accepts any PR comment with /delete-review-app and does not verify commenter trust level. On public repos this allows arbitrary external users to tear down active review apps for open PRs, causing avoidable outages/noise in the review workflow. Add an authorization check (e.g., OWNER/MEMBER/COLLABORATOR or equivalent permission) before executing the delete action.
Useful? React with 👍 / 👎.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
| jobs: | ||
| promote-to-production: | ||
| if: github.event.inputs.confirm_promotion == 'promote' | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
Production promotion workflow lacks concurrency control
Medium Severity
The production promotion workflow is the only deployment workflow missing a concurrency group. The cleanup, review-app deploy, and staging deploy workflows all define concurrency controls, but this most critical workflow does not. If two promotions are triggered close together, both capture the same pre-promotion rollback state. If one succeeds and the other fails its health check, the failing run's rollback would revert the successful promotion — silently undoing a good deploy.
Reviewed by Cursor Bugbot for commit 93293a5. Configure here.
| value: cpln://secret/{{APP_SECRETS}}.RENDERER_PASSWORD | ||
| - name: REACT_ON_RAILS_PRO_LICENSE | ||
| value: cpln://secret/react-server-components-demo-secrets.REACT_ON_RAILS_PRO_LICENSE | ||
| value: cpln://secret/{{APP_SECRETS}}.REACT_ON_RAILS_PRO_LICENSE |
There was a problem hiding this comment.
Undocumented template variable may not resolve in secrets
High Severity
{{APP_SECRETS}} is not among the documented cpflow v4.2.0 template variables (APP_ORG, APP_NAME, APP_LOCATION, APP_LOCATION_LINK, APP_IMAGE, APP_IMAGE_LINK, APP_IDENTITY, APP_IDENTITY_LINK). The PR validation used a local dev build of cpflow (ruby /Users/justin/codex/control-plane-flow/cpflow), but CI installs the published v4.2.0 gem. If the published gem doesn't resolve {{APP_SECRETS}}, every secret reference (DATABASE_URL, SECRET_KEY_BASE, etc.) would be a literal broken string, and the app would fail at runtime.
Reviewed by Cursor Bugbot for commit 93293a5. Configure here.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Bugbot Autofix is ON, but it could not run because on-demand usage is turned off. To enable Bugbot Autofix, turn on on-demand usage and set a spend limit in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 3ec73f2. Configure here.
| ruby -e 'require "yaml"; app = ARGV.fetch(0); data = YAML.load_file(".controlplane/controlplane.yml", aliases: true); app_config = data.fetch("apps").fetch(app); workloads = Array(app_config["app_workloads"]); workloads = ["rails"] if workloads.empty?; puts workloads.join(",")' "${{ vars.PRODUCTION_APP_NAME }}" | ||
| )" | ||
|
|
||
| echo "names=${workloads}" >> "$GITHUB_OUTPUT" |
There was a problem hiding this comment.
Ruby used before setup-ruby action runs
Medium Severity
The "Resolve production app workloads" step invokes ruby -e with YAML.load_file(..., aliases: true) before the "Setup production environment" step installs Ruby 3.4.6 via ruby/setup-ruby. This relies on the runner's system Ruby (currently 3.2.3 on ubuntu-24.04), which happens to support aliases: true, but the workflow explicitly configures a different Ruby version. If the runner image changes or the system Ruby is removed, this step will fail.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 3ec73f2. Configure here.
1 participant
Summary
Validation
Note
Medium Risk
Adds multiple GitHub Actions workflows that build Docker images with optional SSH keys and can deploy/delete apps in Control Plane; misconfiguration could impact deployment automation or accidentally tear down review apps (guarded by prefix checks).
Overview
Introduces a shared
cpflow-based GitHub Actions deployment flow: opt-in PR review apps (/deploy-review-app), automatic staging deploys on branch pushes, manual staging→production promotion (with health check/rollback), and scheduled stale review app cleanup.Updates Control Plane configuration to define separate staging/review/production apps (including upstream promotion) and switches template secret references to a dynamic
{{APP_SECRETS}}placeholder with secrets managed directly in Control Plane.Refreshes deployment docs and local Docker instructions (including SSH-forwarding for private GitHub dependencies) and points the main
README.mddeployment section to.controlplane/README.md.Reviewed by Cursor Bugbot for commit 3ec73f2. Bugbot is set up for automated code reviews on this repo. Configure here.