Add Control Plane GitHub flow

.controlplane/controlplane.yml

@@ -0,0 +1,50 @@
+# Keys beginning with "cpln_" correspond to your settings in Control Plane.
+#
+# This demo uses the repository root Dockerfile, a separate renderer workload,
+# and a persistent volume mounted at `/rails/storage` so SQLite and uploaded
+# files survive container restarts.
+
+allow_org_override_by_env: true
+allow_app_override_by_env: true
+
+aliases:
+  common: &common
+    cpln_org: my-org-staging
+    default_location: aws-us-east-2
+
+    setup_app_templates:
+      - app
+      - storage
+      - rails
+      - renderer
+
+    skip_secrets_setup: true
+
+    one_off_workload: rails
+    app_workloads:
+      - rails
+      - renderer
+
+    dockerfile: ../Dockerfile
+    release_script: release_script.sh
+
+    stale_app_image_deployed_days: 5
+    image_retention_days: 7
+
+  production: &production
+    <<: *common
+    allow_org_override_by_env: false
+    allow_app_override_by_env: false
+    cpln_org: my-org-production
+    upstream: react-on-rails-demo-16-4-0-rc5-staging
+
+apps:
+  react-on-rails-demo-16-4-0-rc5-staging:
+    <<: *common
+
+  react-on-rails-demo-16-4-0-rc5-review:
+    <<: *common
+    match_if_app_name_starts_with: true
+
+  react-on-rails-demo-16-4-0-rc5-production:
+    <<: *production

.controlplane/readme.md

@@ -0,0 +1,72 @@
+# Control Plane Deployment Notes
+
+This repo now includes `cpflow` scaffolding for:
+
+- opt-in PR review apps
+- automatic staging deploys
+- manual promotion from staging to production
+
+## Why This Shape
+
+This demo uses SQLite and local Active Storage in production, both rooted under
+`/rails/storage`.
+
+The Control Plane setup mirrors that:
+
+- `.controlplane/controlplane.yml` points `dockerfile: ../Dockerfile`
+- `templates/storage.yml` creates a persistent volume for `/rails/storage`
+- `templates/rails.yml` runs the public `rails` workload on port `3000`
+- `templates/renderer.yml` runs the internal React on Rails Pro Node renderer on port `3800`
+- `release_script.sh` runs `bin/rails db:prepare` before deploys switch images
+
+Because this demo uses Shakapacker plus the React on Rails Pro Node renderer,
+the root `Dockerfile` now installs Node.js and runs `npm ci` so the same image
+can both precompile assets and serve renderer requests in Control Plane.
+The renderer is also configured to bind `0.0.0.0` in production so the separate
+`rails` workload can reach it over the shared Control Plane network.
+Its bundle cache is stored under `/rails/tmp/.node-renderer-bundles`, which
+stays writable for the non-root app user inside the production image.
+
+## Required Runtime Secrets
+
+Before the app will boot on Control Plane, configure at least:
+
+- `SECRET_KEY_BASE`
+
+Optional:
+
+- `RENDERER_PASSWORD`
+- `REDIS_URL`
+
+These can be added either as direct GVC env vars or via a Control Plane secret
+store referenced from `templates/app.yml`.
+
+## Local cpflow Flow
+
+Typical setup:
+
+```sh
+export APP_NAME=react-on-rails-demo-16-4-0-rc5-staging
+
+cpflow setup-app -a "$APP_NAME"
+cpflow build-image -a "$APP_NAME"
+cpflow deploy-image -a "$APP_NAME" --run-release-phase
+cpflow open -a "$APP_NAME"
+```
+
+## GitHub Actions Variables and Secrets
+
+Set these in GitHub before enabling the generated `cpflow-*` workflows:
+
+- `CPLN_TOKEN_STAGING`
+- `CPLN_TOKEN_PRODUCTION`
+- `CPLN_ORG_STAGING`
+- `CPLN_ORG_PRODUCTION`
+- `STAGING_APP_NAME=react-on-rails-demo-16-4-0-rc5-staging`
+- `PRODUCTION_APP_NAME=react-on-rails-demo-16-4-0-rc5-production`
+- `REVIEW_APP_PREFIX=react-on-rails-demo-16-4-0-rc5-review`
+
+Optional:
+
+- `STAGING_APP_BRANCH=main`
+- `PRIMARY_WORKLOAD=rails`

.controlplane/release_script.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euo pipefail
+
+bin/rails db:prepare

.controlplane/templates/app.yml

@@ -0,0 +1,36 @@
+kind: gvc
+name: {{APP_NAME}}
+spec:
+  env:
+    - name: PORT
+      value: "3000"
+    - name: RAILS_ENV
+      value: production
+    - name: RAILS_LOG_LEVEL
+      value: info
+    - name: RAILS_SERVE_STATIC_FILES
+      value: "true"
+    - name: REACT_RENDERER_URL
+      value: http://renderer.{{APP_NAME}}.cpln.local:3800
+    - name: RENDERER_HOST
+      value: "0.0.0.0"
+    - name: RENDERER_PORT
+      value: "3800"
+    - name: RENDERER_WORKERS_COUNT
+      value: "1"
+    - name: RENDERER_SERVER_BUNDLE_CACHE_PATH
+      value: /rails/tmp/.node-renderer-bundles
+    # Required runtime secret:
+    # - name: SECRET_KEY_BASE
+    #   value: cpln://secret/react-on-rails-demo-16-4-0-rc5-secrets/SECRET_KEY_BASE
+    #
+    # Optional renderer secret:
+    # - name: RENDERER_PASSWORD
+    #   value: cpln://secret/react-on-rails-demo-16-4-0-rc5-secrets/RENDERER_PASSWORD
+    #
+    # Optional Action Cable Redis connection:
+    # - name: REDIS_URL
+    #   value: redis://redis.{{APP_NAME}}.cpln.local:6379/1
+  staticPlacement:
+    locationLinks:
+      - {{APP_LOCATION_LINK}}

.controlplane/templates/rails.yml

@@ -0,0 +1,29 @@
+kind: workload
+name: rails
+spec:
+  type: standard
+  containers:
+    - name: rails
+      cpu: 500m
+      inheritEnv: true
+      image: {{APP_IMAGE_LINK}}
+      memory: 1Gi
+      ports:
+        - number: 3000
+          protocol: http
+      volumes:
+        - path: /rails/storage
+          recoveryPolicy: retain
+          uri: cpln://volumeset/rails-storage
+  defaultOptions:
+    autoscaling:
+      minScale: 1
+      maxScale: 1
+    capacityAI: false
+    timeoutSeconds: 60
+  firewallConfig:
+    external:
+      inboundAllowCIDR:
+        - 0.0.0.0/0
+      outboundAllowCIDR:
+        - 0.0.0.0/0

.controlplane/templates/renderer.yml

@@ -0,0 +1,25 @@
+kind: workload
+name: renderer
+spec:
+  type: standard
+  containers:
+    - name: renderer
+      args:
+        - node
+        - client/node-renderer.js
+      cpu: 250m
+      inheritEnv: true
+      image: {{APP_IMAGE_LINK}}
+      memory: 512Mi
+      ports:
+        - number: 3800
+          protocol: http
+  defaultOptions:
+    autoscaling:
+      minScale: 1
+      maxScale: 1
+    capacityAI: false
+    timeoutSeconds: 60
+  firewallConfig:
+    internal:
+      inboundAllowType: same-gvc

.controlplane/templates/storage.yml

@@ -0,0 +1,6 @@
+kind: volumeset
+name: rails-storage
+spec:
+  fileSystemType: ext4
+  initialCapacity: 10
+  performanceClass: general-purpose-ssd

.github/actions/cpflow-build-docker-image/action.yml

@@ -0,0 +1,85 @@
+name: Build Docker Image
+description: Builds and pushes the app image for a Control Plane workload
+
+inputs:
+  app_name:
+    description: Name of the application
+    required: true
+  org:
+    description: Control Plane organization name
+    required: true
+  commit:
+    description: Commit SHA to tag the image with
+    required: true
+  pr_number:
+    description: Pull request number for status messaging
+    required: false
+  docker_build_extra_args:
+    description: Optional newline-delimited extra arguments passed through to docker build
+    required: false
+  docker_build_ssh_key:
+    description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
+    required: false
+  docker_build_ssh_known_hosts:
+    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
+    required: false
+
+outputs:
+  image_tag:
+    description: Fully qualified image tag
+    value: ${{ steps.build.outputs.image_tag }}
+
+runs:
+  using: composite
+  steps:
+    - name: Build Docker image
+      id: build
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        PR_INFO=""
+        docker_build_args=()
+
+        if [[ -n "${{ inputs.pr_number }}" ]]; then
+          PR_INFO=" for PR #${{ inputs.pr_number }}"
+        fi
+
+        if [[ -n "${{ inputs.docker_build_extra_args }}" ]]; then
+          while IFS= read -r arg; do
+            arg="${arg%$'\r'}"
+            [[ -n "${arg}" ]] || continue
+            docker_build_args+=("${arg}")
+          done <<< "${{ inputs.docker_build_extra_args }}"
+        fi
+
+        if [[ -n "${{ inputs.docker_build_ssh_key }}" ]]; then
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+
+          if [[ -n "${{ inputs.docker_build_ssh_known_hosts }}" ]]; then
+            cat <<'EOF' > ~/.ssh/known_hosts
+${{ inputs.docker_build_ssh_known_hosts }}
+EOF
+          else
+            cat <<'EOF' > ~/.ssh/known_hosts
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+EOF
+          fi
+
+          chmod 600 ~/.ssh/known_hosts
+
+          eval "$(ssh-agent -s)"
+          trap 'ssh-agent -k >/dev/null' EXIT
+          ssh-add - <<< "${{ inputs.docker_build_ssh_key }}"
+          docker_build_args+=("--ssh" "default")
+        fi
+
+        echo "🏗️ Building Docker image${PR_INFO} (commit ${{ inputs.commit }})..."
+        cpflow build-image -a "${{ inputs.app_name }}" --commit="${{ inputs.commit }}" --org="${{ inputs.org }}" "${docker_build_args[@]}"
+
+        image_tag="${{ inputs.org }}/${{ inputs.app_name }}:${{ inputs.commit }}"
+        echo "image_tag=${image_tag}" >> "$GITHUB_OUTPUT"
+        echo "✅ Docker image build successful${PR_INFO} (commit ${{ inputs.commit }})"

.github/actions/cpflow-delete-control-plane-app/action.yml

@@ -0,0 +1,24 @@
+name: Delete Control Plane App
+description: Deletes a Control Plane app and all associated resources
+
+inputs:
+  app_name:
+    description: Name of the application to delete
+    required: true
+  cpln_org:
+    description: Control Plane organization name
+    required: true
+  review_app_prefix:
+    description: Prefix used for review app names
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Delete application
+      shell: bash
+      run: ${{ github.action_path }}/delete-app.sh
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        CPLN_ORG: ${{ inputs.cpln_org }}
+        REVIEW_APP_PREFIX: ${{ inputs.review_app_prefix }}

.github/actions/cpflow-delete-control-plane-app/delete-app.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -euo pipefail
+
+: "${APP_NAME:?APP_NAME environment variable is required}"
+: "${CPLN_ORG:?CPLN_ORG environment variable is required}"
+: "${REVIEW_APP_PREFIX:?REVIEW_APP_PREFIX environment variable is required}"
+
+expected_prefix="${REVIEW_APP_PREFIX}-"
+if [[ "$APP_NAME" != "${expected_prefix}"* ]]; then
+  echo "❌ ERROR: refusing to delete an app outside the review app prefix" >&2
+  echo "App name: $APP_NAME" >&2
+  echo "Expected prefix: ${expected_prefix}" >&2
+  exit 1
+fi
+
+echo "🔍 Checking if application exists: $APP_NAME"
+exists_output=""
+if ! exists_output="$(cpflow exists -a "$APP_NAME" --org "$CPLN_ORG" 2>&1)"; then
+  case "$exists_output" in
+    *"Double check your org"*|*"Unknown API token format"*|*"ERROR"*|*"Error:"*|*"Traceback"*|*"Net::"*)
+      echo "❌ ERROR: failed to determine whether application exists: $APP_NAME" >&2
+      printf '%s\n' "$exists_output" >&2
+      exit 1
+      ;;
+  esac
+
+  if [[ -n "$exists_output" ]]; then
+    printf '%s\n' "$exists_output"
+  fi
+
+  echo "⚠️ Application does not exist: $APP_NAME"
+  exit 0
+fi
+
+if [[ -n "$exists_output" ]]; then
+  printf '%s\n' "$exists_output"
+fi
+
+echo "🗑️ Deleting application: $APP_NAME"
+cpflow delete -a "$APP_NAME" --org "$CPLN_ORG" --yes
+
+echo "✅ Successfully deleted application: $APP_NAME"