chore(deps): consolidate 12 Dependabot dependency updates #171

Merged: justin808 merged 12 commits into main from chore/consolidate-dependabot-updates on Jun 24, 2026

Conversation

justin808 (Member) commented Jun 24, 2026

Consolidates the 12 open Dependabot PRs into a single PR by cherry-picking each Dependabot commit, preserving their exact lockfile/manifest edits and original authorship. Lets us review and merge one change instead of twelve, then close the individual PRs.

GitHub Actions

  • actions/checkout v6 → v7 — ci.yml, claude.yml, claude-code-review.yml (tags and pinned SHAs)
  • shakacode/control-plane-flow reusable workflows v5.0.4 → v5.1.1 — 7 × cpflow-*.yml

Ruby gems (Gemfile.lock)

  • kamal 2.11.0 → 2.12.0
  • bootsnap 1.24.5 → 1.24.6
  • image_processing 2.0.1 → 2.0.2
  • selenium-webdriver 4.44.0 → 4.45.0 (dev)
  • transitive (pulled in by the above, as Dependabot resolved them): i18n 1.14.8 → 1.15.2, msgpack 1.8.0 → 1.8.3, rubyzip 3.3.0 → 3.4.0

Supersedes

Replaces and closes #168, #167, #165, #161, #159, #158, #157, #156, #155, #154, #153, #152.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated several automated workflows to use newer, pinned versions of their underlying checkout and reusable workflow steps.
    • Kept all existing triggers, inputs, secrets, and deployment behavior unchanged.

dependabot Bot added 12 commits June 24, 2026 11:26
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-deploy-review-app.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-help-command.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-cleanup-stale-review-apps.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-promote-staging-to-production.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-deploy-staging.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-review-app-help.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

…ow-delete-review-app.yml

Bumps [shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml](https://github.com/shakacode/control-plane-flow) from 5.0.4 to 5.1.1.
- [Release notes](https://github.com/shakacode/control-plane-flow/releases)
- [Changelog](https://github.com/shakacode/control-plane-flow/blob/main/CHANGELOG.md)
- [Commits](shakacode/control-plane-flow@v5.0.4...v5.1.1)

---
updated-dependencies:
- dependency-name: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml
  dependency-version: 5.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [bootsnap](https://github.com/rails/bootsnap) from 1.24.5 to 1.24.6.
- [Release notes](https://github.com/rails/bootsnap/releases)
- [Changelog](https://github.com/rails/bootsnap/blob/main/CHANGELOG.md)
- [Commits](rails/bootsnap@v1.24.5...v1.24.6)

---
updated-dependencies:
- dependency-name: bootsnap
  dependency-version: 1.24.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [image_processing](https://github.com/janko/image_processing) from 2.0.1 to 2.0.2.
- [Changelog](https://github.com/janko/image_processing/blob/master/CHANGELOG.md)
- [Commits](janko/image_processing@v2.0.1...v2.0.2)

---
updated-dependencies:
- dependency-name: image_processing
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [kamal](https://github.com/basecamp/kamal) from 2.11.0 to 2.12.0.
- [Release notes](https://github.com/basecamp/kamal/releases)
- [Commits](basecamp/kamal@v2.11.0...v2.12.0)

---
updated-dependencies:
- dependency-name: kamal
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [selenium-webdriver](https://github.com/SeleniumHQ/selenium) from 4.44.0 to 4.45.0.
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.44.0...selenium-4.45.0)

---
updated-dependencies:
- dependency-name: selenium-webdriver
  dependency-version: 4.45.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@github-actions


🚀 Quick Review App Commands

Welcome! Here are the commands you can use in this PR:
They require the repository to have cpflow review apps configured, including the CPLN_TOKEN_STAGING secret.

+review-app-deploy

Deploy your PR branch for testing.

+review-app-delete

Remove the review app when done.

+review-app-help

Show detailed instructions, environment setup, and configuration options.

Comment +review-app-help for full setup details.

coderabbitai Bot commented Jun 24, 2026

Walkthrough

Multiple GitHub Actions workflows were updated to use newer actions/checkout references and newer reusable control-plane workflow versions. The changes touch CI, Claude review automation, and review app, staging, and promotion workflows. No other workflow logic changed.

Changes

Workflow dependency version updates

Checkout action updates (.github/workflows/ci.yml, .github/workflows/claude*.yml): actions/checkout is bumped from v6 to v7 in CI and Claude workflow jobs, with two CI jobs switching from one pinned checkout SHA to another.

Reusable workflow updates (.github/workflows/cpflow-*.yml): Reusable control-plane workflow references are bumped from v5.0.4 to v5.1.1 across review-app, staging, promotion, and help workflows.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. The description lacks the repository's required Summary, Validation Tier, Test Plan, and Starter Checklist sections. Resolution: Rewrite the PR description to follow the template and include Summary, Validation Tier, Test Plan, and Starter Checklist entries.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title accurately summarizes the main change: consolidating Dependabot dependency updates.
Linked Issues check: ✅ Passed. The checkout action was bumped from v6 to v7 in the workflow files, satisfying linked issue #168.
Out of Scope Changes check: ✅ Passed. The reviewed changes stay within the stated Dependabot dependency updates and workflow version bumps.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 34: The checkout steps in the core, playwright-full, and
production-boot-smoke jobs still use the mutable actions/checkout@v7 tag, unlike
the other pinned workflow steps. Update the actions/checkout reference in each
of those jobs to a commit SHA so the ci workflow is reproducible; use the
existing checkout step locations in the jobs defined in .github/workflows/ci.yml
to find them.

In @.github/workflows/claude-code-review.yml:
- Line 30: The workflow step using actions/checkout is pinned to a moving tag,
so update the checkout reference in claude-code-review.yml to use the v7.0.0
commit SHA instead of actions/checkout@v7. Keep the existing step structure
intact and only replace the actions/checkout version reference so the workflow
stays on the same action while using the fixed commit-based pin.

📥 Commits

Reviewing files that changed from the base of the PR and between 981ff47 and 21d09f6.

⛔ Files ignored due to path filters (1)
  • Gemfile.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/claude-code-review.yml
  • .github/workflows/claude.yml
  • .github/workflows/cpflow-cleanup-stale-review-apps.yml
  • .github/workflows/cpflow-delete-review-app.yml
  • .github/workflows/cpflow-deploy-review-app.yml
  • .github/workflows/cpflow-deploy-staging.yml
  • .github/workflows/cpflow-help-command.yml
  • .github/workflows/cpflow-promote-staging-to-production.yml
  • .github/workflows/cpflow-review-app-help.yml

Comment thread .github/workflows/ci.yml

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
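Review bot: the replacement line `- uses: actions/checkout@v7` leaves this step on a mutable major-version tag while the PR description says the bump covers "tags and pinned SHAs" and the other checkout steps in this file are reported as SHA-pinned; for consistency and reproducibility, pin this step to the full-length commit SHA of the v7 release and keep the tag in a trailing comment, e.g. `- uses: actions/checkout@<full 40-character SHA> # v7.0.0`, so a later repoint of the `v7` tag cannot change what the job executes.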


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant workflow file around the cited lines.
git ls-files .github/workflows/ci.yml
wc -l .github/workflows/ci.yml
sed -n '1,260p' .github/workflows/ci.yml

Repository: shakacode/react-on-rails-starter-tanstack

Length of output: 6605


Pin the three actions/checkout refs in .github/workflows/ci.yml.
The core, playwright-full, and production-boot-smoke jobs still use actions/checkout@v7 (lines 34, 84, 140), while the other checkout steps are already SHA-pinned. Replace these tags with commit SHAs so the workflow stays reproducible.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v7
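Review bot: same concern for the `Checkout repository` step here: `uses: actions/checkout@v7` is a floating tag, and the zizmor finding below (`unpinned-uses`, line 30) fails the repository's blanket pinning policy; replace the tag with the full-length commit SHA and keep `# v7.0.0` as a comment. If the SHA is taken from an external source, verify that it resolves to the tagged commit in the actions/checkout repository before merging.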


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/claude-code-review.yml
echo '---'
cat -n .github/workflows/claude-code-review.yml | sed -n '1,120p'

Repository: shakacode/react-on-rails-starter-tanstack

Length of output: 1965


🌐 Web query:

actions/checkout v7 release tag immutable ref commit SHA GitHub Actions

💡 Result:

As of June 24, 2026, the latest release of the official GitHub actions/checkout action is v7.0.0, published on June 18, 2026 [1][2][3]. Regarding the immutability of release tags and the use of commit SHAs:

1. Tag Mutability: GitHub release tags (such as v7 or v7.0.0) are technically mutable, meaning they can be moved or deleted by users with appropriate repository permissions [4][5]. While GitHub has introduced a feature for "Immutable Releases" to protect against unauthorized tag updates [4][5], it is not currently enabled for the actions/checkout repository [4][5].

2. Best Practice: Because tags can be moved, they are susceptible to supply chain security risks if an attacker gains access to the repository [5]. To ensure complete immutability and security, it is best practice to pin your actions to a specific commit SHA rather than a tag or branch name [5].

3. Implementation: You can use a commit SHA in your workflow configuration like this [5]:

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v7.0.0

By pinning to a full-length commit SHA, you ensure that the exact code you tested is executed, regardless of any future changes to tags in the repository [5]. Using the tag as a comment (as shown above) is a common pattern to keep the configuration readable while maintaining the security benefits of SHA pinning [5].


Pin actions/checkout to a commit SHA.

actions/checkout@v7 is a moving tag; pin it to the v7.0.0 commit instead.

Suggested fix
-        uses: actions/checkout@v7
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v7.0.0
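Review bot: the suggested pin `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v7.0.0` should be verified before it is committed, because the SHA comes from the web-search result above, whose citation list is empty; check that `git ls-remote https://github.com/actions/checkout 'refs/tags/v7.0.0^{}'` (the `^{}` suffix dereferences an annotated tag to its commit) returns exactly this SHA, since an unverified SHA pins the workflow to whatever commit that hash happens to name, which is harder to notice in review than a wrong tag.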
🧰 Tools
🪛 zizmor (1.26.1)

[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools
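The review comments above all turn on one check: whether each `uses:` reference in a workflow points at an immutable full-length commit SHA or at a tag or branch that can be repointed. The script below is an added example (not code from this repository, from CodeRabbit, or from zizmor) that performs that audit over GitHub Actions workflow text: it finds step-level and reusable-workflow `uses:` lines, classifies each reference, flags mutable tags and branches, abbreviated SHAs, and SHA pins that lack the `# vX.Y.Z` comment reviewers rely on, and skips local (`./`) and `docker://` references. The embedded sample workflow is constructed for the example and its 40-hex SHA is a placeholder, not a real actions/checkout commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this review thread; not the repository's own tooling. The
sample workflow below is constructed and its 40-hex SHA is a placeholder.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Step-level (`- uses:`) and job-level reusable-workflow (`uses:`) references,
# with an optional trailing `# vX.Y.Z` comment after the reference.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)(?:\s+#\s*(.*?))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")

# Constructed sample: the reference shapes seen in this PR's workflows.
# The SHA is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  core:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v7.0.0
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
  review:
    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.1.1
"""


@dataclass
class Finding:
    line: int
    target: str
    kind: str
    comment: Optional[str]
    issue: Optional[str]


def classify_ref(target: str) -> str:
    """Classify what a `uses:` value points at."""
    if target.startswith("./"):
        return "local"      # action inside this repo; it moves with the commit itself
    if target.startswith("docker://"):
        return "docker"     # container image; pin by digest, outside this check
    if "@" not in target:
        return "unversioned"
    ref = target.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch-or-other"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line; `issue` is set when it is not SHA-pinned."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        kind = classify_ref(target)
        issue = None
        if kind in ("tag", "branch-or-other", "unversioned"):
            issue = "mutable reference: pin to a full-length commit SHA"
        elif kind == "short-sha":
            issue = "abbreviated SHA: use the full 40-character commit SHA"
        elif kind == "sha" and not comment:
            issue = "SHA pin lacks a version comment, so reviewers cannot tell which release it is"
        findings.append(Finding(lineno, target, kind, comment, issue))
    return findings


def problems(findings: List[Finding]) -> List[Finding]:
    """Only the findings that need action."""
    return [f for f in findings if f.issue]


def main(paths: List[str]) -> int:
    """Audit each file given (or the built-in sample); exit 1 if anything is unpinned."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    bad = 0
    for name, text in sources:
        for f in problems(audit_workflow(text)):
            print(f"{name}:{f.line}: {f.target} [{f.kind}] {f.issue}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_uses.py .github/workflows/*.yml` in a checkout; with no arguments it audits the built-in sample and reports the `@v7` and `@v5.1.1` tags plus the comment-less SHA pin. It is line-oriented rather than a YAML parser, which keeps it dependency-free but means a `uses:` key inside a multi-line string would also be matched; for a workflow linter with policy support, zizmor (already run on this PR) is the better tool.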

github-actions Bot commented Jun 24, 2026
✅ Review App Deleted

Review app for PR #171 is deleted

