Skip to content

Auto-PR: fix(deploy): automated AnythingLLM deploys now bootable + compliance facts table#89

Merged
ncimino merged 1 commit into
mainfrom
fix/nik-anythingllm-autodeploy-gaps
Jul 15, 2026
Merged

Auto-PR: fix(deploy): automated AnythingLLM deploys now bootable + compliance facts table#89
ncimino merged 1 commit into
mainfrom
fix/nik-anythingllm-autodeploy-gaps

Conversation

@weown-bot

Copy link
Copy Markdown
Contributor

🤖 Automated Pull Request — authored by weown-bot (ecosystem service account)

Opened by: @ncimino
Last pushed by: @ncimino
Branch: fix/nik-anythingllm-autodeploy-gapsmain

Contributors on this branch:


📋 Human Review Checklist — NIST CSF 2.0 Functions

Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See docs/COMPLIANCE_ROADMAP.md.

🏛️ Govern (GV)

  • CODEOWNERS correct for affected paths (.github/CODEOWNERS)
  • ADR required/updated if an architectural decision is introduced
  • Policy impact considered and documented
  • All Copilot AI review comments addressed or explicitly deferred with rationale

🔍 Identify (ID)

  • New assets inventoried (Helm values, container images, dependencies)
  • SBOM regenerated if dependencies changed
  • Risk register / threat model touched if threat surface changed (.github/SECURITY_ASSESSMENT.md)

🛡️ Protect (PR)

  • Least privilege: RBAC, ServiceAccounts, scoped PATs (NIST PR.AC, CIS 5/6, ISO A.5.15-A.5.18)
  • Secrets managed via Infisical (never --from-literal, never /tmp, always $(mktemp) — ISO A.8.24)
  • NetworkPolicy present for new deployments (NIST PR.AC-5, CIS 12, CSA IVS)
  • TLS 1.3 with strong cipher suites where applicable (NIST PR.DS-1, CIS 3)
  • Container security: non-root UID 1000+, Pod Security restricted (NIST PR.IP, CIS 4)

🕵️ Detect (DE)

  • Logs / metrics added for new components (NIST DE.CM, CIS 8/13)
  • Alert rules updated if thresholds change
  • Health checks (livenessProbe + readinessProbe) configured

🚨 Respond (RS)

  • Runbook updated if operational behavior changes (.github/INCIDENT_RESPONSE.md)
  • Incident response impact considered (escalation paths, on-call)

♻️ Recover (RC)

  • Backup strategy covers new persistent data (NIST RC.RP, CIS 11, ISO A.8.13)
  • Rollback procedure tested or documented
  • DR impact assessed for new critical components

📚 Documentation & Versioning

  • Relevant CHANGELOG.md updated (per-directory or repo-level /CHANGELOG.md)
  • #WeOwnVer version bumped per docs/VERSIONING_WEOWNVER.md
  • READMEs / ADRs / inline comments updated

📝 Recent Commits (full bodies for Copilot context)

0097fe8 fix(deploy): automated AnythingLLM deploys now bootable + compliance facts table

Author: Nik
Date: Wed Jul 15 10:49:30 2026 -0600

  • deploy-new-site.sh: anythingllm-docker branch in Phase 2 pushes the remaining
    fail-loud-required values (ANYTHINGLLM_IMAGE from env, EMBEDDING_ENGINE default
    openrouter, optional EMBEDDING_MODEL_PREF) and mints the per-customer capped
    OPENROUTER_API_KEY via scripts/provision-openrouter-key.sh (OPENROUTER_LIMIT_USD,
    default 50). Loud warnings when a value cannot be set automatically.
  • docs/CUSTOMER_INSTANCE_PROVISIONING.md: Compliance & data handling facts table
    (tenancy, locality, encryption, retention 60d, subprocessors, framework mapping)
    backing the customer-facing terms.
  • CHANGELOG: [Unreleased] Fixed entry (folded into the existing Fixed section).

Verified: bash -n + shellcheck clean.



🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (review_on_push: true) to trigger review automatically.

👥 Required Reviewers: human approval enforced by branch protection + CODEOWNERS. @ncimino requested automatically.

📚 Review Guidelines: .github/copilot-instructions.md (phase-aware compliance directives)

🛠️ Workflow Operations: .github/workflows/README.md

Auto-generated by .github/workflows/auto-pr-to-main.yml

…facts table

- deploy-new-site.sh: anythingllm-docker branch in Phase 2 pushes the remaining
  fail-loud-required values (ANYTHINGLLM_IMAGE from env, EMBEDDING_ENGINE default
  openrouter, optional EMBEDDING_MODEL_PREF) and mints the per-customer capped
  OPENROUTER_API_KEY via scripts/provision-openrouter-key.sh (OPENROUTER_LIMIT_USD,
  default 50). Loud warnings when a value cannot be set automatically.
- docs/CUSTOMER_INSTANCE_PROVISIONING.md: Compliance & data handling facts table
  (tenancy, locality, encryption, retention 60d, subprocessors, framework mapping)
  backing the customer-facing terms.
- CHANGELOG: [Unreleased] Fixed entry (folded into the existing Fixed section).

Verified: bash -n + shellcheck clean.
Copilot AI review requested due to automatic review settings July 15, 2026 16:49
@weown-bot weown-bot requested a review from ncimino as a code owner July 15, 2026 16:49
@weown-bot weown-bot removed the request for review from Copilot July 15, 2026 16:49
@ncimino ncimino merged commit 4c9bf68 into main Jul 15, 2026
18 of 19 checks passed
@ncimino ncimino deleted the fix/nik-anythingllm-autodeploy-gaps branch July 15, 2026 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants