feat(cli): Building the CLI for the users to aggregate the deployment of the weOwn AI stack #3
Draft: dhruvmalik007 wants to merge 3 commits into main from dhruvmalik007/indepMKTG-setup
Conversation
domain-aware wp/matomo/n8n deploy + CLI help + docs - also detailing the setup in README
Author: Currently it might require some more changes (especially in terms of the networking setup and configuration for Matomo to get analytics) and also the Grafana setup. Let me do some final commits tomorrow.
romandidomizio added a commit that referenced this pull request on Jan 25, 2026:

**Issue #1: kubectl secret rotation using wrong credentials**
- Fixed: Use new credentials from API response node, not environment variables
- Changed: $INFISICAL_CLIENT_ID → {{ $node["Create New Client Secret"].json.clientId }}
- Impact: Ensures Kubernetes secret updated with NEW credentials, not old ones

**Issue #2: OpenRouter key deletion invalid hash filter**
- Fixed: Use .json.hash field from API response
- Changed: | hash filter → .json.hash (proper OpenRouter API field)
- Impact: Correct key deletion using hash returned from GET /api/v1/keys

**Issue #3: envSlug inconsistency across files**
- Fixed: Standardized default to 'prod' matching documentation examples
- Changed: values.yaml and template default from 'production' → 'prod'
- Impact: Prevents confusion and integration failures from mismatched slugs

All 3 issues validated by Copilot AI review on PR #4.
romandidomizio added a commit that referenced this pull request on Jan 27, 2026:

Resolved all issues identified in PR #5 Copilot review:

Issue #1: Removed duplicate Version line in INFISICAL_INTEGRATION.md
Issue #2: Fixed corrupted emoji (� → ⚙️) in README Helm section
Issue #3 & #8: Updated VERSIONING_WEOWNVER.md path references:
- Changed ../VERSIONING_WEOWNVER.md to /docs/VERSIONING_WEOWNVER.md
- Updated in CHANGELOG.md (2 locations) and README.md
Issue #4: Fixed VERSIONING_WEOWNVER.md path in anythingllm README.md
- Changed relative path to absolute: /docs/VERSIONING_WEOWNVER.md
Issue #5: Fixed VERSIONING_WEOWNVER.md path in copilot-instructions.md
- Updated version reference documentation path
Issue #6: Clarified 3-digit format in VERSIONING_WEOWNVER.md
- Added note explaining 3.4.0 uses SEASON.WEEK.DAY where DAY=0
- Documented weekly rollup shorthand format
Issue #7: Fixed corrupted emoji (�� → 🔑) in README API section
Issue #9: Updated workflow filename reference in auto-pr-to-main.yml
- Changed auto-pr-maintenance.yml to auto-pr-to-main.yml in PR body
Issue #10: Clarified ISO week year boundary in Season Calendar
- Changed W40-W05 to 2025-W40–2026-W05 for Season 2
- Makes year transition explicit and unambiguous

All documentation paths now use absolute references (/docs/) for consistency and proper linking across repository structure.
romandidomizio added a commit that referenced this pull request on Jan 27, 2026:

Resolved all remaining issues from PR #5 Copilot review:

Issue #1 - Workflow branch triggers:
- Added explicit branch patterns: maintenance, feature/*, fix/*, docs/*, hotfix/*
- Excluded experimental/* branches to prevent unintended PRs
- Maintains security while supporting defined branching strategy
Issue #2 - Dynamic repository values:
- Changed hardcoded 'WeOwnNetwork' to ${{ github.repository_owner }}
- Changed hardcoded 'ai' to ${{ github.event.repository.name }}
- Enables workflow portability across forks and repos
Issue #3 - Improved PR title fallback:
- Added commit count when available
- Uses latest commit subject as additional hint
- Provides context: 'Merge branch into main (X commits)'
- Falls back gracefully through multiple options
Issue #4 - Copilot date context:
- Updated to current date: January 26, 2026 (Sunday)
- Clarified Copilot cannot use web search during reviews
- Focus on format validation vs exact date calculation
Issue #5 & #9 - Version format clarity:
- Clarified 3.4.0 as SEASON.WEEK.DAY with DAY=0, VERSION omitted
- Updated special cases table with explicit component breakdowns
- Added note explaining shorthand format vs full 4-part format
Issue #6 - CI/CD dry-run validation:
- Removed '|| true' error suppression
- Allows failures to propagate and fail pipeline
- Aligns with quality gates (blocking on K8s failures)
Issue #7 - README absolute paths:
- Changed ../docs/ to /docs/ for HELM_VALUE_MANAGEMENT.md
- Ensures links work across all documentation contexts
Issue #11 - Example day inconsistency:
- Fixed Jan 25, 2026 from Saturday (6) to Sunday (7)
- Provided complete example version: 2.5.7.1
Issue #12 - CHANGELOG date:
- Updated from 2026-01-25 to 2026-01-26 (current date)
Issue #14 - WordPress version clarity:
- Clarified as 'WordPress application version 3.2.5'
- Distinguishes from WeOwnVer chart versioning
Issue #15 - Security consistency:
- Pinned all actions/checkout@v4 to specific SHA
- Added comment: # v4.1.5 for version tracking
- Consistent with other pinned actions in workflow

All paths now use absolute /docs/ references, all version format ambiguities resolved, security controls enforced consistently.
romandidomizio added a commit that referenced this pull request on Jan 27, 2026:

Path consistency, verified SHA pinning, critical /tmp security fixes, and documentation date updates.

Issue #1: Path references (copilot-instructions.md)
- Lines 392, 446: /VERSIONING_WEOWNVER.md → /docs/VERSIONING_WEOWNVER.md
Issue #2: GitHub Actions security (SHA pinning)
- Applied VERIFIED SHAs (fetched via GitHub API):
  * actions/checkout@34e1148 # v4
  * actions/create-github-app-token@d72941d # v1
- SHA pinning required for security-sensitive workflows:
  * Handles authentication secrets (APP_ID, APP_PRIVATE_KEY)
  * Has pull-requests: write permission
  * Runs automatically without human approval
- SHAs are immutable commit fingerprints preventing supply chain attacks
- Tags are mutable and can be redirected by compromised maintainers
Issue #3: Chart.yaml path reference
- Updated to /docs/VERSIONING_WEOWNVER.md for consistency
Issue #4-5: Date consistency
- VERSIONING_WEOWNVER.md version history: Jan 25 → Jan 26
- copilot-instructions.md example date: Jan 25 → Jan 26
- Removed duplicate date line from previous edit
Issues #6-9: CRITICAL SECURITY - /tmp usage (5 instances)
- HELM_VALUE_MANAGEMENT.md line 145: mktemp + trap cleanup
- Line 302: Secure temp file for modify_live_deployment()
- Line 350: Added cleanup after values file editing
- Line 440: Secure temp for bulk configuration changes
- Line 571: Quick reference updated to mktemp pattern
- Prevents credential leakage (API keys, passwords, JWT tokens) on multi-user systems where /tmp is world-readable

Documentation updates:
- copilot-instructions.md: Last Updated 2026-01-26
- CI_CD_WORKFLOWS.md: Last Updated 2026-01-26

Security improvements align with SOC2/ISO42001 compliance requirements and WeOwn enterprise security protocols.
romandidomizio added a commit that referenced this pull request on Jan 27, 2026:

SHA pinning consistency, resource cleanup, version migration clarity.

Issue #1: SHA pinning consistency (CI_CD_WORKFLOWS.md)
- Pin codeql-action/upload-sarif to verified SHA
- SHA: b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
- Matches security standard used elsewhere in workflows
Issue #2: Resource cleanup (auto-pr-to-main.yml)
- Add trap 'rm -f $PR_BODY $PR_TITLE' EXIT
- Prevents orphaned temp files if workflow fails
- Ensures cleanup on exit or error
Issue #3: Version migration clarity (CHANGELOG.md)
- Add migration note explaining 2.1.0 (SemVer) → 2.5.0 (WeOwnVer)
- Clarifies version numbers not directly comparable across systems
- Improves user understanding of versioning transition

All changes align with SOC2/ISO42001 security requirements.
romandidomizio added a commit that referenced this pull request on Jan 31, 2026:

Enhanced security controls, error handling, and compliance validation.

Issue #1: Trap cleanup timing (auto-pr-to-main.yml)
- Set trap immediately after first mktemp (line 56)
- Prevents orphaned temp files if second mktemp fails
- Security: Ensures cleanup even on early script failure
Issue #2: Redundant cleanup (auto-pr-to-main.yml)
- Removed manual cleanup at line 157
- Trap EXIT handler already performs cleanup
- Prevents double-cleanup errors
Issues #3-5: mktemp error handling (HELM_VALUE_MANAGEMENT.md)
- Line 145: Added error handling for secure temp file creation
- Line 305: Added validation for mktemp in modify_live_deployment()
- Line 365: Removed redundant cleanup (rely on trap/caller)
- Impact: Scripts now fail fast with clear error messages
Issue #6: Placeholder clarification (VERSIONING_WEOWNVER.md)
- Added note explaining angle brackets are placeholders
- Example: Use SHARED-KERNEL_v3.1.1.1.md, not <SHARED-KERNEL>_v<3>...
- Prevents filename confusion for new users
Issue #7: Secret exposure fix (HELM_VALUE_MANAGEMENT.md)
- Line 478: Encode password to variable before kubectl patch
- Prevents password exposure in process listings/logs
- Security: Follows enterprise secret handling best practices
Issue #8: WeOwnVer day validation (CI_CD_WORKFLOWS.md)
- Added day component validation (0-7 range)
- Enhanced season validation (1-9999 range)
- Week validation improved (0-17 range)
- Prevents invalid version numbers in CI/CD pipeline
Issue #9: Hardcoded secrets detection (CI_CD_WORKFLOWS.md)
- Improved grep pattern to reduce false positives
- Excludes comments, examples, and proper secret injection
- Pattern: ^[[:space:]]*[^#]*password[^:]*[:=][[:space:]]*[^[:space:]#]+
- Better detection of actual security violations
Issue #10: TLS 1.3 enforcement (CI_CD_WORKFLOWS.md)
- Changed from ::warning to ::error (SOC2 requirement)
- Pipeline now blocks deployments without TLS 1.3
- Aligns with copilot-instructions.md MANDATORY TLS 1.3 policy

All changes enhance SOC2/ISO42001 compliance and production security.
Author: Dhruv (@dhruvmalik007)
This pull request introduces a comprehensive and interactive CLI tool for deploying and managing WeOwn stacks on DigitalOcean Kubernetes. It adds modular Bash scripts for cluster management, Helm-based application deployment, and user-friendly terminal UI, along with improvements to documentation and DNS validation. The CLI enables teams to manage clusters, deploy infrastructure and applications, and monitor deployments with ease.
Major features and changes:
1. CLI Tooling and User Experience
- `cli/weown` executable as the main entry point for the WeOwn CLI, providing an interactive menu for cluster and application management. The CLI uses modular scripts for maintainability and extensibility.
- `cli/lib/styles.sh` for consistent terminal output, banners, colorized logs, and interactive menu helpers, enhancing the overall user experience.
2. Kubernetes Cluster Management
- `cli/lib/do_k8s.sh` to automate DigitalOcean Kubernetes cluster operations, including node pool management (list, scale, create, delete), cluster creation/deletion, and context setup using `doctl`.
3. Helm Application Deployment
- `cli/lib/helm_utils.sh` to abstract Helm chart deployment, upgrades, listing, and uninstallation, ensuring reusable and robust Helm operations.
- `cli/lib/stacks.sh` to define available infrastructure and application stacks (e.g., WordPress, Matomo, n8n), handle environment-based configuration, and orchestrate deployments with custom Helm arguments.
4. Documentation and Usability
- `README.md` with detailed instructions for setting up and using the WeOwn CLI, including prerequisites, environment variables, and usage examples.
5. Deployment Robustness
- `n8n/deploy.sh` with a DNS validation function to check that the configured domain resolves to the expected ingress IP before attempting Let's Encrypt certificate issuance, reducing deployment errors.
in README