Auto-PR: Merge maintenance → main

.github/workflows/auto-pr-to-main.yml

@@ -0,0 +1,158 @@
+name: Auto-Create PR to Main
+
+on:
+  push:
+    branches:
+      - 'maintenance'
+      - 'feature/*'
+      - 'fix/*'
+      - 'docs/*'
+      - 'hotfix/*'
+      - '!main'
+      - '!experimental/*'
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  create-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate GitHub App Token
+        id: generate-token
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: ${{ github.event.repository.name }}
+
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          token: ${{ steps.generate-token.outputs.token }}
+
+      - name: Create Pull Request
+        id: create-pr
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          # Get current branch name
+          BRANCH_NAME="${{ github.ref_name }}"
+
+          # Check if PR already exists
+          existing_pr=$(gh pr list --base main --head "$BRANCH_NAME" --json number --jq '.[0].number')
+
+          if [ -n "$existing_pr" ]; then
+            echo "PR #$existing_pr already exists, new commits will be added automatically"
+            echo "pr_number=$existing_pr" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # Create PR body and title files with cleanup trap
+          # Set trap first to ensure cleanup even if second mktemp fails
+          trap 'rm -f "$PR_BODY" "$PR_TITLE"' EXIT
+          PR_BODY=$(mktemp)
+          PR_TITLE=$(mktemp)
+
+          # Generate dynamic title from first commit (relative to main when available)
+          TARGET_BRANCH="main"
+          if git rev-parse --verify "origin/$TARGET_BRANCH" >/dev/null 2>&1; then
+            FIRST_COMMIT=$(git log --format=%s -1 "$BRANCH_NAME" ^"origin/$TARGET_BRANCH")
+          else
+            FIRST_COMMIT=$(git log --format=%s -1 "$BRANCH_NAME")
+          fi
+
+          # Fallback if no unique commits are found or subject is empty
+          if [ -z "$FIRST_COMMIT" ]; then
+            # Determine commit count compared to target branch when possible
+            if git rev-parse --verify "origin/$TARGET_BRANCH" >/dev/null 2>&1; then
+              COMMIT_COUNT=$(git rev-list --count "$BRANCH_NAME" ^"origin/$TARGET_BRANCH" 2>/dev/null || echo "")
+            else
+              COMMIT_COUNT=$(git rev-list --count "$BRANCH_NAME" 2>/dev/null || echo "")
+            fi
+
+            # Use latest commit message on the branch as an additional hint
+            LATEST_SUBJECT=$(git log --format=%s -1 "$BRANCH_NAME" 2>/dev/null || echo "")
+
+            if [ -n "$LATEST_SUBJECT" ]; then
+              FIRST_COMMIT="Merge $BRANCH_NAME into $TARGET_BRANCH - $LATEST_SUBJECT"
+            elif [ -n "$COMMIT_COUNT" ]; then
+              FIRST_COMMIT="Merge $BRANCH_NAME into $TARGET_BRANCH ($COMMIT_COUNT commits)"
+            else
+              FIRST_COMMIT="Merge $BRANCH_NAME into $TARGET_BRANCH"
+            fi
+          fi
+
+          # Create title: "Auto-PR: <descriptive subject>"
+          echo "Auto-PR: $FIRST_COMMIT" > "$PR_TITLE"
+
+          {
+            echo "🤖 Automated Pull Request"
+            echo ""
+            echo "## 📋 Human-in-the-Loop Review Checklist"
+            echo ""
+            echo "**Review the following before approving this PR:**"
+            echo ""
+            echo "### Security & Compliance"
+            echo "- [ ] All GitHub Copilot AI code review comments addressed"
+            echo "- [ ] SOC2/ISO/IEC 42001 compliance requirements validated"
+            echo "- [ ] Security best practices followed (no hardcoded secrets, proper RBAC, etc.)"
+            echo "- [ ] No sensitive data in commits"
+            echo "- [ ] TLS 1.3 configured where applicable"
+            echo ""
+            echo "### Code Quality & Testing"
+            echo "- [ ] Code follows established conventions and style guides"
+            echo "- [ ] All automated tests passing"
+            echo "- [ ] No breaking changes (or migration plan documented)"
+            echo "- [ ] Performance implications assessed"
+            echo "- [ ] Error handling adequate"
+            echo ""
+            echo "### Documentation & Versioning"
+            echo "- [ ] Documentation updated (README, CHANGELOG, inline comments)"
+            echo "- [ ] Version numbers incremented appropriately"
+            echo "- [ ] API changes documented"
+            echo "- [ ] Architecture Decision Records (ADRs) created if applicable"
+            echo ""
+            echo "### Infrastructure & DevOps"
+            echo "- [ ] Helm chart best practices followed"
+            echo "- [ ] Kubernetes manifests validated (helm lint, kubectl dry-run)"
+            echo "- [ ] Docker best practices followed (multi-stage builds, security)"
+            echo "- [ ] Resource limits and requests configured"
+            echo "- [ ] Deployment tested in staging"
+            echo ""
+            echo "## 📝 Recent Commits"
+            echo ""
+            # Show last 5 commits on current branch (handle missing main branch)
+            if git rev-parse --verify origin/main >/dev/null 2>&1; then
+              git log --oneline --no-decorate -5 "$BRANCH_NAME" ^origin/main
+            else
+              git log --oneline --no-decorate -5 "$BRANCH_NAME"
+            fi
+            echo ""
+            echo "---"
+            echo ""
+            echo "**🔍 Copilot AI Review**: Automated compliance and security validation will run on this PR."
+            echo ""
+            echo "**📚 Guidelines**: See \`.github/copilot-instructions.md\` for complete review criteria."
+            echo ""
+            echo "**Auto-generated by** \`.github/workflows/auto-pr-to-main.yml\`"
+          } > "$PR_BODY"
+
+          # Create PR with dynamic title and body
+          pr_url=$(gh pr create \
+            --base main \
+            --head "$BRANCH_NAME" \
+            --title "$(cat "$PR_TITLE")" \
+            --body-file "$PR_BODY")
+
+          # Extract PR number from URL
+          pr_number=$(echo "$pr_url" | grep -oE '[0-9]+$')
+          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          echo "Created PR #$pr_number"
+          echo "Note: Copilot auto-review will be triggered by Repository Ruleset"
+
+          # Note: cleanup of PR_BODY and PR_TITLE temp files is handled by the 'trap EXIT' set on line 56
+          # Trap is set before mktemp calls to ensure cleanup even if subsequent operations fail

.gitignore

@@ -69,6 +69,9 @@ Icon?
 servers/
 knowledge-cache/
 
+# Windsurf/AI Assistant workspace rules (local only)
+.windsurf/rules/
+
 # Development artifacts
 getMessage
 **/getMessage
@@ -103,3 +106,6 @@ helm/Chart.lock
 # Temporary Helm values
 values-*.yaml.tmp
 custom-values-*.yaml
+
+# Windsurf workspace rules (local configuration, never commit)
+.windsurf/rules/

anythingllm/CHANGELOG.md

@@ -3,9 +3,18 @@
 All notable changes to the AnythingLLM Kubernetes deployment will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+and this project adheres to [#WeOwnVer](/docs/VERSIONING_WEOWNVER.md) (Season.Week.Day.Version).
 
-## [2.1.0] - 2026-01-25
+## [2.5.0] - 2026-01-26
+
+### Changed - Versioning System
+- **Adopted #WeOwnVer**: Transitioned from Semantic Versioning to WeOwn ecosystem versioning
+- **Version Format**: SEASON.WEEK.DAY.VERSION (2.5.0 = Season 2, Week 5, summary)
+- **Documentation**: Added reference to `/docs/VERSIONING_WEOWNVER.md` for versioning standards
+- **Chart Version**: Updated to align with WeOwn ecosystem rhythm (Season 2, Week 5)
+- **Migration Note**: `2.5.0` is the direct successor to `2.1.0`. Versions before `2.5.0` used SemVer, and versions `2.5.0` and later use #WeOwnVer, so version numbers across this change are not directly comparable by their numeric components.
+
+## [2.1.0] - 2026-01-25 (Legacy SemVer)
 
 ### Added - Enterprise Secrets Management (Infisical Integration)
 

anythingllm/README.md

@@ -272,6 +272,22 @@ Agent skills can execute code on your system. The default setting (`"1"`) only a
 
 To disable completely, remove the `COMMUNITY_HUB_BUNDLE_DOWNLOADS_ENABLED` variable from values.yaml.
 
+### ⚙️ Helm Value Management
+
+For comprehensive guidance on safely updating configuration values in production:
+
+**📖 See: [`/docs/HELM_VALUE_MANAGEMENT.md`](/docs/HELM_VALUE_MANAGEMENT.md)**
+
+This guide covers:
+- ✅ **Safe upgrade strategies** (`--reuse-values` vs `--reset-values` vs `--values`)
+- ✅ **Live deployment updates** without downtime
+- ✅ **Common pitfalls** and how to avoid them (database connection failures, lost configuration)
+- ✅ **GUI tools** (Lens, Portainer) and their limitations
+- ✅ **Deploy script integration** for secure value updates
+- ✅ **Emergency recovery** procedures
+
+**Critical Rule:** Always use `--reuse-values` with stateful applications (AnythingLLM, WordPress, Matomo). Never use `--reset-values` as it regenerates all values including passwords, breaking database connections.
+
 ### 🔑 API Key Management & Rotation
 
 #### Manual Secret Management (Current Process)
@@ -589,9 +605,10 @@ The script generates secure admin credentials for:
 ### 🔄 **Updates & Maintenance**
 
 #### **Version Information**
-- **Current Version**: 1.9.1 (January 2026)
-- **Chart Version**: 2.0.7
-- **Image**: `mintplexlabs/anythingllm:1.9.1`
+- **Current Version**: 1.10.0 (January 2026)
+- **Chart Version**: 2.5.0 (#WeOwnVer: Season 2, Week 5)
+- **Versioning System**: [#WeOwnVer](/docs/VERSIONING_WEOWNVER.md) (Season.Week.Day.Version)
+- **Image**: `mintplexlabs/anythingllm:1.10.0`
 - **Update Strategy**: Rolling updates with zero downtime
 
 #### **Manual Upgrade Commands**

anythingllm/docs/INFISICAL_INTEGRATION.md

@@ -614,5 +614,7 @@ infisical:
 ---
 
 **Last Updated**: January 2026  
-**Version**: 2.1.0  
+**Version**: 2.5.0 (#WeOwnVer format)  
 **Maintainer**: WeOwn Development Team
+
+**Note**: This document follows the #WeOwnVer versioning system. See `/docs/VERSIONING_WEOWNVER.md` for details. The exact WEEK value methodology will be clarified in a future update.

anythingllm/helm/Chart.yaml

@@ -8,11 +8,12 @@ description: |
 type: application
 
 # Chart version - increment when making changes to chart templates
-# Follows Semantic Versioning (https://semver.org/)
-version: 2.1.0
+# Follows #WeOwnVer (Season.Week.Day.Version) - see /docs/VERSIONING_WEOWNVER.md
+# Current: Season 2, Week 5 (Jan 26-Feb 1, 2026), Day 7 (Sunday, Feb 1)
+version: 2.5.0
 
 # Application version - AnythingLLM version being deployed
-appVersion: "1.9.1"
+appVersion: "1.10.0"
 
 # Keywords for chart discovery
 keywords:

anythingllm/helm/values.yaml

@@ -1,6 +1,6 @@
-# values.yaml for AnythingLLM - WeOwn Enterprise Security MVP-0.2
+# values.yaml for AnythingLLM
 # SECURITY NOTE: No secrets should be stored in this file!
-# All sensitive values are injected from Kubernetes secrets.
+# All sensitive values are injected from Infisical and Kubernetes secrets.
 # Enterprise-grade security: Argon2id hashing, rate limiting, security headers, zero-trust networking
 
 # Global configuration