Enterprise production readiness: governance, CI/CD, and config fixes#21
Open
Copilot wants to merge 2 commits into
Conversation
- Fix README HSTS section to reflect active includeSubDomains; preload policy
- Fix config typos: Pakistan, Afghanistan in bot-mitigation-logic.conf
- Remove commented-out COEP dead code from nginx site config
- Add .gitignore
- Add CHANGELOG.md, CONTRIBUTING.md, SECURITY.md, SUPPORT.md, CODE_OF_CONDUCT.md
- Add CODEOWNERS
- Add .github/PULL_REQUEST_TEMPLATE.md
- Add .github/ISSUE_TEMPLATE/ (bug, feature, regression, documentation, config)
- Add .github/workflows/validate.yml (nginx, varnish, apache, php lint)
Copilot (AI) changed the title from "Enterprise production readiness review — governance, CI/CD, config fixes" to "Enterprise production readiness: governance, CI/CD, and config fixes" on May 22, 2026.
Copilot created this pull request from a session on behalf of MaximillianGroup, May 22, 2026 01:58.
MaximillianGroup approved these changes on May 22, 2026.
Pull request overview
This PR adds missing repository governance + CI validation for a production infrastructure repo, while also aligning a few docs/comments with the active Nginx configuration.
Changes:
- Add governance scaffolding (CONTRIBUTING, SECURITY, SUPPORT, CODEOWNERS, CoC, templates, CHANGELOG, .gitignore).
- Add a GitHub Actions workflow to syntax-check Nginx/Varnish/Apache configs and lint MU-plugin PHP on PRs/pushes.
- Fix minor documentation/comment correctness issues (HSTS policy description, remove dead commented directive, country name typos).
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| SUPPORT.md | Adds support channels and what’s out of scope for this repo. |
| SECURITY.md | Adds security policy, disclosure process, and control-location map. |
| README.md | Updates HSTS documentation to match the active emitted headers. |
| nginx/sites-available/system-core.conf | Removes dead commented-out COEP header directive. |
| nginx/conf.d/spx-bot-mitigation-logic.conf | Fixes country name typos in comments. |
| CONTRIBUTING.md | Adds contributor workflow + local validation commands. |
| CODEOWNERS | Requires maintainer review for sensitive paths/config. |
| CODE_OF_CONDUCT.md | Adds Contributor Covenant code of conduct. |
| CHANGELOG.md | Introduces changelog with initial release + unreleased entries. |
| .gitignore | Adds ignore rules for common editor/OS/temp artifacts. |
| .github/workflows/validate.yml | New CI workflow to validate Nginx/Varnish/Apache/PHP syntax. |
| .github/PULL_REQUEST_TEMPLATE.md | PR template enforcing validation + risk/rollback notes. |
| .github/ISSUE_TEMPLATE/regression_report.yml | Regression issue template. |
| .github/ISSUE_TEMPLATE/feature_request.yml | Feature request issue template. |
| .github/ISSUE_TEMPLATE/documentation_issue.yml | Documentation issue template. |
| .github/ISSUE_TEMPLATE/config.yml | Disables blank issues and adds contact links. |
| .github/ISSUE_TEMPLATE/bug_report.yml | Bug report issue template. |
Comment on lines +46 to +48
| Instances of abusive, harassing, or otherwise unacceptable behavior may be | ||
| reported to the community leaders responsible for enforcement at the contact | ||
| address listed in [SECURITY.md](SECURITY.md). |
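Review bot: routing code-of-conduct reports to "the contact address listed in SECURITY.md" sends conduct complaints through the same channel as vulnerability disclosures, which normally has different readers, response expectations and confidentiality handling; either name a dedicated conduct contact here, or state in SECURITY.md that the same address also receives conduct reports, so reporters are not misdirected.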
Comment on lines +32 to +38
| If you do not have Nginx installed locally, use the Docker one-liner: | ||
|
|
||
| ```bash | ||
| docker run --rm \ | ||
| -v "$(pwd)/nginx:/etc/nginx:ro" \ | ||
| nginx:stable nginx -t | ||
| ``` |
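Review bot: the Docker one-liner does not exercise the same setup the CI job does, so its result will disagree with CI. Bind-mounting `$(pwd)/nginx` over `/etc/nginx` hides the image's own `/etc/nginx` contents, and the container has none of the stub certificates, GeoIP database, secret file or GeoIP2/Brotli modules that the workflow installs before running `nginx -t` (unless the image happens to include those modules), so any `load_module`, `ssl_certificate` or `geoip2` directive pointing at those paths makes the local check fail for reasons unrelated to the change. State those prerequisites next to the command, or mount the same stub files and use an image that carries the modules, so local and CI results agree.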
Comment on lines +34 to +54
| - name: Install stub GeoIP database | ||
| # GeoIP2 module requires a valid .mmdb file at load time. | ||
| # We install a minimal stub so nginx -t does not fail on a | ||
| # missing file path before it even reaches the config parse. | ||
| run: | | ||
| sudo apt-get install -y libmaxminddb-dev wget | ||
| sudo mkdir -p /var/lib/GeoIP | ||
| # Download the free GeoLite2-Country database (requires a MaxMind | ||
| # license key in production; for CI we use the test stub from the | ||
| # MaxMind test-data repository which is always publicly available). | ||
| wget -q -O /tmp/GeoLite2-Country.tar.gz \ | ||
| "https://github.com/maxmind/MaxMind-DB/raw/main/test-data/GeoLite2-Country-Test.mmdb" \ | ||
| || wget -q -O /tmp/GeoLite2-Country.tar.gz \ | ||
| "https://github.com/maxmind/MaxMind-DB/raw/main/test-data/GeoLite2-Country.mmdb" \ | ||
| || true | ||
| # Fall back to an empty stub if download fails (network-restricted runners). | ||
| if [ -f /tmp/GeoLite2-Country.tar.gz ]; then | ||
| sudo cp /tmp/GeoLite2-Country.tar.gz /var/lib/GeoIP/GeoLite2-Country.mmdb | ||
| else | ||
| sudo touch /var/lib/GeoIP/GeoLite2-Country.mmdb | ||
| fi |
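Review bot: the fallback in this step cannot trigger, and the stub it would create does not work anyway. `wget -O` opens the output file before the request is made, so a failed download usually leaves an empty `/tmp/GeoLite2-Country.tar.gz` behind and `[ -f ... ]` is then true; use `[ -s ... ]` to require a non-empty file. The `touch` branch produces a zero-byte file, which the GeoIP2 module cannot open, so `nginx -t` fails at module load time just as it would with a missing file. The download is also fetched from `raw/main` with no pinned commit and no checksum, so the CI input changes silently whenever the upstream repository changes; pin the URL to a commit and verify a SHA-256 after download, or commit the small test database to this repo. Minor: a `.mmdb` is being saved under a `.tar.gz` name, which is misleading.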
Comment on lines +79 to +84
| - name: Install Nginx modules (GeoIP2 + Brotli) | ||
| run: | | ||
| sudo apt-get install -y libnginx-mod-http-geoip2 || true | ||
| # Brotli may not be available on all Ubuntu runner versions. | ||
| sudo apt-get install -y libnginx-mod-http-brotli || true | ||
|
|
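Review bot: `|| true` on the GeoIP2 module install masks the very failure this job exists to catch. If the package is unavailable, the step passes and `nginx -t` later fails on the `load_module` line with a "module not found" error unrelated to the PR under review (or passes silently if the config does not load the module), neither of which tells the reviewer what went wrong. Let the GeoIP2 install fail hard (or assert the module `.so` exists afterwards), keep `|| true` only for Brotli if it is genuinely optional, and pair that with a matching conditional on the Brotli `load_module` directive. Running `apt-get update` before these installs also avoids a stale package index on a fresh runner.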
Comment on lines +8 to +11
| Use this template for confirmed bugs or misconfigurations in Nginx, | ||
| Varnish, Apache, or the WordPress MU plugins. For security issues, | ||
| use the **private vulnerability reporting** channel instead | ||
| (see [SECURITY.md](../SECURITY.md)). |
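Review bot: `../SECURITY.md` is a relative link inside an issue-form body; that text is rendered on the new-issue page, where relative paths resolve against that page's URL rather than the repository tree, so the link is unlikely to reach the file. Use an absolute link to the file on the default branch or, better, to the repository's Security tab where private vulnerability reporting is actually started, so reporters are not pushed back toward filing a public issue.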
Three config correctness issues and a complete absence of repository governance infrastructure across this production infrastructure repo (Nginx · Varnish · Apache · WP MU plugin).

Config fixes

- `max-age=31536000` only (no `includeSubDomains`), but both `system-core.conf` and `spx-cors-preflight-response.conf` already emit `includeSubDomains; preload`. README was wrong; updated to match reality.
- `#add_header Cross-Origin-Embedder-Policy "unsafe-none"` with no rationale from `system-core.conf`.
- `spx-bot-mitigation-logic.conf` (comment strings, not ISO codes).

Governance (all net-new)

- `CONTRIBUTING.md` — local validation checklist (`nginx -t`, `varnishd -C`, `apachectl -t`, `php -l`), PR process, config conventions
- `SECURITY.md` — private disclosure policy, in-scope controls, security control map
- `SUPPORT.md`, `CODE_OF_CONDUCT.md`, `CHANGELOG.md`
- `CODEOWNERS` — mandatory maintainer review on all config and governance paths
- `.github/PULL_REQUEST_TEMPLATE.md` — requires validation checklist, risk assessment, rollback notes
- `.gitignore` — editor artifacts, OS files, local overrides

CI/CD (net-new)

- `.github/workflows/validate.yml` — runs on every PR to `main`:
  - `nginx -t` with stub certs, GeoIP mmdb, and secret file
  - `varnishd -C -f varnish/default.vcl`
  - `apachectl -t`
  - `php -l` across all MU plugins

No server-side changes required; all config modifications are comment/documentation only.
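The workflow described above hands `nginx -t` a GeoIP database that is fetched at job time, and a zero-byte stub or an HTML error page saved under the `.mmdb` name makes the syntax check fail for reasons that have nothing to do with the change under review. The script below is an added example, not code from this repository or from the pull request, of a pre-flight check a CI step could run before `nginx -t`: it rejects empty files, requires the MaxMind DB metadata marker that every `.mmdb` file carries, and, when a pinned digest is configured, compares the file's SHA-256 against it. The path `/var/lib/GeoIP/GeoLite2-Country.mmdb` is the one the workflow uses; the `EXPECTED_SHA256` placeholder, the function names and the constructed sample inputs in the comments are assumptions.

```python
"""Pre-flight check for the GeoIP database a CI job passes to `nginx -t`.

Added example, not part of the repository or the pull request. Assumes the
workflow stores the database at GEOIP_PATH and that maintainers pin the
expected SHA-256 of the test database in EXPECTED_SHA256 (placeholder).
"""
import hashlib
import sys
from typing import List, Optional

# Every MaxMind DB file ends with a metadata section introduced by this marker
# (the "\xab\xcd\xefMaxMind.com" sequence from the MaxMind DB format spec).
MMDB_METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"

# Placeholder: replace with the pinned digest of the database you expect.
EXPECTED_SHA256 = "<pinned-sha256-of-GeoLite2-Country-Test.mmdb>"

# Path the workflow installs the database to (taken from the CI step).
GEOIP_PATH = "/var/lib/GeoIP/GeoLite2-Country.mmdb"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of an in-memory file body."""
    return hashlib.sha256(data).hexdigest()


def check_mmdb(data: bytes, expected_sha256: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the file is acceptable.

    - a zero-byte file (what `touch` produces) is rejected: the GeoIP2 module
      cannot open it, so `nginx -t` would fail with an unrelated error;
    - a file without the MMDB metadata marker is rejected: an error page saved
      by a failed download is the usual culprit;
    - when a pinned digest is supplied, the file must match it exactly.
    """
    problems: List[str] = []
    if len(data) == 0:
        problems.append("empty file (stub created with touch?)")
        return problems
    if MMDB_METADATA_MARKER not in data:
        problems.append("no MaxMind DB metadata marker; not an .mmdb file")
    if expected_sha256 is not None:
        actual = sha256_of(data)
        if actual != expected_sha256.lower():
            problems.append(f"sha256 mismatch: got {actual}")
    return problems


def pinned_digest() -> Optional[str]:
    """Return the configured digest, or None while it is still the placeholder."""
    return None if EXPECTED_SHA256.startswith("<") else EXPECTED_SHA256


def main(path: str = GEOIP_PATH) -> int:
    """Exit 0 if the database is usable, 1 otherwise (suitable for a CI step)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        print(f"{path}: {exc}", file=sys.stderr)
        return 1
    problems = check_mmdb(data, pinned_digest())
    for problem in problems:
        print(f"{path}: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else GEOIP_PATH))
```

Run it as a step between the download and `nginx -t` (`python3 check_mmdb.py /var/lib/GeoIP/GeoLite2-Country.mmdb`); a non-zero exit stops the job with a message that names the real cause instead of letting the failure surface later as a module-load error.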