docs(iwooos): 補記 CD runner secret 正式驗證 [skip ci]
This commit is contained in:
@@ -1,3 +1,39 @@
|
||||
## 2026-06-16|IwoooS CD / Runner / Secret 回讀 Gate 正式部署驗證
|
||||
|
||||
**背景**:上一段 CD / Runner / Secret 注入事故後回讀 gate 已完成 repo 內 artifact / guard / 前台 marker,但一度被 CD run `3071` 的 Docker build lock timeout 擋住,不能宣告 production 完成。後續另一個 Session 記錄 empty lock cleanup evidence,並以 `97b66a0e` 前端 locale commit 觸發正式 CD;本視窗只做只讀 Actions / production 回讀與 LOGBOOK 同步,未 SSH、未 Docker / host live write、未 workflow dispatch、未改 runner 或 repository secret。
|
||||
|
||||
**Gitea / CD**:
|
||||
- Feature commit:`bb459d59 feat(iwooos): 新增 CD runner secret 事故回讀 gate`。
|
||||
- LOGBOOK blocker commit:`c9b4363b docs(iwooos): 記錄 CD runner lock 阻塞 [skip ci]`。
|
||||
- Recovery trigger commit:`97b66a0e fix(governance): 強化日週月報主看板前段提示`。
|
||||
- Code-review run:`3074` 成功。
|
||||
- CD run:`3073` 成功;build-and-deploy job 確認 Docker build lock acquired / released、image pushed、ArgoCD `Synced / Healthy`、`awoooi-api` / `awoooi-web` / `awoooi-worker` rollout 成功、API health 通過、post-deploy smoke `5 passed`。
|
||||
- Deploy marker:`bd66e264 chore(cd): deploy 97b66a0 [skip ci]`。
|
||||
- 後續 LOGBOOK commit:`1ce36cb2 docs(governance): 補記日週月報正式驗證 [skip ci]`。
|
||||
|
||||
**Production 驗證**:
|
||||
- HTML readback:`https://awoooi.wooo.work/zh-TW/iwooos?_v=bd66e264-iwooos-cd-runner-secret-prod` 回 `200`,CD / runner / secret post-incident readback 必要 marker 缺漏 `0`。
|
||||
- 命中的 IwoooS marker:`cd_runner_secret_injection_post_incident_readback_plan_candidate_count=5`、`cd_runner_secret_injection_post_incident_readback_plan_blocked_action_count=52`、`secret_metadata_coverage_percent=70`、`gitea_workflow_runner_source_control_coverage_percent=74`、`cd_runner_secret_injection_post_incident_readback_plan_runtime_gate_count=0`。
|
||||
- Chrome desktop `1440x1100`:`/zh-TW/iwooos?_v=bd66e264-iwooos-cd-runner-secret-prod-cdp` marker 全部命中,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`,`scrollWidth=1434`,`clientWidth=1434`。
|
||||
- Chrome mobile `390x844`:`/zh-TW/iwooos?_v=bd66e264-iwooos-cd-runner-secret-prod-cdp` marker 全部命中,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`,`scrollWidth=390`,`clientWidth=390`。
|
||||
- Governance automation inventory:`/zh-TW/governance?tab=automation-inventory&_v=bd66e264-governance-reports-prod-cdp` 在 desktop / mobile 均命中 `日報 / 週報 / 月報`、`報告可見`、`AI Agent`、`Telegram`、`live`,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`。
|
||||
- AwoooP tenants:`/zh-TW/awooop/tenants?_v=bd66e264-tenants-redaction-prod-cdp` 在 desktop / mobile 均命中 `脫敏範圍`、`runtime gate`,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`;現行頁面不顯示 `agent-bounty-protocol` raw repo 字串,符合脫敏要求。
|
||||
- Chrome 截圖:
|
||||
- `/tmp/iwooos-desktop-bd66e264.png`
|
||||
- `/tmp/iwooos-mobile-bd66e264.png`
|
||||
- `/tmp/governance-desktop-bd66e264.png`
|
||||
- `/tmp/governance-mobile-bd66e264.png`
|
||||
- `/tmp/tenants-desktop-bd66e264.png`
|
||||
- `/tmp/tenants-mobile-bd66e264.png`
|
||||
|
||||
**完成度與邊界**:
|
||||
- CD / Runner / Secret injection post-incident readback plan:repo 內 artifact / guard / 前台 marker `100%`,production deploy / marker readback `100%`。
|
||||
- Secret metadata 只讀成熟度:`68% -> 70%`;Gitea workflow / runner source control 只讀成熟度:`72% -> 74%`。
|
||||
- 高價值配置平均成熟度:維持 `71%`;IwoooS headline 維持 `64%`;active runtime gate 維持 `0`。
|
||||
- readback received / accepted、runtime execution authorized、action buttons allowed、workflow modification authorized、runner change authorized、repo secret change authorized、secret rotation authorized、Gitea action dispatch authorized、host write、production write、active scan 與 runtime gate 全部仍為 `0 / false`。
|
||||
- 本視窗未 SSH、未 Docker / systemd / Nginx / firewall / ArgoCD / K8s live action、未 workflow dispatch、未改 runner、未改 repository secret、未讀 secret value / hash / partial token、未 active scan、未 force push。
|
||||
- 下一優先:CD runner Docker build lock owner readback 仍需補正式 owner evidence;另需回到 S4.9 owner response、Backup / Restore / Escrow、Monitoring receiver receipt 與 Public Gateway / Nginx owner evidence,不得用 CD success、deploy marker、route `200`、UI 可見或 AwoooP approval 當 runtime 授權。
|
||||
|
||||
## 2026-06-16|CD / Runner / Secret 注入事故後回讀 Gate 與 CD Lock 阻塞
|
||||
|
||||
**背景**:CD / Runner / repository secret injection 屬於高價值配置面,不能因 code-review 成功、CD 開始、UI marker 預期存在或 deploy 通知預覽就視為 runtime 已授權。近期 110 冷啟動、端口異動、Harbor / registry / StockPlatform / monitoring 類事故也證明,部署通道本身必須有事故後回讀欄位與 no-false-green 邊界。本階段已完成 repo 內只讀 gate、snapshot、guard 與前台 marker;但 production deploy 被後續 `9f4ed285` 觸發的 CD run `3071` 擋在 Docker build lock timeout,正式站尚未出現新 marker。
|
||||
|
||||
Reference in New Issue
Block a user