feat(delivery): expose production deploy readback blocker
This commit is contained in:
@@ -48726,6 +48726,35 @@ production browser smoke:
|
||||
**本段驗證目標**:
|
||||
- JSON parse、`py_compile`、focused GitHub gate API tests、Delivery Workbench test、`git diff --check`。
|
||||
- 此段只關閉內部 MCP / RAG / KM / PlayBook / LOG governance gap;GitHub executable channel 仍維持 freeze / external unblock。
|
||||
|
||||
## 2026-06-28 — 19:28 Production deploy readback blocker 機器可讀化
|
||||
|
||||
**背景**:
|
||||
- GitHub operator unblock governance closure 已在 Gitea `main` 歷史內,最新 source control main 為 `b1da5cc7d324`。
|
||||
- Production 仍讀回舊 image tag `af45811e876fda322ee63c036fbc39c9f07ffd76`,`/api/v1/agents/github-target-controlled-execution-preflight` 與 `/api/v1/agents/delivery-closure-workbench` 尚未出現 `internal_governance_writeback` / KM / PlayBook 新欄位。
|
||||
- Gitea actions 公開頁僅見舊 CD run `#3848` 指向 `af45811e87`;未登入狀態沒有 Run workflow 按鈕,未帶 token 的 workflow dispatch 回 `401 token is required`。
|
||||
|
||||
**完成內容**:
|
||||
- 新增 `docs/operations/awoooi-production-deploy-readback-blocker.snapshot.json`,把 source main、production tag、CD run 與 dispatch blocker 收斂為 P0 read-only snapshot。
|
||||
- 新增 `awoooi_production_deploy_readback_blocker` loader,強制 `deploy_trigger_allowed=false`、`workflow_modification_allowed=false`、`gitea_api_write_allowed=false`、`host_write_allowed=false`、`k8s_write_allowed=false`、`secret_read_allowed=false`。
|
||||
- `delivery_closure_workbench` 新增 `production_deploy` lane 與 summary counters:`production_deploy_image_tag_matches_main=false`、`production_deploy_authorized_dispatch_channel_ready=false`、`production_deploy_hard_blocker_count=1`。
|
||||
|
||||
**驗證結果**:
|
||||
- JSON parse:通過。
|
||||
- `py_compile`:通過。
|
||||
- `ruff check`:通過。
|
||||
- focused pytest:`20 passed`。
|
||||
- `git diff --check`:通過。
|
||||
|
||||
**仍維持**:
|
||||
- Production 尚未部署最新 `main`,不能宣稱 runtime closure 完成。
|
||||
- 沒有使用 GitHub app / connector / MCP、`gh`、GitHub API、GitHub Actions、PR / issue / search。
|
||||
- 沒有讀 raw sessions / SQLite / auth / `.env` / token / cookie;沒有 host / Docker / K8s / firewall / Wazuh runtime 操作。
|
||||
- 沒有修改 Gitea workflow trigger、沒有 workflow_dispatch、沒有手改 K8s image tag、沒有重開 110 runner。
|
||||
|
||||
**下一個 P0**:
|
||||
- 取得合法的 Gitea manual workflow_dispatch channel 後觸發 `cd.yaml ref=main`。
|
||||
- CD 完成後重跑 production readback,目標是 Workbench 與 GitHub preflight production payload 出現 `internal_governance_writeback` 與 KM / PlayBook / LOG counters。
|
||||
## 2026-06-28 — 19:09 Wazuh allowlisted check-mode dry-run 本地完成
|
||||
|
||||
**時間與來源**:
|
||||
|
||||
@@ -0,0 +1,64 @@
|
||||
{
|
||||
"schema_version": "awoooi_production_deploy_readback_blocker_v1",
|
||||
"generated_at": "2026-06-28T19:28:54+08:00",
|
||||
"status": "blocked_waiting_authorized_gitea_workflow_dispatch",
|
||||
"priority": "P0",
|
||||
"scope": "awoooi_production_truth",
|
||||
"readback": {
|
||||
"source_control_main_sha": "b1da5cc7d32415667a1a74288874f817bb97f639",
|
||||
"source_control_main_short_sha": "b1da5cc7d324",
|
||||
"governance_closure_merge_sha": "27b96f0450d0e3ca6651d6b5f274a341dd727ef2",
|
||||
"governance_closure_commit_sha": "9e3e7fbb6ba3ffd324b45abf3ad1e7b6ec826b22",
|
||||
"production_image_tag_sha": "af45811e876fda322ee63c036fbc39c9f07ffd76",
|
||||
"production_image_tag_short_sha": "af45811e87",
|
||||
"production_image_tag_matches_main": false,
|
||||
"production_preflight_http_status": 200,
|
||||
"production_workbench_http_status": 200,
|
||||
"production_internal_governance_writeback_present": false,
|
||||
"production_workbench_governance_ready_present": false,
|
||||
"latest_visible_cd_run_id": "3848",
|
||||
"latest_visible_cd_run_commit_short_sha": "af45811e87",
|
||||
"current_main_cd_run_visible": false,
|
||||
"manual_run_button_visible": false,
|
||||
"gitea_sign_in_required": true,
|
||||
"dispatch_without_token_http_status": 401,
|
||||
"dispatch_without_token_message": "token is required",
|
||||
"authorized_dispatch_channel_ready": false
|
||||
},
|
||||
"blockers": [
|
||||
{
|
||||
"id": "authorized_gitea_workflow_dispatch_channel_missing",
|
||||
"kind": "external_authorized_control_channel",
|
||||
"severity": "P0",
|
||||
"description": "Source 已進 Gitea main,但 production image tag 仍停在舊 SHA;目前沒有可用的已授權 Gitea workflow_dispatch channel 觸發 CD。",
|
||||
"blocked_action": "deploy_current_gitea_main_to_production",
|
||||
"safe_boundary": "不得讀 token/cookie/session,不得改 workflow 為 push trigger,不得手改 K8s tag,不得重開 110 runner 或 host/K8s runtime。"
|
||||
}
|
||||
],
|
||||
"next_actions": [
|
||||
"使用已授權的 Gitea manual workflow_dispatch channel 觸發 cd.yaml ref=main。",
|
||||
"CD 完成後讀回 production image tag,確認不再是 af45811e87。",
|
||||
"重新讀回 /api/v1/agents/github-target-controlled-execution-preflight 與 /api/v1/agents/delivery-closure-workbench,確認 internal_governance_writeback 與 KM / PlayBook counters 出現。"
|
||||
],
|
||||
"rollups": {
|
||||
"hard_blocker_count": 1,
|
||||
"next_action_count": 3,
|
||||
"source_control_main_ready": true,
|
||||
"production_image_tag_matches_main": false,
|
||||
"production_governance_fields_present": false,
|
||||
"authorized_dispatch_channel_ready": false,
|
||||
"runtime_write_performed": false,
|
||||
"secret_values_collected": false
|
||||
},
|
||||
"operation_boundaries": {
|
||||
"read_only_api_allowed": true,
|
||||
"deploy_trigger_allowed": false,
|
||||
"workflow_modification_allowed": false,
|
||||
"gitea_api_write_allowed": false,
|
||||
"host_write_allowed": false,
|
||||
"k8s_write_allowed": false,
|
||||
"secret_read_allowed": false,
|
||||
"github_api_allowed": false,
|
||||
"raw_session_or_sqlite_read_allowed": false
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user