fix(iwooos): 新增 cd runner secret 變更證據驗收
This commit is contained in:
@@ -0,0 +1,515 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
IwoooS CD / Runner / Secret 注入變更證據驗收只讀帳本產生器。
|
||||
|
||||
本工具讀取 repo 內既有 workflow / secret 名稱 snapshot 與 `.gitea/workflows`
|
||||
檔案 metadata,建立未來 CD、runner、secret injection 變更證據如何收件、
|
||||
補件、拒收或交給 reviewer 的 metadata-only ledger。它不呼叫 Gitea / GitHub
|
||||
API、不讀 secret store、不讀 secret value、不修改 workflow、不啟用 runner、
|
||||
不 rotate secret、不 dispatch workflow、不觸發部署。
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import re
|
||||
import subprocess
|
||||
import sys
|
||||
from datetime import datetime, timedelta, timezone
|
||||
from pathlib import Path
|
||||
from typing import Any
|
||||
|
||||
|
||||
TAIPEI = timezone(timedelta(hours=8))
|
||||
|
||||
CHANGE_EVIDENCE_FIELDS = [
|
||||
"change_evidence_candidate_id",
|
||||
"source_refs",
|
||||
"control_tier",
|
||||
"proposed_workflow_or_config_change_ref",
|
||||
"workflow_diff_ref",
|
||||
"runner_attestation_ref",
|
||||
"secret_name_parity_ref",
|
||||
"secret_injection_route_ref",
|
||||
"deploy_marker_readback_ref",
|
||||
"gitea_action_run_ref",
|
||||
"guard_result_ref",
|
||||
"log_redaction_review_ref",
|
||||
"notification_route_owner_ref",
|
||||
"blast_radius",
|
||||
"maintenance_window",
|
||||
"rollback_owner",
|
||||
"rollback_plan_ref",
|
||||
"postcheck_evidence_ref",
|
||||
"affected_scope",
|
||||
"redacted_evidence_refs",
|
||||
"reviewer_outcome",
|
||||
"not_approval",
|
||||
]
|
||||
|
||||
REQUIRED_EVIDENCE_FIELDS = [
|
||||
"proposed_workflow_or_config_change_ref",
|
||||
"workflow_diff_ref",
|
||||
"runner_attestation_ref",
|
||||
"secret_name_parity_ref",
|
||||
"secret_injection_route_ref",
|
||||
"deploy_marker_readback_ref",
|
||||
"gitea_action_run_ref",
|
||||
"guard_result_ref",
|
||||
"log_redaction_review_ref",
|
||||
"notification_route_owner_ref",
|
||||
"blast_radius",
|
||||
"maintenance_window",
|
||||
"rollback_owner",
|
||||
"rollback_plan_ref",
|
||||
"postcheck_evidence_ref",
|
||||
"affected_scope",
|
||||
"redacted_evidence_refs",
|
||||
"reviewer_outcome",
|
||||
"not_approval",
|
||||
]
|
||||
|
||||
REVIEWER_CHECKS = [
|
||||
{
|
||||
"check_id": "change_ref_present",
|
||||
"instruction": "必須有 proposed workflow / config / policy change ref,不能只寫口頭同意。",
|
||||
},
|
||||
{
|
||||
"check_id": "workflow_diff_ref_only",
|
||||
"instruction": "只能收 workflow diff ref 或 committed patch ref,不保存未脫敏 workflow payload。",
|
||||
},
|
||||
{
|
||||
"check_id": "gitea_actions_run_readback_ref_shape",
|
||||
"instruction": "Gitea Actions run readback 只能是 run id / job id / status ref,不保存 token 或 cookie。",
|
||||
},
|
||||
{
|
||||
"check_id": "deploy_marker_not_runtime_approval",
|
||||
"instruction": "deploy marker 只能當部署證據,不代表資安 runtime approval。",
|
||||
},
|
||||
{
|
||||
"check_id": "runner_owner_attestation_present",
|
||||
"instruction": "runner label、executor、host alias、owner 與維護窗口必須可追溯。",
|
||||
},
|
||||
{
|
||||
"check_id": "hosted_minutes_risk_review_present",
|
||||
"instruction": "涉及 hosted runner 時必須標出額度與供應鏈風險,不得自動啟用。",
|
||||
},
|
||||
{
|
||||
"check_id": "secret_name_parity_ref_only",
|
||||
"instruction": "secret parity 只能保存 secret name / scope / present-absent / owner metadata。",
|
||||
},
|
||||
{
|
||||
"check_id": "no_secret_value_or_hash",
|
||||
"instruction": "不得出現 secret value、hash、masked token、partial token 或 credential derivative。",
|
||||
},
|
||||
{
|
||||
"check_id": "secret_injection_path_called_out",
|
||||
"instruction": "涉及 CD / K8s secret injection 時必須標出 injection path 與 owner,不得讀 value。",
|
||||
},
|
||||
{
|
||||
"check_id": "step_env_with_secret_guard_result_present",
|
||||
"instruction": "必須附 `check-gitea-step-env-secrets` 或等價 guard result ref。",
|
||||
},
|
||||
{
|
||||
"check_id": "telegram_route_owner_present",
|
||||
"instruction": "涉及通知時必須確認 SRE route owner,不得新增 legacy Telegram route。",
|
||||
},
|
||||
{
|
||||
"check_id": "deploy_key_and_webhook_material_absent",
|
||||
"instruction": "不得保存 webhook secret、deploy key private material、runner token 或 write token。",
|
||||
},
|
||||
{
|
||||
"check_id": "branch_protection_or_required_checks_impact_called_out",
|
||||
"instruction": "影響 required checks / CODEOWNERS / branch protection 時必須標出影響。",
|
||||
},
|
||||
{
|
||||
"check_id": "blast_radius_present",
|
||||
"instruction": "必須列出 repo、workflow、runner、secret metadata、notification、deploy path 影響範圍。",
|
||||
},
|
||||
{
|
||||
"check_id": "maintenance_window_present",
|
||||
"instruction": "任何 future workflow / runner / secret injection 變更都必須另有維護窗口。",
|
||||
},
|
||||
{
|
||||
"check_id": "rollback_owner_present",
|
||||
"instruction": "必須有 rollback owner 與回復方式;不能只寫『可回復』。",
|
||||
},
|
||||
{
|
||||
"check_id": "postcheck_evidence_present",
|
||||
"instruction": "需有 post-check evidence ref,例如 guard result、run status、route smoke 或 notification receipt。",
|
||||
},
|
||||
{
|
||||
"check_id": "no_execution_claim",
|
||||
"instruction": "不能把本帳本、owner response、CD success 或 AwoooP approval 當執行批准。",
|
||||
},
|
||||
{
|
||||
"check_id": "cross_project_sync_noted",
|
||||
"instruction": "若影響 AwoooP、IwoooS、agent-bounty、監控或公開服務,需有跨專案同步 ref。",
|
||||
},
|
||||
]
|
||||
|
||||
OUTCOME_LANES = [
|
||||
{
|
||||
"lane_id": "waiting_change_evidence",
|
||||
"meaning": "尚未收到 CD / runner / secret injection 變更證據;所有 accepted / runtime count 維持 0。",
|
||||
},
|
||||
{
|
||||
"lane_id": "quarantine_sensitive_payload",
|
||||
"meaning": "收到 secret value、hash、runner token、webhook secret、private key 或未脫敏截圖時只能隔離。",
|
||||
},
|
||||
{
|
||||
"lane_id": "reject_unredacted_or_runtime_claim",
|
||||
"meaning": "出現未脫敏 payload 或把 evidence 誤當執行批准時直接拒收。",
|
||||
},
|
||||
{
|
||||
"lane_id": "request_supplement",
|
||||
"meaning": "缺 workflow diff、runner owner、secret parity、guard result、rollback 或 post-check 時要求補件。",
|
||||
},
|
||||
{
|
||||
"lane_id": "ready_for_reviewer_acceptance",
|
||||
"meaning": "metadata 合格後只能進 reviewer acceptance,不得自動修改 workflow / secret / runner。",
|
||||
},
|
||||
{
|
||||
"lane_id": "ready_for_runtime_approval_package",
|
||||
"meaning": "reviewer 接受後也只能形成 runtime approval package,不自動打開 gate。",
|
||||
},
|
||||
{
|
||||
"lane_id": "waiting_maintenance_window",
|
||||
"meaning": "若未來要改 workflow / runner / secret injection,仍需獨立維護窗口。",
|
||||
},
|
||||
{
|
||||
"lane_id": "waiting_runtime_gate",
|
||||
"meaning": "change evidence accepted 後 runtime gate 仍等待獨立人工批准。",
|
||||
},
|
||||
]
|
||||
|
||||
BLOCKED_ACTIONS = [
|
||||
"modify_workflow",
|
||||
"workflow_dispatch_without_approval",
|
||||
"enable_runner",
|
||||
"change_runner_label",
|
||||
"install_runner",
|
||||
"restart_runner",
|
||||
"use_runner_admin_token",
|
||||
"enable_github_hosted_runner",
|
||||
"collect_secret_value",
|
||||
"collect_secret_hash",
|
||||
"collect_partial_token",
|
||||
"create_repo_secret",
|
||||
"update_repo_secret",
|
||||
"rotate_secret",
|
||||
"delete_secret",
|
||||
"read_secret_store",
|
||||
"change_secret_injection_path",
|
||||
"modify_webhook",
|
||||
"change_webhook_secret",
|
||||
"modify_deploy_key",
|
||||
"rotate_deploy_key",
|
||||
"change_branch_protection",
|
||||
"change_codeowners",
|
||||
"sync_refs",
|
||||
"force_push",
|
||||
"switch_github_primary",
|
||||
"disable_gitea",
|
||||
"run_cd_pipeline_as_action",
|
||||
"inject_k8s_secret",
|
||||
"argocd_sync",
|
||||
"production_deploy",
|
||||
"add_action_button",
|
||||
]
|
||||
|
||||
EXECUTION_BOUNDARIES = {
|
||||
"runtime_execution_authorized": False,
|
||||
"workflow_modification_authorized": False,
|
||||
"webhook_modification_authorized": False,
|
||||
"runner_change_authorized": False,
|
||||
"deploy_key_change_authorized": False,
|
||||
"branch_protection_change_authorized": False,
|
||||
"codeowners_change_authorized": False,
|
||||
"repo_secret_change_authorized": False,
|
||||
"secret_value_collection_allowed": False,
|
||||
"secret_hash_collection_allowed": False,
|
||||
"partial_token_collection_allowed": False,
|
||||
"secret_rotation_authorized": False,
|
||||
"secret_store_read_authorized": False,
|
||||
"secret_injection_change_authorized": False,
|
||||
"step_env_secret_allowed": False,
|
||||
"github_hosted_runner_enable_authorized": False,
|
||||
"gitea_action_dispatch_authorized": False,
|
||||
"cd_pipeline_run_authorized": False,
|
||||
"deploy_marker_write_authorized": False,
|
||||
"k8s_secret_injection_authorized": False,
|
||||
"argocd_sync_authorized": False,
|
||||
"production_deploy_authorized": False,
|
||||
"refs_sync_authorized": False,
|
||||
"force_push_authorized": False,
|
||||
"github_primary_switch_authorized": False,
|
||||
"disable_gitea_authorized": False,
|
||||
"action_buttons_allowed": False,
|
||||
"not_authorization": True,
|
||||
}
|
||||
|
||||
CANDIDATE_DEFINITIONS = [
|
||||
{
|
||||
"candidate_id": "cd_pipeline_deploy_marker_and_k8s_secret_injection",
|
||||
"title": "CD pipeline / deploy marker / K8s secret 注入路徑",
|
||||
"control_tier": "C0",
|
||||
"risk": "HIGH",
|
||||
"source_refs": [".gitea/workflows/cd.yaml", "scripts/ci/check-gitea-step-env-secrets.js"],
|
||||
"affected_scope": "main push CD、Harbor build / push、K8s secret injection、ArgoCD deploy marker、post-deploy checks",
|
||||
},
|
||||
{
|
||||
"candidate_id": "code_review_pipeline_secret_and_notification_surface",
|
||||
"title": "Code Review workflow / notification / secret 使用面",
|
||||
"control_tier": "C0",
|
||||
"risk": "HIGH",
|
||||
"source_refs": [".gitea/workflows/code-review.yaml", "scripts/ci/check-gitea-step-env-secrets.js"],
|
||||
"affected_scope": "Code Review、Telegram / AWOOI API notification、deterministic review report、Gitea Actions status",
|
||||
},
|
||||
{
|
||||
"candidate_id": "deploy_alerts_and_monitoring_route",
|
||||
"title": "Deploy alerts workflow / monitoring notification route",
|
||||
"control_tier": "C1",
|
||||
"risk": "MEDIUM",
|
||||
"source_refs": [".gitea/workflows/deploy-alerts.yaml", "scripts/ops/deploy-alerts.sh"],
|
||||
"affected_scope": "Prometheus / Alertmanager rule deploy、notification route、SRE receipt evidence",
|
||||
},
|
||||
{
|
||||
"candidate_id": "runner_label_and_executor_attestation",
|
||||
"title": "Runner label / executor / hosted minutes owner attestation",
|
||||
"control_tier": "C0",
|
||||
"risk": "HIGH",
|
||||
"source_refs": ["docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"],
|
||||
"affected_scope": "awoooi-host、self-hosted、ubuntu-latest、harbor、k8s runner labels 與 executor owner",
|
||||
},
|
||||
{
|
||||
"candidate_id": "repository_secret_name_parity_and_injection_owner",
|
||||
"title": "Repository secret name parity / injection owner",
|
||||
"control_tier": "C0",
|
||||
"risk": "HIGH",
|
||||
"source_refs": [
|
||||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
|
||||
],
|
||||
"affected_scope": "9 個 in-scope repos 的 secret name parity、rotation owner、CD / K8s injection owner",
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
def git_short_sha(root: Path) -> str:
|
||||
try:
|
||||
result = subprocess.run(
|
||||
["git", "rev-parse", "--short", "HEAD"],
|
||||
cwd=root,
|
||||
check=True,
|
||||
capture_output=True,
|
||||
text=True,
|
||||
)
|
||||
return result.stdout.strip()
|
||||
except Exception:
|
||||
return "unknown"
|
||||
|
||||
|
||||
def load_json(path: Path) -> dict[str, Any]:
|
||||
return json.loads(path.read_text(encoding="utf-8"))
|
||||
|
||||
|
||||
def workflow_secret_names(root: Path, source_refs: list[str]) -> list[str]:
|
||||
names: set[str] = set()
|
||||
expression_re = re.compile(r"\$\{\{(.+?)\}\}")
|
||||
secret_re = re.compile(
|
||||
r"secrets(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[['\"]([^'\"]+)['\"]\])"
|
||||
)
|
||||
for ref in source_refs:
|
||||
path = root / ref
|
||||
if not path.exists() or not path.is_file():
|
||||
continue
|
||||
if ".gitea/workflows/" not in ref and ".github/workflows/" not in ref:
|
||||
continue
|
||||
text = path.read_text(encoding="utf-8", errors="replace")
|
||||
for expression in expression_re.findall(text):
|
||||
if "secrets" not in expression:
|
||||
continue
|
||||
for match in secret_re.finditer(expression):
|
||||
names.update(name for name in match.groups() if name)
|
||||
return sorted(names)
|
||||
|
||||
|
||||
def build_candidate(root: Path, definition: dict[str, Any]) -> dict[str, Any]:
|
||||
source_refs = list(definition["source_refs"])
|
||||
return {
|
||||
"change_evidence_candidate_id": f"cd_runner_secret_injection:{definition['candidate_id']}",
|
||||
"status": "waiting_change_evidence",
|
||||
"title": definition["title"],
|
||||
"control_tier": definition["control_tier"],
|
||||
"risk": definition["risk"],
|
||||
"source_refs": source_refs,
|
||||
"workflow_secret_name_refs": workflow_secret_names(root, source_refs),
|
||||
"write_capable": True,
|
||||
"requires_runtime_approval_package": True,
|
||||
"affected_scope": definition["affected_scope"],
|
||||
"change_evidence_fields": CHANGE_EVIDENCE_FIELDS,
|
||||
"required_evidence_fields": REQUIRED_EVIDENCE_FIELDS,
|
||||
"reviewer_checks": [item["check_id"] for item in REVIEWER_CHECKS],
|
||||
"outcome_lanes": [item["lane_id"] for item in OUTCOME_LANES],
|
||||
"blocked_actions": BLOCKED_ACTIONS,
|
||||
"proposed_workflow_or_config_change_ref": None,
|
||||
"workflow_diff_ref": None,
|
||||
"runner_attestation_ref": None,
|
||||
"secret_name_parity_ref": None,
|
||||
"secret_injection_route_ref": None,
|
||||
"deploy_marker_readback_ref": None,
|
||||
"gitea_action_run_ref": None,
|
||||
"guard_result_ref": None,
|
||||
"log_redaction_review_ref": None,
|
||||
"notification_route_owner_ref": None,
|
||||
"blast_radius": "pending_change_evidence",
|
||||
"maintenance_window": "pending_change_evidence",
|
||||
"rollback_owner": "pending_change_evidence",
|
||||
"rollback_plan_ref": None,
|
||||
"postcheck_evidence_ref": None,
|
||||
"redacted_evidence_refs": [],
|
||||
"reviewer_outcome": "waiting_change_evidence",
|
||||
"not_approval": True,
|
||||
"change_evidence_received": False,
|
||||
"change_evidence_accepted": False,
|
||||
"change_evidence_rejected": False,
|
||||
"change_evidence_quarantined": False,
|
||||
"workflow_diff_accepted": False,
|
||||
"runner_attestation_accepted": False,
|
||||
"secret_name_parity_accepted": False,
|
||||
"secret_injection_route_accepted": False,
|
||||
"deploy_marker_readback_accepted": False,
|
||||
"guard_result_accepted": False,
|
||||
"postcheck_evidence_accepted": False,
|
||||
"runtime_approval_package_ready": False,
|
||||
"runtime_gate": False,
|
||||
**{
|
||||
key: value
|
||||
for key, value in EXECUTION_BOUNDARIES.items()
|
||||
if key != "not_authorization"
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
|
||||
local_evidence = load_json(
|
||||
root / "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
|
||||
)
|
||||
export_request = load_json(
|
||||
root / "docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
|
||||
)
|
||||
owner_response = load_json(
|
||||
root / "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json"
|
||||
)
|
||||
local_summary = local_evidence["summary"]
|
||||
export_summary = export_request["summary"]
|
||||
owner_summary = owner_response["summary"]
|
||||
candidates = [build_candidate(root, item) for item in CANDIDATE_DEFINITIONS]
|
||||
c0_candidates = [item for item in candidates if item["control_tier"] == "C0"]
|
||||
c1_candidates = [item for item in candidates if item["control_tier"] == "C1"]
|
||||
report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds")
|
||||
|
||||
return {
|
||||
"schema_version": "cd_runner_secret_injection_change_evidence_acceptance_v1",
|
||||
"generated_at": report_time,
|
||||
"git_commit": git_short_sha(root),
|
||||
"status": "change_evidence_acceptance_ledger_ready_no_runtime_action",
|
||||
"mode": "metadata_only_no_secret_value_no_workflow_change",
|
||||
"source_paths": [
|
||||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
|
||||
".gitea/workflows/cd.yaml",
|
||||
".gitea/workflows/code-review.yaml",
|
||||
".gitea/workflows/deploy-alerts.yaml",
|
||||
"scripts/ci/check-gitea-step-env-secrets.js",
|
||||
],
|
||||
"summary": {
|
||||
"change_evidence_candidate_count": len(candidates),
|
||||
"c0_change_evidence_candidate_count": len(c0_candidates),
|
||||
"c1_change_evidence_candidate_count": len(c1_candidates),
|
||||
"write_capable_candidate_count": sum(1 for item in candidates if item["write_capable"]),
|
||||
"local_workflow_file_count": local_summary["workflow_file_count"],
|
||||
"gitea_workflow_file_count": local_summary["gitea_workflow_file_count"],
|
||||
"github_workflow_file_count": local_summary["github_workflow_file_count"],
|
||||
"local_referenced_secret_name_count": local_summary["unique_secret_name_count"],
|
||||
"runner_label_count": local_summary["runner_label_count"],
|
||||
"export_request_count": export_summary["export_request_count"],
|
||||
"export_lane_count": export_summary["export_lane_count"],
|
||||
"owner_response_template_count": owner_summary["response_template_count"],
|
||||
"owner_response_received_count": owner_summary["received_response_count"],
|
||||
"owner_response_accepted_count": owner_summary["accepted_response_count"],
|
||||
"required_evidence_field_count": len(REQUIRED_EVIDENCE_FIELDS),
|
||||
"reviewer_check_count": len(REVIEWER_CHECKS),
|
||||
"outcome_lane_count": len(OUTCOME_LANES),
|
||||
"blocked_action_count": len(BLOCKED_ACTIONS),
|
||||
"change_evidence_received_count": 0,
|
||||
"change_evidence_accepted_count": 0,
|
||||
"workflow_diff_accepted_count": 0,
|
||||
"runner_attestation_accepted_count": 0,
|
||||
"secret_name_parity_accepted_count": 0,
|
||||
"secret_injection_route_accepted_count": 0,
|
||||
"deploy_marker_readback_accepted_count": 0,
|
||||
"guard_result_accepted_count": 0,
|
||||
"postcheck_evidence_accepted_count": 0,
|
||||
"runtime_approval_package_ready_count": 0,
|
||||
"runtime_gate_count": 0,
|
||||
"action_button_count": 0,
|
||||
"secret_metadata_coverage_percent_before_acceptance": 66,
|
||||
"secret_metadata_coverage_percent_after_acceptance": 68,
|
||||
"gitea_workflow_runner_coverage_percent_before_acceptance": 70,
|
||||
"gitea_workflow_runner_coverage_percent_after_acceptance": 72,
|
||||
},
|
||||
"execution_boundaries": EXECUTION_BOUNDARIES,
|
||||
"change_evidence_fields": CHANGE_EVIDENCE_FIELDS,
|
||||
"required_evidence_fields": REQUIRED_EVIDENCE_FIELDS,
|
||||
"reviewer_checks": REVIEWER_CHECKS,
|
||||
"outcome_lanes": OUTCOME_LANES,
|
||||
"blocked_actions": BLOCKED_ACTIONS,
|
||||
"change_evidence_candidates": candidates,
|
||||
"operator_interpretation": [
|
||||
"此帳本只描述 CD / runner / secret injection 變更證據如何收件與拒收,不是 workflow 變更批准。",
|
||||
"secret 只能以名稱、scope、present-absent、owner 與 redacted evidence ref 呈現,不得保存 value、hash 或 partial token。",
|
||||
"deploy marker、Gitea Actions success、AwoooP approval 與 UI 可見狀態都不能被解讀成 runtime gate 已開。",
|
||||
"未來若要修改 workflow、runner、secret injection、webhook、deploy key 或 branch protection,仍需獨立 owner response、維護窗口、rollback owner 與 runtime approval package。",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def main() -> int:
|
||||
parser = argparse.ArgumentParser(description="CD / Runner / Secret 注入變更證據驗收只讀帳本")
|
||||
parser.add_argument("--root", default=".", help="repo root")
|
||||
parser.add_argument("--output", help="寫出 JSON 報告")
|
||||
parser.add_argument("--generated-at", help="固定報告時間,供 committed snapshot 使用")
|
||||
args = parser.parse_args()
|
||||
|
||||
root = Path(args.root).resolve()
|
||||
report = build_report(root, args.generated_at)
|
||||
payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True)
|
||||
|
||||
if args.output:
|
||||
output = Path(args.output)
|
||||
output.parent.mkdir(parents=True, exist_ok=True)
|
||||
output.write_text(payload + "\n", encoding="utf-8")
|
||||
else:
|
||||
print(payload)
|
||||
|
||||
summary = report["summary"]
|
||||
print(
|
||||
"CD_RUNNER_SECRET_INJECTION_CHANGE_EVIDENCE_ACCEPTANCE_OK "
|
||||
f"candidates={summary['change_evidence_candidate_count']} "
|
||||
f"c0={summary['c0_change_evidence_candidate_count']} "
|
||||
f"write_capable={summary['write_capable_candidate_count']} "
|
||||
f"checks={summary['reviewer_check_count']} "
|
||||
f"lanes={summary['outcome_lane_count']} "
|
||||
f"accepted={summary['change_evidence_accepted_count']} "
|
||||
f"runtime_gate={summary['runtime_gate_count']}",
|
||||
file=sys.stderr,
|
||||
)
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
raise SystemExit(main())
|
||||
@@ -73,26 +73,32 @@ CONTROL_STATUS_BY_CATEGORY = {
|
||||
"next_owner_action": "補 GitOps owner 回覆、proposed commit ref、rendered manifest diff ref、ArgoCD app / sync revision ref、health before / after、rollout、route smoke、metrics / alert、blast radius、rollback revision、maintenance window 與 post-check owner。",
|
||||
},
|
||||
"secret_metadata": {
|
||||
"coverage_status": "metadata_policy_ready",
|
||||
"coverage_percent": 66,
|
||||
"coverage_status": "secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"coverage_percent": 68,
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
|
||||
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/SECRETS_REFERENCE.md",
|
||||
],
|
||||
"current_gap": "只允許 secret name / metadata;仍缺 owner response 與 parity acceptance。",
|
||||
"next_owner_action": "只回覆 secret name owner、rotation owner、injection owner 與 redacted evidence refs。",
|
||||
"current_gap": "已固定 secret name / injection owner 變更證據驗收帳本;secret value、hash、partial token、secret store read、secret rotation、repo secret change 與 injection path change 仍全部為 0。",
|
||||
"next_owner_action": "補 secret name parity ref、injection route owner、rotation owner、guard result ref、rollback owner、post-check evidence 與 redacted evidence refs。",
|
||||
},
|
||||
"gitea_workflow_runner_source_control": {
|
||||
"coverage_status": "metadata_inventory_ready",
|
||||
"coverage_percent": 70,
|
||||
"coverage_status": "cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"coverage_percent": 72,
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md",
|
||||
],
|
||||
"current_gap": "workflow / runner / deploy key / webhook / branch protection 仍待 owner response;不得改 workflow。",
|
||||
"next_owner_action": "補 runner label、webhook、deploy key、branch protection 與 workflow parity owner metadata。",
|
||||
"current_gap": "已固定 CD / runner / secret injection 變更證據驗收帳本;workflow diff、runner attestation、secret parity、guard result、deploy marker readback、rollback owner 與 post-check evidence 仍全部為 0。",
|
||||
"next_owner_action": "補 workflow diff ref、runner owner attestation、secret name parity ref、Gitea run readback、guard result、maintenance window、rollback owner 與 post-check evidence。",
|
||||
},
|
||||
"public_admin_api_runtime_config": {
|
||||
"coverage_status": "policy_ready_needs_change_scoped_smoke",
|
||||
@@ -339,6 +345,8 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
|
||||
"rendered_diff_acceptance_ledger_ready_needs_owner_live_diff",
|
||||
"owner_response_acceptance_ledger_ready_needs_runtime_evidence",
|
||||
"change_evidence_acceptance_ready_needs_gitops_owner_evidence",
|
||||
"secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"owner_response_acceptance_ledger_ready_needs_restore_drill_owner",
|
||||
"owner_response_acceptance_ledger_ready_needs_network_owner",
|
||||
"change_evidence_acceptance_ready_needs_network_owner_evidence",
|
||||
|
||||
@@ -146,6 +146,9 @@ def validate(root: Path) -> None:
|
||||
k8s_argocd_change_evidence_acceptance = load_json(
|
||||
security_dir / "k8s-argocd-change-evidence-acceptance.snapshot.json"
|
||||
)
|
||||
cd_runner_secret_injection_change_evidence_acceptance = load_json(
|
||||
security_dir / "cd-runner-secret-injection-change-evidence-acceptance.snapshot.json"
|
||||
)
|
||||
public_gateway_preflight_inventory = load_json(
|
||||
security_dir / "public-gateway-preflight-inventory.snapshot.json"
|
||||
)
|
||||
@@ -2503,7 +2506,7 @@ def validate(root: Path) -> None:
|
||||
assert_equal(
|
||||
"high_value_config_coverage.summary.needs_live_evidence_count",
|
||||
high_value_config_coverage["summary"]["needs_live_evidence_count"],
|
||||
6,
|
||||
8,
|
||||
)
|
||||
for key in [
|
||||
"owner_response_received_count",
|
||||
@@ -2824,6 +2827,62 @@ def validate(root: Path) -> None:
|
||||
k8s_gitops_category["evidence_refs"],
|
||||
evidence_ref,
|
||||
)
|
||||
secret_metadata_category = next(
|
||||
item
|
||||
for item in high_value_config_coverage["coverage_categories"]
|
||||
if item["category_id"] == "secret_metadata"
|
||||
)
|
||||
assert_equal(
|
||||
"high_value_config_coverage.coverage_categories.secret_metadata.coverage_percent",
|
||||
secret_metadata_category["coverage_percent"],
|
||||
68,
|
||||
)
|
||||
assert_equal(
|
||||
"high_value_config_coverage.coverage_categories.secret_metadata.coverage_status",
|
||||
secret_metadata_category["coverage_status"],
|
||||
"secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
)
|
||||
for evidence_ref in [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
|
||||
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/SECRETS_REFERENCE.md",
|
||||
]:
|
||||
assert_contains(
|
||||
"high_value_config_coverage.coverage_categories.secret_metadata.evidence_refs",
|
||||
secret_metadata_category["evidence_refs"],
|
||||
evidence_ref,
|
||||
)
|
||||
workflow_runner_category = next(
|
||||
item
|
||||
for item in high_value_config_coverage["coverage_categories"]
|
||||
if item["category_id"] == "gitea_workflow_runner_source_control"
|
||||
)
|
||||
assert_equal(
|
||||
"high_value_config_coverage.coverage_categories.workflow_runner.coverage_percent",
|
||||
workflow_runner_category["coverage_percent"],
|
||||
72,
|
||||
)
|
||||
assert_equal(
|
||||
"high_value_config_coverage.coverage_categories.workflow_runner.coverage_status",
|
||||
workflow_runner_category["coverage_status"],
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
)
|
||||
for evidence_ref in [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md",
|
||||
]:
|
||||
assert_contains(
|
||||
"high_value_config_coverage.coverage_categories.workflow_runner.evidence_refs",
|
||||
workflow_runner_category["evidence_refs"],
|
||||
evidence_ref,
|
||||
)
|
||||
assert_contains(
|
||||
"high_value_config_coverage.lowest_coverage_categories.docker",
|
||||
[item["category_id"] for item in high_value_config_coverage["lowest_coverage_categories"]],
|
||||
@@ -5731,7 +5790,7 @@ def validate(root: Path) -> None:
|
||||
"high_value_config_control_coverage_c0_category_count": 8,
|
||||
"high_value_config_control_coverage_c1_category_count": 4,
|
||||
"high_value_config_control_coverage_average_percent": 68,
|
||||
"high_value_config_control_coverage_needs_live_evidence_count": 6,
|
||||
"high_value_config_control_coverage_needs_live_evidence_count": 8,
|
||||
"high_value_config_control_coverage_owner_response_required_count": 14,
|
||||
"high_value_config_control_coverage_owner_response_received_count": 0,
|
||||
"high_value_config_control_coverage_owner_response_accepted_count": 0,
|
||||
@@ -5851,6 +5910,39 @@ def validate(root: Path) -> None:
|
||||
"k8s_argocd_change_evidence_acceptance_runtime_gate_count": 0,
|
||||
"k8s_argocd_change_evidence_acceptance_action_button_count": 0,
|
||||
"k8s_argocd_change_evidence_acceptance_coverage_percent_after_acceptance": 64,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_first_layer": True,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_candidate_count": 5,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_c0_candidate_count": 4,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_c1_candidate_count": 1,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_write_capable_candidate_count": 5,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_local_workflow_file_count": 33,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_gitea_workflow_file_count": 12,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_github_workflow_file_count": 21,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_local_referenced_secret_name_count": 42,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runner_label_count": 5,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_export_request_count": 9,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_export_lane_count": 5,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_owner_response_template_count": 5,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_required_evidence_field_count": 19,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_reviewer_check_count": 19,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_outcome_lane_count": 8,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_blocked_action_count": 32,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_received_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_workflow_diff_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runner_attestation_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_name_parity_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_injection_route_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_deploy_marker_readback_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_guard_result_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_postcheck_evidence_accepted_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runtime_approval_package_ready_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runtime_gate_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_action_button_count": 0,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_metadata_coverage_percent_before_acceptance": 66,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_metadata_coverage_percent_after_acceptance": 68,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_gitea_workflow_runner_coverage_percent_before_acceptance": 70,
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_gitea_workflow_runner_coverage_percent_after_acceptance": 72,
|
||||
}
|
||||
for key, expected in expected_ssh_network_projection_summary.items():
|
||||
assert_equal(
|
||||
@@ -15441,7 +15533,7 @@ def validate(root: Path) -> None:
|
||||
"high_value_config_control_coverage_c0_category_count=8",
|
||||
"high_value_config_control_coverage_c1_category_count=4",
|
||||
"high_value_config_control_coverage_average_percent=68",
|
||||
"high_value_config_control_coverage_needs_live_evidence_count=6",
|
||||
"high_value_config_control_coverage_needs_live_evidence_count=8",
|
||||
"high_value_config_control_coverage_owner_response_required_count=14",
|
||||
"high_value_config_control_coverage_owner_response_received_count=0",
|
||||
"high_value_config_control_coverage_owner_response_accepted_count=0",
|
||||
@@ -15449,6 +15541,32 @@ def validate(root: Path) -> None:
|
||||
"high_value_config_control_coverage_action_button_count=0",
|
||||
"nginx_public_gateway_coverage_percent=88",
|
||||
"k8s_production_gitops_coverage_percent=64",
|
||||
"secret_metadata_coverage_percent=68",
|
||||
"gitea_workflow_runner_source_control_coverage_percent=72",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_candidate_count=5",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_c0_candidate_count=4",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_c1_candidate_count=1",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_write_capable_candidate_count=5",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_local_workflow_file_count=33",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_gitea_workflow_file_count=12",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_github_workflow_file_count=21",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_local_referenced_secret_name_count=42",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runner_label_count=5",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_required_evidence_field_count=19",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_reviewer_check_count=19",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_outcome_lane_count=8",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_blocked_action_count=32",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_received_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_workflow_diff_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runner_attestation_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_name_parity_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_injection_route_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_deploy_marker_readback_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_guard_result_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_postcheck_evidence_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runtime_approval_package_ready_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runtime_gate_count=0",
|
||||
"k8s_argocd_change_evidence_acceptance_candidate_count=4",
|
||||
"k8s_argocd_change_evidence_acceptance_c0_candidate_count=3",
|
||||
"k8s_argocd_change_evidence_acceptance_write_capable_candidate_count=4",
|
||||
@@ -15572,6 +15690,27 @@ def validate(root: Path) -> None:
|
||||
"live_alert_fire_authorized=false",
|
||||
"alert_chain_smoke_authorized=false",
|
||||
"workflow_modification_authorized=false",
|
||||
"webhook_modification_authorized=false",
|
||||
"runner_change_authorized=false",
|
||||
"deploy_key_change_authorized=false",
|
||||
"branch_protection_change_authorized=false",
|
||||
"codeowners_change_authorized=false",
|
||||
"repo_secret_change_authorized=false",
|
||||
"secret_hash_collection_allowed=false",
|
||||
"partial_token_collection_allowed=false",
|
||||
"secret_rotation_authorized=false",
|
||||
"secret_store_read_authorized=false",
|
||||
"secret_injection_change_authorized=false",
|
||||
"github_hosted_runner_enable_authorized=false",
|
||||
"gitea_action_dispatch_authorized=false",
|
||||
"cd_pipeline_run_authorized=false",
|
||||
"deploy_marker_write_authorized=false",
|
||||
"k8s_secret_injection_authorized=false",
|
||||
"production_deploy_authorized=false",
|
||||
"refs_sync_authorized=false",
|
||||
"force_push_authorized=false",
|
||||
"github_primary_switch_authorized=false",
|
||||
"disable_gitea_authorized=false",
|
||||
"active_scan_authorized=false",
|
||||
"agent_bounty_runtime_authorized=false",
|
||||
]:
|
||||
@@ -15600,6 +15739,11 @@ def validate(root: Path) -> None:
|
||||
iwooos_projection_page,
|
||||
"{ key: 'k8sArgocd', rank: 'P0-3', state: '64% / sync 0'",
|
||||
)
|
||||
assert_text_contains(
|
||||
"iwooos_page.critical_config_priority_workflow_secret_percent",
|
||||
iwooos_projection_page,
|
||||
"{ key: 'workflowSecret', rank: 'P0-4', state: '68% / 72%'",
|
||||
)
|
||||
for text in [
|
||||
"critical_config_priority_frontstage_summary_count=4",
|
||||
"critical_config_priority_item_count=6",
|
||||
@@ -15614,6 +15758,23 @@ def validate(root: Path) -> None:
|
||||
"nginx_public_gateway_rendered_diff_accepted=false",
|
||||
"nginx_public_gateway_rendered_diff_acceptance_candidate_count=3",
|
||||
"nginx_public_gateway_nginx_test_evidence_count=0",
|
||||
"secret_metadata_coverage_percent=68",
|
||||
"gitea_workflow_runner_source_control_coverage_percent=72",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_candidate_count=5",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_c0_candidate_count=4",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_write_capable_candidate_count=5",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_required_evidence_field_count=19",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_reviewer_check_count=19",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_outcome_lane_count=8",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_blocked_action_count=32",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_received_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_workflow_diff_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runner_attestation_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_name_parity_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_secret_injection_route_accepted_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runtime_approval_package_ready_count=0",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_runtime_gate_count=0",
|
||||
"k8s_argocd_change_evidence_acceptance_candidate_count=4",
|
||||
"k8s_argocd_change_evidence_acceptance_c0_candidate_count=3",
|
||||
"k8s_argocd_change_evidence_acceptance_write_capable_candidate_count=4",
|
||||
@@ -15632,6 +15793,14 @@ def validate(root: Path) -> None:
|
||||
"network_policy_apply_authorized=false",
|
||||
"nodeport_change_authorized=false",
|
||||
"rbac_change_authorized=false",
|
||||
"runner_change_authorized=false",
|
||||
"repo_secret_change_authorized=false",
|
||||
"secret_injection_change_authorized=false",
|
||||
"gitea_action_dispatch_authorized=false",
|
||||
"cd_pipeline_run_authorized=false",
|
||||
"production_deploy_authorized=false",
|
||||
"force_push_authorized=false",
|
||||
"github_primary_switch_authorized=false",
|
||||
"runtime_execution_authorized=false",
|
||||
"active_runtime_gate_count=0",
|
||||
"action_buttons_allowed=false",
|
||||
@@ -17004,6 +17173,174 @@ def validate(root: Path) -> None:
|
||||
f"k8s_argocd_change_evidence_acceptance.{item['change_evidence_candidate_id']}.{false_key}",
|
||||
item[false_key],
|
||||
)
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.schema",
|
||||
cd_runner_secret_injection_change_evidence_acceptance["schema_version"],
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_v1",
|
||||
)
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.status",
|
||||
cd_runner_secret_injection_change_evidence_acceptance["status"],
|
||||
"change_evidence_acceptance_ledger_ready_no_runtime_action",
|
||||
)
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.mode",
|
||||
cd_runner_secret_injection_change_evidence_acceptance["mode"],
|
||||
"metadata_only_no_secret_value_no_workflow_change",
|
||||
)
|
||||
expected_cd_runner_secret_injection_summary = {
|
||||
"change_evidence_candidate_count": 5,
|
||||
"c0_change_evidence_candidate_count": 4,
|
||||
"c1_change_evidence_candidate_count": 1,
|
||||
"write_capable_candidate_count": 5,
|
||||
"local_workflow_file_count": 33,
|
||||
"gitea_workflow_file_count": 12,
|
||||
"github_workflow_file_count": 21,
|
||||
"local_referenced_secret_name_count": 42,
|
||||
"runner_label_count": 5,
|
||||
"export_request_count": 9,
|
||||
"export_lane_count": 5,
|
||||
"owner_response_template_count": 5,
|
||||
"owner_response_received_count": 0,
|
||||
"owner_response_accepted_count": 0,
|
||||
"required_evidence_field_count": 19,
|
||||
"reviewer_check_count": 19,
|
||||
"outcome_lane_count": 8,
|
||||
"blocked_action_count": 32,
|
||||
"change_evidence_received_count": 0,
|
||||
"change_evidence_accepted_count": 0,
|
||||
"workflow_diff_accepted_count": 0,
|
||||
"runner_attestation_accepted_count": 0,
|
||||
"secret_name_parity_accepted_count": 0,
|
||||
"secret_injection_route_accepted_count": 0,
|
||||
"deploy_marker_readback_accepted_count": 0,
|
||||
"guard_result_accepted_count": 0,
|
||||
"postcheck_evidence_accepted_count": 0,
|
||||
"runtime_approval_package_ready_count": 0,
|
||||
"runtime_gate_count": 0,
|
||||
"action_button_count": 0,
|
||||
"secret_metadata_coverage_percent_before_acceptance": 66,
|
||||
"secret_metadata_coverage_percent_after_acceptance": 68,
|
||||
"gitea_workflow_runner_coverage_percent_before_acceptance": 70,
|
||||
"gitea_workflow_runner_coverage_percent_after_acceptance": 72,
|
||||
}
|
||||
for key, expected in expected_cd_runner_secret_injection_summary.items():
|
||||
assert_equal(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.summary.{key}",
|
||||
cd_runner_secret_injection_change_evidence_acceptance["summary"][key],
|
||||
expected,
|
||||
)
|
||||
for key, value in cd_runner_secret_injection_change_evidence_acceptance["execution_boundaries"].items():
|
||||
if key == "not_authorization":
|
||||
assert_true(f"cd_runner_secret_injection_change_evidence_acceptance.execution_boundaries.{key}", value)
|
||||
else:
|
||||
assert_false(f"cd_runner_secret_injection_change_evidence_acceptance.execution_boundaries.{key}", value)
|
||||
expected_cd_runner_secret_injection_ids = [
|
||||
"cd_runner_secret_injection:cd_pipeline_deploy_marker_and_k8s_secret_injection",
|
||||
"cd_runner_secret_injection:code_review_pipeline_secret_and_notification_surface",
|
||||
"cd_runner_secret_injection:deploy_alerts_and_monitoring_route",
|
||||
"cd_runner_secret_injection:runner_label_and_executor_attestation",
|
||||
"cd_runner_secret_injection:repository_secret_name_parity_and_injection_owner",
|
||||
]
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.candidate_ids",
|
||||
[
|
||||
item["change_evidence_candidate_id"]
|
||||
for item in cd_runner_secret_injection_change_evidence_acceptance["change_evidence_candidates"]
|
||||
],
|
||||
expected_cd_runner_secret_injection_ids,
|
||||
)
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.reviewer_checks.count",
|
||||
len(cd_runner_secret_injection_change_evidence_acceptance["reviewer_checks"]),
|
||||
19,
|
||||
)
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.outcome_lanes.count",
|
||||
len(cd_runner_secret_injection_change_evidence_acceptance["outcome_lanes"]),
|
||||
8,
|
||||
)
|
||||
assert_equal(
|
||||
"cd_runner_secret_injection_change_evidence_acceptance.blocked_actions.count",
|
||||
len(cd_runner_secret_injection_change_evidence_acceptance["blocked_actions"]),
|
||||
32,
|
||||
)
|
||||
for item in cd_runner_secret_injection_change_evidence_acceptance["change_evidence_candidates"]:
|
||||
assert_equal(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.change_evidence_fields",
|
||||
len(item["change_evidence_fields"]),
|
||||
22,
|
||||
)
|
||||
assert_equal(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.required_evidence_fields",
|
||||
len(item["required_evidence_fields"]),
|
||||
19,
|
||||
)
|
||||
assert_equal(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.reviewer_checks",
|
||||
len(item["reviewer_checks"]),
|
||||
19,
|
||||
)
|
||||
assert_equal(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.outcome_lanes",
|
||||
len(item["outcome_lanes"]),
|
||||
8,
|
||||
)
|
||||
assert_equal(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.blocked_actions",
|
||||
len(item["blocked_actions"]),
|
||||
32,
|
||||
)
|
||||
assert_true(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.not_approval",
|
||||
item["not_approval"],
|
||||
)
|
||||
for false_key in [
|
||||
"change_evidence_received",
|
||||
"change_evidence_accepted",
|
||||
"change_evidence_rejected",
|
||||
"change_evidence_quarantined",
|
||||
"workflow_diff_accepted",
|
||||
"runner_attestation_accepted",
|
||||
"secret_name_parity_accepted",
|
||||
"secret_injection_route_accepted",
|
||||
"deploy_marker_readback_accepted",
|
||||
"guard_result_accepted",
|
||||
"postcheck_evidence_accepted",
|
||||
"runtime_approval_package_ready",
|
||||
"runtime_execution_authorized",
|
||||
"workflow_modification_authorized",
|
||||
"webhook_modification_authorized",
|
||||
"runner_change_authorized",
|
||||
"deploy_key_change_authorized",
|
||||
"branch_protection_change_authorized",
|
||||
"codeowners_change_authorized",
|
||||
"repo_secret_change_authorized",
|
||||
"secret_value_collection_allowed",
|
||||
"secret_hash_collection_allowed",
|
||||
"partial_token_collection_allowed",
|
||||
"secret_rotation_authorized",
|
||||
"secret_store_read_authorized",
|
||||
"secret_injection_change_authorized",
|
||||
"step_env_secret_allowed",
|
||||
"github_hosted_runner_enable_authorized",
|
||||
"gitea_action_dispatch_authorized",
|
||||
"cd_pipeline_run_authorized",
|
||||
"deploy_marker_write_authorized",
|
||||
"k8s_secret_injection_authorized",
|
||||
"argocd_sync_authorized",
|
||||
"production_deploy_authorized",
|
||||
"refs_sync_authorized",
|
||||
"force_push_authorized",
|
||||
"github_primary_switch_authorized",
|
||||
"disable_gitea_authorized",
|
||||
"runtime_gate",
|
||||
"action_buttons_allowed",
|
||||
]:
|
||||
assert_false(
|
||||
f"cd_runner_secret_injection_change_evidence_acceptance.{item['change_evidence_candidate_id']}.{false_key}",
|
||||
item[false_key],
|
||||
)
|
||||
assert_equal(
|
||||
"iwooos_projection.summary.domain_tls_certbot_inventory_managed_domain_count",
|
||||
iwooos_projection["summary"]["domain_tls_certbot_inventory_managed_domain_count"],
|
||||
|
||||
Reference in New Issue
Block a user