feat(governance): 新增 Gitea workflow runner 健康合約
This commit is contained in:
@@ -62,6 +62,9 @@ from src.services.offsite_escrow_readiness_status import (
|
||||
from src.services.runtime_surface_inventory import (
|
||||
load_latest_runtime_surface_inventory,
|
||||
)
|
||||
from src.services.gitea_workflow_runner_health import (
|
||||
load_latest_gitea_workflow_runner_health,
|
||||
)
|
||||
from src.services.package_supply_chain_inventory import (
|
||||
load_latest_package_supply_chain_inventory,
|
||||
)
|
||||
@@ -506,6 +509,33 @@ async def get_runtime_surface_inventory() -> dict[str, Any]:
|
||||
) from exc
|
||||
|
||||
|
||||
@router.get(
|
||||
"/gitea-workflow-runner-health",
|
||||
response_model=dict[str, Any],
|
||||
summary="取得 Gitea 工作流程與 runner 健康合約",
|
||||
description=(
|
||||
"讀取最新已提交的 Gitea workflow / runner health contract;"
|
||||
"此端點不呼叫 Gitea API、不修改 workflow、不重啟 runner、不停止 container、"
|
||||
"不讀 Secret payload、不送 Telegram 測試通知、不觸發 deploy 或 migration。"
|
||||
),
|
||||
)
|
||||
async def get_gitea_workflow_runner_health() -> dict[str, Any]:
|
||||
"""Return the latest read-only Gitea workflow / runner health contract."""
|
||||
try:
|
||||
return await asyncio.to_thread(load_latest_gitea_workflow_runner_health)
|
||||
except FileNotFoundError as exc:
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_404_NOT_FOUND,
|
||||
detail=str(exc),
|
||||
) from exc
|
||||
except (json.JSONDecodeError, ValueError) as exc:
|
||||
logger.error("gitea_workflow_runner_health_invalid", error=str(exc))
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
|
||||
detail="Gitea 工作流程與 runner 健康合約快照無效",
|
||||
) from exc
|
||||
|
||||
|
||||
@router.get(
|
||||
"/backup-dr-target-inventory",
|
||||
response_model=dict[str, Any],
|
||||
|
||||
260
apps/api/src/services/gitea_workflow_runner_health.py
Normal file
260
apps/api/src/services/gitea_workflow_runner_health.py
Normal file
@@ -0,0 +1,260 @@
|
||||
"""
|
||||
Gitea workflow / runner health contract snapshot.
|
||||
|
||||
Loads the latest committed, read-only Gitea workflow and runner health
|
||||
contract. This module never calls Gitea, mutates workflows, restarts runners,
|
||||
stops containers, reads Secret payloads, triggers deploys, or sends
|
||||
notifications.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import json
|
||||
from pathlib import Path
|
||||
from typing import Any
|
||||
|
||||
from src.services.snapshot_paths import default_evaluations_dir
|
||||
|
||||
_DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__))
|
||||
_SNAPSHOT_PATTERN = "gitea_workflow_runner_health_*.json"
|
||||
_SCHEMA_VERSION = "gitea_workflow_runner_health_v1"
|
||||
|
||||
|
||||
def load_latest_gitea_workflow_runner_health(
|
||||
evaluations_dir: Path | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Load the newest committed Gitea workflow / runner health snapshot."""
|
||||
directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR
|
||||
candidates = sorted(directory.glob(_SNAPSHOT_PATTERN))
|
||||
if not candidates:
|
||||
raise FileNotFoundError(f"no Gitea workflow / runner health snapshots found in {directory}")
|
||||
|
||||
latest = candidates[-1]
|
||||
with latest.open(encoding="utf-8") as handle:
|
||||
payload = json.load(handle)
|
||||
|
||||
if not isinstance(payload, dict):
|
||||
raise ValueError(f"{latest}: expected JSON object")
|
||||
_require_schema(payload, _SCHEMA_VERSION, str(latest))
|
||||
_require_read_only_boundaries(payload, str(latest))
|
||||
_require_operation_boundaries(payload, str(latest))
|
||||
_require_rollup_consistency(payload, str(latest))
|
||||
_require_workflow_evidence(payload, str(latest))
|
||||
_require_runner_contracts(payload, str(latest))
|
||||
_require_notification_contracts(payload, str(latest))
|
||||
_require_operator_denials(payload, str(latest))
|
||||
_require_no_plaintext_secret_payload_keys(payload, str(latest))
|
||||
return payload
|
||||
|
||||
|
||||
def _require_schema(payload: dict[str, Any], expected: str, label: str) -> None:
|
||||
actual = payload.get("schema_version")
|
||||
if actual != expected:
|
||||
raise ValueError(f"{label}: expected schema_version={expected}, got {actual!r}")
|
||||
|
||||
|
||||
def _require_read_only_boundaries(payload: dict[str, Any], label: str) -> None:
|
||||
program_status = payload.get("program_status") or {}
|
||||
if program_status.get("read_only_mode") is not True:
|
||||
raise ValueError(f"{label}: program_status.read_only_mode must be true")
|
||||
|
||||
approval_boundaries = payload.get("approval_boundaries") or {}
|
||||
allowed = sorted(key for key, value in approval_boundaries.items() if value is not False)
|
||||
if allowed:
|
||||
raise ValueError(f"{label}: approval boundaries must remain false: {allowed}")
|
||||
|
||||
|
||||
def _require_operation_boundaries(payload: dict[str, Any], label: str) -> None:
|
||||
boundaries = payload.get("operation_boundaries") or {}
|
||||
if boundaries.get("read_only_api_allowed") is not True:
|
||||
raise ValueError(f"{label}: read_only_api_allowed must be true")
|
||||
|
||||
blocked_flags = {
|
||||
"workflow_modification_allowed",
|
||||
"runner_restart_allowed",
|
||||
"runner_container_stop_allowed",
|
||||
"runner_label_change_allowed",
|
||||
"runner_registration_allowed",
|
||||
"secret_read_allowed",
|
||||
"secret_plaintext_allowed",
|
||||
"notification_send_allowed",
|
||||
"schedule_enable_allowed",
|
||||
"gitea_api_write_allowed",
|
||||
"deploy_trigger_allowed",
|
||||
"migration_trigger_allowed",
|
||||
}
|
||||
allowed = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
|
||||
if allowed:
|
||||
raise ValueError(f"{label}: operation boundaries must remain false: {allowed}")
|
||||
|
||||
|
||||
def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
|
||||
workflows = payload.get("workflow_records") or []
|
||||
runners = payload.get("runner_contracts") or []
|
||||
notifications = payload.get("notification_contracts") or []
|
||||
rollups = payload.get("rollups") or {}
|
||||
|
||||
if rollups.get("total_workflows") != len(workflows):
|
||||
raise ValueError(f"{label}: rollups.total_workflows must match workflow_records")
|
||||
if rollups.get("by_workflow_status") != _count_by(workflows, "status"):
|
||||
raise ValueError(f"{label}: rollups.by_workflow_status must match workflow_records")
|
||||
if rollups.get("by_runner_evidence_status") != _count_by(workflows, "runner_evidence_status"):
|
||||
raise ValueError(f"{label}: rollups.by_runner_evidence_status must match workflow_records")
|
||||
|
||||
if rollups.get("workflows_with_schedule") != _count_where(workflows, lambda row: "schedule" in row.get("triggers", [])):
|
||||
raise ValueError(f"{label}: rollups.workflows_with_schedule must match workflow_records")
|
||||
if rollups.get("workflows_with_workflow_dispatch") != _count_where(
|
||||
workflows,
|
||||
lambda row: "workflow_dispatch" in row.get("triggers", []),
|
||||
):
|
||||
raise ValueError(f"{label}: rollups.workflows_with_workflow_dispatch must match workflow_records")
|
||||
if rollups.get("workflows_with_notify_bridge") != _count_where(
|
||||
workflows,
|
||||
lambda row: (row.get("notify_bridge_calls") or 0) > 0,
|
||||
):
|
||||
raise ValueError(f"{label}: rollups.workflows_with_notify_bridge must match workflow_records")
|
||||
if rollups.get("workflows_with_actionable_or_failure_quiet_policy") != _count_where(
|
||||
workflows,
|
||||
lambda row: row.get("notification_policy") in {"actionable_only_no_success_noise", "failure_only"},
|
||||
):
|
||||
raise ValueError(
|
||||
f"{label}: rollups.workflows_with_actionable_or_failure_quiet_policy must match workflow_records"
|
||||
)
|
||||
|
||||
attestation_required = sorted(
|
||||
row.get("workflow_id")
|
||||
for row in workflows
|
||||
if row.get("runner_evidence_status") in {"owner_attestation_required", "comment_ambiguous"}
|
||||
)
|
||||
if sorted(rollups.get("workflow_ids_requiring_runner_attestation") or []) != attestation_required:
|
||||
raise ValueError(
|
||||
f"{label}: rollups.workflow_ids_requiring_runner_attestation must match workflow_records"
|
||||
)
|
||||
|
||||
if rollups.get("total_runner_contracts") != len(runners):
|
||||
raise ValueError(f"{label}: rollups.total_runner_contracts must match runner_contracts")
|
||||
action_required_runners = sorted(
|
||||
runner.get("contract_id")
|
||||
for runner in runners
|
||||
if runner.get("status") == "action_required"
|
||||
)
|
||||
if sorted(rollups.get("runner_contracts_requiring_action") or []) != action_required_runners:
|
||||
raise ValueError(f"{label}: rollups.runner_contracts_requiring_action must match runner_contracts")
|
||||
|
||||
if rollups.get("notification_contracts_total") != len(notifications):
|
||||
raise ValueError(f"{label}: rollups.notification_contracts_total must match notification_contracts")
|
||||
quiet_contract_ids = sorted(
|
||||
contract.get("contract_id")
|
||||
for contract in notifications
|
||||
if contract.get("policy_kind") in {"failure_only", "actionable_only"}
|
||||
)
|
||||
if rollups.get("notification_contracts_quiet_success_count") != len(quiet_contract_ids):
|
||||
raise ValueError(
|
||||
f"{label}: rollups.notification_contracts_quiet_success_count must match notification_contracts"
|
||||
)
|
||||
if sorted(rollups.get("notification_contracts_quiet_success_ids") or []) != quiet_contract_ids:
|
||||
raise ValueError(f"{label}: rollups.notification_contracts_quiet_success_ids must match contracts")
|
||||
|
||||
|
||||
def _require_workflow_evidence(payload: dict[str, Any], label: str) -> None:
|
||||
workflows = payload.get("workflow_records") or []
|
||||
missing = sorted(
|
||||
workflow.get("workflow_id")
|
||||
for workflow in workflows
|
||||
if not workflow.get("file_ref")
|
||||
or not workflow.get("evidence_refs")
|
||||
or not workflow.get("triggers")
|
||||
or not workflow.get("runner_labels")
|
||||
)
|
||||
if missing:
|
||||
raise ValueError(f"{label}: workflow_records must include file, evidence, trigger, runner labels: {missing}")
|
||||
|
||||
|
||||
def _require_runner_contracts(payload: dict[str, Any], label: str) -> None:
|
||||
runners = payload.get("runner_contracts") or []
|
||||
missing = sorted(
|
||||
runner.get("contract_id")
|
||||
for runner in runners
|
||||
if not runner.get("evidence_refs")
|
||||
or not runner.get("health_contract")
|
||||
or not runner.get("next_action")
|
||||
)
|
||||
if missing:
|
||||
raise ValueError(f"{label}: runner_contracts must include evidence, health contract, next_action: {missing}")
|
||||
|
||||
|
||||
def _require_notification_contracts(payload: dict[str, Any], label: str) -> None:
|
||||
contracts = payload.get("notification_contracts") or []
|
||||
missing = sorted(
|
||||
contract.get("contract_id")
|
||||
for contract in contracts
|
||||
if not contract.get("success_noise_policy")
|
||||
or not contract.get("failure_policy")
|
||||
or not contract.get("evidence_refs")
|
||||
)
|
||||
if missing:
|
||||
raise ValueError(f"{label}: notification_contracts must include policy and evidence: {missing}")
|
||||
|
||||
quiet_contracts = [
|
||||
contract
|
||||
for contract in contracts
|
||||
if contract.get("policy_kind") in {"failure_only", "actionable_only"}
|
||||
]
|
||||
if len(quiet_contracts) < 2:
|
||||
raise ValueError(f"{label}: must preserve failure-only and actionable-only notification contracts")
|
||||
|
||||
noisy_quiet_contracts = sorted(
|
||||
contract.get("contract_id")
|
||||
for contract in quiet_contracts
|
||||
if "不" not in str(contract.get("success_noise_policy"))
|
||||
and "quiet" not in str(contract.get("success_noise_policy")).lower()
|
||||
)
|
||||
if noisy_quiet_contracts:
|
||||
raise ValueError(f"{label}: quiet notification contracts must suppress success noise: {noisy_quiet_contracts}")
|
||||
|
||||
|
||||
def _require_operator_denials(payload: dict[str, Any], label: str) -> None:
|
||||
contract = payload.get("operator_contract") or {}
|
||||
must_not_interpret_as = set(contract.get("must_not_interpret_as") or [])
|
||||
required_denials = {
|
||||
"workflow 修改批准",
|
||||
"runner restart / stop 批准",
|
||||
"Secret 已讀取或可輸出",
|
||||
"Telegram 測試通知批准",
|
||||
"Gitea write token 授權",
|
||||
"deploy / migration workflow 觸發批准",
|
||||
}
|
||||
if not required_denials.issubset(must_not_interpret_as):
|
||||
raise ValueError(f"{label}: operator_contract.must_not_interpret_as is missing required denials")
|
||||
|
||||
|
||||
def _require_no_plaintext_secret_payload_keys(value: Any, label: str, path: str = "$") -> None:
|
||||
if isinstance(value, dict):
|
||||
forbidden_key_fragments = {
|
||||
"secret_value",
|
||||
"token_value",
|
||||
"authorization_header",
|
||||
"private_key",
|
||||
"webhook_secret",
|
||||
"runner_token",
|
||||
}
|
||||
for key, nested in value.items():
|
||||
lowered = str(key).lower()
|
||||
if any(fragment in lowered for fragment in forbidden_key_fragments):
|
||||
raise ValueError(f"{label}: forbidden secret payload key at {path}.{key}")
|
||||
_require_no_plaintext_secret_payload_keys(nested, label, f"{path}.{key}")
|
||||
elif isinstance(value, list):
|
||||
for index, nested in enumerate(value):
|
||||
_require_no_plaintext_secret_payload_keys(nested, label, f"{path}[{index}]")
|
||||
|
||||
|
||||
def _count_by(items: list[dict[str, Any]], key: str) -> dict[str, int]:
|
||||
counts: dict[str, int] = {}
|
||||
for item in items:
|
||||
value = item.get(key)
|
||||
counts[value] = counts.get(value, 0) + 1
|
||||
return counts
|
||||
|
||||
|
||||
def _count_where(items: list[dict[str, Any]], predicate) -> int:
|
||||
return sum(1 for item in items if predicate(item))
|
||||
Reference in New Issue
Block a user