feat(iwooos): 新增 CD runner secret 事故回讀 gate
This commit is contained in:
@@ -77,8 +77,8 @@ CONTROL_STATUS_BY_CATEGORY = {
|
||||
"next_owner_action": "補 GitOps / K8s 事故回讀包:incident / change ref、actor role / team、ArgoCD sync / health / revision、degraded / Pending / image pull / scheduling 摘要、rollout before-after、event summary、metrics / alert、drift scanner、CronJob schedule、NetworkPolicy / Service / RBAC 影響、public/admin route、AI provider、monitoring、operator notification、cross-project sync、recovery 或 still-degraded ref、recurrence guard、maintenance window、rollback revision、rollback owner、post-check owner 與 no-secret-value evidence。",
|
||||
},
|
||||
"secret_metadata": {
|
||||
"coverage_status": "secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"coverage_percent": 68,
|
||||
"coverage_status": "post_incident_readback_plan_ready_needs_secret_injection_owner_evidence",
|
||||
"coverage_percent": 70,
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
@@ -86,23 +86,27 @@ CONTROL_STATUS_BY_CATEGORY = {
|
||||
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json",
|
||||
"docs/security/SECRETS_REFERENCE.md",
|
||||
],
|
||||
"current_gap": "已固定 secret name / injection owner 變更證據驗收帳本;secret value、hash、partial token、secret store read、secret rotation、repo secret change 與 injection path change 仍全部為 0。",
|
||||
"next_owner_action": "補 secret name parity ref、injection route owner、rotation owner、guard result ref、rollback owner、post-check evidence 與 redacted evidence refs。",
|
||||
"current_gap": "已固定 secret name / injection owner 變更證據驗收帳本,並新增事故後回讀計畫;secret name parity state、secret injection route、step-env secret guard、log redaction、deploy marker / Gitea run readback、rollback、post-check、防再發與 no-false-green 已納入;secret value、hash、partial token、runner token、secret store read、secret rotation、repo secret change 與 injection path change 仍全部為 0。",
|
||||
"next_owner_action": "補 secret name parity state ref、secret injection route state ref、step-env secret guard result、log redaction readback、deploy marker / Gitea run readback、notification receipt、rollback owner、post-check evidence、recurrence guard 與 no-secret-value evidence。",
|
||||
},
|
||||
"gitea_workflow_runner_source_control": {
|
||||
"coverage_status": "cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"coverage_percent": 72,
|
||||
"coverage_status": "post_incident_readback_plan_ready_needs_workflow_runner_owner_evidence",
|
||||
"coverage_percent": 74,
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md",
|
||||
],
|
||||
"current_gap": "已固定 CD / runner / secret injection 變更證據驗收帳本;workflow diff、runner attestation、secret parity、guard result、deploy marker readback、rollback owner 與 post-check evidence 仍全部為 0。",
|
||||
"next_owner_action": "補 workflow diff ref、runner owner attestation、secret name parity ref、Gitea run readback、guard result、maintenance window、rollback owner 與 post-check evidence。",
|
||||
"current_gap": "已固定 CD / runner / secret injection 變更證據驗收帳本,並新增事故後回讀計畫;workflow diff state、runner attestation、executor / host、workspace cleanup、permission scope、webhook / notification、deploy key / branch protection / CODEOWNERS、deploy marker / Gitea run、rollback、post-change monitoring、防再發與 no-false-green 已納入;workflow 修改、dispatch、runner 啟用 / 重啟、GitHub hosted runner、webhook / deploy key / branch protection / CODEOWNERS 修改仍全部為 0。",
|
||||
"next_owner_action": "補 workflow diff state ref、runner owner attestation、executor / host readback、workspace cleanup、permission scope、Gitea run readback、deploy marker readback、webhook / notification receipt、maintenance window、rollback owner、post-change monitoring 與 recurrence guard evidence。",
|
||||
},
|
||||
"public_admin_api_runtime_config": {
|
||||
"coverage_status": "frontend_sensitive_surface_guard_ready_needs_runtime_config_owner_evidence",
|
||||
@@ -392,6 +396,8 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
|
||||
"post_incident_readback_plan_ready_needs_gitops_owner_evidence",
|
||||
"secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"post_incident_readback_plan_ready_needs_secret_injection_owner_evidence",
|
||||
"post_incident_readback_plan_ready_needs_workflow_runner_owner_evidence",
|
||||
"change_evidence_acceptance_ready_needs_runtime_config_owner_evidence",
|
||||
"frontend_sensitive_surface_guard_ready_needs_runtime_config_owner_evidence",
|
||||
"owner_response_acceptance_ledger_ready_needs_restore_drill_owner",
|
||||
|
||||
Reference in New Issue
Block a user