docs(security): add workflow secret local evidence [skip ci]
This commit is contained in:
@@ -54,7 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs |
|
||||
| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete |
|
||||
| `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` |
|
||||
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口與 redacted snapshot 需求;目前 `inventory_complete_count=0`,不得保存 secret value |
|
||||
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口與 S4.2 local evidence;目前 `inventory_complete_count=0`,不得保存 secret value |
|
||||
| `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 |
|
||||
| `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror |
|
||||
| `approval_required_event_v1` | 上述事件的高風險 gate | Approval queue、Audit | approval-only | `blocked_until_approved=true` |
|
||||
@@ -100,7 +100,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state;不得把 transition 當 execution authorization |
|
||||
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates;不得新增 action button |
|
||||
| `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;不得切 primary |
|
||||
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope missing inventory、0 個 complete;不得收集 secret value、不得修改 workflow |
|
||||
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、0 個 complete;不得收集 secret value、不得修改 workflow |
|
||||
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness;不得把 readiness 當 execution authorization |
|
||||
| `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates;不得執行 wave |
|
||||
| `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload,明確不授權執行、不顯示執行按鈕 |
|
||||
@@ -171,6 +171,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
|
||||
| Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
|
||||
| Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
|
||||
| Source Control workflow / secret name local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
|
||||
| Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` |
|
||||
| Security finding contract | `docs/security/security-finding-kali-sample.snapshot.json` / `docs/security/SECURITY-FINDING-CONTRACT.md` |
|
||||
| Kali scan scope approval package | `docs/security/kali-scan-scope-approval.snapshot.json` / `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` |
|
||||
|
||||
@@ -217,7 +217,9 @@ Snapshot:`docs/security/source-control-workflow-secret-name-inventory.snapshot
|
||||
|
||||
目前 inventory:8 個 candidate repos、7 個 in-scope repos、1 個 external review;`inventory_complete_count=0`、`missing_inventory_count=7`、`secret_value_collection_allowed=false`。
|
||||
|
||||
AwoooP 初期處理方式:只顯示 inventory lane 缺口、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。
|
||||
S4.2 local evidence:已新增本機只讀 collector 與 snapshot,7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、5 個 runner labels、`secret_value_detected=false`。webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted evidence。
|
||||
|
||||
AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。
|
||||
|
||||
### `security_mirror_readiness_v1`
|
||||
|
||||
@@ -311,7 +313,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json`
|
||||
|
||||
目前 rollup:`framework_ready_waiting_approval`;34 個 contracts、31 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;decision records 目前 0 筆。
|
||||
目前 rollup:`framework_ready_waiting_approval`;34 個 contracts、31 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。
|
||||
|
||||
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。
|
||||
|
||||
@@ -789,6 +791,8 @@ Console 初期不提供高風險執行按鈕。
|
||||
|
||||
2026-05-13 S4.1 workflow / secret name inventory 追加:已新增 `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json`、`docs/security/source-control-workflow-secret-name-inventory.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md`。AwoooP 可顯示 8 個 candidate repos 的 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 `inventory_complete_count=0`、`secret_value_collection_allowed=false`,不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。
|
||||
|
||||
2026-05-13 S4.2 workflow / secret name local evidence 追加:已新增 `scripts/security/source-control-workflow-secret-name-local-inventory.py`、`docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json`、`docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md`。本輪只從本機 working tree 的 `.github/workflows`、`.gitea/workflows` 與 CODEOWNERS 萃取名稱級 metadata:7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、`secret_value_detected=false`;不得視為 GitHub primary ready。
|
||||
|
||||
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。
|
||||
|
||||
本波仍不做:
|
||||
@@ -849,6 +853,9 @@ Console 初期不提供高風險執行按鈕。
|
||||
- [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json)
|
||||
- [Source Control workflow / secret name inventory](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md)
|
||||
- [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json)
|
||||
- [Source Control workflow / secret name local evidence](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md)
|
||||
- [source_control_workflow_secret_name_local_evidence_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json)
|
||||
- [source-control workflow / secret name local collector](/Users/ogt/awoooi/scripts/security/source-control-workflow-secret-name-local-inventory.py)
|
||||
- [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md)
|
||||
- [local_repo_canonical_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/local-repo-canonical-ewoooc-momo.snapshot.json)
|
||||
- [本機 repo canonical lineage script](/Users/ogt/awoooi/scripts/security/local-repo-canonical-probe.py)
|
||||
@@ -880,6 +887,7 @@ Console 初期不提供高風險執行按鈕。
|
||||
- [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json)
|
||||
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
|
||||
- [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json)
|
||||
- [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json)
|
||||
- [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json)
|
||||
- [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json)
|
||||
- [approval_required_event_v1 schema](/Users/ogt/awoooi/docs/schemas/approval_required_event_v1.schema.json)
|
||||
|
||||
@@ -81,7 +81,7 @@ AwoooP 可以將 ready / partial contracts mirror 到:
|
||||
13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。
|
||||
14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。
|
||||
15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。
|
||||
16. 再 mirror `source_control_workflow_secret_name_inventory_v1`,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,不保存 secret value。
|
||||
16. 再 mirror `source_control_workflow_secret_name_inventory_v1` 與 S4.2 local evidence,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,不保存 secret value。
|
||||
17. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。
|
||||
18. 最後再 mirror source-control 其他 contracts。
|
||||
|
||||
|
||||
@@ -28,7 +28,7 @@
|
||||
| State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 |
|
||||
| Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates |
|
||||
| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready |
|
||||
| Workflow / secret name inventory | S4.1 已建立;8 個 candidate repos、0 個 inventory complete、禁止收集 secret value |
|
||||
| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;0 個 inventory complete、禁止收集 secret value |
|
||||
| Dry-run | `contract_defined_not_executed` |
|
||||
| Runtime actions | `false` |
|
||||
| Payload ingestion | `false` |
|
||||
@@ -61,6 +61,6 @@
|
||||
4. GitHub target / owner / visibility / canonical。
|
||||
5. Kali `/execute` 維持 block candidate。
|
||||
6. GitHub primary readiness blockers 與 rollback ADR 缺口。
|
||||
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,且只保存名稱與 owner,不保存 value。
|
||||
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再補 webhook / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value。
|
||||
|
||||
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence,不得由本 rollup 自動觸發。
|
||||
|
||||
@@ -49,7 +49,7 @@
|
||||
| `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` |
|
||||
| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` |
|
||||
| `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` |
|
||||
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | `source-control-workflow-secret-name-inventory.snapshot.json` |
|
||||
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` |
|
||||
| `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` |
|
||||
| `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang`、`wooo-infra-config` |
|
||||
| `approval_required_event_v1` | approval-only | 高風險 / 敏感邊界 approval | `gitea-readonly-inventory-approval.snapshot.json` |
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|------|------|
|
||||
| 日期 | 2026-05-13 |
|
||||
| 狀態 | S0/S1 read-only evidence 建置中 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
|
||||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||||
|
||||
## 0. 本階段完成後整體進度
|
||||
@@ -40,6 +40,7 @@
|
||||
| S3.4 後續 runtime gate 準備契約 | 完成草案 | `security_followup_runtime_gate_v1` 已建立;8 個 gate templates、0 個 active runtime gates、0 個 approved scope | AwoooP 可顯示前置 evidence、preflight checks 與 rollback / disable requirement,不可啟用 runtime gate |
|
||||
| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary |
|
||||
| S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret |
|
||||
| S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary |
|
||||
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
|
||||
|
||||
## 1. 已建立的主要 evidence
|
||||
@@ -72,6 +73,9 @@
|
||||
| Source Control GitHub primary readiness gate JSON | `docs/security/source-control-primary-readiness-gate.snapshot.json` |
|
||||
| Source Control workflow / secret name inventory | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
|
||||
| Source Control workflow / secret name inventory JSON | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
|
||||
| Source Control workflow / secret name local evidence | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
|
||||
| Source Control workflow / secret name local evidence JSON | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
|
||||
| Source Control workflow / secret name local collector | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
|
||||
| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` |
|
||||
| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` |
|
||||
| Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` |
|
||||
|
||||
@@ -44,7 +44,7 @@
|
||||
2. 顯示 `primary_ready_count=0`。
|
||||
3. 將 7 個 in-scope repos 維持在 approval / review lane。
|
||||
4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、refs truth、workflow/runner/secret name inventory、rollback ADR。
|
||||
5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口;只保存 secret 名稱與 owner,不保存 value。
|
||||
5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。
|
||||
6. 把狀態寫入 Audit evidence 與 Operator Console。
|
||||
|
||||
## 4. AwoooP 不可做
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
| 狀態 | 草案,missing evidence |
|
||||
| Schema | `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` |
|
||||
| Snapshot | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
|
||||
| Local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
|
||||
| 模式 | `inventory_contract_only` |
|
||||
| runtime 執行授權 | `false` |
|
||||
|
||||
@@ -17,6 +18,8 @@
|
||||
|
||||
它不收集 secret value,不修改 workflow,不搬移 secrets,也不授權 GitHub primary cutover。目前 `inventory_complete_count=0`。
|
||||
|
||||
S4.2 已補本機可見 evidence:4 個 repos 有 workflow / CODEOWNERS evidence、31 個 workflow files、43 個 referenced secret names、5 個 runner labels。這只是 local partial evidence,仍不代表 GitHub primary ready。
|
||||
|
||||
## 1. 目前狀態
|
||||
|
||||
| 指標 | 數量 |
|
||||
@@ -27,6 +30,9 @@
|
||||
| Inventory complete | 0 |
|
||||
| Missing inventory | 7 |
|
||||
| Secret value collection allowed | `false` |
|
||||
| Local evidence repos | 4 |
|
||||
| Local workflow files | 31 |
|
||||
| Local referenced secret names | 43 |
|
||||
|
||||
## 2. Inventory Lanes
|
||||
|
||||
@@ -47,6 +53,7 @@
|
||||
3. 將 redacted inventory snapshot 寫入 Audit evidence。
|
||||
4. 對缺資料 repo 顯示 owner review lane。
|
||||
5. 將失敗或含敏感值 payload 交給 mirror quarantine。
|
||||
6. 顯示 S4.2 本機 evidence 與仍缺的 API / export lanes。
|
||||
|
||||
## 4. AwoooP 不可做
|
||||
|
||||
@@ -62,4 +69,6 @@
|
||||
|
||||
S4.1 讓 GitHub primary readiness 的「workflow / secret 名稱 parity」缺口變成可追蹤清單。
|
||||
|
||||
這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。
|
||||
S4.2 讓本機可見 workflow / CODEOWNERS / referenced secret names 先形成 partial evidence。
|
||||
|
||||
這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。webhook、deploy key、branch protection 與 repository secret parity 仍需要後續 redacted export 或 read-only API evidence。
|
||||
|
||||
@@ -0,0 +1,75 @@
|
||||
# Workflow / Secret 名稱本機 Evidence Snapshot
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-05-13 |
|
||||
| 狀態 | 草案,partial local evidence |
|
||||
| Schema | `docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json` |
|
||||
| Snapshot | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
|
||||
| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
|
||||
| 收集器 | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
|
||||
| runtime 執行授權 | `false` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence。
|
||||
|
||||
本 snapshot 只從 `.github/workflows/`、`.gitea/workflows/`、`CODEOWNERS` 與 `.github/CODEOWNERS` 萃取名稱級 metadata。它不呼叫 GitHub / Gitea API、不讀 `.env`、不讀 secret store、不收集 secret value、不修改 workflow。
|
||||
|
||||
這仍不代表 GitHub primary ready。webhook、deploy key、branch protection 與 repository secret parity 還需要後續 redacted export 或 read-only API evidence。
|
||||
|
||||
## 1. 摘要
|
||||
|
||||
| 指標 | 數量 |
|
||||
|------|------|
|
||||
| Candidate repos | 8 |
|
||||
| Local repo visible | 7 |
|
||||
| Local evidence repos | 4 |
|
||||
| Workflow files | 31 |
|
||||
| Gitea workflow files | 10 |
|
||||
| GitHub workflow files | 21 |
|
||||
| CODEOWNERS files | 2 |
|
||||
| Unique referenced secret names | 43 |
|
||||
| Runner labels | 5 |
|
||||
| Secret value detected | `false` |
|
||||
|
||||
## 2. Repo 結果
|
||||
|
||||
| Repo | Local status | Workflow files | Secret names | CODEOWNERS | 說明 |
|
||||
|------|--------------|----------------|--------------|------------|------|
|
||||
| `owenhytsai/awoooi` | `partial_local_evidence` | 14 | 37 | 0 | Gitea / GitHub workflows 都可見;仍需 webhook、branch protection、repository secret parity evidence |
|
||||
| `owenhytsai/clawbot-v5` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
|
||||
| `owenhytsai/wooo-aiops` | `partial_local_evidence` | 14 | 12 | 2 | GitHub / Gitea workflow 與 CODEOWNERS 可見;仍需 webhook 與 branch protection evidence |
|
||||
| `owenhytsai/wooo-infra-config` | `partial_local_evidence` | 1 | 2 | 0 | GitHub validate workflow 可見;infra secret value 不可搬移 |
|
||||
| `owenhytsai/ewoooc` | `partial_local_evidence` | 2 | 4 | 0 | 以本機 `momo-pro-system` working tree 作為 ewoooc/momo canonical review 的暫時 evidence |
|
||||
| `owenhytsai/bitan-pharmacy` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
|
||||
| `owenhytsai/tsenyang-website` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
|
||||
| `nexu-io/open-design` | `missing_local_repo` | 0 | 0 | 0 | 外部 scope review;未納入 GitHub primary cutover queue |
|
||||
|
||||
## 3. 已知 runner labels
|
||||
|
||||
本 snapshot 只保存 runner label 名稱:
|
||||
|
||||
| Label |
|
||||
|-------|
|
||||
| `awoooi-host` |
|
||||
| `harbor` |
|
||||
| `k8s` |
|
||||
| `self-hosted` |
|
||||
| `ubuntu-latest` |
|
||||
|
||||
## 4. 仍需補齊
|
||||
|
||||
1. Gitea / GitHub webhook inventory:只列 destination host、event types、enabled flag,不保存 webhook secret。
|
||||
2. Deploy key / machine key inventory:只列 key name、read-only flag、owner,不保存 private key。
|
||||
3. Branch protection inventory:只列 protected branch、required status checks、review count。
|
||||
4. Repository secret parity:只比對 secret 名稱與 owner,不輸出 value。
|
||||
5. 逐 repo owner review:確認本機可見 workflow 是否為 canonical,尤其是 `ewoooc` / `momo-pro-system`。
|
||||
|
||||
## 5. 永久禁止
|
||||
|
||||
1. 不收集 secret value、token value、private key、webhook secret、runner registration token。
|
||||
2. 不修改 workflow、webhook、runner、deploy key、branch protection 或 CODEOWNERS。
|
||||
3. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。
|
||||
4. 不把本機 evidence 當成 primary cutover approval。
|
||||
5. 不把 LOW / MEDIUM observation 變成 runtime blocker。
|
||||
@@ -333,9 +333,15 @@
|
||||
"consumption_mode": "approval_only",
|
||||
"mirror_allowed": true,
|
||||
"execution_allowed": false,
|
||||
"snapshot_paths": ["docs/security/source-control-workflow-secret-name-inventory.snapshot.json"],
|
||||
"human_docs": ["docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"],
|
||||
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;inventory_complete_count=0,secret_value_collection_allowed=false。"
|
||||
"snapshot_paths": [
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
|
||||
],
|
||||
"human_docs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
|
||||
],
|
||||
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names;secret_value_collection_allowed=false。"
|
||||
},
|
||||
{
|
||||
"contract": "local_repo_canonical_probe_v1",
|
||||
|
||||
@@ -21,6 +21,7 @@
|
||||
"docs/security/security-followup-runtime-gate.snapshot.json",
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||||
"docs/security/security-rollout-policy.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
@@ -38,7 +39,11 @@
|
||||
"github_primary_ready_count": 0,
|
||||
"workflow_secret_inventory_candidate_repo_count": 8,
|
||||
"workflow_secret_inventory_complete_count": 0,
|
||||
"workflow_secret_inventory_local_evidence_repo_count": 4,
|
||||
"workflow_secret_inventory_local_workflow_file_count": 31,
|
||||
"workflow_secret_inventory_unique_secret_name_count": 43,
|
||||
"secret_value_collection_allowed": false,
|
||||
"secret_value_detected": false,
|
||||
"pending_approval_count": 7,
|
||||
"block_candidate_count": 1,
|
||||
"dry_run_status": "contract_defined_not_executed",
|
||||
@@ -73,8 +78,8 @@
|
||||
{
|
||||
"phase_id": "S4_migration_execution",
|
||||
"state": "not_started",
|
||||
"current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約,inventory_complete_count=0。",
|
||||
"next_gate": "Gitea authenticated inventory、refs truth、redacted workflow/runner/secret name inventory、rollback ADR 與逐 repo 人工批准。"
|
||||
"current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidence,inventory_complete_count=0。",
|
||||
"next_gate": "Gitea authenticated inventory、refs truth、webhook / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
|
||||
}
|
||||
],
|
||||
"next_safe_actions": [
|
||||
@@ -215,7 +220,7 @@
|
||||
"mode": "approval_required",
|
||||
"source_contract": "source_control_workflow_secret_name_inventory_v1",
|
||||
"allowed_processing": [
|
||||
"顯示 8 個 candidate repos 的 inventory lanes",
|
||||
"顯示 8 個 candidate repos 的 inventory lanes 與 4 個 repos 的 local evidence",
|
||||
"要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
|
||||
"只保存 secret name、owner 與 present/absent metadata,不保存 value"
|
||||
],
|
||||
@@ -251,7 +256,8 @@
|
||||
"S3.3 只新增人工決策狀態轉移語義;approve_scope 只進入 waiting runtime gate,不代表可立即執行。",
|
||||
"S3.4 只新增後續 runtime gate 準備模板;active_runtime_gates=0,不新增 action button。",
|
||||
"S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。",
|
||||
"S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。"
|
||||
"S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。",
|
||||
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"start_kali_scan",
|
||||
|
||||
@@ -538,8 +538,14 @@
|
||||
{
|
||||
"contract": "source_control_workflow_secret_name_inventory_v1",
|
||||
"schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",
|
||||
"snapshot_paths": ["docs/security/source-control-workflow-secret-name-inventory.snapshot.json"],
|
||||
"human_docs": ["docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"],
|
||||
"snapshot_paths": [
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
|
||||
],
|
||||
"human_docs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
|
||||
],
|
||||
"consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console",
|
||||
"consumption_mode": "approval_only",
|
||||
"allowed_actions": [
|
||||
@@ -555,7 +561,7 @@
|
||||
"sync_refs",
|
||||
"switch_github_primary"
|
||||
],
|
||||
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;目前 inventory_complete_count=0,不保存 secret value。"
|
||||
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence:4 repos、31 workflow files、43 個 referenced secret names;仍不保存 secret value。"
|
||||
},
|
||||
{
|
||||
"contract": "local_repo_canonical_probe_v1",
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
"runtime_execution_authorized": false,
|
||||
"source_indexes": [
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||||
"docs/security/github-target-decision.snapshot.json",
|
||||
"docs/security/source-control-approval-board.snapshot.json",
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
@@ -409,6 +410,7 @@
|
||||
"secret_name_inventory 只允許保存 secret_name、scope、owner 與 used_by_workflow_name,禁止保存 value。",
|
||||
"任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。",
|
||||
"此 inventory 完成前,GitHub primary readiness gate 必須維持 blocked。",
|
||||
"S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。",
|
||||
"inventory snapshot 只能 mirror 成 Operator Console / Audit evidence,不得新增 execution action。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user