82 lines
5.0 KiB
Markdown
82 lines
5.0 KiB
Markdown
# Workflow / Secret 名稱本機 Evidence Snapshot
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-11 |
|
||
| 狀態 | 草案,partial local evidence |
|
||
| Schema | `docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json` |
|
||
| Snapshot | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
|
||
| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
|
||
| 收集器 | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
|
||
| runtime 執行授權 | `false` |
|
||
|
||
## 0. 核心結論
|
||
|
||
S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence。2026-06-11 refresh 已改用本輪乾淨 worktree `/private/tmp/awoooi-agent-bounty-iwooos-20260611` 重跑 `awoooi` evidence,並把 `VibeWork` 與 `agent-bounty-protocol` 納入資安控管候選範圍。
|
||
|
||
本 snapshot 只從 `.github/workflows/`、`.gitea/workflows/`、`CODEOWNERS` 與 `.github/CODEOWNERS` 萃取名稱級 metadata。它不呼叫 GitHub / Gitea API、不讀 `.env`、不讀 secret store、不收集 secret value、不修改 workflow。
|
||
|
||
這仍不代表 GitHub primary ready。webhook、deploy key、branch protection 與 repository secret parity 還需要後續 redacted export 或 read-only API evidence。
|
||
|
||
S4.3 已把這些後續缺口整理成 redacted export request,並額外納入 runner owner / GitHub hosted minutes 風險 lane;仍禁止 write token 與 secret value。
|
||
|
||
## 1. 摘要
|
||
|
||
| 指標 | 數量 |
|
||
|------|------|
|
||
| Candidate repos | 10 |
|
||
| Local repo visible | 9 |
|
||
| Local evidence repos | 5 |
|
||
| Workflow files | 33 |
|
||
| Gitea workflow files | 12 |
|
||
| GitHub workflow files | 21 |
|
||
| CODEOWNERS files | 2 |
|
||
| Unique referenced secret names | 42 |
|
||
| Runner labels | 5 |
|
||
| Secret value detected | `false` |
|
||
|
||
## 2. Repo 結果
|
||
|
||
| Repo | Local status | Workflow files | Secret names | CODEOWNERS | 說明 |
|
||
|------|--------------|----------------|--------------|------------|------|
|
||
| `owenhytsai/awoooi` | `partial_local_evidence` | 15 | 34 | 0 | Gitea / GitHub workflows 都可見;本輪移除舊 worktree evidence 漂移後,仍需 webhook、branch protection、repository secret parity evidence |
|
||
| `owenhytsai/clawbot-v5` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
|
||
| `owenhytsai/wooo-aiops` | `partial_local_evidence` | 14 | 12 | 2 | GitHub / Gitea workflow 與 CODEOWNERS 可見;仍需 webhook 與 branch protection evidence |
|
||
| `owenhytsai/wooo-infra-config` | `partial_local_evidence` | 1 | 2 | 0 | GitHub validate workflow 可見;infra secret value 不可搬移 |
|
||
| `owenhytsai/ewoooc` | `partial_local_evidence` | 2 | 4 | 0 | 以本機 `momo-pro-system` working tree 作為 ewoooc/momo canonical review 的暫時 evidence |
|
||
| `owenhytsai/bitan-pharmacy` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
|
||
| `owenhytsai/tsenyang-website` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
|
||
| `nexu-io/open-design` | `missing_local_repo` | 0 | 0 | 0 | 外部 scope review;未納入 GitHub primary cutover queue |
|
||
| `owenhytsai/VibeWork` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見;保留 VibeWork 獨立產品邊界,仍需 owner 確認 workflow / secret / deploy surface |
|
||
| `owenhytsai/agent-bounty-protocol` | `partial_local_evidence` | 1 | 0 | 0 | 新納入資安控管範圍;已見 1 個 Gitea workflow 與 `ubuntu-latest` runner label,仍需 agent / bounty / treasury / execution surface owner response |
|
||
|
||
## 3. 已知 runner labels
|
||
|
||
本 snapshot 只保存 runner label 名稱:
|
||
|
||
| Label |
|
||
|-------|
|
||
| `awoooi-host` |
|
||
| `harbor` |
|
||
| `k8s` |
|
||
| `self-hosted` |
|
||
| `ubuntu-latest` |
|
||
|
||
## 4. 仍需補齊
|
||
|
||
1. Gitea / GitHub webhook inventory:只列 destination host、event types、enabled flag,不保存 webhook secret。
|
||
2. Runner owner / hosted minutes 風險 inventory:只列 label、executor、self-hosted / hosted、owner,不保存 registration token。
|
||
3. Deploy key / machine key inventory:只列 key name、read-only flag、owner,不保存 private key。
|
||
4. Branch protection inventory:只列 protected branch、required status checks、review count。
|
||
5. Repository secret parity:只比對 secret 名稱與 owner,不輸出 value。
|
||
6. 逐 repo owner review:確認本機可見 workflow 是否為 canonical,尤其是 `ewoooc` / `momo-pro-system`、`VibeWork` 與 `agent-bounty-protocol`。
|
||
7. Snapshot freshness:本機 evidence 必須標示可重現路徑與刷新日期;過期暫存 worktree 只能作歷史參考,不可當 current readiness。
|
||
|
||
## 5. 永久禁止
|
||
|
||
1. 不收集 secret value、token value、private key、webhook secret、runner registration token。
|
||
2. 不修改 workflow、webhook、runner、deploy key、branch protection 或 CODEOWNERS。
|
||
3. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。
|
||
4. 不把本機 evidence 當成 primary cutover approval。
|
||
5. 不把 LOW / MEDIUM observation 變成 runtime blocker。
|