Files
awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md
Your Name e8e15faf28
All checks were successful
CD Pipeline / tests (push) Successful in 1m26s
Code Review / ai-code-review (push) Successful in 12s
CD Pipeline / build-and-deploy (push) Successful in 4m31s
CD Pipeline / post-deploy-checks (push) Successful in 1m32s
feat(security): 擴充 source-control 納管範圍
2026-06-11 19:23:40 +08:00

82 lines
5.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Workflow / Secret 名稱本機 Evidence Snapshot
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-11 |
| 狀態 | 草案partial local evidence |
| Schema | `docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json` |
| Snapshot | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
| 收集器 | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
| runtime 執行授權 | `false` |
## 0. 核心結論
S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence。2026-06-11 refresh 已改用本輪乾淨 worktree `/private/tmp/awoooi-agent-bounty-iwooos-20260611` 重跑 `awoooi` evidence並把 `VibeWork``agent-bounty-protocol` 納入資安控管候選範圍。
本 snapshot 只從 `.github/workflows/``.gitea/workflows/``CODEOWNERS``.github/CODEOWNERS` 萃取名稱級 metadata。它不呼叫 GitHub / Gitea API、不讀 `.env`、不讀 secret store、不收集 secret value、不修改 workflow。
這仍不代表 GitHub primary ready。webhook、deploy key、branch protection 與 repository secret parity 還需要後續 redacted export 或 read-only API evidence。
S4.3 已把這些後續缺口整理成 redacted export request並額外納入 runner owner / GitHub hosted minutes 風險 lane仍禁止 write token 與 secret value。
## 1. 摘要
| 指標 | 數量 |
|------|------|
| Candidate repos | 10 |
| Local repo visible | 9 |
| Local evidence repos | 5 |
| Workflow files | 33 |
| Gitea workflow files | 12 |
| GitHub workflow files | 21 |
| CODEOWNERS files | 2 |
| Unique referenced secret names | 42 |
| Runner labels | 5 |
| Secret value detected | `false` |
## 2. Repo 結果
| Repo | Local status | Workflow files | Secret names | CODEOWNERS | 說明 |
|------|--------------|----------------|--------------|------------|------|
| `owenhytsai/awoooi` | `partial_local_evidence` | 15 | 34 | 0 | Gitea / GitHub workflows 都可見;本輪移除舊 worktree evidence 漂移後,仍需 webhook、branch protection、repository secret parity evidence |
| `owenhytsai/clawbot-v5` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
| `owenhytsai/wooo-aiops` | `partial_local_evidence` | 14 | 12 | 2 | GitHub / Gitea workflow 與 CODEOWNERS 可見;仍需 webhook 與 branch protection evidence |
| `owenhytsai/wooo-infra-config` | `partial_local_evidence` | 1 | 2 | 0 | GitHub validate workflow 可見infra secret value 不可搬移 |
| `owenhytsai/ewoooc` | `partial_local_evidence` | 2 | 4 | 0 | 以本機 `momo-pro-system` working tree 作為 ewoooc/momo canonical review 的暫時 evidence |
| `owenhytsai/bitan-pharmacy` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
| `owenhytsai/tsenyang-website` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
| `nexu-io/open-design` | `missing_local_repo` | 0 | 0 | 0 | 外部 scope review未納入 GitHub primary cutover queue |
| `owenhytsai/VibeWork` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見;保留 VibeWork 獨立產品邊界,仍需 owner 確認 workflow / secret / deploy surface |
| `owenhytsai/agent-bounty-protocol` | `partial_local_evidence` | 1 | 0 | 0 | 新納入資安控管範圍;已見 1 個 Gitea workflow 與 `ubuntu-latest` runner label仍需 agent / bounty / treasury / execution surface owner response |
## 3. 已知 runner labels
本 snapshot 只保存 runner label 名稱:
| Label |
|-------|
| `awoooi-host` |
| `harbor` |
| `k8s` |
| `self-hosted` |
| `ubuntu-latest` |
## 4. 仍需補齊
1. Gitea / GitHub webhook inventory只列 destination host、event types、enabled flag不保存 webhook secret。
2. Runner owner / hosted minutes 風險 inventory只列 label、executor、self-hosted / hosted、owner不保存 registration token。
3. Deploy key / machine key inventory只列 key name、read-only flag、owner不保存 private key。
4. Branch protection inventory只列 protected branch、required status checks、review count。
5. Repository secret parity只比對 secret 名稱與 owner不輸出 value。
6. 逐 repo owner review確認本機可見 workflow 是否為 canonical尤其是 `ewoooc` / `momo-pro-system``VibeWork``agent-bounty-protocol`
7. Snapshot freshness本機 evidence 必須標示可重現路徑與刷新日期;過期暫存 worktree 只能作歷史參考,不可當 current readiness。
## 5. 永久禁止
1. 不收集 secret value、token value、private key、webhook secret、runner registration token。
2. 不修改 workflow、webhook、runner、deploy key、branch protection 或 CODEOWNERS。
3. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。
4. 不把本機 evidence 當成 primary cutover approval。
5. 不把 LOW / MEDIUM observation 變成 runtime blocker。