19 KiB
Workflow / Secret Name Owner Response 收件包
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-04 |
| 狀態 | 草案與 P1-4 handoff 已整理,等待 owner response |
| 資料契約 | docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json |
| 快照 | docs/security/source-control-workflow-secret-name-owner-response.snapshot.json |
| 來源契約 | source_control_workflow_secret_name_inventory_v1 |
| 目標契約 | source_control_workflow_secret_name_export_request_v1 |
| 模式 | owner_workflow_secret_name_response_intake_only |
| 執行面授權 | false |
0. 核心結論
S4.12 補的是「AwoooP 要怎麼請 owner 回覆,以及 owner 要怎麼回覆 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / repository secret 名稱 parity」。
S4.12 不是 secret 搬移、不是 workflow 修改、不是 runner 啟用、不是 deploy key 變更,也不是 GitHub primary approval。它只把 owner response 的欄位、可接受決策、驗收規則、拒收規則與允許輸出固定下來,讓 AwoooP 可以只讀顯示並等待人工補證。
此文件不要求貼 token,不接受 raw secret,不使用 write token,不修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret,不建立 repo、不 sync refs、不切 primary,也不停用 Gitea。
1. Response 摘要
| 指標 | 值 |
|---|---|
| owner response 狀態 | waiting_owner_response |
| candidate repos | 8 |
| in-scope repos | 7 |
| redacted export requests | 7 |
| export lanes | 5 |
| local evidence repos | 4 |
| local workflow files | 31 |
| local referenced secret names | 42 |
| owner response request packet | 1 |
| template status ledger | 5 |
| audit event templates | 3 |
| redaction examples | 5 |
| collection checks | 6 |
| intake preflight checks | 6 |
| response templates | 5 |
| 已收到 response | 0 |
| 已接受 response | 0 |
| 已拒收 response | 0 |
| acceptance checks | 8 |
| rejection rules | 10 |
| 允許收集 secret value | false |
| 允許 write token | false |
| 授權修改 workflow / webhook / runner / deploy key / branch protection / secret | false |
| 授權啟用 GitHub hosted runner | false |
| 授權 sync refs / 切 GitHub primary | false |
| P1-4 handoff package | ready |
| request dispatch authorized | false |
| secret value / hash / partial token collection | false |
1.0 2026-06-04 P1-4 Workflow / Secret Owner Handoff
本段把 S4.12 從「收件包已定義」推到「P1-4 可交接請 owner 逐項回覆」。這是 workflow / runner / secret parity 的 handoff readiness,不是 request sent、不是 owner response received、不是 secret parity complete,也不是 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret 變更批准。
| 指標 | 值 |
|---|---|
| P1-4 handoff package | ready |
| handoff completion | 100% |
| local workflow files | 31 |
| local referenced secret names | 42 |
| runner label names | 5 |
| request dispatch authorized | false |
| owner response received | 0 |
| owner response accepted | 0 |
| workflow / secret modification authorized | false |
| secret value collection allowed | false |
1.0.1 送件前檢查
| 順序 | 檢查項 | 完成條件 | 目前狀態 |
|---|---|---|---|
| 1 | 基線同步 | 送件前確認 gitea/main、local evidence、S4.9-S4.12 source packets 最新狀態 |
已定義,未送件 |
| 2 | local evidence freshness | 以 2026-06-04 local evidence 的 31 個 workflow files、42 個 unique secret names、5 個 runner labels 為基準 | 已定義,未送件 |
| 3 | 五個 response lane | webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 逐項追蹤 | 已定義,未送件 |
| 4 | metadata only | 只收 redacted host、runner label、key name、ruleset / CODEOWNERS metadata、secret name / scope / present-absent | 已定義,未送件 |
| 5 | secret material 拒收 | secret value、hash、masked token、partial token、private key、runner token、webhook secret 全部拒收或隔離 | 已定義,未送件 |
| 6 | 執行要求拒收 | workflow / webhook / runner / deploy key / branch protection / repository secret 修改、hosted runner enable、refs sync、primary switch 全部 hard reject | 已定義,未送件 |
1.0.2 交接封套欄位
| 欄位 | 內容規則 |
|---|---|
request_id |
p1_4_workflow_secret_owner_response_handoff |
stage_id |
S4.12 |
source_evidence_summary |
local repos 4、workflow files 31、unique secret names 42、runner labels 5 |
requested_templates |
只引用本文件第 3 節五個 template id |
recipient_role_or_team |
只填 role / team,不收個人敏感資料或 credential |
required_response_fields |
owner role/team、decision、repo、provider、lane、lane-specific owner、lane-specific metadata、redacted evidence refs、followup owner |
allowed_metadata |
redacted host、event types、runner label、key name、required checks、CODEOWNERS path、secret name、scope、present-absent |
forbidden_inputs |
secret value、secret hash、masked token、partial token、token value、runner token、webhook secret、private key、deploy key private key、authorization header |
not_approval |
必須為 true |
1.0.3 送件後不變條件
即使後續 owner 實際回覆,也只能先進 S4.12 intake preflight 與 reviewer validation。通過後可更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup;不得建立、複製、rotate、修改或刪除 secret,不得改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS,不得啟用 GitHub hosted runner,不得 sync refs、切 GitHub primary 或停用 Gitea。
1.1 Owner Response Request Packet
| 欄位 | 值 |
|---|---|
| request id | s4_12_workflow_secret_name_owner_response_request |
| 顯示狀態 | ready_to_request_owner_response |
| 要求回覆 templates | 5 |
| 顯示模式 | display_owner_response_request_only |
| 執行授權 | false |
| 是否為批准 | false |
這個 request packet 只讓 AwoooP 顯示「請 owner 回覆哪五類 workflow / secret 名稱問題、允許填哪些欄位、evidence 要怎麼脫敏、哪些 payload 必須拒收」。它不是 request sent、不是 response received、不是 response accepted,也不是 secret 搬移、workflow 修改、runner 啟用、deploy key 變更、branch protection 修改、repo secret 建立、refs sync 或 GitHub primary approval。
Owner 回覆只能使用脫敏 metadata 或既有文件引用。不得貼 secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、header、未脫敏截圖或任何 workflow / secret / runner 執行要求。
1.2 Template Status Ledger
| Template | 狀態 | request | received / accepted / rejected |
|---|---|---|---|
response-webhook-redacted-export |
waiting_owner_response |
request_ready_not_sent |
0 / 0 / 0 |
response-runner-label-owner |
waiting_owner_response |
request_ready_not_sent |
0 / 0 / 0 |
response-deploy-key-redacted-export |
waiting_owner_response |
request_ready_not_sent |
0 / 0 / 0 |
response-branch-protection-codeowners |
waiting_owner_response |
request_ready_not_sent |
0 / 0 / 0 |
response-repository-secret-name-parity |
waiting_owner_response |
request_ready_not_sent |
0 / 0 / 0 |
Template status ledger 只讓 AwoooP 逐項顯示哪一類 workflow / secret name response 還在等待 owner。request_ready_not_sent 不代表 request 已送出,waiting_owner_response 不代表 owner 已回覆,任何單項狀態也不代表 secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key 變更、branch protection 修改、repository secret 建立、refs sync 或 GitHub primary approval。
1.3 Audit Event Templates
| Template | 觸發點 | emitted |
|---|---|---|
audit-workflow-secret-response-request-shown |
顯示 S4.12 request packet | 0 |
audit-workflow-secret-response-received-metadata |
收到脫敏 owner response metadata pointer | 0 |
audit-workflow-secret-response-outcome-classified |
依 acceptance checks / rejection rules 分類 outcome | 0 |
Audit event templates 只定義 AwoooP 未來可記錄的 workflow / secret name owner response 脫敏 metadata 欄位,全部維持 template_only_not_emitted、emitted_event_count=0、stored_raw_payload_allowed=false。它們不是 production ingestion,不代表 owner response 已收到,也不授權 secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key rotation、branch protection change、repository secret change、refs sync 或 GitHub primary。
1.4 Redaction Examples
| Example | 用途 |
|---|---|
redaction-webhook-redacted-host-metadata |
用 redacted host、event types、enabled flag 與 owner 表示 webhook inventory |
redaction-runner-label-owner-metadata |
用 runner label、executor type、owner 與 hosted minutes risk 表示 runner review |
redaction-deploy-key-name-scope-metadata |
用 key name、read-only flag、repo scope 與 owner 表示 deploy key scope |
redaction-branch-protection-codeowners-metadata |
用 branch/ruleset/CODEOWNERS metadata 表示 branch protection review |
redaction-secret-name-parity-quarantine-pointer |
用 secret name / scope / present-absent metadata 或 quarantine pointer 表示 secret parity |
Redaction examples 只示範 owner 可以怎麼安全回覆,全部維持 template_example_only、stored_raw_payload_allowed=false。它們不是 owner response received、不是 accepted,也不讓 AwoooP 保存 webhook secret、runner token、private key、deploy key value、secret value、hash、masked token、partial credential、未脫敏截圖或 execution request payload。
1.5 Collection Checks
| Check | 用途 |
|---|---|
collection-workflow-secret-request-packet-displayed |
只顯示 request packet,不附加 secret / workflow / runner 執行要求 |
collection-workflow-secret-read-only-submission-mode |
只允許 read-only markdown、脫敏 metadata pointer、既有文件引用或人工 review note |
collection-five-workflow-secret-template-tracking |
五個 response templates 分開追蹤 received / accepted / rejected |
collection-workflow-secret-redacted-evidence-only |
只收 repo path、snapshot path、secret name metadata、redacted host、runner label、key name 或 ruleset metadata |
collection-workflow-secret-no-approval-language |
不把 owner wording 的「同意 / OK / 可進行」升級成 workflow / secret / runner / primary 批准 |
collection-workflow-secret-audit-metadata-only |
只記錄 request shown、response metadata、template id、lane、repo、owner、evidence refs 與 outcome lane |
Collection checks 只維持 request / received / accepted 分離,全部維持 required=true、execution_authorized=false 與 not_approval=true。即使 collection check pass,也不代表 owner response received、accepted、secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key rotation、branch protection change、repository secret change、refs sync 或 GitHub primary approval。
1.6 Intake Preflight Checks
| Check | 用途 |
|---|---|
preflight-known-workflow-secret-lane |
確認 response 對應 S4.12 五個 workflow / secret name templates 之一 |
preflight-required-workflow-secret-owner-fields |
確認 owner、decision、repo、provider、lane-specific metadata 與 evidence refs 完整 |
preflight-allowed-workflow-secret-decision |
確認 decision 落在該 template 的 acceptable decisions |
preflight-workflow-secret-redacted-evidence-only |
只接受 repo 文件、snapshot、secret name list、redacted host、runner label、key name 或 ruleset metadata |
preflight-no-workflow-secret-execution-request |
拒收 secret 建立 / rotate、workflow 修改、runner 啟用、write token、refs sync、Kali scan 或 runtime 要求 |
preflight-all-five-workflow-secret-lanes-before-accepted |
接受前必須覆蓋五個 workflow / secret response templates |
Intake preflight checks 只在收件前後分類 ready_for_owner_review、request_more_evidence、quarantine_sensitive_payload 或 reject_execution_request,全部維持 required=true 與 execution_authorized=false。Preflight pass 不是 accepted,不會建立 secret、改 workflow、啟用 runner、rotate key、修改 branch protection、sync refs、切 GitHub primary 或觸發 Kali scan。
2. Owner Response 必填欄位
每筆 response 至少要能回答:
owner_role_or_team:回覆者角色或團隊,不要求個人敏感資訊。decision:必須是該 lane template 允許的決策值。decision_reason:為什麼做此 redacted export / no-data / hold 判定。repo與provider:必須標示 GitHub / Gitea / local evidence 來源。- lane-specific owner:例如
webhook_owner、runner_owner、key_owner、ruleset_owner、rotation_owner。 - lane-specific metadata:只能填允許欄位,例如 host redacted、runner label、key name、required check names、secret name list。
evidence_refs:只能指向 repo 內文件、snapshot 或 owner 提供的脫敏 metadata。
3. 五個 Response Template
| Template | Lane | 覆蓋範圍 | 驗收重點 |
|---|---|---|---|
response-webhook-redacted-export |
webhook_redacted_export_request |
awoooi、wooo-aiops |
只收 redacted host / event types / owner,不收 webhook secret 或 URL token |
response-runner-label-owner |
runner_label_owner_export_request |
awoooi、wooo-aiops、wooo-infra-config、ewoooc |
確認 self-hosted / hosted 與額度風險,不授權啟用 GitHub hosted runner |
response-deploy-key-redacted-export |
deploy_key_redacted_export_request |
wooo-infra-config |
只收 key name / read-only flag / owner,不收 private key 或完整 public key |
response-branch-protection-codeowners |
branch_protection_codeowners_export_request |
awoooi、clawbot-v5、wooo-infra-config、ewoooc |
只收 required checks / CODEOWNERS path / ruleset owner,不修改規則 |
response-repository-secret-name-parity |
repository_secret_name_parity_export_request |
7 個 in-scope repos | 只收 secret name / scope / present-absent / owner,不收 value、hash、partial token |
4. 可接受決策值
| Lane | Decision |
|---|---|
webhook_redacted_export_request |
provide_redacted_webhook_inventory_candidate、mark_no_webhook_candidate、hold_pending_webhook_owner、unknown_requires_more_evidence |
runner_label_owner_export_request |
keep_self_hosted_runner_candidate、approve_hosted_runner_risk_review_candidate、mark_no_runner_candidate、hold_pending_runner_owner、unknown_requires_more_evidence |
deploy_key_redacted_export_request |
provide_deploy_key_name_scope_candidate、mark_no_deploy_key_candidate、mark_write_capable_key_risk_candidate、hold_pending_key_owner、unknown_requires_more_evidence |
branch_protection_codeowners_export_request |
provide_branch_protection_codeowners_candidate、mark_no_branch_protection_candidate、hold_pending_ruleset_owner、unknown_requires_more_evidence |
repository_secret_name_parity_export_request |
provide_secret_name_presence_map_candidate、mark_no_repository_secret_candidate、hold_pending_secret_owner、unknown_requires_more_evidence |
5. 驗收規則
- response 必須對應 S4.3 既有 export lane。
decision必須在該 lane template 的允許值內。- 必須標示 repo、provider 與 lane;批次 secret name parity 必須有可重現 repo list。
- 必須有 owner 或補證 owner;未知時要明確選 hold / unknown。
- 只能包含 lane allowed fields,不得加入 request body、header、credential 或 raw config。
- 不得包含 secret、token、cookie、private key、deploy key、runner token、webhook secret、password、hash、masked token 或 partial credential。
- 不得要求 write API、rotate secret、修改 workflow、webhook、runner、deploy key 或 branch protection。
- 不得要求建立 repo、sync refs、切 GitHub primary、停用 Gitea,或把 inventory 視為 primary ready。
6. 必須拒收
- secret value、PAT、cookie、session、CSRF token、private key、deploy key value、runner token、webhook secret 或 partial credential。
- 完整 webhook payload URL、query token、authorization header、request body 或未脫敏截圖。
- runner registration token、runner admin token、SSH private key、host password 或 API token。
- deploy key private material、完整 public key、token value、password 或 credential value。
- secret value、secret hash、partial token、masked token 或任何可還原片段。
- 要求 write API、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS 或 rotate secret。
- 要求建立 repo、sync refs、切 GitHub primary、停用或封存 Gitea。
- 缺 repo、provider、lane owner 或 no-data disposition。
- 把 owner response 當成 inventory complete、workflow ready、secret parity complete 或 GitHub primary ready。
- 任何不確定是否含敏感值、私有 URL 憑證、完整 key material 或未脫敏截圖的回覆。
7. AwoooP 可做
- 顯示 1 個 owner response request packet。
- 顯示 5 個 template statuses,逐項維持
waiting_owner_response。 - 顯示 3 個 audit event templates,全部維持
template_only_not_emitted與emitted_event_count=0。 - 顯示 5 個 redaction examples,全部維持
template_example_only與stored_raw_payload_allowed=false。 - 顯示 6 個 collection checks,全部維持
required=true、execution_authorized=false與not_approval=true。 - 顯示 6 個 intake preflight checks,只分類可審、補證、隔離或拒收。
- 顯示 5 個 owner response templates。
- 顯示 8 個 acceptance checks 與 10 個 rejection rules。
- 顯示 GitHub hosted runner 額度風險 review lane,但不啟用 hosted runner。
- 在 owner response 到來後,只更新 read-only inventory、export request、primary readiness blocker wording 與 status rollup。
- 將不完整或可疑 response 放進 mirror quarantine。
- 持續顯示
received_response_count=0、accepted_response_count=0,直到真的收到脫敏 response。
8. AwoooP 不可做
- 不要求使用者貼 token、secret、private key、cookie、session、deploy key 或 runner token。
- 不把 response 當成 workflow 修改批准。
- 不把 response 當成 secret 建立 / 複製 / rotate 批准。
- 不把 response 當成 GitHub hosted runner 啟用批准。
- 不把 response 當成 GitHub primary approval。
- 不建立 GitHub repo。
- 不修改 GitHub/Gitea repo。
- 不新增執行按鈕。
9. 階段定位
S4.12 是 S4.1 / S4.2 / S4.3 後面的 owner response 收件包。
它讓 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / repository secret 名稱 parity 的 owner request 與 owner response 變得可審、可驗收、可拒收,但仍停在框架期。真正進入 GitHub primary 前,仍必須等 Gitea inventory、GitHub target response、refs truth、workflow-secret parity、rollback ADR、owner approval 與後續 runtime gate 全部補齊。