Files
awoooi/docs/security/source-control-workflow-secret-name-export-request.snapshot.json
Your Name e8e15faf28
All checks were successful
CD Pipeline / tests (push) Successful in 1m26s
Code Review / ai-code-review (push) Successful in 12s
CD Pipeline / build-and-deploy (push) Successful in 4m31s
CD Pipeline / post-deploy-checks (push) Successful in 1m32s
feat(security): 擴充 source-control 納管範圍
2026-06-11 19:23:40 +08:00

506 lines
19 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "source_control_workflow_secret_name_export_request_v1",
"status": "draft_waiting_owner_export",
"date": "2026-06-11",
"mode": "redacted_export_request_only",
"runtime_execution_authorized": false,
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"source_indexes": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"candidate_repo_count": 10,
"in_scope_request_count": 9,
"external_scope_review_count": 1,
"export_request_count": 9,
"export_lane_count": 5,
"owner_response_template_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"webhook_export_request_repo_count": 2,
"runner_export_request_repo_count": 5,
"deploy_key_export_request_repo_count": 1,
"branch_protection_codeowners_export_request_repo_count": 6,
"repository_secret_name_parity_export_request_repo_count": 9,
"secret_value_collection_allowed": false,
"write_token_allowed": false,
"runtime_actions_authorized": false,
"action_buttons_allowed": false
},
"owner_response_packet": {
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
"snapshot_path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"execution_authorized": false,
"allowed_effect": "response 通過後只更新 read-only inventory / export request / readiness wording不授權 workflow/secret/runner/deploy key 變更"
},
"export_lanes": [
{
"lane_id": "webhook_redacted_export_request",
"title": "Webhook 名稱、目的地 host 與事件類型 redacted export",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"webhook_name",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"owner",
"last_updated_metadata"
],
"forbidden_fields": [
"webhook_secret",
"full_payload_url_with_token",
"authorization_header",
"cookie",
"request_body",
"secret_value"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_api_summary",
"admin_export_after_manual_redaction"
],
"acceptance_gate": [
"每筆 webhook 必須只保留 host 或 redacted URL不得包含 query token。",
"必須標示 Gitea / GitHub 哪一端在 primary cutover 後負責發 webhook。",
"若偵測到 secret value 或 token value整份 export 必須進 mirror quarantine。"
],
"execution_authorized": false
},
{
"lane_id": "runner_label_owner_export_request",
"title": "Runner label / executor / hosted minutes 風險 redacted export",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"runner_label",
"runner_scope",
"executor_type",
"host_alias",
"hosted_or_self_hosted",
"owner",
"maintenance_window"
],
"forbidden_fields": [
"runner_registration_token",
"runner_admin_token",
"ssh_private_key",
"host_password",
"api_token"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_runner_inventory_summary"
],
"acceptance_gate": [
"必須確認 GitHub primary 後哪些 workflow 仍使用 self-hosted runner避免誤用 GitHub hosted minutes。",
"只保存 label、owner 與 executor metadata不保存 runner token。",
"若 runner label 無 owner必須保持 primary readiness blocked。"
],
"execution_authorized": false
},
{
"lane_id": "deploy_key_redacted_export_request",
"title": "Deploy key / machine key 名稱與 read-only 狀態 redacted export",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"key_name",
"read_only_flag",
"repo_scope",
"owner",
"last_seen_metadata"
],
"forbidden_fields": [
"private_key",
"public_key_full_value",
"token_value",
"password",
"credential_value"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_api_summary",
"admin_export_after_manual_redaction"
],
"acceptance_gate": [
"只允許列 key 名稱、read-only flag、repo scope 與 owner。",
"不得保存 private key 或完整 public key material。",
"write-capable key 必須只標成風險與 owner review不得自動 rotate。"
],
"execution_authorized": false
},
{
"lane_id": "branch_protection_codeowners_export_request",
"title": "Branch protection / required checks / CODEOWNERS redacted export",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"protected_branch_name",
"required_review_count",
"required_status_check_names",
"codeowners_path",
"owner_team_names"
],
"forbidden_fields": [
"team_secret",
"personal_access_token",
"admin_override_token",
"session_cookie"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_api_summary",
"local_codeowners_snapshot"
],
"acceptance_gate": [
"必須列出 GitHub primary 前 main/dev branch 的 protection 差異。",
"required status checks 名稱必須與實際 workflow 或 runner label 對上。",
"缺 CODEOWNERS 不等於 blocked runtime只代表 primary readiness 未完成。"
],
"execution_authorized": false
},
{
"lane_id": "repository_secret_name_parity_export_request",
"title": "Repository secret 名稱 parity redacted export",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"secret_name",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner",
"present_in_gitea",
"present_in_github"
],
"forbidden_fields": [
"secret_value",
"secret_plaintext",
"token_value",
"private_key",
"credential_value"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_secret_name_summary",
"admin_export_after_manual_redaction"
],
"acceptance_gate": [
"只比對 secret 名稱、scope、owner 與 present/absent metadata。",
"不得輸出 value、hash、partial token 或可還原片段。",
"缺漏 secret 只建立 owner review lane不自動建立或 rotate secret。"
],
"execution_authorized": false
}
],
"repo_export_requests": [
{
"repo_key": "awoooi",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"risk": "HIGH",
"request_state": "waiting_owner_export",
"requested_lanes": [
"webhook_redacted_export_request",
"runner_label_owner_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"此 repo 是核心產品與 deploy workflow 主線,必須先確認 webhook、runner label、branch protection 與 secret name parity。",
"若未證明 self-hosted runner owner 與 label 對齊,不可宣告 GitHub primary ready。"
],
"still_forbidden": [
"修改 workflow",
"rotate secret",
"sync refs",
"switch_github_primary"
]
},
{
"repo_key": "clawbot-v5",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"本機 repo 可見但未找到 workflow / CODEOWNERS仍需 owner 確認是否真的不需要 workflow 與 repo secret。",
"若 GitHub target 另有 private workflow必須用 redacted export 補證。"
],
"still_forbidden": [
"建立 secret",
"修改 branch protection",
"push refs",
"switch_github_primary"
]
},
{
"repo_key": "wooo-aiops",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"webhook_redacted_export_request",
"runner_label_owner_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"S4.2 workflow CODEOWNERS webhook secret name parity",
" workflow 使 hosted runner runner"
],
"still_forbidden": [
"delete GitHub-only refs",
" webhook",
" secret value",
"switch_github_primary"
]
},
{
"repo_key": "wooo-infra-config",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"runner_label_owner_export_request",
"deploy_key_redacted_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"infra repo key read-only flag owner key material",
"110 internal remote owner request remote"
],
"still_forbidden": [
" private key",
" infra secret value",
" remote",
"switch_github_primary"
]
},
{
"repo_key": "ewoooc",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"risk": "HIGH",
"request_state": "waiting_owner_export",
"requested_lanes": [
"runner_label_owner_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
" repo canonical target unrelated history export request workflow / secret evidence",
" canonical repo primary readiness"
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
" secret value",
"switch_github_primary"
]
},
{
"repo_key": "bitan-pharmacy",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
" repo workflow owner repo secret deploy key",
" repo active owner primary readiness board "
],
"still_forbidden": [
"auto_create_repo",
"push refs",
" secret value",
"switch_github_primary"
]
},
{
"repo_key": "tsenyang-website",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
" repo workflow owner repo secret deploy key",
" repo active owner primary readiness board "
],
"still_forbidden": [
"auto_create_repo",
"push refs",
" secret value",
"switch_github_primary"
]
},
{
"repo_key": "open-design",
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"risk": "LOW",
"request_state": "waiting_scope_review",
"requested_lanes": [],
"owner_export_required": false,
"read_only_api_allowed": false,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
" repo external scope review AWOOOI GitHub primary cutover queue",
" in-scope approval item"
],
"still_forbidden": [
" primary cutover queue",
" repo visibility",
"sync refs"
]
},
{
"repo_key": "vibework",
"github_repo": "owenhytsai/VibeWork",
"source_key": "vibework",
"scope_status": "in_scope",
"risk": "HIGH",
"request_state": "waiting_owner_export",
"requested_lanes": [
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
" repo workflow / CODEOWNERS owner workflowrepo secretdeploy key ",
" VibeWork request primary switchrepo creation workflow "
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
" secret value",
"switch_github_primary",
" VibeWork AWOOOI "
]
},
{
"repo_key": "agent-bounty-protocol",
"github_repo": "owenhytsai/agent-bounty-protocol",
"source_key": "agent-bounty-protocol",
"scope_status": "in_scope",
"risk": "HIGH",
"request_state": "waiting_owner_export",
"requested_lanes": [
"runner_label_owner_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
" 1 Gitea workflow ubuntu-latest runner label owner runner ownerbranch protection / CODEOWNERS secret name parity",
"agent / bounty / treasury / MCP / A2A owner response runtime execution"
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
" workflow",
" runner",
" secret value",
"switch_github_primary",
" bounty / agent runtime "
]
}
],
"acceptance_rules": [
" export producercollection timestampredaction_status evidence_ref",
" API export 使 read-only token token write scope owner attestation ",
" secret valuetoken valuecookieprivate keywebhook secretrunner registration token mirror quarantine",
"export request evidence review GitHub primary ready",
" owner review lane repoworkflowwebhookrunnerdeploy keybranch protection secret"
],
"redaction_rules": [
"URL usernamepasswordtoken query secret host redacted path",
"secret scopeownerused_by_workflow present/absent metadata",
"key key nameread_only_flagrepo_scopeowner key material",
"runner labelscopeexecutor_typehost_aliashosted_or_self_hosted owner",
" credential hashprefixsuffix partial token "
],
"forbidden_actions": [
"collect_secret_value",
"store_secret_token_cookie_private_key_or_webhook_secret",
"use_write_token",
"call_runtime_execute",
"modify_workflow",
"modify_webhook",
"modify_runner",
"modify_deploy_key",
"modify_branch_protection",
"create_or_rotate_secret",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"disable_gitea",
"add_action_button"
]
}