awoooi/docs/evaluations/gitea_workflow_runner_health_2026-06-05.json
Your Name 943faaeef7
feat(governance): 新增 Gitea workflow runner 健康合約
2026-06-05 11:30:56 +08:00

{
"schema_version": "gitea_workflow_runner_health_v1",
"generated_at": "2026-06-05T10:56:16+08:00",
"program_status": {
"overall_completion_percent": 100,
"current_priority": "P1",
"current_task_id": "P1-002",
"next_task_id": "P1-003",
"read_only_mode": true
},
"source_refs": [
"docs/schemas/gitea_workflow_runner_health_v1.schema.json",
".gitea/workflows/agent-market-watch.yaml",
".gitea/workflows/ansible-lint.yml",
".gitea/workflows/cd-dev.yaml",
".gitea/workflows/cd.yaml",
".gitea/workflows/code-review.yaml",
".gitea/workflows/deploy-alerts.yaml",
".gitea/workflows/e2e-health.yaml",
".gitea/workflows/run-migration.yml",
".gitea/workflows/type-sync-check.yaml",
"scripts/ci/check-gitea-step-env-secrets.js",
"scripts/ci/cleanup-host-runner-workspace.sh",
"scripts/ci/wait-host-web-build-pressure.sh",
"scripts/ci/notify-awoooi-cicd.sh",
"scripts/setup-runner-watchdog.sh",
"scripts/ops/stop-stale-gitea-actions-jobs.sh"
],
"rollups": {
"total_workflows": 9,
"by_workflow_status": {
"manifest_mapped": 9
},
"by_runner_evidence_status": {
"owner_attestation_required": 7,
"host_runner_mapped": 1,
"comment_ambiguous": 1
},
"workflows_with_schedule": 2,
"workflows_with_workflow_dispatch": 7,
"workflows_with_notify_bridge": 6,
"workflows_with_actionable_or_failure_quiet_policy": 2,
"workflow_ids_requiring_runner_attestation": [
"agent_market_watch",
"ansible_lint",
"cd_dev",
"code_review",
"deploy_alerts",
"e2e_health",
"run_migration",
"type_sync_check"
],
"total_runner_contracts": 4,
"runner_contracts_requiring_action": [
"ubuntu_latest_gitea_runner_label"
],
"notification_contracts_total": 6,
"notification_contracts_quiet_success_count": 2,
"notification_contracts_quiet_success_ids": [
"agent_market_watch_actionable_only",
"e2e_health_failure_only"
]
},
"workflow_records": [
{
"workflow_id": "agent_market_watch",
"file_ref": ".gitea/workflows/agent-market-watch.yaml",
"display_name": "Agent Market Watch",
"scope": "每週市場觀察與手動觀察;只產生報告、分類與推廣候選,不做 SDK/API/replay/shadow/canary 或 OpenClaw 替換批准。",
"status": "manifest_mapped",
"risk_level": "medium",
"triggers": [
"workflow_dispatch",
"schedule"
],
"schedule_cadence": "每週一 09:00 Asia/Taipei；cron=0 1 * * 1 UTC",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "actionable_only_no_success_noise",
"notify_bridge_calls": 0,
"secrets_policy_status": "未讀取 Secret；只由 workflow 條件與 committed script 形成只讀證據。",
"evidence_refs": [
".gitea/workflows/agent-market-watch.yaml",
"docs/evaluations/agent_market_watch_report_2026-06-04_watch_expanded.json"
],
"next_action": "保留 actionable-only；下一步只補 runner label owner attestation，不啟用額外通知或 paid API。"
},
{
"workflow_id": "ansible_lint",
"file_ref": ".gitea/workflows/ansible-lint.yml",
"display_name": "Ansible Lint",
"scope": "Ansible 檔案 lint無通知橋接。",
"status": "manifest_mapped",
"risk_level": "low",
"triggers": [
"push"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "read_only_no_notify",
"notify_bridge_calls": 0,
"secrets_policy_status": "未見通知或 Secret payload 使用;仍需只讀 secret-name hygiene 持續檢查。",
"evidence_refs": [
".gitea/workflows/ansible-lint.yml"
],
"next_action": "補 ubuntu-latest 在 Gitea Actions 的 owner attestation，不改 workflow label。"
},
{
"workflow_id": "cd_dev",
"file_ref": ".gitea/workflows/cd-dev.yaml",
"display_name": "CD Pipeline (Dev)",
"scope": "dev branch build / deploy；屬部署狀態通知例外，不套用 success-noise 全靜音。",
"status": "manifest_mapped",
"risk_level": "high",
"triggers": [
"push:dev",
"workflow_dispatch"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "deployment_status_exception",
"notify_bridge_calls": 3,
"secrets_policy_status": "需維持 scripts/ci/check-gitea-step-env-secrets.js 類型的 step env / action input hygiene。",
"evidence_refs": [
".gitea/workflows/cd-dev.yaml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "保留部署狀態例外;補 runner owner attestation 與通知降噪邊界,不直接改 dev CD。"
},
{
"workflow_id": "cd_pipeline",
"file_ref": ".gitea/workflows/cd.yaml",
"display_name": "CD Pipeline",
"scope": "main branch code-review 後的正式測試、build、deploy、post-deploy；使用 awoooi-host runner。",
"status": "manifest_mapped",
"risk_level": "critical",
"triggers": [
"push:main",
"workflow_dispatch"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"awoooi-host"
],
"runner_evidence_status": "host_runner_mapped",
"job_count": 3,
"notification_policy": "deployment_status_exception",
"notify_bridge_calls": 9,
"secrets_policy_status": "正式 CD 使用 check-gitea-step-env-secrets guard；不在本 snapshot 讀取任何 Secret payload。",
"evidence_refs": [
".gitea/workflows/cd.yaml",
"scripts/ci/check-gitea-step-env-secrets.js",
"scripts/ci/cleanup-host-runner-workspace.sh",
"scripts/ci/wait-host-web-build-pressure.sh"
],
"next_action": "保留 awoooi-host 合約與 post-deploy smoke；任何 CD 修改仍需獨立 review / deploy gate。"
},
{
"workflow_id": "code_review",
"file_ref": ".gitea/workflows/code-review.yaml",
"display_name": "Code Review",
"scope": "AI code review 與 stale-main guard；不等於自動 merge 或部署批准。",
"status": "manifest_mapped",
"risk_level": "high",
"triggers": [
"push",
"workflow_dispatch"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "manual_status_exception",
"notify_bridge_calls": 2,
"secrets_policy_status": "不讀 Secret payload；仍需 owner attestation 證明 runner 與通知 secret name parity。",
"evidence_refs": [
".gitea/workflows/code-review.yaml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "保留 review 狀態通知;補 runner label 與 secret-name hygiene 證據。"
},
{
"workflow_id": "deploy_alerts",
"file_ref": ".gitea/workflows/deploy-alerts.yaml",
"display_name": "Deploy Alert Rules",
"scope": "告警規則部署流程;屬人工/部署狀態例外,不在 P1-002 變更 alert rule。",
"status": "manifest_mapped",
"risk_level": "high",
"triggers": [
"workflow_dispatch",
"push"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "manual_status_exception",
"notify_bridge_calls": 1,
"secrets_policy_status": "不讀 Secret payload；告警鏈路 E2E 需另走 ADR-025/相關 guard。",
"evidence_refs": [
".gitea/workflows/deploy-alerts.yaml",
"scripts/ci/notify-awoooi-cicd.sh",
"docs/HARD_RULES.md"
],
"next_action": "P1-003 再盤點 Alertmanager / Prometheus 合約；P1-002 不改 alert rules。"
},
{
"workflow_id": "e2e_health",
"file_ref": ".gitea/workflows/e2e-health.yaml",
"display_name": "E2E Health Check",
"scope": "每日正式 API health 檢查;失敗才升級通知。",
"status": "manifest_mapped",
"risk_level": "medium",
"triggers": [
"workflow_dispatch",
"schedule"
],
"schedule_cadence": "每日 00:00 Asia/Taipei；cron=0 16 * * * UTC",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "failure_only",
"notify_bridge_calls": 1,
"secrets_policy_status": "失敗通知透過 notify bridge；本 snapshot 不讀 Telegram / webhook Secret payload。",
"evidence_refs": [
".gitea/workflows/e2e-health.yaml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "保留 failure-only；補 runner owner attestation 與最近 run 證據。"
},
{
"workflow_id": "run_migration",
"file_ref": ".gitea/workflows/run-migration.yml",
"display_name": "run-migration",
"scope": "手動 migration workflow；不得由 P1-002 觸發。",
"status": "manifest_mapped",
"risk_level": "critical",
"triggers": [
"workflow_dispatch"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"ubuntu-latest # 或 self-hosted runner on 110"
],
"runner_evidence_status": "comment_ambiguous",
"job_count": 1,
"notification_policy": "manual_status_exception",
"notify_bridge_calls": 1,
"secrets_policy_status": "Migration 相關 secret / DB 權限不得由 P1-002 讀取或擴權。",
"evidence_refs": [
".gitea/workflows/run-migration.yml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "只讀補 runner label owner attestation 與 migration approval boundary，不觸發 workflow。"
},
{
"workflow_id": "type_sync_check",
"file_ref": ".gitea/workflows/type-sync-check.yaml",
"display_name": "Type Sync Check",
"scope": "型別同步檢查;無通知橋接。",
"status": "manifest_mapped",
"risk_level": "low",
"triggers": [
"push"
],
"schedule_cadence": "無定期排程",
"runner_labels": [
"ubuntu-latest"
],
"runner_evidence_status": "owner_attestation_required",
"job_count": 1,
"notification_policy": "read_only_no_notify",
"notify_bridge_calls": 0,
"secrets_policy_status": "無通知橋接;仍需 runner label attestation。",
"evidence_refs": [
".gitea/workflows/type-sync-check.yaml"
],
"next_action": "補 runner label owner attestation，不改 workflow。"
}
],
"runner_contracts": [
{
"contract_id": "awoooi_host_runner",
"display_name": "awoooi-host 正式 CD runner",
"status": "manifest_mapped",
"risk_level": "critical",
"runner_labels": [
"awoooi-host"
],
"used_by_workflows": [
"cd_pipeline"
],
"health_contract": "正式 CD tests/build/post-deploy 均使用 awoooi-host；cleanup 與 build-pressure guard 只做等候 / 清理,不代表可任意重啟 runner。",
"guardrail_refs": [
"scripts/ci/cleanup-host-runner-workspace.sh",
"scripts/ci/wait-host-web-build-pressure.sh"
],
"evidence_refs": [
".gitea/workflows/cd.yaml",
"docs/LOGBOOK.md"
],
"next_action": "維持正式 CD runner 合約;任何 systemd / runner 變更另走人工批准。"
},
{
"contract_id": "ubuntu_latest_gitea_runner_label",
"display_name": "ubuntu-latest Gitea runner label 對應",
"status": "action_required",
"risk_level": "high",
"runner_labels": [
"ubuntu-latest"
],
"used_by_workflows": [
"agent_market_watch",
"ansible_lint",
"cd_dev",
"code_review",
"deploy_alerts",
"e2e_health",
"run_migration",
"type_sync_check"
],
"health_contract": "多數 workflow 仍標示 ubuntu-latest；需要 Gitea runner owner 以脫敏 metadata 證明實際 runner 對應、容量與維護責任。",
"guardrail_refs": [
"docs/HARD_RULES.md",
"docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md"
],
"evidence_refs": [
".gitea/workflows/agent-market-watch.yaml",
".gitea/workflows/e2e-health.yaml",
".gitea/workflows/run-migration.yml"
],
"next_action": "建立 owner attestation request；不得直接把 label 改成 self-hosted 或啟用新 runner。"
},
{
"contract_id": "runner_watchdog_systemd",
"display_name": "actions.runner systemd watchdog 草案",
"status": "prepared_not_applied_by_snapshot",
"risk_level": "medium",
"runner_labels": [
"actions.runner.owenhytsai-awoooi.awoooi-110.service"
],
"used_by_workflows": [
"cd_pipeline",
"Gitea Actions host runner service"
],
"health_contract": "setup script 只描述 WatchdogSec=300、Restart=always、StartLimitBurst=5；P1-002 不套用、不 restart、不 systemctl daemon-reload。",
"guardrail_refs": [
"scripts/setup-runner-watchdog.sh"
],
"evidence_refs": [
"scripts/setup-runner-watchdog.sh",
"docs/MONITORING_COMPLETE_STRATEGY.md"
],
"next_action": "若需套用 watchdog，另開批准包與維護窗口；本 snapshot 僅展示草案存在。"
},
{
"contract_id": "stale_job_container_guard",
"display_name": "Gitea Actions stale job container guard",
"status": "dry_run_only",
"risk_level": "high",
"runner_labels": [
"GITEA-ACTIONS-* docker containers"
],
"used_by_workflows": [
"all_gitea_actions"
],
"health_contract": "stop-stale-gitea-actions-jobs.sh 預設 dry-run；只有 --apply 才停止 container，且仍要檢查 recent logs 與 workflow threshold。",
"guardrail_refs": [
"scripts/ops/stop-stale-gitea-actions-jobs.sh"
],
"evidence_refs": [
"scripts/ops/stop-stale-gitea-actions-jobs.sh"
],
"next_action": "維持 dry-run-only；不得由治理頁或 API 直接停止 container。"
}
],
"notification_contracts": [
{
"contract_id": "agent_market_watch_actionable_only",
"display_name": "Agent Market Watch actionable-only",
"status": "preserved",
"policy_kind": "actionable_only",
"success_noise_policy": "無 actionable market change 時保持 Telegram 安靜,不發成功洗版訊息。",
"failure_policy": "發現新候選、queue、失敗或需人工 review 時才產生 summary / action-required。",
"workflow_refs": [
"agent_market_watch"
],
"evidence_refs": [
".gitea/workflows/agent-market-watch.yaml"
],
"next_action": "保留每週觀察 cadence；P1-002 不增加外部 API 或通知頻率。"
},
{
"contract_id": "e2e_health_failure_only",
"display_name": "E2E Health failure-only",
"status": "preserved",
"policy_kind": "failure_only",
"success_noise_policy": "健康檢查成功不即時通知。",
"failure_policy": "workflow failure 才呼叫 notify bridge / Alertmanager payload。",
"workflow_refs": [
"e2e_health"
],
"evidence_refs": [
".gitea/workflows/e2e-health.yaml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "保留 failure-only；後續只補最近 run readback。"
},
{
"contract_id": "cd_pipeline_status_exception",
"display_name": "正式 CD 狀態通知例外",
"status": "exception_documented",
"policy_kind": "deployment_status_exception",
"success_noise_policy": "正式部署成功通知屬 release evidence，不套入一般備份成功靜音規則；仍不得在非部署情境洗版。",
"failure_policy": "tests/build/deploy/post-deploy 任一失敗必須升級。",
"workflow_refs": [
"cd_pipeline"
],
"evidence_refs": [
".gitea/workflows/cd.yaml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "保留 release evidence；任何降噪調整另提批准包。"
},
{
"contract_id": "dev_cd_status_exception",
"display_name": "Dev CD 狀態通知例外",
"status": "exception_documented",
"policy_kind": "deployment_status_exception",
"success_noise_policy": "dev deploy status 屬部署流程訊號;不得擴大為其他成功洗版。",
"failure_policy": "dev build/deploy failure 升級到 AwoooP / Telegram contract。",
"workflow_refs": [
"cd_dev"
],
"evidence_refs": [
".gitea/workflows/cd-dev.yaml",
"scripts/ci/notify-awoooi-cicd.sh"
],
"next_action": "保留現況;後續評估 dev 通知是否需要降噪。"
},
{
"contract_id": "review_and_manual_workflow_status_exception",
"display_name": "Review / manual workflow 狀態例外",
"status": "exception_documented",
"policy_kind": "manual_status_exception",
"success_noise_policy": "code-review、alert deploy、migration 的狀態訊號不自動擴張到成功洗版;手動 workflow 成功仍應看情境與 release evidence。",
"failure_policy": "review、alert deploy 或 migration failure 必須留可追蹤證據。",
"workflow_refs": [
"code_review",
"deploy_alerts",
"run_migration"
],
"evidence_refs": [
".gitea/workflows/code-review.yaml",
".gitea/workflows/deploy-alerts.yaml",
".gitea/workflows/run-migration.yml"
],
"next_action": "P1-003 盤點告警流程時再處理 alert deploy；P1-002 不發通知、不觸發 migration。"
},
{
"contract_id": "lint_and_typecheck_no_notify",
"display_name": "Lint / typecheck no-notify",
"status": "preserved",
"policy_kind": "read_only_no_notify",
"success_noise_policy": "lint / type sync 成功不通知。",
"failure_policy": "失敗只留 workflow 結果,是否升級需由 code-review / CD gate 判斷。",
"workflow_refs": [
"ansible_lint",
"type_sync_check"
],
"evidence_refs": [
".gitea/workflows/ansible-lint.yml",
".gitea/workflows/type-sync-check.yaml"
],
"next_action": "維持 no-notify；補 runner attestation。"
}
],
"latest_observations": [
{
"observation_id": "latest_gitea_runs_success_readback",
"status": "verified",
"summary": "P1-001 後續正式部署已由 Gitea code-review run 2597 與 CD run 2596 成功收斂；P1-002 只引用既有 deploy evidence，不觸發新 run。",
"evidence_refs": [
"docs/LOGBOOK.md",
"docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md"
]
},
{
"observation_id": "gitea_api_unauthenticated_boundary",
"status": "action_required",
"summary": "Gitea Actions API 若無 token 會遇到 401；P1-002 以 committed workflow、HTML/DB readback 或 owner attestation 為證據,不猜測 API 狀態。",
"evidence_refs": [
"docs/HARD_RULES.md",
"docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md"
]
},
{
"observation_id": "workflow_secret_guard_present",
"status": "verified",
"summary": "正式 CD 已具備 check-gitea-step-env-secrets guard，可阻擋 secrets 掛在 step env / action input；P1-002 不讀任何 Secret payload。",
"evidence_refs": [
"scripts/ci/check-gitea-step-env-secrets.js",
".gitea/workflows/cd.yaml"
]
}
],
"operator_contract": {
"display_mode": "read_only_gitea_workflow_runner_health",
"must_not_interpret_as": [
"workflow 修改批准",
"runner restart / stop 批准",
"Secret 已讀取或可輸出",
"Telegram 測試通知批准",
"排程啟用或變更批准",
"Gitea write token 授權",
"deploy / migration workflow 觸發批准"
],
"secret_display_policy": "只允許顯示 workflow / secret-name hygiene 與 redacted metadata；不得讀 token、runner token、webhook secret、authorization header 或任何 Secret payload。",
"runner_mutation_policy": "本 snapshot 只描述 runner label、watchdog 草案與 dry-run guard；不得 systemctl restart、docker stop、修改 label、註冊 runner 或套用 watchdog。",
"notification_policy": "成功不洗版是預設治理方向；failure-only / actionable-only 合約需保留；CD/review/manual workflow 的狀態通知例外需另外標示。"
},
"operation_boundaries": {
"read_only_api_allowed": true,
"workflow_modification_allowed": false,
"runner_restart_allowed": false,
"runner_container_stop_allowed": false,
"runner_label_change_allowed": false,
"runner_registration_allowed": false,
"secret_read_allowed": false,
"secret_plaintext_allowed": false,
"notification_send_allowed": false,
"schedule_enable_allowed": false,
"gitea_api_write_allowed": false,
"deploy_trigger_allowed": false,
"migration_trigger_allowed": false
},
"approval_boundaries": {
"workflow_modification_authorized": false,
"runner_mutation_authorized": false,
"notification_send_authorized": false,
"secret_plaintext_allowed": false,
"runtime_execution_authorized": false,
"schedule_change_authorized": false,
"gitea_write_authorized": false,
"deploy_trigger_authorized": false,
"migration_trigger_authorized": false
}
}