awoooi/docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md
Your Name bb459d59f9
Some checks failed
Code Review / ai-code-review (push) Successful in 15s
CD Pipeline / tests (push) Successful in 1m43s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
feat(iwooos): add CD runner secret post-incident readback gate
2026-06-16 11:42:38 +08:00

CD / Runner / Secret injection post-incident readback read-only plan

| Item | Content |
|---|---|
| Date | 2026-06-16 |
| Status | post_incident_readback_plan_ready_no_runtime_action |
| Tool | scripts/security/cd-runner-secret-injection-post-incident-readback-plan.py |
| Snapshot | docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json |
| Source evidence | docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json |
| runtime gate | 0 |

1. Purpose

This plan follows the CD / runner / secret injection change evidence acceptance step and deals specifically with post-incident readback: after any anomaly or change involving a workflow, runner or secret injection, the owner must read back the actor, time window, workflow diff state, runner attestation, secret name parity, secret injection route, step-env secret guard, log redaction, deploy marker, Gitea run, webhook / notification receipt, before / after deploy state, rollback, post-check and recurrence guard.

It handles metadata-only evidence refs: it does not call the Gitea / GitHub API, read the secret store, read secret values, modify workflows, enable runners, rotate secrets, dispatch workflows or trigger deployments, and it never treats CD success, a deploy marker, workflow success, a route returning 200, a runner being online, AwoooP approval or UI-visible state as runtime authorization.

2. Fixed scope

| Metric | Value | Interpretation |
|---|---|---|
| readback_candidate_count | 5 | Five candidate classes: CD pipeline, Code Review, Deploy alerts, Runner attestation, Secret parity / injection owner |
| c0_readback_candidate_count | 4 | CD, Code Review, Runner and Secret parity are C0 |
| c1_readback_candidate_count | 1 | Deploy alerts / monitoring route is C1 |
| write_capable_readback_candidate_count | 5 | All five classes can affect the workflow, runner, secret injection, notification or deploy path |
| secret_sensitive_readback_candidate_count | 5 | All five classes must be checked so that no secret value / hash / partial token / runner token appears |
| runner_or_workflow_readback_candidate_count | 5 | All five classes must read back the workflow / runner boundary |
| deploy_or_run_readback_required_candidate_count | 5 | All five classes need a deploy marker or Gitea run readback, or a stated reason why it does not apply |
| required_readback_field_count | 33 | Required post-incident readback fields |
| reviewer_check_count | 30 | Mandatory reviewer check rules |
| outcome_lane_count | 11 | Intake outcome lanes |
| blocked_action_count | 52 | Explicitly blocked actions |

3. Required post-incident readback fields

Each post-incident readback needs at least:

  1. incident_or_change_ref
  2. actor_attribution_ref
  3. change_time_window_ref
  4. change_intent_or_break_glass_ref
  5. workflow_diff_state_ref
  6. runner_attestation_state_ref
  7. runner_executor_host_readback_ref
  8. runner_workspace_cleanup_readback_ref
  9. runner_permission_scope_ref
  10. secret_name_parity_state_ref
  11. secret_injection_route_state_ref
  12. step_env_secret_guard_result_ref
  13. log_redaction_readback_ref
  14. deploy_marker_readback_ref
  15. gitea_action_run_readback_ref
  16. webhook_delivery_state_ref
  17. deploy_key_branch_protection_codeowners_ref
  18. notification_delivery_receipt_ref
  19. before_after_deploy_state_ref
  20. affected_route_or_service_state_ref
  21. cross_project_sync_ref
  22. rollback_validation_ref
  23. postcheck_evidence_ref
  24. post_change_monitoring_ref
  25. recurrence_guard_ref
  26. maintenance_window
  27. rollback_owner
  28. followup_owner
  29. redacted_evidence_refs
  30. no_secret_value_attestation
  31. no_raw_workflow_payload_attestation
  32. no_unredacted_log_attestation
  33. no_false_green_attestation

All of the above fields may hold only redacted refs, commits, artifact pointers, run ids, job ids, tickets or hashes. They must not contain secret values, secret hashes, masked tokens, partial tokens, runner tokens, webhook secrets, private keys, deploy key private material, cookies, authorization headers, full credential URLs, unredacted action logs or unredacted screenshots.

4. Reviewer checks

The reviewer must confirm that:

  • The source change evidence acceptance snapshot is the current version.
  • The incident / change ref, actor, time window and intent / break-glass reason are all present.
  • The workflow diff state is presented only as a ref; no raw workflow payload is stored.
  • Runner label, executor, host alias, workspace cleanup, permission scope and hosted-runner risk are traceable.
  • Secret name parity, secret injection route, step-env secret guard and log redaction readback are complete.
  • Deploy marker and Gitea run readback serve only as evidence and do not constitute runtime approval.
  • Webhook delivery, deploy key, branch protection, CODEOWNERS, notification receipt and cross-project sync impact are marked.
  • Rollback validation, post-check, post-change monitoring and recurrence guard are listed explicitly.
  • CD success, deploy marker, workflow success, route 200, runner online, UI visibility or AwoooP approval is not treated as acceptance.

5. Outcome lanes

| Lane | Description |
|---|---|
| waiting_post_incident_readback | No post-incident readback package received yet |
| request_actor_or_time_supplement | Missing actor, time window, intent or break-glass reason |
| request_workflow_runner_supplement | Missing workflow diff, runner attestation, executor / host, workspace cleanup or permission scope |
| request_secret_injection_supplement | Missing secret name parity, injection route, step-env guard or log redaction readback |
| request_deploy_run_supplement | Missing deploy marker, Gitea run readback, before / after deploy state or post-check |
| request_webhook_notification_supplement | Missing webhook delivery, notification receipt, SRE route owner or cross-project sync |
| quarantine_sensitive_payload | Quarantine when a sensitive value, runner token, webhook secret, private key, unredacted log or screenshot is received |
| reject_false_green_claim | Reject when CD success, deploy marker, workflow success, route 200, runner online, UI visibility or AwoooP approval is offered as acceptance |
| ready_for_cd_runner_secret_post_incident_review | Metadata passes; proceed to reviewer review |
| recurrence_guard_backfill_required | Needs a backfilled recurrence guard, owner review, change freeze, automation block or runner isolation plan |
| waiting_runtime_gate | Even after the readback is accepted, the runtime gate still requires independent manual approval |
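The intake logic of Sections 3 and 5, as an added example that is not part of the original page and is not the project's `scripts/security/cd-runner-secret-injection-post-incident-readback-plan.py`. It classifies a readback package (a dict of field name to redacted ref) into one Section 5 lane. Assumptions of this example: the grouping of the 33 fields into supplement lanes, a hypothetical free-text `acceptance_basis` field used to detect false-green claims, and a few illustrative regexes standing in for a real secret scanner. The sample package is constructed inline.

```python
"""Metadata-only outcome-lane classifier for a CD / runner / secret-injection
post-incident readback package. It inspects a dict of refs, never contacts
Gitea, never touches a secret store, and never opens the runtime gate."""
import re

# Section 3 fields grouped by the Section 5 supplement lane they map to.
# This grouping is an assumption of this example: the page lists the fields and
# the lanes but does not publish an explicit field-to-lane mapping.
SUPPLEMENT_LANES = {
    "request_actor_or_time_supplement": [
        "incident_or_change_ref", "actor_attribution_ref",
        "change_time_window_ref", "change_intent_or_break_glass_ref"],
    "request_workflow_runner_supplement": [
        "workflow_diff_state_ref", "runner_attestation_state_ref",
        "runner_executor_host_readback_ref", "runner_workspace_cleanup_readback_ref",
        "runner_permission_scope_ref", "no_raw_workflow_payload_attestation"],
    "request_secret_injection_supplement": [
        "secret_name_parity_state_ref", "secret_injection_route_state_ref",
        "step_env_secret_guard_result_ref", "log_redaction_readback_ref",
        "redacted_evidence_refs", "no_secret_value_attestation",
        "no_unredacted_log_attestation"],
    "request_deploy_run_supplement": [
        "deploy_marker_readback_ref", "gitea_action_run_readback_ref",
        "before_after_deploy_state_ref", "affected_route_or_service_state_ref",
        "rollback_validation_ref", "postcheck_evidence_ref",
        "post_change_monitoring_ref", "maintenance_window", "rollback_owner"],
    "request_webhook_notification_supplement": [
        "webhook_delivery_state_ref", "deploy_key_branch_protection_codeowners_ref",
        "notification_delivery_receipt_ref", "cross_project_sync_ref", "followup_owner"],
}
# recurrence_guard_ref and no_false_green_attestation have lanes of their own.
REQUIRED_FIELDS = [f for fs in SUPPLEMENT_LANES.values() for f in fs] + [
    "recurrence_guard_ref", "no_false_green_attestation"]

# Material that must never appear in any field (Section 3, last paragraph).
# These patterns are illustrative, not an exhaustive secret scanner.
SENSITIVE_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),            # private / deploy key
    re.compile(r"(?i)authorization:\s*(bearer|basic)\s+\S+"),     # authorization header
    re.compile(r"https?://[^/\s:]+:[^@\s]+@"),                    # user:pass@ credential URL
    re.compile(r"(?i)\b(token|secret|password)\s*[:=]\s*\S{8,}"),  # inline value
]
# Claims that are evidence at most and never acceptance (Sections 1, 4, 5).
FALSE_GREEN_MARKERS = ("cd success", "deploy marker", "workflow success",
                       "route 200", "runner online", "ui visible", "awooop approval")
RUNTIME_GATE = 0  # stays 0 whatever the lane; opening it is a separate manual approval


def _result(lane, missing=()):
    return {"lane": lane, "missing": list(missing), "runtime_gate": RUNTIME_GATE}


def missing_fields(package, fields):
    """A field is present only as a non-empty ref, or True for the attestation booleans."""
    return [f for f in fields if package.get(f) in (None, "", False, [])]


def classify(package):
    """Map one readback package (field -> redacted ref) to a Section 5 lane."""
    if not package:
        return _result("waiting_post_incident_readback")
    # 1. Sensitive material anywhere in the package is quarantined before any other check.
    if any(p.search(str(v)) for v in package.values() for p in SENSITIVE_PATTERNS):
        return _result("quarantine_sensitive_payload")
    # 2. A false-green claim offered as the acceptance basis is rejected.
    #    'acceptance_basis' is a hypothetical free-text field assumed by this example.
    basis = str(package.get("acceptance_basis", "")).lower()
    if (any(m in basis for m in FALSE_GREEN_MARKERS)
            or package.get("no_false_green_attestation") is not True):
        return _result("reject_false_green_claim",
                       missing_fields(package, ["no_false_green_attestation"]))
    # 3. Ask for the first incomplete group of refs, in Section 5 order.
    for lane, fields in SUPPLEMENT_LANES.items():
        gaps = missing_fields(package, fields)
        if gaps:
            return _result(lane, gaps)
    # 4. The recurrence guard has its own backfill lane.
    if missing_fields(package, ["recurrence_guard_ref"]):
        return _result("recurrence_guard_backfill_required", ["recurrence_guard_ref"])
    # 5. Metadata complete: hand to the reviewer; the runtime gate is still closed.
    return _result("ready_for_cd_runner_secret_post_incident_review")


def constructed_package():
    """Constructed sample package: every field holds a placeholder ref, never a value."""
    pkg = {f: f"ref-EXAMPLE/{f}" for f in REQUIRED_FIELDS}
    for f in REQUIRED_FIELDS:
        if f.endswith("_attestation"):
            pkg[f] = True
    return pkg


if __name__ == "__main__":
    good = constructed_package()
    print(classify(good)["lane"])    # ready_for_cd_runner_secret_post_incident_review
    leaked = dict(good, log_redaction_readback_ref="-----BEGIN OPENSSH PRIVATE KEY-----")
    print(classify(leaked)["lane"])  # quarantine_sensitive_payload
    green = dict(good, acceptance_basis="CD success and route 200")
    print(classify(green)["lane"])   # reject_false_green_claim
```

The check order matters: quarantine runs before anything else so a leaked value is never echoed back in a "missing fields" response, and a false-green claim is rejected before the supplement lanes so the owner cannot substitute a green pipeline for the missing refs. The returned `runtime_gate` is always 0; reaching the ready lane only hands the package to a reviewer.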

6. Blocked actions

This plan explicitly forbids: modifying workflows; dispatching a workflow without approval; enabling / installing / restarting a runner; modifying runner labels; using a runner admin token; enabling GitHub hosted runners; collecting secret values / hashes / partial tokens / runner tokens / webhook secrets / deploy key private material; storing raw workflow payloads / unredacted action logs; creating / updating / rotating / deleting repo secrets; reading the secret store; modifying the secret injection path; modifying webhooks; modifying deploy keys; modifying branch protection; modifying CODEOWNERS; syncing refs; force pushing; switching GitHub to primary; disabling Gitea; executing the CD pipeline as an action; injecting K8s secrets; ArgoCD sync; production deploy; adding action buttons; or opening the runtime gate.

7. Completion and boundaries

| Work item | Completion | Boundary |
|---|---|---|
| CD / Runner / Secret injection post-incident readback plan | 100% | Read-only plan and snapshot created |
| Secret metadata read-only governance maturity | 68% -> 70% | Reflects only the post-incident readback fields being filled in; does not mean secrets can be read or modified |
| Gitea workflow / runner source-control read-only governance maturity | 72% -> 74% | Reflects only the workflow / runner post-incident readback fields being filled in; does not mean workflows / runners can be modified |
| post-incident readback received / accepted | 0% | No post-incident readback received or accepted yet |
| runtime gate | 0 | Does not open workflow, runner, secret, deploy, ArgoCD or production actions |

8. Next steps

  1. Ask the owner to provide only post-incident readback refs: workflow diff state, runner attestation, secret name parity, secret injection route, Gitea run readback, guard result, deploy marker, notification receipt, rollback owner and post-check evidence.
  2. The reviewer checks only metadata completeness, no-secret-value, log redaction and no-false-green, and stores no raw workflow payload, raw action log or credential material.
  3. Any future move into a runtime approval package requires a separately opened maintenance window, rollback owner, cross-project sync and production post-check gate.