awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md
Your Name e8e15faf28
feat(security): expand the source-control managed scope
2026-06-11 19:23:40 +08:00


Workflow / Runner / Secret Name Inventory Contract

| Item | Value |
| --- | --- |
| Date | 2026-06-11 |
| Status | draft (missing evidence) |
| Schema | docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json |
| Snapshot | docs/security/source-control-workflow-secret-name-inventory.snapshot.json |
| Local evidence | docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json |
| Export request | docs/security/source-control-workflow-secret-name-export-request.snapshot.json |
| Owner response intake package | docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md / docs/security/source-control-workflow-secret-name-owner-response.snapshot.json |
| Mode | inventory_contract_only |
| Runtime execution authorized | false |

0. Core conclusions

source_control_workflow_secret_name_inventory_v1 is the S4.1 inventory contract for workflow / runner / secret names.

It only defines which read-only fields are collected before the GitHub primary cutover: workflow names, triggers, runner labels, webhook destinations, deploy key names, branch protection, CODEOWNERS, and secret names together with their owners.

It does not collect secret values, does not modify workflows, does not move secrets, and does not authorize the GitHub primary cutover. Currently inventory_complete_count=0.

S4.2 added locally visible evidence: 5 repos have workflow / CODEOWNERS evidence, 33 workflow files, 42 referenced secret names and 5 runner labels. This is only local partial evidence and still does not mean GitHub primary is ready.
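The local evidence above is the kind of data a static scan of workflow files yields. The script below is an added example, not the project's own tooling: it reads workflow YAML as text and records only the read-only fields the lane allows (workflow name, runner labels, environment names and the referenced secret names). It never reads a value, it excludes the automatically issued GITHUB_TOKEN from repository secret parity, and it counts dynamic `secrets[...]` references so a reviewer knows where the static name list is necessarily incomplete. The two workflow files are constructed sample input, and the output field names are this example's own choice rather than the schema on the page.

```python
import json
import re

# Added example (not the project's code). Collects the read-only fields the
# S4.2 local evidence lane needs from workflow files: workflow name, runner
# labels, environment names and referenced secret NAMES. Values are never read.

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# ${{ secrets[...] }} resolves at run time; it cannot be inventoried statically,
# so it is counted to flag that the static name list is incomplete.
DYNAMIC_SECRET_REF = re.compile(r"\$\{\{\s*secrets\[")
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.*)$")
ENVIRONMENT = re.compile(r"^\s*environment:\s*([A-Za-z0-9_./-]+)\s*$")

# GITHUB_TOKEN is issued automatically per job, so it is not a repository
# secret and must not count toward repository secret name parity.
AUTOMATIC_SECRETS = {"GITHUB_TOKEN"}


def _split_labels(value):
    """'ubuntu-latest' -> ['ubuntu-latest']; '[self-hosted, linux]' -> ['self-hosted', 'linux']."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]


def inventory_workflow(path, text):
    """Return the inventory record for one workflow file (names only, no values)."""
    lines = text.splitlines()
    name, labels, envs = None, set(), set()
    for i, line in enumerate(lines):
        if name is None and line.startswith("name:"):  # top-level workflow name only
            name = line.split(":", 1)[1].strip().strip("'\"")
        m = RUNS_ON.match(line)
        if m:
            if m.group(1).strip():
                labels.update(_split_labels(m.group(1)))
            else:  # YAML block-list form: consume the following "- label" lines
                for nxt in lines[i + 1:]:
                    if not nxt.strip().startswith("- "):
                        break
                    labels.add(nxt.strip()[2:].strip().strip("'\""))
        m = ENVIRONMENT.match(line)
        if m:
            envs.add(m.group(1))
    referenced = set(SECRET_REF.findall(text))
    return {
        "workflow_path": path,
        "name": name,
        "runner_labels": sorted(labels),
        "environments": sorted(envs),
        "referenced_secret_names": sorted(referenced - AUTOMATIC_SECRETS),
        "automatic_token_used": bool(referenced & AUTOMATIC_SECRETS),
        "dynamic_secret_refs": len(DYNAMIC_SECRET_REF.findall(text)),
    }


def aggregate_local_evidence(workflows):
    """Roll per-file records up to the counts the inventory status table reports."""
    records = [inventory_workflow(p, t) for p, t in sorted(workflows.items())]
    names, labels = set(), set()
    for r in records:
        names.update(r["referenced_secret_names"])
        labels.update(r["runner_labels"])
    return {
        "workflow_files": len(records),
        "referenced_secret_names": sorted(names),
        "runner_labels": sorted(labels),
        "dynamic_secret_refs": sum(r["dynamic_secret_refs"] for r in records),
        "records": records,
    }


# Constructed sample workflows (not taken from any real repo).
SAMPLE_WORKFLOWS = {
    "repo-a/.github/workflows/cd.yml": """\
name: CD Pipeline
on:
  push:
    branches: [main]
jobs:
  build-and-deploy:
    runs-on: [self-hosted, linux, deploy]
    environment: production
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          KUBE_CONFIG: ${{secrets.KUBE_CONFIG}}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
    "repo-b/.github/workflows/tests.yml": """\
name: tests
on: [pull_request]
jobs:
  test:
    runs-on:
      - self-hosted
      - linux
    strategy:
      matrix:
        target: [staging, prod]
    steps:
      - run: echo deploying
        env:
          API_KEY: ${{ secrets[format('API_KEY_{0}', matrix.target)] }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
""",
}

if __name__ == "__main__":
    print(json.dumps(aggregate_local_evidence(SAMPLE_WORKFLOWS), indent=2))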

S4.3 added a redacted export request package: 9 in-scope repos require an owner / read-only export across 5 export lanes (webhook, runner, deploy key, branch protection / CODEOWNERS, and repository secret name parity). Every export forbids secret values and write tokens.

S4.12 added the owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks and intake package: 1 request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 5 response templates covering webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret name parity. Received and accepted responses are both currently 0, and audit events emitted is still 0. An accepted response only updates read-only evidence; it does not modify workflows, secrets, runners, deploy keys or branch protection.

1. Current status

| Metric | Count |
| --- | --- |
| Candidate repos | 10 |
| In-scope repos | 9 |
| External scope review | 1 |
| Inventory complete | 0 |
| Missing inventory | 9 |
| Secret value collection allowed | false |
| Local evidence repos | 5 |
| Local workflow files | 33 |
| Local referenced secret names | 42 |
| Redacted export request repos | 9 |
| Redacted export lanes | 5 |
| S4.12 request packet | 1 |
| S4.12 template statuses | 5 |
| S4.12 audit event templates | 3 |
| S4.12 redaction examples | 5 |
| S4.12 collection checks | 6 |
| S4.12 intake preflight checks | 6 |
| S4.12 response templates | 5 |
| S4.12 received / accepted / rejected | 0 / 0 / 0 |

2. Inventory Lanes

| Lane | May be stored | Must not be stored |
| --- | --- | --- |
| Workflow | workflow path, name, trigger, runner label, environment, referenced secret names | secret value, token value |
| Webhook | webhook name, destination host, event types, enabled flag, owner | webhook secret, URL containing a token |
| Runner | runner label, scope, executor type, host alias, owner | registration token, SSH private key |
| Deploy key | key name, read-only flag, repo scope, owner | private key |
| Branch protection / CODEOWNERS | protected branch, required checks, CODEOWNERS path, owner team | admin override token |
| Secret names | secret name, scope, owning team, used by workflow, rotation owner | secret value, credential value |
| Redaction audit | redaction status, evidence ref, producer, reviewer | raw secret, raw token, raw private key |
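An intake preflight for owner responses can enforce this table mechanically: a strict per-lane field allowlist catches forbidden and unexpected keys, and a content scan over every string catches a forbidden value that arrives under an allowed key (a PEM block, a URL with userinfo or a token query parameter, a GitHub token prefix). The code below is an added example, not the project's preflight implementation; the JSON field names in LANES are this example's assumptions, since the page does not reproduce the schema. Rejection reasons carry only the field path and rule id, never the offending value, so the decision itself can be written to audit evidence while the payload goes to quarantine. The four responses are constructed sample input.

```python
import re

# Added example (not the project's code). Field names below are assumptions
# standing in for the schema file referenced on the page.
# lane -> (allowed fields, explicitly forbidden fields)
LANES = {
    "workflow": (
        {"workflow_path", "name", "trigger", "runner_label", "environment", "referenced_secret_names"},
        {"secret_value", "token_value"},
    ),
    "webhook": (
        {"name", "destination_host", "event_types", "enabled", "owner"},
        {"webhook_secret", "url"},
    ),
    "runner": (
        {"label", "scope", "executor_type", "host_alias", "owner"},
        {"registration_token", "ssh_private_key"},
    ),
    "deploy_key": (
        {"key_name", "read_only", "repo_scope", "owner"},
        {"private_key"},
    ),
    "branch_protection": (
        {"protected_branch", "required_checks", "codeowners_path", "owner_team"},
        {"admin_override_token"},
    ),
    "secret_names": (
        {"secret_name", "scope", "owning_team", "used_by_workflow", "rotation_owner"},
        {"secret_value", "credential_value"},
    ),
}

# Content rules applied to every string value, whatever key it arrived under.
CONTENT_RULES = [
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("url_with_userinfo", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s]*@", re.I)),
    ("url_token_query", re.compile(r"[?&](access_)?token=", re.I)),
    # Documented GitHub token prefixes: ghp_ gho_ ghu_ ghs_ ghr_ and github_pat_
    ("github_token_prefix", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})")),
]
# A webhook destination may be recorded as host[:port] only, never as a full URL.
HOST_ONLY = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")


def _walk(value, path=""):
    """Yield (field path, scalar) for every leaf in a nested dict/list."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value


def preflight(lane, record):
    """Decide whether one owner response record may enter read-only evidence.
    Reasons name the field path and rule only; the offending value is never copied."""
    if lane not in LANES:
        return {"lane": lane, "accepted": False, "rejections": [{"field": None, "rule": "unknown_lane"}]}
    allowed, forbidden = LANES[lane]
    rejections = []
    for key in record:
        if key in forbidden:
            rejections.append({"field": key, "rule": "forbidden_field"})
        elif key not in allowed:
            rejections.append({"field": key, "rule": "field_not_in_allowlist"})
    for path, leaf in _walk(record):
        if not isinstance(leaf, str):
            continue
        for rule, pattern in CONTENT_RULES:
            if pattern.search(leaf):
                rejections.append({"field": path, "rule": rule})
        if lane == "webhook" and path == "destination_host" and not HOST_ONLY.match(leaf):
            rejections.append({"field": path, "rule": "destination_must_be_host_only"})
    return {"lane": lane, "accepted": not rejections, "rejections": rejections}


def intake(responses):
    """Split a batch of (lane, record) pairs into accepted evidence and quarantine decisions."""
    decisions = [preflight(lane, record) for lane, record in responses]
    accepted = [d for d in decisions if d["accepted"]]
    return {"accepted": len(accepted), "quarantined": len(decisions) - len(accepted), "decisions": decisions}


# Constructed sample responses (no real hosts, keys or tokens).
GOOD_WEBHOOK = {"name": "ci-notify", "destination_host": "ci.example.internal",
                "event_types": ["push"], "enabled": True, "owner": "platform-team"}
BAD_WEBHOOK = {"name": "ci-notify", "owner": "platform-team",
               "destination_host": "https://ci.example.internal/hook?token=abc123"}
BAD_DEPLOY_KEY = {"key_name": "readonly-mirror", "read_only": True, "repo_scope": "awoooi",
                  "owner": "platform-team", "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n..."}
BAD_SECRET = {"secret_name": "REGISTRY_TOKEN", "scope": "repository", "owning_team": "platform-team",
              "used_by_workflow": ["cd.yml"], "rotation_owner": "platform-team",
              "secret_value": "ghp_" + "x" * 36}
SAMPLE_BATCH = [("webhook", GOOD_WEBHOOK), ("webhook", BAD_WEBHOOK),
                ("deploy_key", BAD_DEPLOY_KEY), ("secret_names", BAD_SECRET)]

if __name__ == "__main__":
    for d in intake(SAMPLE_BATCH)["decisions"]:
        print(d["lane"], "ACCEPT" if d["accepted"] else "QUARANTINE", d["rejections"])
```

The allowlist is deliberately strict: an unexpected key is rejected even when its value looks harmless, because the owner template defines the only shape the intake is willing to parse.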

3. What AwoooP may do

  1. Show which inventory lanes each repo is missing.
  2. Show that secrets permit only a name and an owner, never a value.
  3. Write the redacted inventory snapshot to Audit evidence.
  4. Show the owner review lane for repos with missing data.
  5. Hand failed payloads, or payloads containing sensitive values, to mirror quarantine.
  6. Show the S4.2 local evidence and the API / export lanes still missing.
  7. Show the S4.3 export request field list, rejected fields and acceptance gate.
  8. Show the S4.12 owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks, templates, acceptance checks and rejection rules.

4. What AwoooP must not do

  1. Does not collect, store or display secret values.
  2. Does not modify workflows, webhooks, runners, deploy keys or branch protection.
  3. Does not create GitHub repos.
  4. Does not sync refs.
  5. Does not switch GitHub to primary.
  6. Does not disable or downgrade Gitea.
  7. Does not show action buttons for repo, refs, secret or primary-switch operations.

5. Phase positioning

S4.1 turns the "workflow / secret name parity" gap in GitHub primary readiness into a trackable list.

S4.2 lets the locally visible workflow / CODEOWNERS / referenced secret names form partial evidence first.

S4.3 gives the subsequent owner / read-only exports for webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret parity explicit fields, rejection rules and acceptance gates.

S4.12 gives owner response requests, template status, audit event templates, redaction examples, collection checks, intake preflight checks and responses a fixed intake format and rejection rules, so that GitHub hosted runner quota risk, secret values, write tokens or unredacted payloads are not accidentally accepted into AwoooP.

This is still the low-friction framework phase: it only defines fields, only shows gaps and only leaves an audit trail; it does not touch any real secret or release process. Even once a redacted export is obtained, that only means the evidence can be reviewed; it does not mean GitHub primary is ready.