# Workflow / Runner / Secret Name Inventory Contract

| Item | Content |
|------|------|
| Date | 2026-06-11 |
| Status | Draft, missing evidence |
| Schema | `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` |
| Snapshot | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
| Local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| Export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` |
| Owner response intake package | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` / `docs/security/source-control-workflow-secret-name-owner-response.snapshot.json` |
| Mode | `inventory_contract_only` |
| Runtime execution authorization | `false` |

## 0. Core Conclusions

`source_control_workflow_secret_name_inventory_v1` is the S4.1 workflow / runner / secret name inventory contract.

It only defines which read-only fields must be collected before the GitHub primary cutover: workflow name, trigger, runner label, webhook destination, deploy key name, branch protection, CODEOWNERS, and secret names with their owners.

It does not collect secret values, modify workflows, move secrets, or authorize the GitHub primary cutover. Currently `inventory_complete_count=0`.

S4.2 added locally visible evidence: 5 repos have workflow / CODEOWNERS evidence, 33 workflow files, 42 referenced secret names and 5 runner labels. This is only local partial evidence and still does not mean GitHub primary is ready.

S4.3 added the redacted export request package: 9 in-scope repos require an owner / read-only export across 5 export lanes covering webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret name parity; every export forbids secret values and write tokens.

S4.12 added the owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks and the intake package: 1 request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 5 response templates corresponding to webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret name parity. Currently received and accepted responses are both 0, and audit events emitted remain 0. An accepted response only updates read-only evidence; it does not mean any workflow, secret, runner, deploy key or branch protection was modified.

## 1. Current Status

| Metric | Count |
|------|------|
| Candidate repos | 10 |
| In-scope repos | 9 |
| External scope review | 1 |
| Inventory complete | 0 |
| Missing inventory | 9 |
| Secret value collection allowed | `false` |
| Local evidence repos | 5 |
| Local workflow files | 33 |
| Local referenced secret names | 42 |
| Redacted export request repos | 9 |
| Redacted export lanes | 5 |
| S4.12 request packet | 1 |
| S4.12 template statuses | 5 |
| S4.12 audit event templates | 3 |
| S4.12 redaction examples | 5 |
| S4.12 collection checks | 6 |
| S4.12 intake preflight checks | 6 |
| S4.12 response templates | 5 |
| S4.12 received / accepted / rejected | `0 / 0 / 0` |

## 2. Inventory Lanes

| Lane | May be stored | Must not be stored |
|------|--------|----------|
| Workflow | workflow path, name, trigger, runner label, environment, referenced secret names | secret value, token value |
| Webhook | webhook name, destination host, event types, enabled flag, owner | webhook secret, URL containing a token |
| Runner | runner label, scope, executor type, host alias, owner | registration token, SSH private key |
| Deploy key | key name, read-only flag, repo scope, owner | private key |
| Branch protection / CODEOWNERS | protected branch, required checks, CODEOWNERS path, owner team | admin override token |
| Secret names | secret name, scope, owning team, used-by workflow, rotation owner | secret value, credential value |
| Redaction audit | redaction status, evidence ref, producer, reviewer | raw secret, raw token, raw private key |
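
The six data lanes above, together with the S4.12 intake preflight checks and the mirror quarantine rule, can be expressed as one preflight function that rejects a record carrying a forbidden field or a value shaped like raw key or token material. This is an added example, not the project's code: the field names are assumptions (the real ones live in the JSON schema listed in the header table), and the sample payloads are constructed.

```python
"""Intake preflight for redacted inventory records (constructed example, not the project's schema)."""
import re
# Lane rules transcribed from the inventory lanes table; key names are assumed,
# the real field names live in the JSON schema listed in the header table.
LANES = {
    "workflow": ({"path", "name", "trigger", "runner_label", "environment", "referenced_secret_names"},
                 {"secret_value", "token_value"}),
    "webhook": ({"name", "destination_host", "event_types", "enabled", "owner"}, {"webhook_secret"}),
    "runner": ({"label", "scope", "executor_type", "host_alias", "owner"},
               {"registration_token", "ssh_private_key"}),
    "deploy_key": ({"name", "read_only", "repo_scope", "owner"}, {"private_key"}),
    "branch_protection": ({"protected_branch", "required_checks", "codeowners_path", "owner_team"},
                          {"admin_override_token"}),
    "secret_names": ({"name", "scope", "owning_team", "used_by_workflow", "rotation_owner"},
                     {"secret_value", "credential_value"}),
}
# Value-shape checks: an innocently named field can still carry raw material.
RAW_PATTERNS = [
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    ("url_with_token", re.compile(r"https?://\S*[?&](token|secret|key)=", re.I)),
]
def _strings(value):
    # Yield every string inside a scalar or list value so list fields are inspected too.
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)
def preflight(lane: str, record: dict) -> tuple[str, list[str]]:
    """Return ('accept', []) or ('quarantine', reasons). Reasons name fields, never values."""
    if lane not in LANES:
        return "quarantine", [f"unknown lane: {lane}"]
    allowed, forbidden = LANES[lane]
    reasons = []
    for key, value in record.items():
        if key in forbidden:
            reasons.append(f"forbidden field present: {key}")
        elif key not in allowed:
            reasons.append(f"field not in contract: {key}")
        for label, pat in RAW_PATTERNS:
            if any(pat.search(s) for s in _strings(value)):
                reasons.append(f"{label} shape in field {key}")
    return ("quarantine", reasons) if reasons else ("accept", [])
# Constructed sample payloads (fictional repo, team and key material).
SAMPLE_OK = {"name": "deploy-bot-key", "read_only": True, "repo_scope": "example/app", "owner": "platform-team"}
SAMPLE_BAD = dict(SAMPLE_OK, private_key="-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...")
SAMPLE_HOOK = {"name": "ci-notify", "destination_host": "https://hooks.example.test/x?token=abc",
               "event_types": ["push"], "enabled": True, "owner": "ci-team"}
```

A quarantined result carries only field names and pattern labels, so the reasons can be written to audit evidence without the raw value ever leaving the intake step.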

## 3. What AwoooP May Do

1. Show which inventory lanes each repo is missing.
2. Show that secrets allow only a name and an owner, never a value.
3. Write the redacted inventory snapshot into audit evidence.
4. Show the owner review lane for repos with missing data.
5. Hand failed payloads, or payloads containing sensitive values, to mirror quarantine.
6. Show the S4.2 local evidence and the still-missing API / export lanes.
7. Show the S4.3 export request field list, rejected fields and acceptance gate.
8. Show the S4.12 owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks, templates, acceptance checks and rejection rules.

## 4. What AwoooP Must Not Do

1. Do not collect, store or display secret values.
2. Do not modify workflows, webhooks, runners, deploy keys or branch protection.
3. Do not create GitHub repos.
4. Do not sync refs.
5. Do not switch GitHub to primary.
6. Do not disable or demote Gitea.
7. Do not display action buttons for repo, refs, secret or primary-switch operations.

## 5. Phase Positioning

S4.1 turns the "workflow / secret name parity" gap in GitHub primary readiness into a trackable list.

S4.2 lets the locally visible workflow / CODEOWNERS / referenced secret names form partial evidence first.

S4.3 gives the subsequent owner / read-only exports for webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret parity explicit fields, rejection rules and an acceptance gate.

S4.12 gives owner response requests, template statuses, audit event templates, redaction examples, collection checks, intake preflight checks and responses a fixed intake format and rejection rules, so that GitHub-hosted runner quota risk, secret values, write tokens or unredacted payloads are not mistakenly accepted into AwoooP.

This is still a low-friction framework phase: it only defines fields, only shows gaps and only leaves an audit trail; it touches no actual secret or release process. Even once a redacted export is obtained, that only means the evidence can be reviewed, not that GitHub primary is ready.