Workflow / Secret Name Local Evidence Snapshot
| Item | Content |
|---|---|
| Date | 2026-06-11 |
| Status | Draft, partial local evidence |
| Schema | docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json |
| Snapshot | docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json |
| Source contract | source_control_workflow_secret_name_inventory_v1 |
| Collector | scripts/security/source-control-workflow-secret-name-local-inventory.py |
| Runtime execution authorized | false |
0. Key conclusions
S4.2 first backfills read-only workflow / secret name evidence from the locally visible working tree. The 2026-06-11 refresh re-ran the awoooi evidence from this round's clean worktree /private/tmp/awoooi-agent-bounty-iwooos-20260611 and added VibeWork and agent-bounty-protocol to the candidate scope for security controls.
This snapshot extracts name-level metadata only, and only from .github/workflows/, .gitea/workflows/, CODEOWNERS and .github/CODEOWNERS. It does not call the GitHub / Gitea API, does not read .env, does not read any secret store, does not collect secret values, and does not modify any workflow.
This still does not mean GitHub primary is ready. Webhook, deploy key, branch protection and repository secret parity still need a follow-up redacted export or read-only API evidence.
S4.3 has consolidated these remaining gaps into a redacted export request and added a runner owner / GitHub hosted minutes risk lane; write tokens and secret values remain prohibited.
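As an added example, not the project's scripts/security/source-control-workflow-secret-name-local-inventory.py, the following Python collector implements the same read-only contract: it walks only the workflow directories and CODEOWNERS paths named above, captures secret names from `${{ secrets.NAME }}` references and runner labels from `runs-on`, and, when a token-shaped string sits inline in a workflow, records only a boolean and the file path. The sample working tree, the token-shape heuristic and every name in it are constructed for this example.

```python
"""Added example (not the project's collector): a read-only, name-level
inventory of CI workflow files. It walks .github/workflows, .gitea/workflows
and CODEOWNERS only, and records counts, secret *names* and runner labels,
never values."""
import json
import re
import tempfile
from pathlib import Path

WORKFLOW_DIRS = {".github/workflows": "github", ".gitea/workflows": "gitea"}
CODEOWNERS_PATHS = ("CODEOWNERS", ".github/CODEOWNERS")

# ${{ secrets.NAME }} -> only NAME is captured.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# runs-on: ubuntu-latest        runs-on: [self-hosted, k8s]
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.+?)\s*$", re.MULTILINE)
# Heuristic (an assumption of this example): token shapes that should never
# sit inline in a workflow. Only the file name is recorded, never the match.
LIKELY_SECRET_VALUE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b")


def parse_runner_labels(raw):
    """'ubuntu-latest' -> {'ubuntu-latest'}; '[self-hosted, k8s]' -> both."""
    raw = raw.strip()
    if raw.startswith("["):
        return {p.strip().strip("'\"") for p in raw.strip("[]").split(",") if p.strip()}
    return {raw.strip("'\"")}


def inventory(repo_root):
    """Collect name-level metadata from one working tree."""
    root = Path(repo_root)
    out = {"github_workflow_files": 0, "gitea_workflow_files": 0,
           "codeowners_files": 0, "secret_names": set(), "runner_labels": set(),
           "secret_value_detected": False, "files_flagged": []}
    for rel, forge in WORKFLOW_DIRS.items():
        wf_dir = root / rel
        if not wf_dir.is_dir():
            continue
        for path in sorted(p for p in wf_dir.iterdir() if p.suffix in (".yml", ".yaml")):
            text = path.read_text(encoding="utf-8", errors="replace")
            out[forge + "_workflow_files"] += 1
            out["secret_names"].update(SECRET_REF.findall(text))
            for raw in RUNS_ON.findall(text):
                out["runner_labels"].update(parse_runner_labels(raw))
            if LIKELY_SECRET_VALUE.search(text):
                out["secret_value_detected"] = True
                out["files_flagged"].append(path.relative_to(root).as_posix())
    out["codeowners_files"] = sum((root / p).is_file() for p in CODEOWNERS_PATHS)
    return out


def render_snapshot(inv):
    """JSON text with sets sorted; this is all that leaves the machine."""
    doc = dict(inv, secret_names=sorted(inv["secret_names"]),
               runner_labels=sorted(inv["runner_labels"]),
               unique_referenced_secret_names=len(inv["secret_names"]))
    return json.dumps(doc, indent=2, sort_keys=True)


def build_sample_repo():
    """Constructed sample tree (hypothetical contents, not any real repo)."""
    root = Path(tempfile.mkdtemp(prefix="wf-inventory-"))
    fake_token = "ghp_" + "x" * 36  # deliberately inline, to exercise the flag
    files = {
        ".github/workflows/ci.yml":
            "name: ci\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
            "    steps:\n      - run: make test\n        env:\n"
            "          TOKEN: ${{ secrets.REGISTRY_TOKEN }}\n",
        ".github/workflows/leaky.yml":
            "name: leaky\non: [push]\njobs:\n  bad:\n    runs-on: ubuntu-latest\n"
            "    steps:\n      - run: ./push.sh\n        env:\n"
            f"          GH_TOKEN: {fake_token}\n",
        ".gitea/workflows/deploy.yml":
            "name: deploy\non: [push]\njobs:\n  ship:\n"
            "    runs-on: [self-hosted, k8s]\n    steps:\n      - run: ./deploy.sh\n"
            "        env:\n          KUBE: ${{ secrets.KUBECONFIG_B64 }}\n"
            "          REG: ${{ secrets.REGISTRY_TOKEN }}\n",
        ".github/CODEOWNERS": "* @example-owner\n",
    }
    for rel, body in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    print(render_snapshot(inventory(build_sample_repo())))
```

The point of the `files_flagged` list is that the one thing a reviewer needs about an inline token is where to go and rotate it; the collector deliberately has no field in which the matched text could be stored, so "Secret value detected" can be true without the value ever reaching the snapshot. A `runs-on:` written as a multi-line YAML list is not handled by the inline regex above and would need a YAML parser.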
1. Summary
| Metric | Count |
|---|---|
| Candidate repos | 10 |
| Local repo visible | 9 |
| Local evidence repos | 5 |
| Workflow files | 33 |
| Gitea workflow files | 12 |
| GitHub workflow files | 21 |
| CODEOWNERS files | 2 |
| Unique referenced secret names | 42 |
| Runner labels | 5 |
| Secret value detected | false |
2. Repo results
| Repo | Local status | Workflow files | Secret names | CODEOWNERS | Notes |
|---|---|---|---|---|---|
| owenhytsai/awoooi | partial_local_evidence | 15 | 34 | 0 | Gitea / GitHub workflows both visible; after removing the old-worktree evidence drift this round, webhook, branch protection and repository secret parity evidence are still needed |
| owenhytsai/clawbot-v5 | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible, but no workflow / CODEOWNERS found |
| owenhytsai/wooo-aiops | partial_local_evidence | 14 | 12 | 2 | GitHub / Gitea workflows and CODEOWNERS visible; webhook and branch protection evidence still needed |
| owenhytsai/wooo-infra-config | partial_local_evidence | 1 | 2 | 0 | GitHub validate workflow visible; infra secret values must not be moved |
| owenhytsai/ewoooc | partial_local_evidence | 2 | 4 | 0 | The local momo-pro-system working tree is used as interim evidence for the ewoooc/momo canonical review |
| owenhytsai/bitan-pharmacy | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible, but no workflow / CODEOWNERS found |
| owenhytsai/tsenyang-website | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible, but no workflow / CODEOWNERS found |
| nexu-io/open-design | missing_local_repo | 0 | 0 | 0 | External scope review; not in the GitHub primary cutover queue |
| owenhytsai/VibeWork | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible; VibeWork's independent product boundary is retained; the owner still has to confirm the workflow / secret / deploy surface |
| owenhytsai/agent-bounty-protocol | partial_local_evidence | 1 | 0 | 0 | Newly added to security control scope; one Gitea workflow and the ubuntu-latest runner label seen; owner response on the agent / bounty / treasury / execution surface still needed |
3. Known runner labels
This snapshot stores runner label names only:
| Label |
|---|
| awoooi-host |
| harbor |
| k8s |
| self-hosted |
| ubuntu-latest |
4. Still to complete
- Gitea / GitHub webhook inventory: list only destination host, event types and enabled flag; do not store the webhook secret.
- Runner owner / hosted minutes risk inventory: list only label, executor, self-hosted / hosted and owner; do not store the registration token.
- Deploy key / machine key inventory: list only key name, read-only flag and owner; do not store the private key.
- Branch protection inventory: list only protected branch, required status checks and review count.
- Repository secret parity: compare secret names and owners only; output no values.
- Per-repo owner review: confirm whether the locally visible workflows are canonical, especially for ewoooc/momo-pro-system, VibeWork and agent-bounty-protocol.
- Snapshot freshness: local evidence must carry a reproducible path and a refresh date; an expired temporary worktree may serve only as historical reference, never as current readiness.
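An added example, not part of the snapshot or of the S4.3 export request: a Python gate that enforces the field allowlists listed above on a redacted export before it enters the evidence set, and then performs name-only repository secret parity against the names a workflow scan referenced. The record kinds, field names, hosts, owners and the sample records themselves are assumptions made for this example.

```python
"""Added example (assumptions, not the project's schema): gate a redacted
export on the field lists from section 4, then compare repository secret
names against workflow-referenced names without ever touching a value."""

# Fields each redacted inventory record may carry, per the list above.
ALLOWED_FIELDS = {
    "webhook": {"repo", "destination_host", "event_types", "enabled"},
    "runner": {"label", "executor", "hosted", "owner"},
    "deploy_key": {"repo", "key_name", "read_only", "owner"},
    "branch_protection": {"repo", "branch", "required_status_checks", "review_count"},
    "repository_secret": {"repo", "name", "owner"},
}
# Field names that must never appear in any export, whatever the kind.
FORBIDDEN_FIELDS = {"secret", "webhook_secret", "value", "token",
                    "registration_token", "private_key"}


def validate_export(records):
    """Split records into (accepted, rejected). Rejections carry the offending
    field *keys* only; field values are never copied into the report."""
    accepted, rejected = [], []
    for idx, rec in enumerate(records):
        kind = rec.get("kind")
        allowed = ALLOWED_FIELDS.get(kind)
        present = set(rec) - {"kind"}
        if allowed is None:
            rejected.append({"index": idx, "kind": kind, "reason": "unknown_kind"})
            continue
        extra = sorted((present - allowed) | (present & FORBIDDEN_FIELDS))
        missing = sorted(allowed - present)
        if extra or missing:
            rejected.append({"index": idx, "kind": kind, "reason": "schema",
                             "extra_fields": extra, "missing_fields": missing})
        else:
            accepted.append(rec)
    return accepted, rejected


def secret_parity(referenced_names, accepted_records):
    """Name-only parity between workflow references and the accepted
    repository_secret records. Sorted name lists are the whole output."""
    referenced = set(referenced_names)
    configured = {r["name"] for r in accepted_records if r["kind"] == "repository_secret"}
    return {
        "referenced_but_not_configured": sorted(referenced - configured),
        "configured_but_unreferenced": sorted(configured - referenced),
        "matched": sorted(referenced & configured),
    }


# Constructed sample export. Hosts, owners and the two bad records are
# invented to exercise the gate; they describe no real configuration.
SAMPLE_EXPORT = [
    {"kind": "webhook", "repo": "owenhytsai/awoooi", "destination_host": "ci.example.internal",
     "event_types": ["push", "pull_request"], "enabled": True},
    {"kind": "webhook", "repo": "owenhytsai/awoooi", "destination_host": "ci.example.internal",
     "event_types": ["push"], "enabled": True, "secret": "must-not-leave-the-forge"},
    {"kind": "runner", "label": "awoooi-host", "executor": "docker", "hosted": False,
     "owner": "platform-team"},
    {"kind": "deploy_key", "repo": "owenhytsai/wooo-infra-config", "key_name": "infra-readonly",
     "read_only": True, "owner": "platform-team", "private_key": "<placeholder, never exported>"},
    {"kind": "branch_protection", "repo": "owenhytsai/awoooi", "branch": "main",
     "required_status_checks": ["ci"], "review_count": 1},
    {"kind": "repository_secret", "repo": "owenhytsai/awoooi", "name": "REGISTRY_TOKEN",
     "owner": "platform-team"},
    {"kind": "repository_secret", "repo": "owenhytsai/awoooi", "name": "LEGACY_DEPLOY_KEY",
     "owner": "unknown"},
]
# Names a workflow scan of the same repo is assumed to have referenced.
REFERENCED_IN_WORKFLOWS = ["REGISTRY_TOKEN", "KUBECONFIG_B64"]


def run_gate(records=SAMPLE_EXPORT, referenced=REFERENCED_IN_WORKFLOWS):
    """Validate first, then compute parity only over accepted records."""
    accepted, rejected = validate_export(records)
    return {"accepted": len(accepted), "rejected": rejected,
            "parity": secret_parity(referenced, accepted)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_gate(), indent=2))
```

Parity is computed only over accepted records, so a record that smuggled a `secret` or `private_key` field never contributes even its name to the evidence; the rejection report tells the exporter which field to drop and nothing more. Both parity directions matter: a name referenced but not configured is a broken workflow waiting to happen after cutover, and a configured name nobody references (here one with owner `unknown`) is a stale credential the owner review should retire.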
5. Permanently prohibited
- Do not collect secret values, token values, private keys, webhook secrets or runner registration tokens.
- Do not modify workflows, webhooks, runners, deploy keys, branch protection or CODEOWNERS.
- Do not create GitHub repos, sync refs or switch GitHub to primary.
- Do not treat local evidence as primary cutover approval.
- Do not turn LOW / MEDIUM observations into runtime blockers.