awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md
Your Name e8e15faf28
feat(security): expand the source-control managed scope
2026-06-11 19:23:40 +08:00


# Workflow / Secret Name Local Evidence Snapshot

| Item | Content |
| --- | --- |
| Date | 2026-06-11 |
| Status | Draft (partial local evidence) |
| Schema | docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json |
| Snapshot | docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json |
| Source contract | source_control_workflow_secret_name_inventory_v1 |
| Collector | scripts/security/source-control-workflow-secret-name-local-inventory.py |
| Runtime execution authorization | false |

## 0. Core conclusion

S4.2 first fills in read-only workflow / secret name evidence for the locally visible working tree. The 2026-06-11 refresh re-ran the awoooi evidence from this round's clean worktree /private/tmp/awoooi-agent-bounty-iwooos-20260611 and added VibeWork and agent-bounty-protocol to the candidate scope for security control.

This snapshot extracts only name-level metadata from .github/workflows, .gitea/workflows, CODEOWNERS and .github/CODEOWNERS. It does not call the GitHub / Gitea API, does not read .env, does not read any secret store, does not collect secret values, and does not modify workflows.

This still does not mean GitHub primary is ready. Webhook, deploy key, branch protection and repository secret parity evidence still require a subsequent redacted export or read-only API evidence.

S4.3 has consolidated these remaining gaps into a redacted export request and additionally added a runner owner / GitHub-hosted minutes risk lane; write tokens and secret values remain prohibited.
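To make the name-level extraction concrete, here is an added example of such a read-only collector (it is not the project's scripts/security/source-control-workflow-secret-name-local-inventory.py, and the sample workflow files, secret names and runner labels it builds in a temp directory are constructed for the demonstration). It walks .github/workflows and .gitea/workflows, records referenced secret names, runs-on labels and CODEOWNERS presence, and never resolves a secret value.

```python
import os
import re
import tempfile

# Added example, not the project's collector: captures only identifiers
# (secret names after "secrets.", runs-on labels, CODEOWNERS presence).
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.+?)\s*$", re.MULTILINE)
WORKFLOW_DIRS = {"github": ".github/workflows", "gitea": ".gitea/workflows"}
CODEOWNERS_PATHS = ["CODEOWNERS", ".github/CODEOWNERS"]

def _labels(raw):
    # runs-on may be a scalar ("ubuntu-latest") or a flow list ("[self-hosted, k8s]")
    return [l.strip().strip("'\"") for l in raw.strip("[]").split(",") if l.strip()]

def inventory(repo_root):
    """Name-level snapshot of one checked-out repo; secret values are never read."""
    snap = {"workflow_files": 0, "github_workflow_files": 0, "gitea_workflow_files": 0,
            "secret_names": set(), "runner_labels": set(), "secret_value_detected": False}
    for forge, rel in WORKFLOW_DIRS.items():
        wf_dir = os.path.join(repo_root, rel)
        names = sorted(os.listdir(wf_dir)) if os.path.isdir(wf_dir) else []
        for name in (n for n in names if n.endswith((".yml", ".yaml"))):
            with open(os.path.join(wf_dir, name), encoding="utf-8") as fh:
                text = fh.read()
            snap["workflow_files"] += 1
            snap[forge + "_workflow_files"] += 1
            snap["secret_names"].update(SECRET_REF.findall(text))  # names, not values
            for raw in RUNS_ON.findall(text):
                snap["runner_labels"].update(_labels(raw))
    snap["codeowners_files"] = sum(os.path.isfile(os.path.join(repo_root, p)) for p in CODEOWNERS_PATHS)
    snap["secret_names"] = sorted(snap["secret_names"])
    snap["runner_labels"] = sorted(snap["runner_labels"])
    return snap

def demo_repo():
    """Constructed sample repo in a temp dir (not real project files) for a stand-alone run."""
    root = tempfile.mkdtemp()
    files = {
        ".github/workflows/ci.yml": "jobs:\n  test:\n    runs-on: ubuntu-latest\n    env:\n      TOKEN: ${{ secrets.REGISTRY_TOKEN }}\n",
        ".gitea/workflows/deploy.yml": "jobs:\n  deploy:\n    runs-on: [self-hosted, k8s]\n    steps:\n      - run: echo ${{ secrets.KUBECONFIG_B64 }} ${{ secrets.REGISTRY_TOKEN }}\n",
        "CODEOWNERS": "* @owner\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Running `inventory(demo_repo())` yields the same shape of counts as the summary table (workflow file counts per forge, unique secret names, runner labels, CODEOWNERS count) with `secret_value_detected` fixed at false by construction.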

## 1. Summary

| Metric | Count |
| --- | --- |
| Candidate repos | 10 |
| Local repo visible | 9 |
| Local evidence repos | 5 |
| Workflow files | 33 |
| Gitea workflow files | 12 |
| GitHub workflow files | 21 |
| CODEOWNERS files | 2 |
| Unique referenced secret names | 42 |
| Runner labels | 5 |
| Secret value detected | false |

## 2. Repo results

| Repo | Local status | Workflow files | Secret names | CODEOWNERS | Notes |
| --- | --- | --- | --- | --- | --- |
| owenhytsai/awoooi | partial_local_evidence | 15 | 34 | 0 | Gitea / GitHub workflows both visible; after removing the stale worktree evidence drift this round, webhook, branch protection and repository secret parity evidence are still required |
| owenhytsai/clawbot-v5 | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible, but no workflow / CODEOWNERS found |
| owenhytsai/wooo-aiops | partial_local_evidence | 14 | 12 | 2 | GitHub / Gitea workflows and CODEOWNERS visible; webhook and branch protection evidence still required |
| owenhytsai/wooo-infra-config | partial_local_evidence | 1 | 2 | 0 | GitHub validate workflow visible; infra secret values must not be migrated |
| owenhytsai/ewoooc | partial_local_evidence | 2 | 4 | 0 | Uses the local momo-pro-system working tree as temporary evidence for the ewoooc/momo canonical review |
| owenhytsai/bitan-pharmacy | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible, but no workflow / CODEOWNERS found |
| owenhytsai/tsenyang-website | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible, but no workflow / CODEOWNERS found |
| nexu-io/open-design | missing_local_repo | 0 | 0 | 0 | External scope review; not in the GitHub primary cutover queue |
| owenhytsai/VibeWork | local_repo_visible_no_workflow_files | 0 | 0 | 0 | Local repo visible; VibeWork's independent product boundary is preserved, and the owner still needs to confirm the workflow / secret / deploy surface |
| owenhytsai/agent-bounty-protocol | partial_local_evidence | 1 | 0 | 0 | Newly added to the security control scope; 1 Gitea workflow and the ubuntu-latest runner label seen, agent / bounty / treasury / execution surface owner response still required |

## 3. Known runner labels

This snapshot stores runner label names only:

| Label |
| --- |
| awoooi-host |
| harbor |
| k8s |
| self-hosted |
| ubuntu-latest |

## 4. Still to be completed

1. Gitea / GitHub webhook inventory: list only destination host, event types and enabled flag; do not store webhook secrets.
2. Runner owner / hosted minutes risk inventory: list only label, executor, self-hosted / hosted and owner; do not store registration tokens.
3. Deploy key / machine key inventory: list only key name, read-only flag and owner; do not store private keys.
4. Branch protection inventory: list only protected branch, required status checks and review count.
5. Repository secret parity: compare only secret names and owner; do not output values.
6. Per-repo owner review: confirm whether the locally visible workflows are canonical, especially for ewoooc / momo-pro-system, VibeWork and agent-bounty-protocol.
7. Snapshot freshness: local evidence must state a reproducible path and refresh date; an expired temporary worktree may only serve as historical reference, never as current readiness.

## 5. Permanently prohibited

1. Do not collect secret values, token values, private keys, webhook secrets or runner registration tokens.
2. Do not modify workflows, webhooks, runners, deploy keys, branch protection or CODEOWNERS.
3. Do not create GitHub repos, do not sync refs, and do not switch GitHub to primary.
4. Do not treat local evidence as primary cutover approval.
5. Do not turn LOW / MEDIUM observations into runtime blockers.