awoooi/docs/security/source-control-workflow-secret-name-export-request.snapshot.json
Your Name 9e15fd08b3
feat(web): land iwooos security posture surfaces
2026-05-25 20:35:52 +08:00
{
"schema_version": "source_control_workflow_secret_name_export_request_v1",
"status": "draft_waiting_owner_export",
"date": "2026-05-13",
"mode": "redacted_export_request_only",
"runtime_execution_authorized": false,
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"source_indexes": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"candidate_repo_count": 8,
"in_scope_request_count": 7,
"external_scope_review_count": 1,
"export_request_count": 7,
"export_lane_count": 5,
"owner_response_template_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"webhook_export_request_repo_count": 2,
"runner_export_request_repo_count": 4,
"deploy_key_export_request_repo_count": 1,
"branch_protection_codeowners_export_request_repo_count": 4,
"repository_secret_name_parity_export_request_repo_count": 7,
"secret_value_collection_allowed": false,
"write_token_allowed": false,
"runtime_actions_authorized": false,
"action_buttons_allowed": false
},
"owner_response_packet": {
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
"snapshot_path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"execution_authorized": false,
"allowed_effect": "After a response is accepted, only the read-only inventory / export request / readiness wording is updated; no workflow/secret/runner/deploy key changes are authorized"
},
"export_lanes": [
{
"lane_id": "webhook_redacted_export_request",
"title": "Redacted export of webhook names, destination hosts and event types",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"webhook_name",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"owner",
"last_updated_metadata"
],
"forbidden_fields": [
"webhook_secret",
"full_payload_url_with_token",
"authorization_header",
"cookie",
"request_body",
"secret_value"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_api_summary",
"admin_export_after_manual_redaction"
],
"acceptance_gate": [
"Each webhook entry must keep only the host or a redacted URL; it must not contain a query token.",
"Must indicate which side (Gitea or GitHub) is responsible for sending the webhook after the primary cutover.",
"If a secret value or token value is detected, the entire export must go into mirror quarantine."
],
"execution_authorized": false
},
{
"lane_id": "runner_label_owner_export_request",
"title": "Redacted export of runner label / executor / hosted-minutes risk",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"runner_label",
"runner_scope",
"executor_type",
"host_alias",
"hosted_or_self_hosted",
"owner",
"maintenance_window"
],
"forbidden_fields": [
"runner_registration_token",
"runner_admin_token",
"ssh_private_key",
"host_password",
"api_token"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_runner_inventory_summary"
],
"acceptance_gate": [
"Must confirm which workflows still use self-hosted runners after GitHub becomes primary, to avoid unintended use of GitHub hosted minutes.",
"Keep only label, owner and executor metadata; do not keep runner tokens.",
"If a runner label has no owner, primary readiness must stay blocked."
],
"execution_authorized": false
},
{
"lane_id": "deploy_key_redacted_export_request",
"title": "Redacted export of deploy key / machine key names and read-only status",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"key_name",
"read_only_flag",
"repo_scope",
"owner",
"last_seen_metadata"
],
"forbidden_fields": [
"private_key",
"public_key_full_value",
"token_value",
"password",
"credential_value"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_api_summary",
"admin_export_after_manual_redaction"
],
"acceptance_gate": [
"Only key name, read-only flag, repo scope and owner may be listed.",
"Private keys and full public key material must not be stored.",
"Write-capable keys must only be flagged as a risk for owner review; they must not be rotated automatically."
],
"execution_authorized": false
},
{
"lane_id": "branch_protection_codeowners_export_request",
"title": "Branch protection / required checks / CODEOWNERS redacted export",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"protected_branch_name",
"required_review_count",
"required_status_check_names",
"codeowners_path",
"owner_team_names"
],
"forbidden_fields": [
"team_secret",
"personal_access_token",
"admin_override_token",
"session_cookie"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_api_summary",
"local_codeowners_snapshot"
],
"acceptance_gate": [
"Must list the protection differences between the main/dev branches before GitHub becomes primary.",
"Required status check names must match the actual workflow or runner label.",
"A missing CODEOWNERS file does not mean runtime is blocked; it only means primary readiness is incomplete."
],
"execution_authorized": false
},
{
"lane_id": "repository_secret_name_parity_export_request",
"title": "Redacted export of repository secret name parity",
"request_status": "waiting_owner_or_readonly_export",
"allowed_fields": [
"provider",
"secret_name",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner",
"present_in_gitea",
"present_in_github"
],
"forbidden_fields": [
"secret_value",
"secret_plaintext",
"token_value",
"private_key",
"credential_value"
],
"accepted_producer_modes": [
"owner_attested_redacted_export",
"read_only_secret_name_summary",
"admin_export_after_manual_redaction"
],
"acceptance_gate": [
"Compare only secret name, scope, owner and present/absent metadata.",
"Do not output values, hashes, partial tokens or any recoverable fragment.",
"A missing secret only creates an owner review lane; secrets are not created or rotated automatically."
],
"execution_authorized": false
}
],
"repo_export_requests": [
{
"repo_key": "awoooi",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"risk": "HIGH",
"request_state": "waiting_owner_export",
"requested_lanes": [
"webhook_redacted_export_request",
"runner_label_owner_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"This repo is the mainline of the core product and deploy workflow; webhooks, runner labels, branch protection and secret name parity must be confirmed first.",
"Unless self-hosted runner owners and labels are proven to be aligned, GitHub primary must not be declared ready."
],
"still_forbidden": [
"modify workflow",
"rotate secret",
"sync refs",
"switch_github_primary"
]
},
{
"repo_key": "clawbot-v5",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"The local repo is visible but no workflow / CODEOWNERS was found; the owner still needs to confirm whether workflows and repo secrets are really not needed.",
"If the GitHub target has additional private workflows, they must be evidenced with a redacted export."
],
"still_forbidden": [
"create secret",
"modify branch protection",
"push refs",
"switch_github_primary"
]
},
{
"repo_key": "wooo-aiops",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"webhook_redacted_export_request",
"runner_label_owner_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"S4.2 already observed the workflow and CODEOWNERS; this phase adds webhook and secret name parity evidence.",
"If a workflow uses hosted runners, the cost and quota risk must be flagged; runners are not switched automatically."
],
"still_forbidden": [
"delete GitHub-only refs",
"modify webhook",
"move secret values",
"switch_github_primary"
]
},
{
"repo_key": "wooo-infra-config",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"runner_label_owner_export_request",
"deploy_key_redacted_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"The infra repo may only export key names, read-only flags and owners; key material must not be exported.",
"The purpose of the 110 internal remote still requires an owner decision; this request does not authorize changing the remote."
],
"still_forbidden": [
"export private key",
"move infra secret values",
"delete remote",
"switch_github_primary"
]
},
{
"repo_key": "ewoooc",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"risk": "HIGH",
"request_state": "waiting_owner_export",
"requested_lanes": [
"runner_label_owner_export_request",
"branch_protection_codeowners_export_request",
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"This repo still carries canonical target and unrelated history risk; the export request is only used to supplement workflow / secret name evidence.",
"Manual confirmation of the canonical repo must be completed before primary readiness can be discussed."
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"move secret values",
"switch_github_primary"
]
},
{
"repo_key": "bitan-pharmacy",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"The local repo is visible but no workflow was found; first ask the owner to confirm whether there are repo secrets or external deploy keys.",
"If the repo is no longer active, the owner must mark it on the primary readiness board; it is not archived automatically."
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"move secret values",
"switch_github_primary"
]
},
{
"repo_key": "tsenyang-website",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"risk": "MEDIUM",
"request_state": "waiting_owner_export",
"requested_lanes": [
"repository_secret_name_parity_export_request"
],
"owner_export_required": true,
"read_only_api_allowed": true,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"The local repo is visible but no workflow was found; first ask the owner to confirm whether there are repo secrets or external deploy keys.",
"If the repo is no longer active, the owner must mark it on the primary readiness board; it is not archived automatically."
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"move secret values",
"switch_github_primary"
]
},
{
"repo_key": "open-design",
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"risk": "LOW",
"request_state": "waiting_scope_review",
"requested_lanes": [],
"owner_export_required": false,
"read_only_api_allowed": false,
"write_api_allowed": false,
"secret_value_allowed": false,
"acceptance_notes": [
"This repo is currently only under external scope review; it does not enter the AWOOOI GitHub primary cutover queue.",
"If it is later confirmed to be in scope, a new in-scope approval item must be created first."
],
"still_forbidden": [
"add to primary cutover queue",
"modify repo visibility",
"sync refs"
]
}
],
"acceptance_rules": [
"Every export must indicate producer, collection timestamp, redaction_status and evidence_ref.",
"Read-only API exports may only use a read-only token; if the token has write scope, stop and switch to owner attestation or an admin export with manual redaction.",
"Any secret value, token value, cookie, private key, webhook secret or runner registration token must be rejected and sent to mirror quarantine.",
"Completion of an export request only means the evidence can be reviewed; it does not mean GitHub primary is ready.",
"Missing fields only create an owner review lane; repos, workflows, webhooks, runners, deploy keys, branch protection and secrets are not modified automatically."
],
"redaction_rules": [
"URLs must have username, password, token and query secrets removed; keep only the host or a redacted path.",
"Secrets may only be stored as name, scope, owner, used_by_workflow and present/absent metadata.",
"Keys may only be stored as key name, read_only_flag, repo_scope and owner; key material is not stored.",
"Runners may only be stored as label, scope, executor_type, host_alias, hosted_or_self_hosted and owner.",
"No hash, prefix, suffix or partial token from which a credential could be recovered may be stored."
],
"forbidden_actions": [
"collect_secret_value",
"store_secret_token_cookie_private_key_or_webhook_secret",
"use_write_token",
"call_runtime_execute",
"modify_workflow",
"modify_webhook",
"modify_runner",
"modify_deploy_key",
"modify_branch_protection",
"create_or_rotate_secret",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"disable_gitea",
"add_action_button"
]
}