awoooi/docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md
Your Name bb459d59f9
feat(iwooos): add CD runner secret post-incident readback gate
2026-06-16 11:42:38 +08:00

# CD / Runner / Secret injection post-incident readback read-only plan
| Item | Content |
|------|------|
| Date | 2026-06-16 |
| Status | `post_incident_readback_plan_ready_no_runtime_action` |
| Tool | `scripts/security/cd-runner-secret-injection-post-incident-readback-plan.py` |
| Snapshot | `docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json` |
| Source evidence | `docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json` |
| runtime gate | `0` |
## 1. Purpose
This plan follows the CD / runner / secret injection change evidence acceptance and deals specifically with post-incident readback: after any anomaly in, or change to, a workflow / runner / secret injection, the owner must read back the actor, time window, workflow diff state, runner attestation, secret name parity, secret injection route, step-env secret guard, log redaction, deploy marker, Gitea run, webhook / notification receipt, before / after deploy state, rollback, post-check and recurrence guard.
It handles metadata-only evidence refs: it does not call the Gitea / GitHub API, read the secret store, read secret values, modify workflows, enable runners, rotate secrets, dispatch workflows or trigger deploys, and it does not treat CD success, a deploy marker, workflow success, a route `200`, runner online, AwoooP approval or UI-visible state as runtime authorization.
## 2. Fixed scope
| Metric | Value | Meaning |
|------|------|------|
| `readback_candidate_count` | `5` | five candidate classes: CD pipeline, Code Review, Deploy alerts, Runner attestation, Secret parity / injection owner |
| `c0_readback_candidate_count` | `4` | CD, Code Review, Runner and Secret parity are C0 |
| `c1_readback_candidate_count` | `1` | Deploy alerts / monitoring route is C1 |
| `write_capable_readback_candidate_count` | `5` | all five classes can affect the workflow, runner, secret injection, notification or deploy path |
| `secret_sensitive_readback_candidate_count` | `5` | all five classes must be checked so that no secret value / hash / partial token / runner token appears |
| `runner_or_workflow_readback_candidate_count` | `5` | all five classes must read back the workflow / runner boundary |
| `deploy_or_run_readback_required_candidate_count` | `5` | all five classes need a deploy marker or Gitea run readback, or a stated not-applicable reason |
| `required_readback_field_count` | `33` | required post-incident readback fields |
| `reviewer_check_count` | `30` | rules the reviewer must check |
| `outcome_lane_count` | `11` | intake outcome lanes |
| `blocked_action_count` | `52` | explicitly blocked actions |
## 3. Required post-incident readback fields
Every post-incident readback needs at least:
1. `incident_or_change_ref`
2. `actor_attribution_ref`
3. `change_time_window_ref`
4. `change_intent_or_break_glass_ref`
5. `workflow_diff_state_ref`
6. `runner_attestation_state_ref`
7. `runner_executor_host_readback_ref`
8. `runner_workspace_cleanup_readback_ref`
9. `runner_permission_scope_ref`
10. `secret_name_parity_state_ref`
11. `secret_injection_route_state_ref`
12. `step_env_secret_guard_result_ref`
13. `log_redaction_readback_ref`
14. `deploy_marker_readback_ref`
15. `gitea_action_run_readback_ref`
16. `webhook_delivery_state_ref`
17. `deploy_key_branch_protection_codeowners_ref`
18. `notification_delivery_receipt_ref`
19. `before_after_deploy_state_ref`
20. `affected_route_or_service_state_ref`
21. `cross_project_sync_ref`
22. `rollback_validation_ref`
23. `postcheck_evidence_ref`
24. `post_change_monitoring_ref`
25. `recurrence_guard_ref`
26. `maintenance_window`
27. `rollback_owner`
28. `followup_owner`
29. `redacted_evidence_refs`
30. `no_secret_value_attestation`
31. `no_raw_workflow_payload_attestation`
32. `no_unredacted_log_attestation`
33. `no_false_green_attestation`
All of these fields may hold only redacted refs, commits, artifact pointers, run ids, job ids, tickets or hashes. Do not paste secret values, secret hashes, masked tokens, partial tokens, runner tokens, webhook secrets, private keys, deploy key private material, cookies, authorization headers, full credential URLs, unredacted action logs or unredacted screenshots.
## 4. Reviewer checks
The reviewer must confirm that:
- the source change evidence acceptance snapshot is the current version.
- the incident / change ref, actor, time window and intent / break-glass reason are all present.
- the workflow diff state is presented only as a ref, with no raw workflow payload stored.
- the runner label, executor, host alias, workspace cleanup, permission scope and hosted-runner risk are traceable.
- the secret name parity, secret injection route, step-env secret guard and log redaction readback are complete.
- the deploy marker and Gitea run readback serve only as evidence and do not amount to runtime approval.
- the webhook delivery, deploy key, branch protection, CODEOWNERS, notification receipt and cross-project sync impact are marked.
- the rollback validation, post-check, post-change monitoring and recurrence guard are explicitly listed.
- CD success, a deploy marker, workflow success, a route `200`, runner online, UI visibility or AwoooP approval are not taken as acceptance.
## 5. Outcome lanes
| Lane | Description |
|------|------|
| `waiting_post_incident_readback` | no post-incident readback package received yet |
| `request_actor_or_time_supplement` | actor, time window, intent or break-glass reason missing |
| `request_workflow_runner_supplement` | workflow diff, runner attestation, executor / host, workspace cleanup or permission scope missing |
| `request_secret_injection_supplement` | secret name parity, injection route, step-env guard or log redaction readback missing |
| `request_deploy_run_supplement` | deploy marker, Gitea run readback, before / after deploy state or post-check missing |
| `request_webhook_notification_supplement` | webhook delivery, notification receipt, SRE route owner or cross-project sync missing |
| `quarantine_sensitive_payload` | quarantined when a sensitive value, runner token, webhook secret, private key, unredacted log or screenshot is received |
| `reject_false_green_claim` | rejected when CD success, a deploy marker, workflow success, a route `200`, runner online, UI visibility or AwoooP approval is offered as acceptance |
| `ready_for_cd_runner_secret_post_incident_review` | proceeds to reviewer review once the metadata passes |
| `recurrence_guard_backfill_required` | a recurrence guard, owner review, change freeze, automation block or runner isolation plan must be backfilled |
| `waiting_runtime_gate` | even after the readback is accepted, the runtime gate still needs independent manual approval |
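The intake logic of sections 3 to 5, as an added example that is not the project's `cd-runner-secret-injection-post-incident-readback-plan.py`: it takes one readback package (a dict of field name to redacted ref or attestation flag), quarantines anything that looks like credential material, rejects false-green acceptance claims, and otherwise routes missing fields to a supplement lane. The field-to-lane grouping, the `acceptance_basis` field, the false-green constant names and the sensitive-value patterns are assumptions.

```python
import re
# Added example, not the project's own script: routes one metadata-only readback package to an
# outcome lane from section 5 using the 33 required fields from section 3.
FIELDS = (
    "incident_or_change_ref actor_attribution_ref change_time_window_ref change_intent_or_break_glass_ref "
    "workflow_diff_state_ref runner_attestation_state_ref runner_executor_host_readback_ref "
    "runner_workspace_cleanup_readback_ref runner_permission_scope_ref secret_name_parity_state_ref "
    "secret_injection_route_state_ref step_env_secret_guard_result_ref log_redaction_readback_ref "
    "deploy_marker_readback_ref gitea_action_run_readback_ref webhook_delivery_state_ref "
    "deploy_key_branch_protection_codeowners_ref notification_delivery_receipt_ref before_after_deploy_state_ref "
    "affected_route_or_service_state_ref cross_project_sync_ref rollback_validation_ref postcheck_evidence_ref "
    "post_change_monitoring_ref recurrence_guard_ref maintenance_window rollback_owner followup_owner "
    "redacted_evidence_refs no_secret_value_attestation no_raw_workflow_payload_attestation "
    "no_unredacted_log_attestation no_false_green_attestation"
).split()
# Field-to-lane grouping is an assumption; the plan names the lanes but not an exact mapping.
SUPPLEMENT_LANES = [
    ("request_actor_or_time_supplement", FIELDS[0:4]),
    ("request_workflow_runner_supplement", FIELDS[4:9]),
    ("request_secret_injection_supplement", FIELDS[9:13]),
    ("request_deploy_run_supplement", FIELDS[13:15] + FIELDS[18:20] + FIELDS[21:24]),
    ("request_webhook_notification_supplement", FIELDS[15:18] + FIELDS[20:21]),
    ("recurrence_guard_backfill_required", FIELDS[24:29]),
]
ATTESTATIONS = FIELDS[29:33]  # must be literally True, never a string
# Signals the plan says may never count as acceptance (these constant names are assumed).
FALSE_GREEN = {"cd_success", "deploy_marker", "workflow_success", "route_200", "runner_online", "ui_visible", "awooop_approval"}
# Material that must never appear in a readback: key blocks, credential URLs, auth headers, token=...
SENSITIVE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----|://[^/\s:]+:[^@\s]+@"
    r"|(?i:authorization:\s*\S+|bearer\s+[A-Za-z0-9._\-]{16,}|\b(?:token|secret|password)=\S+)"
)

def classify_readback(package: dict) -> tuple[str, list[str]]:
    """Return (outcome lane, missing required fields); checks run in priority order."""
    if not package:
        return "waiting_post_incident_readback", list(FIELDS)
    # 1. Any sensitive value quarantines the whole package before anything else is read.
    if any(isinstance(v, str) and SENSITIVE.search(v) for v in package.values()):
        return "quarantine_sensitive_payload", []
    missing = [f for f in FIELDS if f not in package]
    # 2. Absent/false attestations: the three no-leak ones quarantine (conservative assumption), no-false-green rejects.
    if any(package.get(a) is not True for a in ATTESTATIONS[:3]):
        return "quarantine_sensitive_payload", missing
    if package.get(ATTESTATIONS[3]) is not True or package.get("acceptance_basis") in FALSE_GREEN:
        return "reject_false_green_claim", missing
    for lane, fields in SUPPLEMENT_LANES:
        if any(f in missing for f in fields):
            return lane, missing
    return "ready_for_cd_runner_secret_post_incident_review", missing
```

A package whose values are opaque refs such as `ref:incident_or_change_ref:0123abcd` with all four attestations set to `True` lands in `ready_for_cd_runner_secret_post_incident_review`; the lane order mirrors the plan, so a leaked header is quarantined even when every field is present.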
## 6. Blocked actions
This plan explicitly blocks: modifying workflows, dispatching workflows without approval, enabling / installing / restarting runners, changing runner labels, using runner admin tokens, enabling GitHub hosted runners, collecting secret values / hashes / partial tokens / runner tokens / webhook secrets / deploy key private material, storing raw workflow payloads / unredacted action logs, creating / updating / rotating / deleting repo secrets, reading the secret store, changing the secret injection path, changing webhooks, changing deploy keys, changing branch protection, changing CODEOWNERS, syncing refs, force pushing, switching GitHub to primary, disabling Gitea, executing the CD pipeline as an action, injecting K8s secrets, ArgoCD sync, production deploy, adding action buttons or opening the runtime gate.
## 7. Completion and boundaries
| Task | Completion | Boundary |
|------|--------|------|
| CD / Runner / Secret injection post-incident readback plan | `100%` | read-only plan and snapshot created |
| Secret metadata read-only governance maturity | `68% -> 70%` | only means the post-incident readback fields are filled in; does not mean secrets can be read or changed |
| Gitea workflow / runner source-control read-only governance maturity | `72% -> 74%` | only means the workflow / runner post-incident readback fields are filled in; does not mean workflows / runners can be modified |
| post-incident readback received / accepted | `0%` | no post-incident readback received or accepted yet |
| runtime gate | `0` | no workflow, runner, secret, deploy, ArgoCD or production action is opened |
## 8. Next steps
1. Ask the owner to provide only post-incident readback refs: workflow diff state, runner attestation, secret name parity, secret injection route, Gitea run readback, guard result, deploy marker, notification receipt, rollback owner and post-check evidence.
2. The reviewer checks only metadata completeness, no-secret-value, log redaction and no-false-green, and does not store raw workflow payloads, raw action logs or credential material.
3. Any future move into a runtime approval package requires a separate maintenance window, rollback owner, cross-project sync and production post-check gate.