{
"schema_version": "source_control_workflow_secret_name_local_evidence_v1",
"status": "draft_partial_local_evidence",
"date": "2026-06-04",
"mode": "local_read_only_redacted_inventory",
"runtime_execution_authorized": false,
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"summary": {
"candidate_repo_count": 8,
"local_repo_visible_count": 7,
"local_evidence_repo_count": 4,
"workflow_file_count": 31,
"gitea_workflow_file_count": 10,
"github_workflow_file_count": 21,
"codeowners_file_count": 2,
"unique_secret_name_count": 42,
"runner_label_count": 5,
"secret_value_collection_allowed": false,
"secret_value_detected": false,
"runtime_actions_authorized": false,
"action_buttons_allowed": false
},
"unique_secret_names": [
"ARGOCD_API_TOKEN",
"AWOOOI_GITEA_API_TOKEN",
"AWOOOI_GITEA_WEBHOOK_SECRET",
"AWOOOP_OPERATOR_API_KEY",
"CD_PUSH_TOKEN",
"CLAUDE_API_KEY",
"CODECOV_TOKEN",
"DATABASE_URL",
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"GITEA_MIRROR_TOKEN",
"GITHUB_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"HARBOR_USERNAME",
"INTERNAL_WEBHOOK_TOKEN",
"JWT_ALGORITHM",
"JWT_SECRET",
"KUBE_CONFIG_PREVIEW",
"KUBE_CONFIG_PROD",
"KUBE_CONFIG_PRODUCTION",
"KUBE_CONFIG_STAGING",
"LANGFUSE_PUBLIC_KEY",
"LANGFUSE_SECRET_KEY",
"MIGRATION_DATABASE_URL",
"NEMOTRON_BOT_TOKEN",
"NVIDIA_API_KEY",
"OPENCLAW_BOT_TOKEN",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"OPENCLAW_TG_USER_WHITELIST",
"REDIS_URL",
"RUNNER_ADMIN_TOKEN",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"SMTP_HOST",
"SRE_GROUP_CHAT_ID",
"STAGING_API_URL",
"STAGING_FRONTEND_URL",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
],
"runner_label_names": [
"awoooi-host",
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"repos": [
{
"repo_key": "awoooi",
"repo_path": "/private/tmp/awoooi-iwooos-governance-p0-20260604",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"risk": "HIGH",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/ansible-lint.yml",
"workflow_display_name": "Ansible Lint",
"trigger_names": [
"paths",
"pull_request",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/cd-dev.yaml",
"workflow_display_name": "CD Pipeline (Dev)",
"trigger_names": [
"branches",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"HARBOR_PASSWORD",
"HARBOR_USERNAME",
"NVIDIA_API_KEY",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/cd.yaml",
"workflow_display_name": "CD Pipeline",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"awoooi-host"
],
"environment_names": [],
"referenced_secret_names": [
"ARGOCD_API_TOKEN",
"AWOOOI_GITEA_API_TOKEN",
"AWOOOI_GITEA_WEBHOOK_SECRET",
"AWOOOP_OPERATOR_API_KEY",
"CD_PUSH_TOKEN",
"CLAUDE_API_KEY",
"DATABASE_URL",
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"HARBOR_PASSWORD",
"HARBOR_USERNAME",
"JWT_ALGORITHM",
"JWT_SECRET",
"LANGFUSE_PUBLIC_KEY",
"LANGFUSE_SECRET_KEY",
"MIGRATION_DATABASE_URL",
"NEMOTRON_BOT_TOKEN",
"NVIDIA_API_KEY",
"OPENCLAW_BOT_TOKEN",
"OPENCLAW_TG_USER_WHITELIST",
"REDIS_URL",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"SMTP_HOST",
"SRE_GROUP_CHAT_ID",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/code-review.yaml",
"workflow_display_name": "Code Review",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/deploy-alerts.yaml",
"workflow_display_name": "Deploy Alert Rules",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"TELEGRAM_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/e2e-health.yaml",
"workflow_display_name": "E2E Health Check",
"trigger_names": [
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"AWOOOP_OPERATOR_API_KEY",
"OPENCLAW_TG_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/run-migration.yml",
"workflow_display_name": "run-migration",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DATABASE_URL",
"MIGRATION_DATABASE_URL",
"TELEGRAM_BOT_TOKEN"
]
},
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/type-sync-check.yaml",
"workflow_display_name": "Type Sync Check",
"trigger_names": [
"branches",
"paths",
"pull_request",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/cd.yaml",
"workflow_display_name": "CD",
"trigger_names": [
"default",
"description",
"force_deploy",
"inputs",
"skip_api",
"skip_web",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [
"production"
],
"referenced_secret_names": [
"CLAUDE_API_KEY",
"DATABASE_URL",
"GEMINI_API_KEY",
"GITEA_MIRROR_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"KUBE_CONFIG_PROD",
"NVIDIA_API_KEY",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"REDIS_URL",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"WEBHOOK_HMAC_SECRET"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/ci.yaml",
"workflow_display_name": "CI",
"trigger_names": [
"branches",
"pull_request",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"CODECOV_TOKEN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/daily-e2e-health.yaml",
"workflow_display_name": "Daily E2E Health Check",
"trigger_names": [
"api_url",
"default",
"description",
"dry_run",
"inputs",
"options",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/deploy-prod.yml",
"workflow_display_name": "Deploy to Production",
"trigger_names": [
"default",
"deploy_api",
"deploy_web",
"deploy_worker",
"description",
"inputs",
"required",
"skip_tests",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/nightly-llm.yaml",
"workflow_display_name": "Nightly LLM Tests",
"trigger_names": [
"default",
"description",
"inputs",
"required",
"schedule",
"timeout",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/runner-healthcheck.yml",
"workflow_display_name": "Runner Health Check",
"trigger_names": [
"default",
"description",
"inputs",
"notify_telegram",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
}
],
"codeowners_files": [],
"referenced_secret_names": [
"ARGOCD_API_TOKEN",
"AWOOOI_GITEA_API_TOKEN",
"AWOOOI_GITEA_WEBHOOK_SECRET",
"AWOOOP_OPERATOR_API_KEY",
"CD_PUSH_TOKEN",
"CLAUDE_API_KEY",
"CODECOV_TOKEN",
"DATABASE_URL",
"DEPLOY_SSH_KEY",
"GEMINI_API_KEY",
"GITEA_MIRROR_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"HARBOR_USERNAME",
"JWT_ALGORITHM",
"JWT_SECRET",
"KUBE_CONFIG_PROD",
"LANGFUSE_PUBLIC_KEY",
"LANGFUSE_SECRET_KEY",
"MIGRATION_DATABASE_URL",
"NEMOTRON_BOT_TOKEN",
"NVIDIA_API_KEY",
"OPENCLAW_BOT_TOKEN",
"OPENCLAW_TG_BOT_TOKEN",
"OPENCLAW_TG_CHAT_ID",
"OPENCLAW_TG_USER_WHITELIST",
"REDIS_URL",
"SENTRY_AUTH_TOKEN",
"SENTRY_DSN",
"SMTP_HOST",
"SRE_GROUP_CHAT_ID",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID",
"WEBHOOK_HMAC_SECRET"
],
"runner_label_names": [
"awoooi-host",
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"environment_names": [
"production"
],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "clawbot-v5",
"repo_path": "/Users/ogt/clawbot-v5",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "wooo-aiops",
"repo_path": "/Users/ogt/wooo-aiops",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/deploy-uat.yaml",
"workflow_display_name": "Deploy to UAT",
"trigger_names": [
"branches",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/cd.yaml",
"workflow_display_name": "CD Pipeline",
"trigger_names": [
"description",
"environment",
"inputs",
"options",
"release",
"required",
"type",
"types",
"version",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [
"description: \"Target environment\"",
"name: production",
"staging"
],
"referenced_secret_names": [
"GITHUB_TOKEN",
"KUBE_CONFIG_PRODUCTION",
"KUBE_CONFIG_STAGING",
"STAGING_API_URL",
"STAGING_FRONTEND_URL"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/ci.yml",
"workflow_display_name": "WOOO AIOps CI/CD (v4.1 Native BuildKit + ClawBot 告警)",
"trigger_names": [
"branches",
"default",
"description",
"force_deploy",
"inputs",
"push",
"required",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER",
"SENTRY_DSN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/clawbot-build.yml",
"workflow_display_name": "ClawBot Build & Push",
"trigger_names": [
"default",
"deploy_to_188",
"description",
"inputs",
"required",
"tag_suffix",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/clear-cache.yml",
"workflow_display_name": "🧹 Clear Next.js Cache (Panic Button)",
"trigger_names": [
"confirm",
"default",
"description",
"inputs",
"required",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/deploy.yml",
"workflow_display_name": "Deploy to K3s",
"trigger_names": [
"default",
"description",
"environment",
"inputs",
"options",
"required",
"skip_tests",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [
"description: 'Deployment environment'"
],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/fast-deploy-uat.yml",
"workflow_display_name": "🚀 Fast Deploy to UAT",
"trigger_names": [
"default",
"description",
"inputs",
"reason",
"required",
"skip_api",
"skip_frontend",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"SENTRY_DSN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/pr-check.yml",
"workflow_display_name": "PR Check",
"trigger_names": [
"pull_request",
"types"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"GITHUB_TOKEN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/preview.yml",
"workflow_display_name": "PR Preview Environment",
"trigger_names": [
"pull_request",
"types"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"KUBE_CONFIG_PREVIEW"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/rollback.yml",
"workflow_display_name": "🔄 Emergency Rollback (OPS.71)",
"trigger_names": [
"confirm",
"default",
"description",
"inputs",
"options",
"required",
"service",
"target_version",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"HARBOR_PASSWORD",
"HARBOR_USER"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/runner-healthcheck.yml",
"workflow_display_name": "Runner Health Check",
"trigger_names": [
"default",
"description",
"inputs",
"notify_telegram",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"GITHUB_TOKEN",
"RUNNER_ADMIN_TOKEN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/scheduled-build.yml",
"workflow_display_name": "Scheduled Snapshot Build",
"trigger_names": [
"default",
"description",
"force_build",
"inputs",
"required",
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": []
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/usage-monitor.yml",
"workflow_display_name": "📊 GitHub Actions Usage Monitor",
"trigger_names": [
"default",
"description",
"force_alert",
"inputs",
"required",
"schedule",
"workflow_dispatch"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"GITHUB_TOKEN"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/version-audit.yml",
"workflow_display_name": "🔍 Version Drift Audit",
"trigger_names": [
"default",
"description",
"force_alert",
"inputs",
"required",
"schedule",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"self-hosted"
],
"environment_names": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
}
],
"codeowners_files": [
{
"codeowners_path": "CODEOWNERS",
"owner_tokens": [
"@CIO",
"@CISO",
"@CPO",
"@CTO"
],
"owner_token_count": 4
},
{
"codeowners_path": ".github/CODEOWNERS",
"owner_tokens": [
"@owenhytsai"
],
"owner_token_count": 1
}
],
"referenced_secret_names": [
"GITHUB_TOKEN",
"HARBOR_PASSWORD",
"HARBOR_USER",
"KUBE_CONFIG_PREVIEW",
"KUBE_CONFIG_PRODUCTION",
"KUBE_CONFIG_STAGING",
"RUNNER_ADMIN_TOKEN",
"SENTRY_DSN",
"STAGING_API_URL",
"STAGING_FRONTEND_URL",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
],
"runner_label_names": [
"harbor",
"k8s",
"self-hosted",
"ubuntu-latest"
],
"environment_names": [
"description: \"Target environment\"",
"description: 'Deployment environment'",
"name: production",
"staging"
],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "wooo-infra-config",
"repo_path": "/Users/ogt/wooo-infra-config",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "github",
"workflow_file_path": ".github/workflows/validate.yml",
"workflow_display_name": "Validate Configs",
"trigger_names": [
"branches",
"pull_request",
"push"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
}
],
"codeowners_files": [],
"referenced_secret_names": [
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "ewoooc-momo",
"repo_path": "/Users/ogt/momo-pro-system",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system",
"scope_status": "in_scope",
"risk": "HIGH",
"local_status": "partial_local_evidence",
"workflow_files": [
{
"provider": "gitea",
"workflow_file_path": ".gitea/workflows/cd.yaml",
"workflow_display_name": "CD Pipeline",
"trigger_names": [
"branches",
"paths",
"push",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"INTERNAL_WEBHOOK_TOKEN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
]
},
{
"provider": "github",
"workflow_file_path": ".github/workflows/code-review.yml",
"workflow_display_name": "Aider Code Review",
"trigger_names": [
"branches",
"default",
"description",
"inputs",
"options",
"pull_request",
"push",
"required",
"review_type",
"target_files",
"type",
"workflow_dispatch"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"referenced_secret_names": []
}
],
"codeowners_files": [],
"referenced_secret_names": [
"DEPLOY_SSH_KEY",
"INTERNAL_WEBHOOK_TOKEN",
"TELEGRAM_BOT_TOKEN",
"TELEGRAM_CHAT_ID"
],
"runner_label_names": [
"ubuntu-latest"
],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "bitan-pharmacy",
"repo_path": "/Users/ogt/bitan-pharmacy",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "tsenyang-website",
"repo_path": "/Users/ogt/tsenyang-website",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"risk": "MEDIUM",
"local_status": "local_repo_visible_no_workflow_files",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"repo_key": "open-design",
"repo_path": "/Users/ogt/open-design",
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"risk": "LOW",
"local_status": "missing_local_repo",
"workflow_files": [],
"codeowners_files": [],
"referenced_secret_names": [],
"runner_label_names": [],
"environment_names": [],
"api_required_lanes": [
"webhook_inventory",
"deploy_key_inventory",
"branch_protection_inventory",
"repository_secret_name_parity"
],
"still_forbidden": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
}
],
"redaction_rules": [
"只保存 workflow 內引用的 secret 名稱,不保存 secret value。",
"不讀取 .env、secrets、private key、runner registration token 或 webhook secret。",
"不呼叫 GitHub / Gitea API，因此 webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted export 或 read-only API evidence。",
"任何含 raw secret/token/private key 的 payload 都必須拒收並進 quarantine。"
],
"forbidden_actions": [
"collect secret value",
"read .env or secret store",
"modify workflow",
"modify webhook",
"rotate secret",
"create GitHub repo",
"sync refs",
"switch GitHub primary",
"disable Gitea"
]
}