wooo/awoooi

Fork 0

Files

Your Name 5034e715fb

Code Review / ai-code-review (push) Successful in 14s

Details

CD Pipeline / tests (push) Successful in 1m29s

Details

CD Pipeline / build-and-deploy (push) Successful in 4m8s

Details

CD Pipeline / post-deploy-checks (push) Successful in 1m29s

Details

fix(iwooos): 新增 cd runner secret 變更證據驗收

2026-06-15 03:46:07 +08:00

8.3 KiB

Raw Blame History

CD / Runner / Secret 注入變更證據驗收只讀帳本

項目	內容
日期	2026-06-15
狀態	`change_evidence_acceptance_ledger_ready_no_runtime_action`
工具	`scripts/security/cd-runner-secret-injection-change-evidence-acceptance.py`
Snapshot	`docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json`
Source evidence	`docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json`
Source export request	`docs/security/source-control-workflow-secret-name-export-request.snapshot.json`
Source owner response	`docs/security/source-control-workflow-secret-name-owner-response.snapshot.json`
runtime gate	`0`

1. 目的

此帳本補在 workflow / runner / secret 名稱 inventory、redacted export request 與 owner response 收件包之後，專門驗收「CD / runner / secret injection 變更證據」是否足夠進入 reviewer acceptance。

它只處理 metadata-only evidence ref，不呼叫 Gitea / GitHub API、不讀 secret store、不讀 secret value、不修改 workflow、不啟用 runner、不 rotate secret、不 dispatch workflow、不觸發部署，也不把 deploy marker、Gitea Actions success、AwoooP approval 或 UI 可見狀態當成 runtime 授權。

2. 固定範圍

指標	數值	解讀
`change_evidence_candidate_count`	`5`	CD pipeline、Code Review、Deploy alerts、Runner attestation、Secret parity 五類候選
`c0_change_evidence_candidate_count`	`4`	CD、Code Review、Runner、Secret parity 為 C0
`c1_change_evidence_candidate_count`	`1`	Deploy alerts / monitoring route 為 C1
`write_capable_candidate_count`	`5`	五類都可能影響 workflow、runner、secret injection、通知或部署路徑
`local_workflow_file_count`	`33`	本機只讀 workflow evidence 數
`gitea_workflow_file_count`	`12`	Gitea workflow evidence 數
`github_workflow_file_count`	`21`	GitHub workflow evidence 數
`local_referenced_secret_name_count`	`42`	只保存 secret 名稱，不保存 value
`runner_label_count`	`5`	`awoooi-host`、`harbor`、`k8s`、`self-hosted`、`ubuntu-latest`
`export_request_count`	`9`	九個 in-scope repo 仍需 owner / read-only export
`export_lane_count`	`5`	webhook、runner、deploy key、branch protection / CODEOWNERS、secret name parity
`required_evidence_field_count`	`19`	變更證據必填欄位
`reviewer_check_count`	`19`	reviewer 必檢規則
`outcome_lane_count`	`8`	收件結果分流
`blocked_action_count`	`32`	明確禁止動作

3. 必填變更證據欄位

proposed_workflow_or_config_change_ref
workflow_diff_ref
runner_attestation_ref
secret_name_parity_ref
secret_injection_route_ref
deploy_marker_readback_ref
gitea_action_run_ref
guard_result_ref
log_redaction_review_ref
notification_route_owner_ref
blast_radius
maintenance_window
rollback_owner
rollback_plan_ref
postcheck_evidence_ref
affected_scope
redacted_evidence_refs
reviewer_outcome
not_approval

以上欄位都只能保存脫敏 ref、commit、artifact pointer、run id、job id、ticket 或 hash。不得貼 secret value、secret hash、masked token、partial token、runner token、webhook secret、private key、deploy key private material、cookie、authorization header、完整 credential URL 或未脫敏截圖。

4. Reviewer checks

Check	用途
`change_ref_present`	確認有 proposed workflow / config / policy change ref
`workflow_diff_ref_only`	確認只收 workflow diff ref 或 committed patch ref
`gitea_actions_run_readback_ref_shape`	確認 Gitea Actions readback 只保存 run / job / status ref
`deploy_marker_not_runtime_approval`	deploy marker 只能當部署證據，不代表 runtime approval
`runner_owner_attestation_present`	runner label、executor、host alias、owner 與維護窗口可追溯
`hosted_minutes_risk_review_present`	hosted runner 額度與供應鏈風險需獨立 review
`secret_name_parity_ref_only`	secret parity 只能保存名稱、scope、present-absent 與 owner metadata
`no_secret_value_or_hash`	確認沒有 secret value、hash、partial token 或 credential derivative
`secret_injection_path_called_out`	涉及 CD / K8s secret injection 時標出 injection path 與 owner
`step_env_with_secret_guard_result_present`	必須有 `check-gitea-step-env-secrets` 或等價 guard result
`telegram_route_owner_present`	通知路徑必須確認 SRE route owner，不得新增 legacy route
`deploy_key_and_webhook_material_absent`	不保存 webhook secret、deploy key private material、runner token 或 write token
`branch_protection_or_required_checks_impact_called_out`	影響 required checks / CODEOWNERS / branch protection 時需標出影響
`blast_radius_present`	標出 repo、workflow、runner、secret metadata、notification、deploy path 影響
`maintenance_window_present`	future workflow / runner / secret injection 變更需獨立維護窗口
`rollback_owner_present`	rollback owner 與回復方式必須可追溯
`postcheck_evidence_present`	需有 guard result、run status、route smoke 或 notification receipt ref
`no_execution_claim`	不把帳本、owner response、CD success 或 AwoooP approval 當執行批准
`cross_project_sync_noted`	影響 AwoooP、IwoooS、代理賞金協議、監控或公開服務時需跨專案同步 ref

5. Outcome lanes

Lane	說明
`waiting_change_evidence`	尚未收到 CD / runner / secret injection 變更證據
`quarantine_sensitive_payload`	收到敏感值、runner token、webhook secret、private key 或未脫敏截圖時隔離
`reject_unredacted_or_runtime_claim`	出現未脫敏 payload 或把 evidence 誤當執行批准時拒收
`request_supplement`	缺 workflow diff、runner owner、secret parity、guard result、rollback 或 post-check 時補件
`ready_for_reviewer_acceptance`	metadata 合格後進 reviewer acceptance
`ready_for_runtime_approval_package`	reviewer 接受後只能形成 runtime approval package
`waiting_maintenance_window`	future workflow / runner / secret injection 仍需獨立維護窗口
`waiting_runtime_gate`	change evidence accepted 後 runtime gate 仍等待獨立人工批准

6. 禁止動作

此帳本明確禁止修改 workflow、未批准 dispatch workflow、啟用或重啟 runner、修改 runner label、使用 runner admin token、啟用 GitHub hosted runner、收集 secret value / hash / partial token、建立 / 更新 / rotate / 刪除 repo secret、讀 secret store、修改 secret injection path、修改 webhook、修改 webhook secret、修改 deploy key、修改 branch protection、修改 CODEOWNERS、sync refs、force push、切 GitHub primary、停用 Gitea、把 CD pipeline 當 action 執行、注入 K8s secret、ArgoCD sync、production deploy 或新增 action button。

7. 完成度與邊界

工作	完成度	邊界
CD / Runner / Secret injection change evidence acceptance artifact	`100%`	只讀帳本與 snapshot 已建立
Gitea workflow / runner source-control 只讀治理成熟度	`70% -> 72%`	只代表變更證據驗收規則補齊，不代表 workflow / runner 可修改
Secret metadata 只讀治理成熟度	`66% -> 68%`	只代表 secret name / injection owner evidence gate 補齊，不代表可讀或可改 secret
change evidence received / accepted	`0%`	尚未收到或接受任何變更證據
runtime approval package	`0%`	尚未形成 runtime approval package
active runtime gate	`0`	不開 workflow、runner、secret、deploy、ArgoCD 或 production action

8. 下一步

要求 owner 只提供 workflow diff ref、runner attestation ref、secret name parity ref、secret injection route ref、Gitea run readback ref、guard result ref、rollback owner 與 post-check evidence。
reviewer 只檢查 metadata 完整性、no-secret-value 與 no-execution-claim，不保存 raw workflow payload 或 credential material。
若未來要進 runtime approval package，必須另開維護窗口、rollback owner、跨專案同步與 production post-check gate。

8.3 KiB Raw Blame History Unescape Escape

CD / Runner / Secret 注入變更證據驗收只讀帳本

1. 目的

2. 固定範圍

3. 必填變更證據欄位

4. Reviewer checks

5. Outcome lanes

6. 禁止動作

7. 完成度與邊界

8. 下一步

8.3 KiB

Raw Blame History