review: M7/D6 PASS — secret-grep clean across logs+dashboard+git; sops rotation doc matches reality
All checks were successful
continuous-integration/drone/push Build is passing

2026-05-27 07:55:33 +01:00
parent 537fd47818
commit 6bb3df0139


@ -311,3 +311,28 @@ assertions + 3 separately-reported stages each; clean teardown):
Verdict: **M6.5 PASS.** Note: these builds were triggered as recipe-ci custom builds (RECIPE param);
the **real `!testme`-on-a-PR** end-to-end for the breadth set is D10/M10, still to verify.
## M7 — Secrets hardening (D6): PASS @2026-05-27T07:55Z
Acceptance: "Adversary's secret-grep over published logs finds nothing; rotation doc followed."
Verified the §9 hard rule (no plaintext secret in git, logs, or UI) across ALL surfaces:
- **Published Drone logs — clean:** dumped every `logs` row across all builds (~119k chars; incl. the
6 recipe runs that generate app secrets). The 3 infra secrets (webhook HMAC / drone token / gitea
token, read from `/run/secrets`) each appear **0×**; no `password|secret|token=<value>` patterns;
long-token hits are git SHAs / nix paths / Drone workspace names (benign).
- **Dashboard — clean:** `https://ci.commoninternet.net/` (200) + `/badge/*.svg`: 0 secret patterns,
0 infra-secret values.
- **Git (all history) — clean:** each infra secret **0×**; `secrets/secrets.yaml` is sops-encrypted
(7× `ENC[…]`). No plaintext infra secret committed.
- **Redaction filter** (`run_recipe_ci.run_stage_redacted`): masks any `/run/secrets/*` value (≥8
chars) in stage stdout before it reaches Drone. Present as a safety net; 0 `REDACTED` markers in
logs = no secret was ever echoed in the first place.
- **Rotation doc (`docs/secrets.md`) matches reality:** `.sops.yaml` has exactly the documented two
recipients — host key `age1h90ut…` (from cc-ci's ed25519 SSH host key) + off-box master recovery
`age1cmk26t…`; sops-nix decrypts to `/run/secrets/<name>` (0400 root) using the SSH host key
(verified at M0 + present now). A1/A2 split + rotation steps are coherent.
Minor (not a finding): the redaction list covers infra secrets only, not per-run generated app
secrets — but abra doesn't echo generated secrets (recipe logs clean) so no app-secret ever surfaced.
Verdict: **M7 PASS.**
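Review bot: the inference "0 `REDACTED` markers in logs = no secret was ever echoed" (redaction-filter bullet) only holds for values the filter knows about, i.e. the three `/run/secrets/*` infra secrets of ≥8 chars; the later "Minor" paragraph concedes the per-run generated app secrets are outside the redaction list, so for those the evidence is the grep over the 6 recipe-run logs, not the absence of markers. Suggest wording the bullet as "0 `REDACTED` markers = no infra secret was echoed" and stating in the M7 verdict line that app-secret cleanliness rests on the log grep alone. Two smaller points: the grep counts literal values ("each appear 0×"), so a base64/hex-encoded or URL-encoded copy of a secret would not have been counted, and a note on whether encoded forms were searched would close that gap in the evidence; and the ≥8-char threshold means any shorter `/run/secrets/*` value is never masked, which `docs/secrets.md` should record as a known limit of the safety net.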