This repository was archived by the owner on Apr 30, 2026. It is now read-only.

[Backlog Discovery] feat(backlog): workflow-log-redaction-and-sensitive-data-guardrails #117

Open
bestony wants to merge 1 commit into main from
backlog/20260221085515-workflow-log-redaction-and-sensitive-data-guardrails-workflow

Conversation

@bestony (Owner)

@bestony bestony commented Feb 21, 2026

[Backlog Discovery]

  • Requirement title: Add sensitive-data redaction and leak blocking for workflow logs/summaries
  • Priority: P1
  • Requirement file: backlog/20260221085515-workflow-log-redaction-and-sensitive-data-guardrails.md
  • Dedupe key: workflow-log-redaction-and-sensitive-data-guardrails
  • Source run: https://github.com/bestony/self/actions/runs/22253890389

@gemini-code-assist

Summary of Changes

Hello @bestony, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a key requirements document aimed at addressing the risk of sensitive information leaking through automated workflow logs and summaries. The document identifies the current system's shortcomings in handling sensitive data and proposes a comprehensive solution to improve log security, ensure compliance, and lay the groundwork for future development work.

Highlights

  • New requirement definition: Added a new requirements document detailing the necessity, goals, proposed solution, and acceptance criteria for implementing sensitive-data redaction and leak blocking in workflow logs and summaries.
Changelog
  • backlog/20260221085515-workflow-log-redaction-and-sensitive-data-guardrails.md
    • Added a detailed requirements document on sensitive-data redaction and leak blocking for workflow logs.
Activity
  • No human activity on this pull request since it was created.

@gemini-code-assist (bot) left a comment

Code Review

This PR adds a backlog requirements document on "sensitive-data redaction and leak blocking for workflow logs/summaries". The document is well structured, covering the requirement background, target users, core scenarios, external research evidence, and clear acceptance criteria. The content is thorough and follows security best practices (such as using ::add-mask:: and a fail-fast mechanism). No medium- or high-risk issues were found.

@github-actions

[Reviewer Workflow]
Reviewer: Product Manager

Requirement value assessment

  • Valuable: Yes
  • Priority: P1
  • Reviewer's conclusion: Given the risk of sensitive-information exposure in self's automated logs and archives, this requirement would significantly improve security and compliance credibility and is worth including in a near-term iteration.

Value points

  • Reduces the risk of sensitive information leaking through self's workflow logs, Job Summaries, and automated comments, protecting repository collaborators and the system's security boundary.
  • Improves the auditability and credibility of the self-driving system in security/compliance scenarios, laying the groundwork for scaling automation later.
  • Reduces maintainers' operational cost and risk exposure from handling leak incidents, through unified redaction and a configurable policy.

Risks and suggestions

  • The evidence is mostly generic security guidance and lacks quantified evidence of existing leak cases in self or of the scale of impact; suggest adding recent log samples or historical incident data to support the priority.
  • The solution touches multiple output and archiving stages and may introduce performance and false-positive risks; suggest clearly defining the detection boundary for the core scenarios and the default policy for fail-fast vs. observe mode.
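The review above asks for a defined detection boundary and a default for fail-fast vs. observe mode, and the Gemini comment mentions ::add-mask:: and fail-fast as the intended mechanisms. The following is an added, hypothetical example of such a guardrail in Python; it is not code from the self repository, and the detector patterns, the `MARKER` string, the `observe`/`fail-fast` mode names and the sample log lines are all constructed for illustration. It redacts secret-looking values in captured step output, emits GitHub Actions `::add-mask::` commands for the raw values so the runner masks any later occurrences, and either annotates (observe) or blocks (fail-fast).

```python
"""Hypothetical log-redaction guardrail (added example, not part of the self
project). Scans workflow output for secret-looking values, replaces them with a
fixed marker, and reports findings either as warnings (observe mode) or as a
blocking error (fail-fast mode). The detector patterns are illustrative only."""
import re
import sys
from dataclasses import dataclass, field

MARKER = "***REDACTED***"

# Illustrative detectors. Each regex has exactly one capture group: the secret value.
PATTERNS = {
    "github-token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "bearer-token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})"),
    "credential-assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret)\s*[=:]\s*([^\s'\"]{6,})"),
}


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned output
    kind: str      # key of PATTERNS that fired
    value: str     # raw value, kept only so it can be registered with ::add-mask::


@dataclass
class ScanResult:
    redacted: list[str] = field(default_factory=list)
    findings: list[Finding] = field(default_factory=list)
    masks: list[str] = field(default_factory=list)  # unique raw values to mask
    blocked: bool = False


def redact_line(line: str) -> tuple[str, list[tuple[str, str]]]:
    """Replace every detected secret in one line with MARKER.
    Returns the cleaned line and a list of (kind, raw_value) pairs."""
    found: list[tuple[str, str]] = []
    for kind, rx in PATTERNS.items():
        def _replace(m: re.Match, kind: str = kind) -> str:
            value = m.group(1)
            if value == MARKER:  # already masked by an earlier pattern; do not double-count
                return m.group(0)
            found.append((kind, value))
            whole = m.group(0)
            s, e = m.start(1) - m.start(0), m.end(1) - m.start(0)
            return whole[:s] + MARKER + whole[e:]
        line = rx.sub(_replace, line)
    return line, found


def scan(lines, mode: str = "observe") -> ScanResult:
    """Redact all lines. In 'observe' mode findings are reported and the run continues;
    in 'fail-fast' mode any finding marks the result as blocked."""
    if mode not in ("observe", "fail-fast"):
        raise ValueError(f"unknown mode: {mode}")
    result = ScanResult()
    for line_no, line in enumerate(lines, 1):
        clean, found = redact_line(line)
        result.redacted.append(clean)
        for kind, value in found:
            result.findings.append(Finding(line_no, kind, value))
            if value not in result.masks:
                result.masks.append(value)
    result.blocked = mode == "fail-fast" and bool(result.findings)
    return result


def workflow_commands(result: ScanResult) -> list[str]:
    """Lines to print from inside a GitHub Actions step. The runner consumes
    '::add-mask::VALUE' without echoing it and masks VALUE in later log output;
    '::warning::' / '::error::' become annotations on the run."""
    cmds = [f"::add-mask::{v}" for v in result.masks]
    level = "error" if result.blocked else "warning"
    for f in result.findings:
        cmds.append(f"::{level}::possible {f.kind} in workflow output (line {f.line_no})")
    return cmds


# Constructed sample output; every secret-looking value here is fake.
SAMPLE_LOG = [
    "[step] fetching artifacts",
    "export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
    "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.fakepayload.fakesig' https://api.example",
    "db password=hunter2hunter2 host=db.internal",
    "done in 3.2s",
]

if __name__ == "__main__":
    # Usage: some_command 2>&1 | python guardrail.py [observe|fail-fast]
    mode = sys.argv[1] if len(sys.argv) > 1 else "observe"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    res = scan((l.rstrip("\n") for l in source), mode)
    print("\n".join(workflow_commands(res)))
    print("\n".join(res.redacted))  # write these, not the raw lines, to the Job Summary
    sys.exit(1 if res.blocked else 0)
```

Two points the design relies on: `::add-mask::` only affects output the runner sees after the command, so the guardrail has to sit between the producing command and anything that writes to the log or Job Summary, and the redacted lines rather than the raw ones are what should reach the summary or an automated comment. The mode switch is where the reviewer's default-policy question lands: starting in observe mode surfaces false positives from the patterns without breaking runs, and the same scan flips to fail-fast once the detector set is trusted.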
