21 KiB
Gitea 到 GitHub 全量版本轉移 Inventory
| 項目 | 內容 |
|---|---|
| 日期 | 2026-05-12 |
| 狀態 | 第二版 read-only inventory,尚未開始同步或主控切換 |
| 範圍 | Source control / CI/CD supply chain security |
| 上游 handoff | docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md |
| branch/tag/SHA 盤點工具 | scripts/security/source-control-migration-inventory.py |
| repo list 盤點工具 | scripts/security/gitea-repo-inventory.py |
| 本機 remote 盤點工具 | scripts/security/local-git-remote-inventory.py |
| 最新 branch/tag/SHA snapshot | docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md / docs/security/gitea-github-awoooi-inventory.snapshot.json |
| 最新 repo list snapshot | docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md / docs/security/gitea-repo-inventory.snapshot.json |
| Gitea org endpoint blocked snapshot | docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md / docs/security/gitea-org-repo-inventory-blocked.snapshot.json |
| Gitea public search snapshot | docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md / docs/security/gitea-public-repo-search.snapshot.json |
| Gitea server-side inventory runbook | docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md |
| Gitea read-only inventory approval package | docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md / docs/security/gitea-readonly-inventory-approval.snapshot.json |
| Gitea admin export redaction checklist | docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md |
| 最新本機 remote snapshot | docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md / docs/security/local-git-remote-inventory.snapshot.json |
| GitHub target probe | docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md / docs/security/github-target-probe.snapshot.json |
| 本機 canonical lineage probe | docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md / docs/security/local-repo-canonical-ewoooc-momo.snapshot.json |
| Internal 110 refs probe | docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md / docs/security/git-remote-refs-bitan-tsenyang.snapshot.json |
| wooo-infra-config refs probe | docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md / docs/security/git-remote-refs-wooo-infra-config.snapshot.json |
| GitHub target 決策表 | docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md / docs/security/github-target-decision.snapshot.json |
| GitHub target repo-by-repo approval package | docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md / docs/security/github-target-repo-approval-package.snapshot.json |
| Source Control draft reconcile plan | docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md / docs/security/source-control-reconcile-plan.snapshot.json |
| Source Control branch/tag detail diff | docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md / docs/security/source-control-ref-detail-diff.snapshot.json |
| Source Control ref truth classification | docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md / docs/security/source-control-ref-truth-classification.snapshot.json |
| Source Control ref truth owner response | docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md / docs/security/source-control-ref-truth-owner-response.snapshot.json |
| Workflow / secret name owner response | docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md / docs/security/source-control-workflow-secret-name-owner-response.snapshot.json |
| Owner response validation rollup | docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md / docs/security/source-control-owner-response-validation-rollup.snapshot.json |
| Source Control 遷移矩陣 | docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md |
| Canonical repo 判定表 | docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md |
0. 重要結論
目前不能直接把 GitHub 切成 primary。
第二輪只讀盤點顯示,至少目前工作中的 awoooi repo 存在以下差異:
- GitHub
origin與 Giteagitea的mainSHA 不一致。 - Gitea 有大量
drift/adopt-*分支,GitHub 沒有;截至 2026-05-13 最新 ref detail diff,忽略本 PR 分支後 Gitea heads 為 117 條,GitHub heads 為 2 條。 - Gitea 有 release tags,GitHub 目前查不到 tags。
- 本機
gitearemote URL 內嵌憑證,這是 credential hygiene 風險;不得寫入文件、不得複製到 GitHub,後續需移除並輪替。 - Gitea
wooouser endpoint 在未提供 token 時可見wooo/awoooi與wooo/ewoooc,目前gitea_repo_inventory_v1.status=partial。 - Gitea org endpoint 未認證查詢仍回 404;未提供 token 的結果只代表 public-only 可見範圍,不代表 private/internal repos 已完整盤到。
- Gitea read-only inventory approval package 已建立;取得只讀 token 或管理匯出前,必須先經人工批准,且不得保存 token value。
- GitHub target probe 顯示 8 個候選中 5 個可讀、3 個為
not_found_or_private:owenhytsai/ewoooc、owenhytsai/bitan-pharmacy、owenhytsai/tsenyang-website。 ewoooc-momo-pro-system本機 lineage probe 顯示三個 working tree 近期 sample 內無共同 commit,因此不得自動視為複本或同一 repo 分支。bitan-pharmacy與tsenyang-website的 110 remote refs probe 顯示本機main與 remotemain對齊,各 1 head / 0 tags;但 GitHub target 仍未確認。wooo-infra-config的 GitHub remote 與本機main對齊;110 internal remote 目前 read-only probe 不可讀,需判斷是否為舊 remote、mirror 或權限問題。- GitHub target 決策表已建立,8 個候選中 7 個需人工批准;其中
ewoooc、bitan-pharmacy、tsenyang-website在 target visibility / owner 決策前不得自動建立或同步。 - GitHub target repo-by-repo approval package 已建立,7 個 approval-required targets 拆成 refs reconcile、target 建立 / 授權、internal remote 用途確認三條路徑;此 package 採低摩擦原則,只 gate 高風險執行,不阻擋 read-only evidence。
- Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;S4.11 已補 5 個 owner response templates,received / accepted response 皆為 0。這是人工判定隊列與收件框架,不是同步批准。
- Workflow / secret 名稱 owner response 已建立,S4.12 補 5 個 response templates,received / accepted response 皆為 0;這只允許 owner 補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition,不授權收 secret value、修改 workflow、啟用 GitHub hosted runner 或切 GitHub primary。
- Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,共 22 個 response templates、received / accepted response 皆為 0;這只是驗收總覽,不是 approval、runtime gate 或執行授權。
- 本機可見 Git working tree 輔助盤點已找到 13 個 repo,其中去重後 Gitea repo 4 個、GitHub repo 5 個、110 內部 repo 4 個;此結果可用來補遷移矩陣,但不能取代 Gitea server 全量清單。
因此後續必須先完成「repo/branch/tag/workflow/webhook/permission/secrets 名稱」全量 inventory,再逐步 mirror 與驗證。
1. 本輪 read-only 探測
| 檢查 | 結果 |
|---|---|
git remote -v |
已確認 origin 指向 GitHub,gitea 指向本地 Gitea;未在文件中保存憑證 |
| GitHub heads | 2 條 |
| Gitea heads | 117 條,已忽略本 PR 分支 |
| GitHub tags | 0 條 |
| Gitea tag refs | 4 條 raw refs,實際 tag 為 v7.2.0、v7.3.0 |
| Gitea org API | 未認證查詢 http://192.168.0.110:3001/api/v1/orgs/wooo/repos 回 404,保留為 endpoint 判定 evidence |
| Gitea user API | 未認證查詢 http://192.168.0.110:3001/api/v1/users/wooo/repos 回 200,取得 public repos 2 個 |
| Gitea public search API | 未認證查詢 /api/v1/repos/search 回 200,取得 wooo/awoooi、wooo/ewoooc |
| 可重跑工具 | python3 scripts/security/source-control-migration-inventory.py --repo . --gitea-remote gitea --github-remote origin --output-json docs/security/gitea-github-awoooi-inventory.snapshot.json --output-md docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md |
| Gitea repo list 工具 | python3 scripts/security/gitea-repo-inventory.py --base-url http://192.168.0.110:3001 --org wooo --scope user --github-owner owenhytsai --output-json docs/security/gitea-repo-inventory.snapshot.json --output-md docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md |
| Gitea read-only inventory approval | docs/security/gitea-readonly-inventory-approval.snapshot.json |
| Gitea public search 工具 | python3 scripts/security/gitea-repo-inventory.py --base-url http://192.168.0.110:3001 --org public-search --github-owner owenhytsai --scope search --limit 100 --output-json docs/security/gitea-public-repo-search.snapshot.json --output-md docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md |
| 本機 remote 盤點工具 | python3 scripts/security/local-git-remote-inventory.py --root /Users/ogt --root "/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs" --max-depth 4 --output-json docs/security/local-git-remote-inventory.snapshot.json --output-md docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md |
| GitHub target probe 工具 | python3 scripts/security/github-target-probe.py --candidate owenhytsai/awoooi --candidate owenhytsai/clawbot-v5 --candidate owenhytsai/wooo-aiops --candidate owenhytsai/wooo-infra-config --candidate owenhytsai/ewoooc --candidate owenhytsai/bitan-pharmacy --candidate owenhytsai/tsenyang-website --candidate nexu-io/open-design --output-json docs/security/github-target-probe.snapshot.json --output-md docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md |
| 本機 canonical lineage 工具 | python3 scripts/security/local-repo-canonical-probe.py --group-name ewoooc-momo-pro-system --repo local-momo-gitea=/Users/ogt/momo-pro-system --repo icloud-momo-gitea="/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs/momo-pro-system" --repo local-momo-gitlab=/Users/ogt/momo_pro_system --sample-limit 100 --git-timeout 8 --output-json docs/security/local-repo-canonical-ewoooc-momo.snapshot.json --output-md docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md |
| Internal 110 refs 工具 | python3 scripts/security/git-remote-refs-probe.py --group-name internal-110-bitan-tsenyang --repo bitan-pharmacy=/Users/ogt/bitan-pharmacy=origin --repo tsenyang-website=/Users/ogt/tsenyang-website=origin --output-json docs/security/git-remote-refs-bitan-tsenyang.snapshot.json --output-md docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md |
| wooo-infra-config refs 工具 | python3 scripts/security/git-remote-refs-probe.py --group-name wooo-infra-config-remotes --repo wooo-infra-config-gitea=/Users/ogt/wooo-infra-config=gitea --repo wooo-infra-config-github=/Users/ogt/wooo-infra-config=origin --output-json docs/security/git-remote-refs-wooo-infra-config.snapshot.json --output-md docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md |
| GitHub target 決策 snapshot | docs/security/github-target-decision.snapshot.json,依前述 read-only evidence 人工彙整,非執行工具,不授權 repo 建立或 visibility 修改 |
| GitHub target repo-by-repo approval snapshot | docs/security/github-target-repo-approval-package.snapshot.json,逐 repo 拆分 approval path,不授權執行 |
| Source Control draft reconcile plan | docs/security/source-control-reconcile-plan.snapshot.json,只產生 draft_blocked 草案,不授權 refs sync |
| Source Control branch/tag detail diff | docs/security/source-control-ref-detail-diff.snapshot.json,保存 3 個 refs-blocked mapped repos 的 branch/tag 明細,不授權 fetch/push |
| Source Control ref truth classification | docs/security/source-control-ref-truth-classification.snapshot.json,將 ref diff 轉成單 ref 人工判定隊列,不授權 sync/delete |
| Workflow / secret name owner response | docs/security/source-control-workflow-secret-name-owner-response.snapshot.json,固定 5 類 response templates,不授權 secret value collection、workflow modification、hosted runner enablement 或 primary switch |
| Owner response validation rollup | docs/security/source-control-owner-response-validation-rollup.snapshot.json,集中顯示 S4.9-S4.12 四包 response validation,不授權 approval 或 runtime action |
1.1 Gitea repo list snapshot
| 欄位 | 值 |
|---|---|
| Schema | gitea_repo_inventory_v1 |
| Status | partial |
| Query mode | user |
| Visibility scope | public_only |
| HTTP status | 200 |
| Repo count | 2 |
| Token present | false |
| Snapshot | docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md / docs/security/gitea-repo-inventory.snapshot.json |
| Org endpoint blocked snapshot | docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md / docs/security/gitea-org-repo-inventory-blocked.snapshot.json |
| 阻塞原因 | 未提供 token,結果只代表公開可見 repo;private/internal repos 仍需只讀 token 或管理匯出 |
此結果代表目前已完成 public-only server-side repo list,但尚未完成「Gitea 所有專案」盤點。不得開始批量同步、刪除、封存或 GitHub primary 切換。
1.1.1 Gitea public search snapshot
| 欄位 | 值 |
|---|---|
| Schema | gitea_repo_inventory_v1 |
| Status | partial |
| HTTP status | 200 |
| Repo count | 2 |
| Token present | false |
| 可見 repos | wooo/awoooi、wooo/ewoooc |
| Snapshot | docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md / docs/security/gitea-public-repo-search.snapshot.json |
此結果代表 Gitea 有公開 repo 可被 read-only search 看到,但 private/internal repos 仍可能缺席。因此它只能補強 evidence,不能取代只讀 token 或管理匯出。完整操作方式見 docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md。
1.2 本機 Git remote snapshot
| 欄位 | 值 |
|---|---|
| Schema | local_git_remote_inventory_v1 |
| Status | partial |
| 掃描 roots | /Users/ogt、/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs |
| Working tree count | 13 |
| Gitea linked working trees | 6 |
| GitHub linked working trees | 6 |
| Mapped working trees | 4 |
| Gitea-only working trees | 2 |
| GitHub-only working trees | 2 |
| 110 internal-only working trees | 3 |
| 去重後 Gitea repos | wooo/awoooi、wooo/clawbot-v5、wooo/ewoooc、wooo/wooo-aiops |
| 去重後 GitHub repos | nexu-io/open-design、owenhytsai/awoooi、owenhytsai/clawbot-v5、owenhytsai/wooo-aiops、owenhytsai/wooo-infra-config |
| 去重後 110 internal repos | bitan-pharmacy、root/momo-pro-system、tsenyang-website、wooo/wooo-infra-config |
| Snapshot | docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md / docs/security/local-git-remote-inventory.snapshot.json |
此 snapshot 只能代表本機可見 working tree。它揭露了 Gitea API 之外的 source control 風險:仍有專案只連到 110 內部 remote 或 GitLab 類 remote,GitHub primary 切換前也要納入遷移矩陣。
第一版派工矩陣已建立於 docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md。該矩陣將 awoooi、ewoooc、clawbot-v5、wooo-aiops、bitan-pharmacy、tsenyang-website、wooo-infra-config 等 source-control target 拆成 P0/P1/P2,不授權任何自動同步或刪除。
2026-05-12 追加 refs diff:已對 wooo/clawbot-v5 與 wooo/wooo-aiops 產生 read-only refs snapshot,兩者皆為 blocked。因此目前已驗證的 mapped repos 中,awoooi、clawbot-v5、wooo-aiops 都不是 GitHub primary ready。
Canonical repo 判定表已建立於 docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md。wooo/ewoooc、root/momo-pro-system、momo-pro-system、momo_pro_system 目前列為待人工判定,不可自動合併。
GitHub target probe 已建立於 docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md。owenhytsai/ewoooc、owenhytsai/bitan-pharmacy、owenhytsai/tsenyang-website 目前未授權 read-only probe 看不到,因此不能視為已完成 GitHub target。
GitHub target 建立與可見性決策表已建立於 docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md。目前 github_target_decision_v1.status=draft,8 個 target 候選中 7 個 approval_required=true。此表只能作為下一階段 approval evidence,不能自動建立 repo、修改 visibility、同步 refs 或切 GitHub primary。
GitHub target repo-by-repo approval package 已建立於 docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md。目前 github_target_repo_approval_package_v1.status=draft,7 個 approval items 全部 pending。此 package 用於分段批准與 owner / visibility / canonical 判定,不得被解讀為已批准推版或同步。
2. 目前 repo 對照
| 欄位 | Gitea | GitHub | 狀態 |
|---|---|---|---|
| Repo | wooo/awoooi |
owenhytsai/awoooi |
已有對應 |
main |
5294f0712f1a3370d0155c0d88e5d10c6ec0250e |
202071f7a8724d5e8c29de441c3f380575a0ea94 |
不一致,阻塞主控切換 |
release/v1.0 |
d15fb7d9f4bac86873d5c16b9c17c527b8f38bef |
d15fb7d9f4bac86873d5c16b9c17c527b8f38bef |
一致 |
dev |
25889d4b8edcb83b6ec707c5eef3c21ae5d432b0 |
無 | GitHub 缺分支 |
drift/adopt-* |
多條 | 無 | GitHub 缺分支 |
v7.2.0 |
有 | 無 | GitHub 缺 tag |
v7.3.0 |
有 | 無 | GitHub 缺 tag |
3. Gitea-only 分支類型
| 類型 | 說明 | 建議處理 |
|---|---|---|
dev |
Gitea 上存在,GitHub 不存在 | 判斷是否仍使用;若使用,需同步 |
drift/adopt-* |
GitOps / drift adoption 類分支 | 先保留並同步或封存,不可直接刪除 |
main |
Gitea 與 GitHub SHA 不一致 | 需確認哪一端是部署真相 |
release/v1.0 |
兩端 SHA 一致 | 可標為已對齊 |
4. Credential Hygiene
本輪發現本機 git remote 內嵌 Gitea 憑證。後續處理原則:
- 不把憑證值寫入任何文件、LOGBOOK、issue、PR 或 chat。
- 切換前移除 local remote URL 中的 embedded credential。
- 改用 credential helper、只讀 token、或部署專用 secret store。
- 對既有 token 做 rotation。
- 在 AwoooP / AWOOOI audit 中記錄「已輪替」的 evidence,不記錄 token value。
5. 全量專案盤點待辦
目前只完成本工作目錄的 awoooi repo 初步盤點。要滿足「Gitea 目前所有專案版本都轉移到 GitHub」,仍需完成:
| 項目 | 狀態 | 備註 |
|---|---|---|
| Gitea org/repo list | 部分完成 | public-only user endpoint 已確認 2 個 repo;private/internal 仍需要只讀 token 或管理匯出 |
| 本機可見 Git remotes | 部分完成 | 只能當輔助 evidence,不等同 server 全量 |
| 每個 repo 的 GitHub 對應目標 | 部分完成 | 已有 8 個 target 候選與決策草案;仍需 owner / visibility / server-side refs 決策 |
| branches 全量 diff | 待盤點 | 每 repo 執行 heads 比對 |
| tags 全量 diff | 待盤點 | 每 repo 執行 tags 比對 |
| releases / artifacts | 待盤點 | Gitea API 或 UI 匯出 |
| issues / PR | 待盤點 | 需決定搬遷或封存 |
| workflows | 待盤點 | .gitea/workflows 改寫或保留 fallback |
| webhooks | 待盤點 | 對接 GitHub webhook 或 AwoooP event adapter |
| secrets 名稱 | 待盤點 | 只盤名稱與 owner,不搬 value |
| branch protection / CODEOWNERS | 待設計 | GitHub primary 前必備 |
6. source_control_migration_event_v1 範例
{
"schema_version": "source_control_migration_event_v1",
"gitea_repo": "wooo/awoooi",
"github_repo": "owenhytsai/awoooi",
"branch_count_gitea": 117,
"branch_count_github": 2,
"tag_count_gitea": 2,
"tag_count_github": 0,
"latest_sha_gitea": "5294f0712f1a3370d0155c0d88e5d10c6ec0250e",
"latest_sha_github": "202071f7a8724d5e8c29de441c3f380575a0ea94",
"workflows_mapped": false,
"webhooks_mapped": false,
"secrets_inventory_only": true,
"status": "blocked",
"blocking_reason": "Gitea 與 GitHub main SHA 不一致,且 GitHub 缺 Gitea-only branches/tags。"
}
此範例已由 docs/security/gitea-github-awoooi-inventory.snapshot.json 產生,並通過 source_control_migration_event_v1 必填欄位與 additional-properties 檢查。
7. 下一步
- 依
docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md取得 Gitea 只讀 repo inventory 批准,不使用寫入 token。 - 依
github_target_decision_v1對需要人工批准的 target 做 owner / visibility / canonical 決策。 - 依
docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md由 repo owner 對 main/dev、release tags、GitHub-only refs 與 drift deprecated 候選逐項判定;仍不 push refs。 - 標記「可 mirror」、「需人工判斷」、「需封存」、「不可搬」。
- 依 S4.12 workflow / secret name owner response 收件包驗收 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;仍不得收 secret value、改 workflow 或啟用 hosted runner。
- 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation;仍不得把 rollup 當 approval 或 execution authorization。
- 產出 GitHub primary ADR,定義切換 gate 與 rollback。
- 將
source_control_migration_event_v1、gitea_repo_inventory_v1、local_git_remote_inventory_v1mirror 到 AwoooP,初期只作為 evidence。