Files
awoooi/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md
2026-05-19 11:04:34 +08:00

22 KiB
Raw Blame History

Gitea 到 GitHub 全量版本轉移 Inventory

項目 內容
日期 2026-05-12
狀態 第二版 read-only inventory尚未開始同步或主控切換
範圍 Source control / CI/CD supply chain security
上游 handoff docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md
branch/tag/SHA 盤點工具 scripts/security/source-control-migration-inventory.py
repo list 盤點工具 scripts/security/gitea-repo-inventory.py
本機 remote 盤點工具 scripts/security/local-git-remote-inventory.py
最新 branch/tag/SHA snapshot docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md / docs/security/gitea-github-awoooi-inventory.snapshot.json
最新 repo list snapshot docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md / docs/security/gitea-repo-inventory.snapshot.json
Gitea org endpoint blocked snapshot docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md / docs/security/gitea-org-repo-inventory-blocked.snapshot.json
Gitea public search snapshot docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md / docs/security/gitea-public-repo-search.snapshot.json
Gitea server-side inventory runbook docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md
Gitea read-only inventory approval package docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md / docs/security/gitea-readonly-inventory-approval.snapshot.json
Gitea admin export redaction checklist docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md
最新本機 remote snapshot docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md / docs/security/local-git-remote-inventory.snapshot.json
GitHub target probe docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md / docs/security/github-target-probe.snapshot.json
本機 canonical lineage probe docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md / docs/security/local-repo-canonical-ewoooc-momo.snapshot.json
Internal 110 refs probe docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md / docs/security/git-remote-refs-bitan-tsenyang.snapshot.json
wooo-infra-config refs probe docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md / docs/security/git-remote-refs-wooo-infra-config.snapshot.json
GitHub target 決策表 docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md / docs/security/github-target-decision.snapshot.json
GitHub target repo-by-repo approval package docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md / docs/security/github-target-repo-approval-package.snapshot.json
Source Control draft reconcile plan docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md / docs/security/source-control-reconcile-plan.snapshot.json
Source Control branch/tag detail diff docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md / docs/security/source-control-ref-detail-diff.snapshot.json
Source Control ref truth classification docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md / docs/security/source-control-ref-truth-classification.snapshot.json
Source Control ref truth owner response docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md / docs/security/source-control-ref-truth-owner-response.snapshot.json
Workflow / secret name owner response docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md / docs/security/source-control-workflow-secret-name-owner-response.snapshot.json
Owner response validation rollup docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md / docs/security/source-control-owner-response-validation-rollup.snapshot.json
Source Control 遷移矩陣 docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md
Canonical repo 判定表 docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md

0. 重要結論

目前不能直接把 GitHub 切成 primary。

第二輪只讀盤點顯示,至少目前工作中的 awoooi repo 存在以下差異:

  • GitHub origin 與 Gitea giteamain SHA 不一致。
  • Gitea 有大量 drift/adopt-* 分支GitHub 沒有;截至 2026-05-13 最新 ref detail diff忽略本 PR 分支後 Gitea heads 為 117 條GitHub heads 為 2 條。
  • Gitea 有 release tagsGitHub 目前查不到 tags。
  • 本機 gitea remote URL 內嵌憑證,這是 credential hygiene 風險;不得寫入文件、不得複製到 GitHub後續需移除並輪替。
  • Gitea wooo user endpoint 在未提供 token 時可見 wooo/awoooiwooo/ewoooc,目前 gitea_repo_inventory_v1.status=partial
  • Gitea org endpoint 未認證查詢仍回 404未提供 token 的結果只代表 public-only 可見範圍,不代表 private/internal repos 已完整盤到。
  • Gitea read-only inventory approval package 已建立;取得只讀 token 或管理匯出前,必須先經人工批准,且不得保存 token value。
  • GitHub target probe 顯示 8 個候選中 5 個可讀、3 個為 not_found_or_privateowenhytsai/ewooocowenhytsai/bitan-pharmacyowenhytsai/tsenyang-website
  • ewoooc-momo-pro-system 本機 lineage probe 顯示三個 working tree 近期 sample 內無共同 commit因此不得自動視為複本或同一 repo 分支。
  • bitan-pharmacytsenyang-website 的 110 remote refs probe 顯示本機 main 與 remote main 對齊,各 1 head / 0 tags但 GitHub target 仍未確認。
  • wooo-infra-config 的 GitHub remote 與本機 main 對齊110 internal remote 目前 read-only probe 不可讀,需判斷是否為舊 remote、mirror 或權限問題。
  • GitHub target 決策表已建立8 個候選中 7 個需人工批准;其中 ewooocbitan-pharmacytsenyang-website 在 target visibility / owner 決策前不得自動建立或同步。
  • GitHub target repo-by-repo approval package 已建立7 個 approval-required targets 拆成 refs reconcile、target 建立 / 授權、internal remote 用途確認三條路徑;此 package 採低摩擦原則,只 gate 高風險執行,不阻擋 read-only evidence。
  • Source Control ref truth classification 已建立141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs reviewS4.11 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templatesreceived / accepted response 皆為 0、audit events emitted 仍為 0。這是人工判定隊列與收件框架不是同步批准。
  • Workflow / secret 名稱 owner response 已建立S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templatesreceived / accepted response 皆為 0、audit events emitted 仍為 0這只允許 owner 補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition不授權收 secret value、修改 workflow、啟用 GitHub hosted runner 或切 GitHub primary。
  • Owner response validation rollup 已建立S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets共 22 個 response templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、received / accepted response 皆為 0 且 reviewer audit emitted 仍為 0這只是驗收總覽、只讀路由、顯示順序、狀態語義、人工審查提示、結果分類與脫敏稽核格式不是 approval、runtime gate、production ingestion 或執行授權。
  • 本機可見 Git working tree 輔助盤點已找到 13 個 repo其中去重後 Gitea repo 4 個、GitHub repo 5 個、110 內部 repo 4 個;此結果可用來補遷移矩陣,但不能取代 Gitea server 全量清單。

因此後續必須先完成「repo/branch/tag/workflow/webhook/permission/secrets 名稱」全量 inventory再逐步 mirror 與驗證。

1. 本輪 read-only 探測

檢查 結果
git remote -v 已確認 origin 指向 GitHubgitea 指向本地 Gitea未在文件中保存憑證
GitHub heads 2 條
Gitea heads 117 條,已忽略本 PR 分支
GitHub tags 0 條
Gitea tag refs 4 條 raw refs實際 tag 為 v7.2.0v7.3.0
Gitea org API 未認證查詢 http://192.168.0.110:3001/api/v1/orgs/wooo/repos 回 404保留為 endpoint 判定 evidence
Gitea user API 未認證查詢 http://192.168.0.110:3001/api/v1/users/wooo/repos 回 200取得 public repos 2 個
Gitea public search API 未認證查詢 /api/v1/repos/search 回 200取得 wooo/awoooiwooo/ewoooc
可重跑工具 python3 scripts/security/source-control-migration-inventory.py --repo . --gitea-remote gitea --github-remote origin --output-json docs/security/gitea-github-awoooi-inventory.snapshot.json --output-md docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md
Gitea repo list 工具 python3 scripts/security/gitea-repo-inventory.py --base-url http://192.168.0.110:3001 --org wooo --scope user --github-owner owenhytsai --output-json docs/security/gitea-repo-inventory.snapshot.json --output-md docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md
Gitea read-only inventory approval docs/security/gitea-readonly-inventory-approval.snapshot.json
Gitea public search 工具 python3 scripts/security/gitea-repo-inventory.py --base-url http://192.168.0.110:3001 --org public-search --github-owner owenhytsai --scope search --limit 100 --output-json docs/security/gitea-public-repo-search.snapshot.json --output-md docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md
本機 remote 盤點工具 python3 scripts/security/local-git-remote-inventory.py --root /Users/ogt --root "/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs" --max-depth 4 --output-json docs/security/local-git-remote-inventory.snapshot.json --output-md docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md
GitHub target probe 工具 python3 scripts/security/github-target-probe.py --candidate owenhytsai/awoooi --candidate owenhytsai/clawbot-v5 --candidate owenhytsai/wooo-aiops --candidate owenhytsai/wooo-infra-config --candidate owenhytsai/ewoooc --candidate owenhytsai/bitan-pharmacy --candidate owenhytsai/tsenyang-website --candidate nexu-io/open-design --output-json docs/security/github-target-probe.snapshot.json --output-md docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md
本機 canonical lineage 工具 python3 scripts/security/local-repo-canonical-probe.py --group-name ewoooc-momo-pro-system --repo local-momo-gitea=/Users/ogt/momo-pro-system --repo icloud-momo-gitea="/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs/momo-pro-system" --repo local-momo-gitlab=/Users/ogt/momo_pro_system --sample-limit 100 --git-timeout 8 --output-json docs/security/local-repo-canonical-ewoooc-momo.snapshot.json --output-md docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md
Internal 110 refs 工具 python3 scripts/security/git-remote-refs-probe.py --group-name internal-110-bitan-tsenyang --repo bitan-pharmacy=/Users/ogt/bitan-pharmacy=origin --repo tsenyang-website=/Users/ogt/tsenyang-website=origin --output-json docs/security/git-remote-refs-bitan-tsenyang.snapshot.json --output-md docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md
wooo-infra-config refs 工具 python3 scripts/security/git-remote-refs-probe.py --group-name wooo-infra-config-remotes --repo wooo-infra-config-gitea=/Users/ogt/wooo-infra-config=gitea --repo wooo-infra-config-github=/Users/ogt/wooo-infra-config=origin --output-json docs/security/git-remote-refs-wooo-infra-config.snapshot.json --output-md docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md
GitHub target 決策 snapshot docs/security/github-target-decision.snapshot.json,依前述 read-only evidence 人工彙整,非執行工具,不授權 repo 建立或 visibility 修改
GitHub target repo-by-repo approval snapshot docs/security/github-target-repo-approval-package.snapshot.json,逐 repo 拆分 approval path不授權執行
Source Control draft reconcile plan docs/security/source-control-reconcile-plan.snapshot.json,只產生 draft_blocked 草案,不授權 refs sync
Source Control branch/tag detail diff docs/security/source-control-ref-detail-diff.snapshot.json,保存 3 個 refs-blocked mapped repos 的 branch/tag 明細,不授權 fetch/push
Source Control ref truth classification docs/security/source-control-ref-truth-classification.snapshot.json,將 ref diff 轉成單 ref 人工判定隊列,不授權 sync/delete
Workflow / secret name owner response docs/security/source-control-workflow-secret-name-owner-response.snapshot.json,固定 5 類 response templates不授權 secret value collection、workflow modification、hosted runner enablement 或 primary switch
Owner response validation rollup docs/security/source-control-owner-response-validation-rollup.snapshot.json,集中顯示 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes 與 reviewer audit event templates不授權 approval、production ingestion 或 runtime action

1.1 Gitea repo list snapshot

欄位
Schema gitea_repo_inventory_v1
Status partial
Query mode user
Visibility scope public_only
HTTP status 200
Repo count 2
Token present false
Snapshot docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md / docs/security/gitea-repo-inventory.snapshot.json
Org endpoint blocked snapshot docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md / docs/security/gitea-org-repo-inventory-blocked.snapshot.json
阻塞原因 未提供 token結果只代表公開可見 repoprivate/internal repos 仍需只讀 token 或管理匯出

此結果代表目前已完成 public-only server-side repo list但尚未完成「Gitea 所有專案」盤點。不得開始批量同步、刪除、封存或 GitHub primary 切換。

1.1.1 Gitea public search snapshot

欄位
Schema gitea_repo_inventory_v1
Status partial
HTTP status 200
Repo count 2
Token present false
可見 repos wooo/awoooiwooo/ewoooc
Snapshot docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md / docs/security/gitea-public-repo-search.snapshot.json

此結果代表 Gitea 有公開 repo 可被 read-only search 看到,但 private/internal repos 仍可能缺席。因此它只能補強 evidence不能取代只讀 token 或管理匯出。完整操作方式見 docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md

1.2 本機 Git remote snapshot

欄位
Schema local_git_remote_inventory_v1
Status partial
掃描 roots /Users/ogt/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs
Working tree count 13
Gitea linked working trees 6
GitHub linked working trees 6
Mapped working trees 4
Gitea-only working trees 2
GitHub-only working trees 2
110 internal-only working trees 3
去重後 Gitea repos wooo/awoooiwooo/clawbot-v5wooo/ewooocwooo/wooo-aiops
去重後 GitHub repos nexu-io/open-designowenhytsai/awoooiowenhytsai/clawbot-v5owenhytsai/wooo-aiopsowenhytsai/wooo-infra-config
去重後 110 internal repos bitan-pharmacyroot/momo-pro-systemtsenyang-websitewooo/wooo-infra-config
Snapshot docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md / docs/security/local-git-remote-inventory.snapshot.json

此 snapshot 只能代表本機可見 working tree。它揭露了 Gitea API 之外的 source control 風險:仍有專案只連到 110 內部 remote 或 GitLab 類 remoteGitHub primary 切換前也要納入遷移矩陣。

第一版派工矩陣已建立於 docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md。該矩陣將 awoooiewooocclawbot-v5wooo-aiopsbitan-pharmacytsenyang-websitewooo-infra-config 等 source-control target 拆成 P0/P1/P2不授權任何自動同步或刪除。

2026-05-12 追加 refs diff已對 wooo/clawbot-v5wooo/wooo-aiops 產生 read-only refs snapshot兩者皆為 blocked。因此目前已驗證的 mapped repos 中,awoooiclawbot-v5wooo-aiops 都不是 GitHub primary ready。

Canonical repo 判定表已建立於 docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.mdwooo/ewooocroot/momo-pro-systemmomo-pro-systemmomo_pro_system 目前列為待人工判定,不可自動合併。

GitHub target probe 已建立於 docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.mdowenhytsai/ewooocowenhytsai/bitan-pharmacyowenhytsai/tsenyang-website 目前未授權 read-only probe 看不到,因此不能視為已完成 GitHub target。

GitHub target 建立與可見性決策表已建立於 docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md。目前 github_target_decision_v1.status=draft8 個 target 候選中 7 個 approval_required=true。此表只能作為下一階段 approval evidence不能自動建立 repo、修改 visibility、同步 refs 或切 GitHub primary。

GitHub target repo-by-repo approval package 已建立於 docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md。目前 github_target_repo_approval_package_v1.status=draft7 個 approval items 全部 pending。此 package 用於分段批准與 owner / visibility / canonical 判定,不得被解讀為已批准推版或同步。

2. 目前 repo 對照

欄位 Gitea GitHub 狀態
Repo wooo/awoooi owenhytsai/awoooi 已有對應
main 5294f0712f1a3370d0155c0d88e5d10c6ec0250e 202071f7a8724d5e8c29de441c3f380575a0ea94 不一致,阻塞主控切換
release/v1.0 d15fb7d9f4bac86873d5c16b9c17c527b8f38bef d15fb7d9f4bac86873d5c16b9c17c527b8f38bef 一致
dev 25889d4b8edcb83b6ec707c5eef3c21ae5d432b0 GitHub 缺分支
drift/adopt-* 多條 GitHub 缺分支
v7.2.0 GitHub 缺 tag
v7.3.0 GitHub 缺 tag

3. Gitea-only 分支類型

類型 說明 建議處理
dev Gitea 上存在GitHub 不存在 判斷是否仍使用;若使用,需同步
drift/adopt-* GitOps / drift adoption 類分支 先保留並同步或封存,不可直接刪除
main Gitea 與 GitHub SHA 不一致 需確認哪一端是部署真相
release/v1.0 兩端 SHA 一致 可標為已對齊

4. Credential Hygiene

本輪發現本機 git remote 內嵌 Gitea 憑證。後續處理原則:

  1. 不把憑證值寫入任何文件、LOGBOOK、issue、PR 或 chat。
  2. 切換前移除 local remote URL 中的 embedded credential。
  3. 改用 credential helper、只讀 token、或部署專用 secret store。
  4. 對既有 token 做 rotation。
  5. 在 AwoooP / AWOOOI audit 中記錄「已輪替」的 evidence不記錄 token value。

5. 全量專案盤點待辦

目前只完成本工作目錄的 awoooi repo 初步盤點。要滿足「Gitea 目前所有專案版本都轉移到 GitHub」仍需完成

項目 狀態 備註
Gitea org/repo list 部分完成 public-only user endpoint 已確認 2 個 repoprivate/internal 仍需要只讀 token 或管理匯出
本機可見 Git remotes 部分完成 只能當輔助 evidence不等同 server 全量
每個 repo 的 GitHub 對應目標 部分完成 已有 8 個 target 候選與決策草案;仍需 owner / visibility / server-side refs 決策
branches 全量 diff 待盤點 每 repo 執行 heads 比對
tags 全量 diff 待盤點 每 repo 執行 tags 比對
releases / artifacts 待盤點 Gitea API 或 UI 匯出
issues / PR 待盤點 需決定搬遷或封存
workflows 待盤點 .gitea/workflows 改寫或保留 fallback
webhooks 待盤點 對接 GitHub webhook 或 AwoooP event adapter
secrets 名稱 待盤點 只盤名稱與 owner不搬 value
branch protection / CODEOWNERS 待設計 GitHub primary 前必備

6. source_control_migration_event_v1 範例

{
  "schema_version": "source_control_migration_event_v1",
  "gitea_repo": "wooo/awoooi",
  "github_repo": "owenhytsai/awoooi",
  "branch_count_gitea": 117,
  "branch_count_github": 2,
  "tag_count_gitea": 2,
  "tag_count_github": 0,
  "latest_sha_gitea": "5294f0712f1a3370d0155c0d88e5d10c6ec0250e",
  "latest_sha_github": "202071f7a8724d5e8c29de441c3f380575a0ea94",
  "workflows_mapped": false,
  "webhooks_mapped": false,
  "secrets_inventory_only": true,
  "status": "blocked",
  "blocking_reason": "Gitea 與 GitHub main SHA 不一致,且 GitHub 缺 Gitea-only branches/tags。"
}

此範例已由 docs/security/gitea-github-awoooi-inventory.snapshot.json 產生,並通過 source_control_migration_event_v1 必填欄位與 additional-properties 檢查。

7. 下一步

  1. docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md 取得 Gitea 只讀 repo inventory 批准,不使用寫入 token。
  2. github_target_decision_v1 對需要人工批准的 target 做 owner / visibility / canonical 決策。
  3. docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md 由 repo owner 對 main/dev、release tags、GitHub-only refs 與 drift deprecated 候選逐項判定;仍不 push refs。
  4. 標記「可 mirror」、「需人工判斷」、「需封存」、「不可搬」。
  5. 依 S4.12 workflow / secret name owner response request packet、template status ledger、audit event templates、redaction examples 與收件包驗收 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity仍不得收 secret value、改 workflow 或啟用 hosted runner。
  6. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes 與 reviewer audit event templates仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes 或 reviewer audit templates 當 approval、production ingestion 或 execution authorization。
  7. 產出 GitHub primary ADR定義切換 gate 與 rollback。
  8. source_control_migration_event_v1gitea_repo_inventory_v1local_git_remote_inventory_v1 mirror 到 AwoooP初期只作為 evidence。