fix(security): 停用 GitHub production deploy

.github/workflows/cd.yaml

@@ -13,12 +13,10 @@
 
 name: CD
 
+# 2026-05-12 Codex: GitHub 僅保留唯讀備份；生產 CI/CD 只能從 Gitea 執行。
+# 本 workflow 曾可 push / workflow_dispatch 後 build、patch secret、kubectl apply，
+# 會和 `.gitea/workflows/cd.yaml` 競爭 K3s production 狀態，因此硬停用。
 on:
-  push:
-    branches: [main]
-    paths-ignore:
-      - 'docs/**'
-      - '*.md'
   workflow_dispatch:
     inputs:
       force_deploy:
@@ -60,6 +58,7 @@ jobs:
   # ==================== Pre-flight Check (10s Fail-Fast) ====================
   pre-flight-check:
     name: "Pre-flight Check"
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
     timeout-minutes: 1
     steps:
@@ -133,6 +132,7 @@ jobs:
   # 2026-03-29 Claude Code: 確保監控覆蓋率 >= 90%
   monitoring-coverage:
     name: "Monitoring Coverage"
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
     needs: pre-flight-check
     timeout-minutes: 2
@@ -152,6 +152,7 @@ jobs:
   # ==================== 路徑偵測 (使用 dorny/paths-filter) ====================
   detect-changes:
     name: Detect Changes
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
     needs: [pre-flight-check, monitoring-coverage]
     timeout-minutes: 1
@@ -197,11 +198,7 @@ jobs:
     runs-on: [self-hosted, harbor, k8s]
     needs: [detect-changes, build-web]
     timeout-minutes: 20
-    if: |
-      !inputs.skip_api && (
-        needs.detect-changes.outputs.api == 'true' ||
-        (needs.detect-changes.outputs.api == 'false' && needs.detect-changes.outputs.web == 'false')
-      )
+    if: ${{ false }}
     outputs:
       image_tag: ${{ steps.tag.outputs.tag }}
     steps:
@@ -238,11 +235,7 @@ jobs:
     runs-on: [self-hosted, harbor, k8s]
     needs: detect-changes
     timeout-minutes: 20
-    if: |
-      !inputs.skip_web && (
-        needs.detect-changes.outputs.web == 'true' ||
-        (needs.detect-changes.outputs.api == 'false' && needs.detect-changes.outputs.web == 'false')
-      )
+    if: ${{ false }}
     outputs:
       image_tag: ${{ steps.tag.outputs.tag }}
     steps:
@@ -293,7 +286,7 @@ jobs:
     concurrency:
       group: runner-awoooi-cd-mutex
       cancel-in-progress: false
-    if: always() && (needs.build-api.result == 'success' || needs.build-api.result == 'skipped') && (needs.build-web.result == 'success' || needs.build-web.result == 'skipped')
+    if: ${{ false }}
     environment: production
     steps:
       # 2026-03-29: Runner 診斷檔案清理 (防止並行衝突)

.github/workflows/deploy-prod.yml

@@ -14,15 +14,10 @@
 
 name: Deploy to Production
 
+# 2026-05-12 Codex: GitHub 是唯讀備份，production deploy 只能從 Gitea 進入。
+# 這份歷史 workflow 仍含 Harbor build/push 與 kubectl apply/rollout，會和 Gitea CD 競爭。
+# 保留檔案供稽核，但停用所有 job。
 on:
-  push:
-    branches:
-      - main
-    paths:
-      - 'apps/api/**'
-      - 'apps/web/**'
-      - 'k8s/awoooi-prod/**'
-      - '.github/workflows/deploy-prod.yml'
   workflow_dispatch:
     inputs:
       deploy_api:
@@ -70,6 +65,7 @@ jobs:
   # ===========================================================================
   build:
     name: "Build Images"
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
     outputs:
       image_tag: ${{ steps.meta.outputs.tag }}
@@ -138,6 +134,7 @@ jobs:
   deploy:
     name: "Deploy to K3s"
     needs: build
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
 
     steps:
@@ -210,7 +207,7 @@ jobs:
   smoke-test:
     name: "Smoke Tests"
     needs: deploy
-    if: ${{ !inputs.skip_tests }}
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
 
     steps:
@@ -248,7 +245,7 @@ jobs:
   notify:
     name: "Send Notification"
     needs: [build, deploy, smoke-test]
-    if: always()
+    if: ${{ false }}
     runs-on: [self-hosted, harbor, k8s]
 
     steps: