wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
2a2cb16c135fd7e5b159d94de9b5ff04f6cf31f5
awoooi/docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md

141 lines
5.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Source Control Draft Reconcile Plan
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-04 |
| 狀態 | `draft_blocked` |
| 預設模式 | `plan_only` |
| inventory gate | `blocked` |
| gate 原因 | Gitea authenticated / admin_export server-side inventory 尚未完成;本 plan 只能作草案,不可執行 refs sync。 |
| plan count | 3 |
## 0. 核心結論
這份文件只是 refs reconcile 草案,不是同步腳本,也不授權任何 GitHub primary 切換。AwoooP 可以 mirror 成 approval candidate但不得執行 board item 或呼叫任何 push / sync 工具。
若已存在 `source_control_ref_truth_classification_v1`,請把它視為本 plan 的人工 review lane 補充:分類結果只協助 repo owner 判定,不授權同步或刪除。
## 1. Repo 差異摘要
| Repo | Risk | Gitea branches | GitHub branches | Gitea tags | GitHub tags | Gitea main | GitHub main |
|------|------|----------------|-----------------|------------|-------------|------------|-------------|
| `wooo/awoooi -> owenhytsai/awoooi` | `HIGH` | `170` | `2` | `2` | `0` | `64490d32` | `202071f7` |
| `wooo/clawbot-v5 -> owenhytsai/clawbot-v5` | `MEDIUM` | `1` | `1` | `1` | `0` | `22074fbe` | `7a769de4` |
| `wooo/wooo-aiops -> owenhytsai/wooo-aiops` | `MEDIUM` | `2` | `3` | `0` | `19` | `507384a2` | `7c7aa109` |
## 2. Draft Plan
### wooo/awoooi -> owenhytsai/awoooi
- 狀態:`blocked`
- 阻塞原因branches 尚未完全對齊tags 尚未完全對齊
- 允許現在做:
- 更新 read-only evidence
- 更新 approval board
- 產生 draft reconcile plan
- 讓 AwoooP mirror plan 狀態
- 草案步驟:
- 先確認目前 production deploy 真相來源與 deploy marker 流程,避免主控切換影響發版。
- 針對 `wooo/awoooi``owenhytsai/awoooi` 產生 branch-by-branch diff 表。
- 針對 `wooo/awoooi``owenhytsai/awoooi` 產生 tag-by-tag diff 表。
- 標記每個 diff 的真相來源候選Gitea、GitHub、人工指定或 deprecated。
- 列出 workflow / webhook / runner / secret 名稱差異,只記名稱不記 value。
- 產生 dry-run PR / ADR 草案,仍不 push refs。
- 執行前 gate
- Gitea authenticated 或 admin_export server-side repo inventory status=ok
- branch-by-branch SHA diff 已完成
- tag-by-tag SHA diff 已完成
- workflow / webhook / runner / secret 名稱 inventory 已完成
- repo owner / visibility / branch protection / CODEOWNERS 已確認
- rollback plan 與 GitHub primary ADR 已完成
- 人工批准只針對單一 repo 生效,不得批次套用到所有 repo
- 仍然禁止:
- push refs
- force push
- delete refs
- create GitHub repo
- change repo visibility
- switch GitHub primary
- disable Gitea
- move secret values
- Evidence refs
- `docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md`
### wooo/clawbot-v5 -> owenhytsai/clawbot-v5
- 狀態:`blocked`
- 阻塞原因branches 尚未完全對齊tags 尚未完全對齊
- 允許現在做:
- 更新 read-only evidence
- 更新 approval board
- 產生 draft reconcile plan
- 讓 AwoooP mirror plan 狀態
- 草案步驟:
- 針對 `wooo/clawbot-v5``owenhytsai/clawbot-v5` 產生 branch-by-branch diff 表。
- 針對 `wooo/clawbot-v5``owenhytsai/clawbot-v5` 產生 tag-by-tag diff 表。
- 標記每個 diff 的真相來源候選Gitea、GitHub、人工指定或 deprecated。
- 列出 workflow / webhook / runner / secret 名稱差異,只記名稱不記 value。
- 產生 dry-run PR / ADR 草案,仍不 push refs。
- 執行前 gate
- Gitea authenticated 或 admin_export server-side repo inventory status=ok
- branch-by-branch SHA diff 已完成
- tag-by-tag SHA diff 已完成
- workflow / webhook / runner / secret 名稱 inventory 已完成
- repo owner / visibility / branch protection / CODEOWNERS 已確認
- rollback plan 與 GitHub primary ADR 已完成
- 人工批准只針對單一 repo 生效,不得批次套用到所有 repo
- 仍然禁止:
- push refs
- force push
- delete refs
- create GitHub repo
- change repo visibility
- switch GitHub primary
- disable Gitea
- move secret values
- Evidence refs
- `docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md`
### wooo/wooo-aiops -> owenhytsai/wooo-aiops
- 狀態:`blocked`
- 阻塞原因branches 尚未完全對齊tags 尚未完全對齊
- 允許現在做:
- 更新 read-only evidence
- 更新 approval board
- 產生 draft reconcile plan
- 讓 AwoooP mirror plan 狀態
- 草案步驟:
- 針對 `wooo/wooo-aiops``owenhytsai/wooo-aiops` 產生 branch-by-branch diff 表。
- 針對 `wooo/wooo-aiops``owenhytsai/wooo-aiops` 產生 tag-by-tag diff 表。
- 標記每個 diff 的真相來源候選Gitea、GitHub、人工指定或 deprecated。
- 列出 workflow / webhook / runner / secret 名稱差異,只記名稱不記 value。
- 產生 dry-run PR / ADR 草案,仍不 push refs。
- 執行前 gate
- Gitea authenticated 或 admin_export server-side repo inventory status=ok
- branch-by-branch SHA diff 已完成
- tag-by-tag SHA diff 已完成
- workflow / webhook / runner / secret 名稱 inventory 已完成
- repo owner / visibility / branch protection / CODEOWNERS 已確認
- rollback plan 與 GitHub primary ADR 已完成
- 人工批准只針對單一 repo 生效,不得批次套用到所有 repo
- 仍然禁止:
- push refs
- force push
- delete refs
- create GitHub repo
- change repo visibility
- switch GitHub primary
- disable Gitea
- move secret values
- Evidence refs
- `docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md`
## 3. AwoooP 消費方式
1. 只 mirror `source_control_reconcile_plan_v1`
2. 只顯示 `draft_blocked` 與 blocking reason。
3. 可產生 approval candidate但不得自動批准。
4. 不得新增 execution action button。
5. 真相來源分類請讀 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`,並維持單 repo / 單 ref 人工 gate。
Reference in New Issue View Git Blame Copy Permalink