# GitHub Target Creation and Visibility Decision Table

| Item | Content |
|------|------|
| Date | 2026-05-12 |
| Status | Draft, awaiting human decision |
| Upstream evidence | `docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md`, `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` |
| JSON snapshot | `docs/security/github-target-decision.snapshot.json` |
| Repo-by-repo approval package | `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md` |
| Owner response intake package | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` |
| Principles | No automatic repo creation, no visibility changes, no refs sync, no primary switch |

## 0. Core Conclusions

GitHub targets currently fall into four categories:

1. Already exist but refs blocked: `awoooi`, `clawbot-v5`, `wooo-aiops`.
2. Already exists and the local GitHub remote is aligned, but the purpose of the 110 internal remote is still to be determined: `wooo-infra-config`.
3. GitHub target not visible to an unauthorized probe: `ewoooc`, `bitan-pharmacy`, `tsenyang-website`.
4. External/design repo, requires scope review: `nexu-io/open-design`.

Therefore, at this stage no automatic mirror may be set up, and GitHub primary must not be treated as ready.

S4.10 has added the owner decision response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks, and the intake package. It only defines the response requests, response fields, acceptance rules, and rejection rules for the 7 approval-required targets. Received / accepted responses are both currently 0, and it does not represent repo creation, visibility change, refs sync, or primary approval.

## 1. Decision Table

| GitHub target | Source key | Probe | Target state | Recommended action | Risk | Human approval |
|---------------|------------|-------|--------------|----------|------|----------|
| `owenhytsai/awoooi` | `wooo/awoooi` | `exists` | `exists_refs_blocked` | hold refs reconcile | HIGH | Yes |
| `owenhytsai/clawbot-v5` | `wooo/clawbot-v5` | `exists` | `exists_refs_blocked` | hold refs reconcile | MEDIUM | Yes |
| `owenhytsai/wooo-aiops` | `wooo/wooo-aiops` | `exists` | `exists_refs_blocked` | hold refs reconcile | MEDIUM | Yes |
| `owenhytsai/wooo-infra-config` | `wooo/wooo-infra-config` | `exists` | `exists_aligned` | confirm internal remote purpose | MEDIUM | Yes |
| `owenhytsai/ewoooc` | `wooo/ewoooc` / `root/momo-pro-system` | `not_found_or_private` | `not_found_or_private` | create or grant access after approval | HIGH | Yes |
| `owenhytsai/bitan-pharmacy` | `bitan-pharmacy` | `not_found_or_private` | `not_found_or_private` | create or grant access after approval | MEDIUM | Yes |
| `owenhytsai/tsenyang-website` | `tsenyang-website` | `not_found_or_private` | `not_found_or_private` | create or grant access after approval | MEDIUM | Yes |
| `nexu-io/open-design` | `open-design` | `exists` | `external_scope` | scope review only | LOW | No |

## 2. Gates Before Creation / Access Grant

| Repo | Blocked until |
|------|---------------|
| `owenhytsai/ewoooc` | Human confirmation of the `ewoooc/momo-pro-system` canonical relationship, server-side refs diff, visibility/owner decision |
| `owenhytsai/bitan-pharmacy` | Confirmation that it is still active, visibility/owner decision |
| `owenhytsai/tsenyang-website` | Confirmation that it is still active, visibility/owner decision |
| `owenhytsai/wooo-infra-config` | Confirmation of the purpose of the 110 internal remote; if it is the old primary, demote or remove it |

## 3. How AwoooP Consumes This

AwoooP may mirror `github_target_decision_v1` as migration planning evidence, but may only do the following:

- Runtime State / Channel Event display.
- Read-only policy recommendations.
- Approval candidate creation.

AwoooP must not directly:

- Create GitHub repos.
- Change repo visibility.
- Add secrets.
- Sync refs.
- Switch GitHub primary.

## 4. Next Steps

1. The commander or the repo owner decides the GitHub target visibility for `ewoooc`, `bitan-pharmacy`, and `tsenyang-website`.
2. Complete the server-side refs diff and canonical determination for `ewoooc/momo-pro-system`.
3. Confirm whether `bitan-pharmacy` and `tsenyang-website` are still active.
4. Confirm whether the 110 internal remote of `wooo-infra-config` should be removed or kept as a mirror.
5. Receive and accept the owner / visibility / canonical responses per S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md`.
6. Any repo creation, visibility change, or mirror action must go through approval first.
7. Approval applies only to high-risk execution actions; read-only inventory and evidence mirror should not be over-blocked.