Records what works (SSH forgejo-remote, CI smoke, HTTPS mirror) and what is still blocked before state-hub cutover. Updates CUST-WP-0054-T04 progress.
4.9 KiB
4.9 KiB
Forgejo Repo Migration Pilot — glas-harness
Date: 2026-07-03
Workplan: CUST-WP-0054-T04, RAIL-HO-WP-0005
Pilot repo: coulomb/glas-harness (non-production tooling; safe routing drill)
Why this repo
| Criterion | glas-harness |
|---|---|
| Production dependency | None — harness meta-framework, not deployed |
| Size / complexity | 3 commits, no container image, no submodules |
| Blast radius | Low — wrong remote or CI failure does not break triage, State Hub, or emission |
| State Hub registration | Not in active production sweep set |
Use lessons here before migrating state-hub (high value, high risk).
Pilot outcome (2026-07-03)
| Step | Result | Notes |
|---|---|---|
| Create repo on Forgejo | pass | POST /api/v1/orgs/coulomb/repos |
| Mirror git history (HTTPS) | pass | main @ e35e287 pushed with admin token |
SSH forgejo-remote push |
pass | After adding id_gitea.pub to forgejo_admin; NodePort 92.205.62.239:30022 |
origin → Forgejo, gitea legacy remote |
pass | origin=forgejo-remote:…, gitea=gitea-remote:… |
Actions ci-smoke (host + container) |
pass | host-smoke (self-hosted) + container-smoke (ubuntu-latest) both success |
| Gitea left intact | pass | No delete; Gitea still at e35e287 until mirror sync policy defined |
Routing that works
Git remotes (workstation)
Add to ~/.ssh/config (see FORGEJO-REMOTE block):
Host forgejo-remote
HostName 92.205.62.239
Port 30022
User git
IdentityFile ~/.ssh/id_gitea
StrictHostKeyChecking accept-new
Per-repo layout after cutover:
git remote rename origin gitea # if still on Gitea
git remote add origin forgejo-remote:coulomb/<repo>.git
git push -u origin main
Canonical URL: https://forgejo.coulomb.social/coulomb/<repo>.git
HTTPS fallback (automation / first push)
Admin or user token with write:repository:
git push "https://<user>:<token>@forgejo.coulomb.social/coulomb/<repo>.git" main
CI runner labels (railiance01-build-01)
| Label | Works for | Evidence |
|---|---|---|
self-hosted |
Host runner smoke | glas-harness host-smoke |
ubuntu-latest |
Container step jobs | glas-harness container-smoke |
container-build |
Docker build/push jobs | forgejo-actions-probe image-build |
Registry / image CI (from prior probe)
- Org secrets
REGISTRY_USER/REGISTRY_TOKENviaPUT /api/v1/orgs/coulomb/actions/secrets/{name}with plaintextdata(HTTPS API). - Host runner has no
dockerCLI and cannotapk add(non-root). Use static docker binary in the job step. actions/checkout@v4fails on host runner — usegit clonein the job until resolved.
Routing that does not work yet
| Gap | Impact | Mitigation for next repos |
|---|---|---|
tegwick Gitea user not on Forgejo |
SSH as git@92.205.130.254 (Gitea) ≠ git@92.205.62.239 (Forgejo); keys are per-forge |
Register operator keys on Forgejo users before cutover; or use forgejo_admin interim |
| No automated Gitea→Forgejo mirror | Gitea copy drifts after Forgejo becomes canonical | Staged cutover: freeze Gitea pushes, one-way mirror, or retire Gitea remote after verification |
actions/checkout@v4 on host runner |
Breaks multi-step workflows that depend on checkout | git clone in run: step (see image-build probe) |
| Issues/wiki/releases/LFS | Not exercised in pilot | Classify per repo in migration inventory before production repos |
State Hub remote_url field |
Still points at gitea-remote:… for most repos |
Update registration when repo is promoted (separate step; not done for glas-harness) |
Repeatable procedure (non-production repo)
- Confirm repo is not in a production drain wave or has explicit operator approval.
- Create empty repo on Forgejo (
auto_init: falseif mirroring existing history). - Push all branches/tags from workstation clone (HTTPS or SSH).
- Add
forgejo-remoteremote; rename Gitea remote togitea; setoriginto Forgejo. - Add
.forgejo/workflows/smoke (and image workflow if applicable). - Verify Actions green on Forgejo runner.
- Leave Gitea repo read-only; do not delete (safety contract).
- Record results in this doc or a per-repo row in the migration inventory.
Not ready for state-hub yet
Before state-hub, the pilot still needs:
- Operator/user SSH identity on Forgejo (not only
forgejo_admin) - Reusable workflow template with
hub-corebuild context andgit clonecheckout pattern - State Hub
remote_url+ sweep checkout path update playbook - Gitea read-only mirror or push-disable policy for repos after cutover
References
docs/forgejo-production-decisions.mdrailiance-forge/docs/forgejo-actions-runner-substrate.mdrailiance-apps/docs/forgejo-on-railiance01.md- Forgejo repo: https://forgejo.coulomb.social/coulomb/glas-harness