GitLab Migration - Operational Follow-ups
The migration is essentially complete. Latest release v0.2.2 built end-to-end with notarized macOS binaries, checksums, SBOMs, and a homebrew cask pushed to the GitLab-hosted tap. The docs site is live at https://gtb.phpboyscout.uk.
1. Release automation - ✅ DONE (semantic-release → releaser-pleaser)
Status: semantic-release has been replaced by releaser-pleaser (Release-MR pattern, GitLab CI/CD component). Prerequisites confirmed:
- RELEASER_PLEASER_TOKEN CI/CD variable exists with Maintainer role and scopes api, read_repository, write_repository.
- Project merge settings: Fast-forward merge (merge_method: ff) and Require squash (squash_option: always).
Cleanup (optional): the old GITLAB_TOKEN variable was only used by semantic-release (GoReleaser authenticates with the CI job token via use_job_token: true). Confirm nothing else references it, then remove it.
2. Renovate runner schedule + token - ✅ DONE
Status: Daily pipeline schedule id 4245076 runs at 03:00 UTC on main with RENOVATE_TASK=scan. RENOVATE_TOKEN mirrors GITLAB_TOKEN.
Caveat - Python toolchain bumps: renovate.json disables the pip_requirements manager. Renovate bumps the version line in requirements-lock.txt but cannot regenerate the SHA-256 hashes that pip install --require-hashes enforces, breaking the pages job. Bumps to that lockfile stay manual via the recipe in the file's own header. Re-enable when self-hosted postUpgradeTasks are wired in.
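The failure mode in the caveat above, as an added example (not the project's own code): a version-only bump leaves the old digest pinned, so the new artifact is rejected until the hashes are regenerated. The package name examplepkg, the artifact bytes and all helper names are constructed for illustration, and check_artifact is a simplified model of pip's hash check.

```python
import hashlib
import re

# Constructed stand-ins for the release artifacts of a hypothetical package.
OLD_ARTIFACT = b"examplepkg 1.0.0 wheel bytes (constructed)"
NEW_ARTIFACT = b"examplepkg 1.0.1 wheel bytes (constructed)"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_lock(version, artifact):
    """Build a one-entry hash-pinned lockfile, as a regeneration step would."""
    return f"examplepkg=={version} \\\n    --hash=sha256:{sha256_hex(artifact)}\n"

def bump_version_only(lock_text, name, new_version):
    """Rewrite the version pin and leave the --hash lines untouched (the failure mode)."""
    pattern = rf"^{re.escape(name)}==\S+"
    return re.sub(pattern, f"{name}=={new_version}", lock_text, flags=re.M)

def parse_lock(lock_text):
    """Return {name: (version, set of pinned sha256 digests)}."""
    entries = {}
    for line in lock_text.replace("\\\n", " ").splitlines():  # fold continuations
        match = re.match(r"([A-Za-z0-9._-]+)==(\S+)", line.strip())
        if match:
            digests = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", line))
            entries[match.group(1).lower()] = (match.group(2), digests)
    return entries

def check_artifact(entries, name, artifact):
    """Simplified model of the hash check: accept only a digest that is pinned."""
    _version, digests = entries[name]
    if not digests:
        return "reject: no hashes pinned"
    if sha256_hex(artifact) in digests:
        return "accept"
    return "reject: hash mismatch"

if __name__ == "__main__":
    lock = make_lock("1.0.0", OLD_ARTIFACT)
    bumped = bump_version_only(lock, "examplepkg", "1.0.1")
    regenerated = make_lock("1.0.1", NEW_ARTIFACT)
    for label, text in [("bumped", bumped), ("regenerated", regenerated)]:
        print(label, check_artifact(parse_lock(text), "examplepkg", NEW_ARTIFACT))
```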
3. GoReleaser secrets - ✅ DONE
Status: All required secrets are set as masked + protected CI/CD variables. v0.2.x releases ship with notarized + signed macOS binaries.
- GTB_OTEL_AUTH: base64 of 1576673:<token>, real OTel write token.
- APPLE_NOTARY_KEY: base64-encoded .p8 (App Store Connect API key).
- APPLE_NOTARY_KEY_ID: V89487UH6J.
- APPLE_NOTARY_ISSUER_ID: cff1b5c3-a4bf-4adc-b3cd-db492f195207.
- APPLE_DEV_CERT: base64 of the re-encrypted .p12 (PKCS#12 modern cipher).
- APPLE_DEV_CERT_PASSWORD: set; recommend rotating since it was shared in chat during setup.
4. Homebrew tap - ✅ DONE (migrated to GitLab)
Status: Mirrored github.com/phpboyscout/homebrew → gitlab.com/phpboyscout/homebrew. The homebrew_casks block in .goreleaser.yaml pushes to the GitLab tap over SSH using a dedicated Ed25519 deploy key (registered on the tap with can_push=true). Private key lives in the HOMEBREW_TAP_SSH_KEY CI variable.
Users install with:
5. Branch protection - ✅ DONE (Free-tier subset)
Status: main is protected (Maintainer-level push + merge, no force-push, no deletions). Project settings enforce FF-only merges, pipelines must pass, discussions resolved before merge.
Pending (Premium): Conventional-Commits push-rule regex and required-status-check enforcement at the protected-branch level. Merge-must-pass-pipeline currently covers the same window.
6. GitLab Pages custom domain - ✅ DONE
Status: gtb.phpboyscout.uk verified, Let's Encrypt cert issued (CN=gtb.phpboyscout.uk, valid through Aug 2026), site responds HTTP 200. pages_access_level=enabled (previously private, which made every request hit GitLab's auth redirect).
DNS resolves through Cloudflare proxy in front of GitLab Pages; TLS terminates at Cloudflare. No further action.
7. Archive the GitHub repository - ⚠️ STILL OUTSTANDING
This is the last step. Once you're confident the GitLab migration is stable:
- Settings → Archive this repository on github.com/phpboyscout/go-tool-base.
- Edit the GitHub README on the archived repo to point at https://gitlab.com/phpboyscout/go-tool-base and pin an issue titled "Moved to GitLab" with the new URL.
- The repo stays read-only forever; existing go get github.com/phpboyscout/go-tool-base calls still resolve via the module proxy cache for previously-resolved versions, but new resolution will fail (intentional: module path is now gitlab.com/phpboyscout/go-tool-base).
I can run the archive via gh api -X PATCH repos/phpboyscout/go-tool-base -F archived=true on your authorisation.