Files
GitHop/docs/adr/0001-gitea-as-forge-foundation.md

70 lines
2.8 KiB
Markdown

# ADR 0001: Use Gitea as the forge foundation
- Status: Accepted
- Date: 2026-07-11
## Context
HopWeb needs reliable Git hosting, repository permissions, users and
organizations, review primitives, webhooks, CI integration, packages, releases,
and administration. Rebuilding this foundation would delay the Hop-native
workflow and create a large security and maintenance burden.
Gitea is a mature, MIT-licensed, Go-based forge with a REST API, OAuth2 provider,
webhooks, Git LFS, package registries, and a production-capable Actions system.
It supports custom assets, themes, templates, and repository tabs, which are
enough to prototype a unified Hop experience without immediately carrying a
large source fork.
## Decision
Use a pinned upstream Gitea release as the forge substrate. Build Hop as a
separate control-plane service and Hop-native web experience that integrates
with Gitea through stable APIs, webhooks, OAuth, and Git protocols.
Adopt a staged customization policy:
1. configuration, branding, templates, assets, and API integration;
2. small upstreamable extension points where integration seams are missing;
3. a shallow maintained fork only for essential Hop-native behavior.
Hop domain data will live outside the Gitea schema. Cross-service operations
will use stable IDs, idempotency keys, and explicit reconciliation rather than
distributed database writes.
## Consequences
### Positive
- The team can focus on Hop's state model and collaboration experience.
- Standard Git clients and familiar forge features work from the beginning.
- Gitea security fixes and features can be consumed from upstream.
- A separable control plane makes the Hop model portable to another Git host.
### Costs and risks
- A visually unified product must compose two service boundaries.
- Some acceptance operations need careful compensation and reconciliation.
- Template overrides are version-sensitive.
- A deep fork would make upstream upgrades expensive.
- Public multi-tenant runners require a stronger isolation model than Gitea's
default trusted-runner assumptions.
## Guardrails
- Pin exact Gitea versions and test upgrades in automation.
- Keep a patch ledger for every source-level deviation from upstream.
- Never edit vendored Gitea code for branding alone.
- Prefer contributing generic extension points upstream.
- Keep the Hop control plane independently testable and deployable.
- Threat-model Git hooks, webhooks, runner registration, job tokens, and
untrusted repository content before supporting public execution.
## Revisit when
- Gitea's architecture prevents a core Hop invariant;
- the source patch set grows beyond a routinely rebaseable size;
- transactional acceptance cannot be made reliable across the boundary; or
- operating two services costs more than owning a cohesive fork.