KB-26C2
S171C — Git VPS→GH Sync Verify: DRIFT
S171C — Git VPS → GitHub Sync Verify
Date: 2026-04-07 | Agent: Claude Code (Opus 4.6) | READ-ONLY mission
V1: Crontab entry
$ crontab -l | grep git-push-gh
0 6,18 * * * /opt/incomex/scripts/git-push-gh-daily.sh >> /var/log/incomex/git-push-gh.log 2>&1
Schedule: 06:00 + 18:00 UTC daily. ✅ EXISTS
V2: Script + executable
$ ls -la /opt/incomex/scripts/git-push-gh-daily.sh
-rwxr-xr-x 1 root root 3166 Apr 5 16:55 .../git-push-gh-daily.sh
$ head -2
#!/bin/bash
# git-push-gh-daily.sh — VPS→GH daily backup (both repos)
Repos pushed: Huyen1974/web-test.git + Huyen1974/agent-data-test.git. ✅ EXISTS
V3: Last run log — FAILING
$ tail -4 /var/log/incomex/git-push-gh.log
2026-04-06 04:00:11 UTC [git-push-gh] Done. Both repos pushed to branch vps-daily-20260406
2026-04-06 16:00:28 UTC [git-push-gh] FATAL: no token
2026-04-07 04:00:28 UTC [git-push-gh] FATAL: no token
Last SUCCESS: 2026-04-06 04:00 UTC (branch vps-daily-20260406).
Last 2 runs: FATAL: no token. 🔴 FAILING
Root cause: GSM permission denied
gcloud secrets versions access latest --secret="gh_pat_sync_secrets"
→ PERMISSION_DENIED: cursor-ci-builder@...iam.gserviceaccount.com
Service account lost secretmanager.versions.access permission.
Cached .git-token (41 chars, valid PAT) expired (>47h, cache TTL 24h).
V4: VPS HEAD vs GitHub — DRIFT
| Repo | VPS HEAD | GitHub last pushed | Match? |
|---|---|---|---|
| /opt/incomex (scripts) | 6e6ed66 | branch vps-daily-20260406 | 🔴 DRIFT: 4 commits |
4 commits on VPS NOT on GitHub:
6e6ed66 feat(security): db-permissions-guard
995e8bb chore(monitoring): remove S171B workaround cron scripts
98b8c29 feat(monitoring): S171B VPS health alert scripts
b5937c9 S170: DOT-317 sync-orphan-scan + cron stagger + cleanup
V5: Test restore — PARTIAL
$ git clone --depth 1 --branch vps-daily-20260406 .../web-test.git /tmp/git-test-restore
→ Clone successful (cached PAT still works as credential)
$ diff scripts/db-permissions-guard.sh /tmp/git-test-restore/...
→ "not in backup branch" (file committed AFTER last push)
$ rm -rf /tmp/git-test-restore
→ Cleanup done
GitHub backup clone WORKS but is 1 day stale (missing 4 commits).
Conclusion: DRIFT
| Item | Status |
|---|---|
| Cron exists | ✅ |
| Script executable | ✅ |
| Last run success | 🔴 2 FAILURES (token expired + GSM permission denied) |
| VPS == GitHub | 🔴 DRIFT (4 commits behind) |
| Backup usable | ⚠️ STALE (clone works, but 1 day old) |
Immediate actions needed (Desktop):
- Fix GSM permission: Grant cursor-ci-builder SA secretmanager.versions.access on gh_pat_sync_secrets, OR manually refresh .git-token with a valid PAT
- Manual push: Run /opt/incomex/scripts/git-push-gh-daily.sh after token fix to sync 4 missing commits
- Verify: Check both web-test and agent-data-test repos on GitHub have latest
Proposed DOT: DOT-GIT-SYNC-MONITOR (priority HIGH)
- Cron daily: git log origin/main..HEAD --oneline → count. If >0 → Telegram alert
- Also check: git-push-gh.log last line contains "Done" within 24h. If not → alert
- Closes CQ-1 (permanent), NT-02 (auto), NT-05 (self-detection)
- Desktop will create it later. NOT created in this mission.
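
A sketch of the two checks proposed for DOT-GIT-SYNC-MONITOR, added here as an example and not the project's own script. The function names and the `--run` switch are assumptions; alert delivery (Telegram) is left to the caller, which receives the ALERT lines on stdout.

```shell
#!/usr/bin/env bash
# Added example: the two monitor checks as functions (not the project's script).

# Commits on HEAD missing from a remote-tracking ref. That ref only moves on
# fetch/push, so pass the ref the push job actually updates (origin/main here,
# as in the proposal above).
unpushed_count() {  # $1 = repo dir, $2 = upstream ref
  git -C "$1" rev-list --count "$2..HEAD"
}

# Succeeds only if the log's last line is a "Done" entry at most $3 seconds old.
log_fresh() {  # $1 = log file, $2 = now (epoch), $3 = max age, default 24h
  local last ts epoch age
  last=$(tail -n 1 "$1" 2>/dev/null) || return 1
  case "$last" in *"[git-push-gh] Done"*) ;; *) return 1 ;; esac
  ts=${last%% UTC*}                    # e.g. "2026-04-06 04:00:11"
  epoch=$(date -u -d "$ts" +%s 2>/dev/null) || return 1
  age=$(( $2 - epoch ))
  [ "$age" -ge 0 ] && [ "$age" -le "${3:-86400}" ]
}

# Prints one ALERT line per failed check; non-zero exit if any check failed.
sync_status() {  # $1 = unpushed count, $2 = log file, $3 = now (epoch)
  local rc=0
  if [ "$1" -gt 0 ]; then
    echo "ALERT: $1 commit(s) on VPS not pushed"
    rc=1
  fi
  if ! log_fresh "$2" "$3"; then
    echo "ALERT: no successful push in 24h; last log line: $(tail -n 1 "$2" 2>/dev/null)"
    rc=1
  fi
  return "$rc"
}

# Cron entry point; paths are the ones this report names.
if [ "${1:-}" = "--run" ]; then
  n=$(unpushed_count /opt/incomex origin/main) || n=1  # git error counts as drift
  sync_status "$n" /var/log/incomex/git-push-gh.log "$(date -u +%s)"
fi
```

Because a "FATAL: no token" last line fails `log_fresh` regardless of its timestamp, the failure recorded in V3 would have alerted on the first missed run.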
S171C DRIFT. 4 commits not yet pushed. Root cause: GSM permission denied. Desktop needs to fix the token.