The Great Migration: Moving from GHES to GHEC Without Breaking Production
In the modern DevOps landscape, the shift from GitHub Enterprise Server (GHES)—the “on-prem” fortress—to GitHub Enterprise Cloud (GHEC) is more than just a server move; it is a fundamental shift in operational philosophy. For years, large enterprises clung to GHES for the illusion of total control. However, the overhead of patching, scaling, and the lag in receiving cutting-edge features like GitHub Copilot or advanced GitHub Actions capabilities has made GHEC the gold standard for high-performing teams.
Why the Migration Matters
Migrating to GHEC unlocks the “GitHub-first” experience. You move from being a sysadmin of your own version control system to a consumer of a highly available, globally distributed platform. This transition allows teams to focus on developer velocity rather than infrastructure maintenance. In an interview setting, understanding this migration isn’t just about knowing the git clone command; it’s about understanding Identity Provider (IdP) integration, data residency, and migration of metadata (PRs, Issues, and Actions history).
Real-World Workflows & Collaboration
On GHEC, collaboration often expands. While GHES usually sits behind a VPN, GHEC allows for more seamless integration with third-party SaaS tools and external collaborators via Enterprise Managed Users (EMU). This shifts the security model from “network-perimeter” (VPN) to “identity-perimeter” (SAML/SCIM). Developers must adapt to new branching strategies that leverage GitHub Actions’ cloud-hosted runners, which often provide more elasticity than the static runner pools typical in on-prem environments.
Common Pitfalls & Anti-Patterns
- The “Big Bang” Fallacy: Attempting to move 5,000 repos in one weekend. Solution: Use a phased approach by business unit.
- Ignoring Metadata: Simply pushing code to a new remote loses the “Why” behind the “What.” Solution: Use the GitHub Enterprise Importer (GEI) to preserve PR conversations and history.
- Hardcoded Internal URLs: Many CI/CD scripts or internal tools might point to github.internal.company.com. Solution: Audit your codebase for internal domain references before the cutover.
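One way to run the internal-URL audit from the last pitfall, as an added example that is not part of the original article. The skip list, the three hit categories and the sample files are assumptions made for illustration; the hostname is the one the article uses.

```python
import re
import tempfile
from pathlib import Path

GHES_HOST = "github.internal.company.com"  # hostname from the article's example
HOST_RE = re.compile(r"(?<![\w.-])" + re.escape(GHES_HOST) + r"(?!\.?[\w-])", re.I)
SKIP_DIRS = {".git", "node_modules", "vendor"}  # assumed: trees not worth scanning

def classify(line):
    """Label a hit so the owner knows what kind of change the cutover needs."""
    low = line.lower()
    if "git@" + GHES_HOST in low:
        return "ssh-remote"
    if GHES_HOST + "/api/" in low:  # GHES serves its REST API under /api/v3
        return "api-endpoint"
    return "web-url"

def audit_tree(root):
    """Return (relative path, line number, kind) for each reference to GHES_HOST."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts):
            continue
        data = path.read_bytes()
        if b"\0" in data[:8192]:  # skip binary files
            continue
        for no, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
            if HOST_RE.search(line):
                hits.append((rel.as_posix(), no, classify(line)))
    return hits

def build_sample(root):
    """Write a constructed sample checkout (not real project files)."""
    files = {
        ".github/workflows/ci.yml": f"steps:\n  - run: curl https://{GHES_HOST}/api/v3/repos/acme/app\n",
        "scripts/deploy.sh": f"#!/bin/sh\ngit clone git@{GHES_HOST}:acme/app.git\n",
        "README.md": f"Docs: https://{GHES_HOST}/acme/app/wiki\nOther: https://{GHES_HOST}.example.net/\n",
        "node_modules/pkg/index.js": f"// https://{GHES_HOST}/ignored\n",
    }
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, no, kind in audit_tree(tmp):
            print(f"{rel}:{no}: {kind}")
```

The look-alike domain in the sample README is deliberately not reported, because the pattern only matches the GHES hostname as a complete name.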
Study Guide: GHES to GHEC Migration Strategy
Overview & The Analogy
Migrating from GHES to GHEC is like moving from owning a private library in your basement to renting a premium, managed suite in a world-class skyscraper. In your basement (GHES), you control the temperature and the locks, but you also have to fix the roof when it leaks. In the skyscraper (GHEC), the building management handles security and maintenance, and you get access to high-tech amenities (Copilot, Cloud Runners) that were impossible to install at home.
Core Concepts & Terminology
1. GitHub Enterprise Importer (GEI)
The primary tool used to migrate repositories and their associated metadata (Issues, PRs, Releases). It is a CLI tool that automates the “export-from-source” and “import-to-target” workflow.
2. Enterprise Managed Users (EMU)
A specific type of GHEC enterprise where the company manages the lifecycle of accounts via an IdP (like Okta or Azure AD). This is critical for security-conscious migrations.
3. Data Residency
While GHEC is cloud-based, organizations can now choose specific regions (e.g., EU) for data residency to meet regulatory requirements, a common concern when leaving GHES.
Typical Migration Workflow
- Discovery: Inventory all repos, teams, and permissions on GHES.
- Identity Mapping: Ensure GHES usernames align with IdP identities in GHEC.
- Dry Run: Use GEI to migrate a subset of repos to a test GHEC organization.
- Code Freeze: Set GHES repos to “Read-Only” during the final cutover.
- Final Migration: Run GEI for the production migration.
- Validation: Check CI/CD pipelines, webhooks, and team access.
Real-World Scenarios
Scenario A: The “Legacy” Monolith
Context: A large bank moving a 50GB repository with 10 years of history.
Application: Instead of a standard migration, the team uses Git LFS (Large File Storage) to prune the history before moving to GHEC to ensure performance. They leverage GEI specifically to keep the compliance-required PR audit trails.
Scenario B: High-Security EMU Transition
Context: A biotech firm requiring strict SCIM provisioning.
Application: They set up an EMU enterprise first. Migration must map the old GHES handles to the new username_company format provided by the EMU-SAML integration.
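The identity-mapping step from the workflow and from Scenario B, as an added example that is not part of the original article. It joins a GHES account inventory to an IdP export on e-mail address and reports the two cases that need a decision before cutover: accounts with no IdP identity, and several GHES logins collapsing into one managed user. The short code `company`, the record layout and the normalisation rule are assumptions; check the rule against your own IdP configuration.

```python
import re

SHORTCODE = "company"  # assumed short code, after the page's username_company format

def emu_handle(idp_username, shortcode=SHORTCODE):
    """Assumed, simplified normalisation: drop the e-mail domain, turn anything
    that is not alphanumeric or '-' into '-', then append _shortcode."""
    local = idp_username.split("@", 1)[0].lower()
    local = re.sub(r"[^a-z0-9-]+", "-", local).strip("-")
    return f"{local}_{shortcode}"

def plan_identity_mapping(ghes_accounts, idp_users):
    """Join GHES accounts to IdP identities on e-mail address.

    Returns (mapping, unmatched, collisions):
      mapping     GHES login -> EMU handle
      unmatched   GHES logins with no IdP identity (service or stale accounts)
      collisions  EMU handle -> GHES logins that would merge into one identity
    """
    by_email = {u["email"].lower(): u["username"] for u in idp_users}
    mapping, unmatched, owners = {}, [], {}
    for acct in ghes_accounts:
        idp_name = by_email.get((acct.get("email") or "").lower())
        if idp_name is None:
            unmatched.append(acct["login"])
            continue
        handle = emu_handle(idp_name)
        mapping[acct["login"]] = handle
        owners.setdefault(handle, []).append(acct["login"])
    collisions = {h: logins for h, logins in owners.items() if len(logins) > 1}
    return mapping, unmatched, collisions

# Constructed sample data (not real accounts).
GHES_ACCOUNTS = [
    {"login": "jdoe", "email": "Jane.Doe@company.example"},
    {"login": "jdoe-admin", "email": "jane.doe@company.example"},
    {"login": "asmith", "email": "a.smith@company.example"},
    {"login": "ci-bot", "email": None},
]
IDP_USERS = [
    {"email": "jane.doe@company.example", "username": "jane.doe@company.example"},
    {"email": "a.smith@company.example", "username": "a_smith"},
]

if __name__ == "__main__":
    mapping, unmatched, collisions = plan_identity_mapping(GHES_ACCOUNTS, IDP_USERS)
    print("mapping:", mapping)
    print("unmatched:", unmatched)
    print("collisions:", collisions)
```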
Interview Questions (Q&A)
- What is the biggest technical hurdle when moving from GHES to GHEC?
Identity management. Moving from local GHES accounts to SAML-based Enterprise Managed Users (EMU) requires careful planning of username mapping and permission structures.
- How does GEI differ from a simple git push --mirror?
A mirror push only moves git objects (branches, tags). GEI moves metadata: PRs, comments, reviews, issues, and labels, which are essential for historical context.
- What happens to GitHub Actions during migration?
The YAML definitions move, but secrets do not. You must re-provision secrets and update runner groups if moving from self-hosted GHES runners to GHEC runners.
- How do you handle “Internal” visibility in GHEC?
In GHEC, “Internal” visibility means anyone within the entire Enterprise account can see the repo, mirroring the GHES “Internal” behavior but at a cloud scale.
- Why would a company choose GHEC over GHES today?
Access to GitHub-hosted runners, global availability without VPN, and immediate access to new features like Advanced Security (GHAS) and Copilot.
- How do you minimize downtime during migration?
By using a “Dry Run” phase to identify errors and then scripting the final cutover during off-hours using the GEI CLI.
- What is an “IP Allow List” in GHEC?
Since GHEC is on the public internet, IP Allow Lists restrict access to specific corporate VPN ranges or office IPs, replacing the network-level security of GHES.
- How do you migrate large binary files?
Ensure Git LFS is enabled on the target. GEI supports LFS, but bandwidth and storage quotas on GHEC must be pre-purchased.
- Can you migrate from GHES to a standard “Dotcom” org?
Yes, but you lose the centralized management and security features of GHEC/EMU. For enterprises, GHEC is the recommended target.
- What is the role of a “Migration Token”?
It is a Personal Access Token (PAT) with specific scopes (read:org, admin:org) used by GEI to authenticate against both the source and target APIs.
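For the Actions answer above (the YAML definitions move, the secrets do not), an added example that is not part of the original article: it reads workflow files and lists which secrets must be re-provisioned on the target and which jobs still ask for self-hosted runners. The function names and sample workflows are constructed, and only the inline `runs-on` forms and the `secrets.NAME` syntax are handled.

```python
import re

SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
RUNS_ON_RE = re.compile(r"^[ \t]*runs-on:[ \t]*(.+?)[ \t]*(?:#.*)?$", re.M)
AUTOMATIC = {"GITHUB_TOKEN"}  # created by GitHub for each run; nothing to re-provision

def inventory_workflow(text):
    """Return (secret names referenced, label sets of jobs on self-hosted runners).
    Handles the inline forms `runs-on: x` and `runs-on: [a, b]` only."""
    secrets = sorted({s for s in SECRET_RE.findall(text) if s.upper() not in AUTOMATIC})
    self_hosted = []
    for value in RUNS_ON_RE.findall(text):
        labels = [l.strip(" '\"") for l in value.strip("[]").split(",")]
        if "self-hosted" in labels:
            self_hosted.append(labels)
    return secrets, self_hosted

def cutover_checklist(workflows):
    """workflows: {path: YAML text}. Returns (secret -> files that need it,
    file -> self-hosted label sets that need a runner group on the target)."""
    needed, runners = {}, {}
    for path, text in sorted(workflows.items()):
        secrets, self_hosted = inventory_workflow(text)
        for name in secrets:
            needed.setdefault(name, []).append(path)
        if self_hosted:
            runners[path] = self_hosted
    return needed, runners

# Constructed sample workflows (not from a real repository).
WORKFLOWS = {
    ".github/workflows/build.yml": """\
jobs:
  build:
    runs-on: [self-hosted, linux, ghes-pool]  # static on-prem pool
    steps:
      - run: ./build.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
    ".github/workflows/deploy.yml": """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh --key "${{ secrets.DEPLOY_KEY }}" --npm "${{ secrets.NPM_TOKEN }}"
""",
}

if __name__ == "__main__":
    print(cutover_checklist(WORKFLOWS))
```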
Interview Tips & Golden Nuggets
- The EMU Distinction: If asked about security, mention Enterprise Managed Users. It shows you understand the difference between a “personal account used for work” and a “company-owned account.”
- The “Three-Legged Stool”: A migration isn’t just code. It’s Code + Metadata + Identity. Mentioning all three demonstrates seniority.
- Dry Runs: Always emphasize that you would never perform a production migration without at least two successful dry runs.
- Rate Limiting: Mention that the GitHub API has rate limits. High-volume migrations might need to be throttled or coordinated with GitHub Support.
Comparison: GHES vs. GHEC
| Feature | GHES (On-Prem) | GHEC (Cloud) |
|---|---|---|
| Maintenance | User-managed (Patches/Backups) | GitHub-managed (SaaS) |
| Feature Availability | Delayed (Quarterly releases) | Instant (Continuous) |
| Network Security | VPN/Internal Network | SAML SSO / IP Allow Lists |
| CI/CD Runners | Self-hosted only | GitHub-hosted + Self-hosted |
Migration Architecture
📦 Repository Ecosystem
- Migrate Git history & LFS
- Transfer PRs, Issues, Labels
- Re-map team permissions
- Update remote origin URLs
🤝 Collaboration
- SAML SSO / SCIM Provisioning
- Enterprise Managed Users (EMU)
- CODEOWNERS enforcement
- Branch Protection Rules
🤖 Automation
- GitHub Actions Cloud Runners
- Migrate Action Secrets
- Update Webhook endpoints
- Reconnect 3rd party SaaS
Decision Tree: Migration Strategy
- 1. Need metadata (PRs/Issues)?
  - Yes: Use GitHub Enterprise Importer (GEI).
  - No: Simple git push --mirror.
- 2. High security / Identity control needed?
  - Yes: Opt for Enterprise Managed Users (EMU).
  - No: Standard GHEC Enterprise.
- 3. Regulatory Data Residency (EU/Asia)?
  - Yes: Choose GHEC with Data Residency.
  - No: Standard Global GHEC.