From ae5a0f39cd3d0098ca684c7dfb83ebfe3acca8b6 Mon Sep 17 00:00:00 2001
From: rl1987
Date: Wed, 20 Feb 2019 09:35:27 +0200
Subject: [PATCH 1/4] Update git pre-push hook so that only upstream branches can get pushed to origin
---
 changes/feature29532 | 4 ++++
 scripts/maint/pre-push.git-hook | 21 ++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 changes/feature29532
diff --git a/changes/feature29532 b/changes/feature29532
new file mode 100644
index 0000000000..4d95e6bca8
--- /dev/null
+++ b/changes/feature29532
@@ -0,0 +1,4 @@
+ o Minor features (developer tooling):
+ - Modify git pre-push hook script to disallow pushing branches other than
+ master, release-* and maint-* to origin remote. Implements feature
+ 29532.
diff --git a/scripts/maint/pre-push.git-hook b/scripts/maint/pre-push.git-hook
index 26296023fb..78d62527e0 100755
--- a/scripts/maint/pre-push.git-hook
+++ b/scripts/maint/pre-push.git-hook
@@ -1,17 +1,32 @@ #!/bin/bash +# git pre-push hook script to prevent "fixup!" and "squash!" commit +# from ending up in master, or in any branch if CUR_BRANCH check is removed. +# Furthermore, it disallows pushing branches other than master, release-* +# and maint-* to origin (e.g. gitweb.torproject.org). +# # To install this script, copy it into .git/hooks/pre-push path in your # local copy of git repository. Make sure it has permission to execute. # -# This is git pre-push hook script to prevent "fixup!" and "squash!" commits -# from ending up in upstream branches (master, release-* or maint-*). -# # The following sample script was used as starting point: # https://github.com/git/git/blob/master/templates/hooks--pre-push.sample z40=0000000000000000000000000000000000000000 +remote="$1" CUR_BRANCH=$(git rev-parse --abbrev-ref HEAD) + +# Only allow pushing master, release-* and maint-* branches to origin. +if [ "$remote" == "origin" ] +then + if [ "$CUR_BRANCH" != "master" ] && [[ $CUR_BRANCH != release-* ]] && + [[ $CUR_BRANCH != maint-* ]] + then + echo >&2 "Not pushing $CUR_BRANCH to origin" + exit 1 + fi +fi + if [ "$CUR_BRANCH" != "master" ] && [[ $CUR_BRANCH != release-* ]] && [[ $CUR_BRANCH != maint-* ]] then From f3eac74ed9c68212a9df1a1acbdf146662469a5a Mon Sep 17 00:00:00 2001 From: rl1987 Date: Wed, 20 Feb 2019 19:48:52 +0200 Subject: [PATCH 2/4] In pre-push hook script, actually check local and remote refs --- scripts/maint/pre-push.git-hook | 38 ++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/scripts/maint/pre-push.git-hook b/scripts/maint/pre-push.git-hook index 78d62527e0..14bc0690c1 100755 --- a/scripts/maint/pre-push.git-hook +++ b/scripts/maint/pre-push.git-hook 
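Review bot: The origin guard added at `if [ "$remote" == "origin" ]` keys on the local remote name in `$1`, so it protects the canonical repository only in checkouts where that repository is configured under the name origin; a remote with another name pointing at the same URL is not checked. Git also passes the remote URL to the hook as `$2`, which could be matched instead of, or in addition to, the name. At minimum the header comment should state the assumption, for example `# Assumes the canonical repository is configured as the remote named "origin".`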
@@ -11,29 +11,20 @@ # The following sample script was used as starting point: # https://github.com/git/git/blob/master/templates/hooks--pre-push.sample +echo "Running pre-push hook" + z40=0000000000000000000000000000000000000000 remote="$1" -CUR_BRANCH=$(git rev-parse --abbrev-ref HEAD) -# Only allow pushing master, release-* and maint-* branches to origin. -if [ "$remote" == "origin" ] -then - if [ "$CUR_BRANCH" != "master" ] && [[ $CUR_BRANCH != release-* ]] && - [[ $CUR_BRANCH != maint-* ]] +ref_is_upstream_branch() { + if [ "$1" == "refs/heads/master" ] || + [[ "$1" == refs/heads/release-* ]] || + [[ "$1" == refs/heads/maint-* ]] then - echo >&2 "Not pushing $CUR_BRANCH to origin" - exit 1 + return 1 fi -fi - -if [ "$CUR_BRANCH" != "master" ] && [[ $CUR_BRANCH != release-* ]] && - [[ $CUR_BRANCH != maint-* ]] -then - exit 0 -fi - -echo "Running pre-push hook" +} # shellcheck disable=SC2034 while read -r local_ref local_sha remote_ref remote_sha @@ -52,6 +43,19 @@ do range="$remote_sha..$local_sha" fi + if ref_is_upstream_branch "$local_ref" == 0 || + ref_is_upstream_branch "$remote_ref" == 0 + then + if [ "$remote" == "origin" ] + then + echo >&2 "Not pushing: $local_ref to $remote_ref" + echo >&2 "If you really want to push this, use --no-verify." + exit 1 + else + continue + fi + fi + # Check for fixup! commit commit=$(git rev-list -n 1 --grep '^fixup!' "$range") if [ -n "$commit" ] From 0deea98d021d105eeb5dc5c43c144847ad188ea5 Mon Sep 17 00:00:00 2001 From: rl1987 Date: Wed, 20 Feb 2019 19:56:37 +0200 Subject: [PATCH 3/4] Improve pre-push.git-hook description --- scripts/maint/pre-push.git-hook | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/scripts/maint/pre-push.git-hook b/scripts/maint/pre-push.git-hook index 14bc0690c1..24043978b6 100755 --- a/scripts/maint/pre-push.git-hook +++ b/scripts/maint/pre-push.git-hook 
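Review bot: `ref_is_upstream_branch` has its exit status inverted: it does `return 1` when the ref matches master, release-* or maint-* and falls through with status 0 otherwise, so a function named as a positive test succeeds only for refs that are not upstream. The call sites in the second hunk (`if ref_is_upstream_branch "$local_ref" == 0 || ...`) work only because of that inversion; the trailing `== 0` is not a comparison, it is passed to the function as two unused arguments. Since this is the guard in front of the canonical repository, I would make the match branch `return 0`, add `return 1` after `fi`, and write the test as `if ! ref_is_upstream_branch "$local_ref" || ! ref_is_upstream_branch "$remote_ref"`, so that a later reader who "corrects" the return value or the call does not silently flip the check.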
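Review bot: The refusal message in the added block recommends `--no-verify`, and that option skips the pre-push hook entirely, including the fixup!/squash! scan that follows in this loop. The message should say so, e.g. `echo >&2 "Note: --no-verify also skips the fixup!/squash! checks."`, so that an override meant for a branch name is not assumed to keep the other checks. Because the hook is client-side and can be bypassed this way, it is a convenience guard rather than enforcement; anything that must hold for origin needs a server-side check as well. The enclosing `while read` loop starts and ends outside this hunk.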
@@ -1,9 +1,10 @@ #!/bin/bash -# git pre-push hook script to prevent "fixup!" and "squash!" commit -# from ending up in master, or in any branch if CUR_BRANCH check is removed. -# Furthermore, it disallows pushing branches other than master, release-* -# and maint-* to origin (e.g. gitweb.torproject.org). +# git pre-push hook script to: +# 1) prevent "fixup!" and "squash!" commit from ending up in master, release-* +# or maint-* +# 2) Disallow pushing branches other than master, release-* +# and maint-* to origin (e.g. gitweb.torproject.org). # # To install this script, copy it into .git/hooks/pre-push path in your # local copy of git repository. Make sure it has permission to execute. From 7f0516022bb84378df13136273b42019e54157f9 Mon Sep 17 00:00:00 2001 From: rl1987 Date: Fri, 22 Feb 2019 17:05:07 +0200 Subject: [PATCH 4/4] Also disallow pushing to/from upstream branch when branch names do not match --- scripts/maint/pre-push.git-hook | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/maint/pre-push.git-hook b/scripts/maint/pre-push.git-hook index 24043978b6..e7a72efa08 100755 --- a/scripts/maint/pre-push.git-hook +++ b/scripts/maint/pre-push.git-hook @@ -44,8 +44,9 @@ do range="$remote_sha..$local_sha" fi - if ref_is_upstream_branch "$local_ref" == 0 || - ref_is_upstream_branch "$remote_ref" == 0 + if (ref_is_upstream_branch "$local_ref" == 0 || + ref_is_upstream_branch "$remote_ref" == 0) && + [ "$local_ref" != "$remote_ref" ] then if [ "$remote" == "origin" ] then
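Review bot: The `&&` added in `(...) && [ "$local_ref" != "$remote_ref" ]` narrows the refusal instead of extending it. With `ref_is_upstream_branch` as defined earlier in this series (status 0 for refs that are not master, release-* or maint-*), a push of a non-upstream branch to the same name on origin (say a constructed refs/heads/topic to refs/heads/topic) now has equal names, so the condition is false and the push is no longer refused. A push from master to a differently named maint-* branch has both calls returning 1 and is not refused either, which is the case the subject line describes. Joining the name comparison with `||` gives the stated behaviour: `ref_is_upstream_branch "$remote_ref" == 0 ||` followed by `[ "$local_ref" != "$remote_ref" ]`, with the `( ... )` subshell dropped. The `while` loop this condition sits in continues outside the hunk.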