Merge ~rodrigo-zaiden/ubuntu-cve-tracker:git-hooks into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Rejected
Rejected by: Steve Beattie
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:git-hooks
Merge into: ubuntu-cve-tracker:master
Diff against target: 38 lines (+21/-0)
2 files modified
Makefile (+3/-0)
scripts/git-hooks/pre-push (+18/-0)
Reviewer: Steve Beattie
Status: Disapprove
Review via email: mp+436417@code.launchpad.net

Description of the change

Suggestion of a new git hook:
prevent us from forcing a push to the main branch.

 $ git push --force
 FORCE pushing to MASTER is blocked
 If you know what you are doing and need to ignore this, use:
   git push --force --no-verify
 error: failed to push some refs to '<repo>'

also adding it to the Makefile so it can be installed with
 make dev_setup
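The hook in this proposal recognises a force push by grepping `--force` out of the parent process's command line. A pre-push hook can make the same decision from the data git actually gives it: one `<local ref> <local sha> <remote ref> <remote sha>` line per ref on stdin, plus the remote name and URL as `$1` and `$2`. The script below is an added example written for this page, not the proposal's own hook or anything in ubuntu-cve-tracker; the `PROTECTED_REFS` list, the all-zero SHA convention git uses for ref creation and deletion, and the basename guard at the bottom are assumptions of the example.

```shell
#!/bin/bash
# Added example pre-push hook (not the proposal's script). Refuses any
# update to a protected ref that is not a fast-forward, whatever flag or
# refspec produced it (--force, -f, --force-with-lease, +refspec ...).
# Assumption: protected refs are listed by full name, space separated.

PROTECTED_REFS="refs/heads/master"
ZERO_SHA="0000000000000000000000000000000000000000"   # git's "no object" SHA

# ref_is_protected <remote ref>: 0 if the ref is in PROTECTED_REFS.
ref_is_protected() {
    local ref="$1" p
    for p in $PROTECTED_REFS; do
        [ "$p" = "$ref" ] && return 0
    done
    return 1
}

# is_ancestor <old sha> <new sha>: 0 when old is reachable from new, i.e.
# the update is a fast-forward. Thin wrapper so tests can replace it.
is_ancestor() {
    git merge-base --is-ancestor "$1" "$2" 2>/dev/null
}

# check_update <local ref> <local sha> <remote ref> <remote sha>
# Returns 1 (and says why on stderr) when this ref update must be refused.
check_update() {
    local local_ref="$1" local_sha="$2" remote_ref="$3" remote_sha="$4"
    ref_is_protected "$remote_ref" || return 0          # unprotected: allow
    if [ "$local_sha" = "$ZERO_SHA" ]; then              # deletion of the ref
        echo "pre-push: refusing to delete protected ref $remote_ref" >&2
        return 1
    fi
    [ "$remote_sha" = "$ZERO_SHA" ] && return 0          # creating the ref: allow
    [ "$local_sha" = "$remote_sha" ] && return 0         # nothing to update
    if ! is_ancestor "$remote_sha" "$local_sha"; then
        echo "pre-push: refusing non-fast-forward push to $remote_ref" >&2
        echo "  remote $remote_sha is not an ancestor of local $local_sha" >&2
        return 1
    fi
    return 0
}

# main <remote name> <remote url>: git's calling convention for pre-push.
# One refused ref aborts the whole push (git honours a non-zero exit).
main() {
    local status=0 local_ref local_sha remote_ref remote_sha
    while read -r local_ref local_sha remote_ref remote_sha; do
        if ! check_update "$local_ref" "$local_sha" "$remote_ref" "$remote_sha"; then
            echo "pre-push: push to $1 ($2) blocked; fix the branch rather than using --no-verify" >&2
            status=1
        fi
    done
    return "$status"
}

# Run the entry point only when installed under the hook name, so the
# functions above can also be loaded and exercised without a push in flight.
case "${0##*/}" in
    pre-push) main "$@" || exit 1 ;;
esac
```

Install it as `.git/hooks/pre-push` (mode 755) in the same way the Makefile recipe installs the other hooks. Two caveats apply to any client-side hook, this one included: `git push --no-verify` skips it entirely, and only checkouts that installed it are covered, so it complements rather than replaces a server-side branch restriction.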

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks, this is a clever way to approach this. However, I have gone ahead and corrected the permissions on the master branch in launchpad https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+permissions to block force pushes.

(If it turns out we need to do a force push to remove something from the repo, we can adjust the permissions temporarily to do so.)

review: Disapprove

Unmerged commits

294bc2d... by Rodrigo Figueiredo Zaiden

add pre-push hook and install with make dev_setup

 the pre-push hook will prevent the usage of --force when
 pushing a commit.

Signed-off-by: Rodrigo Figueiredo Zaiden <email address hidden>

Preview Diff

1diff --git a/Makefile b/Makefile
2index 2c0abb7..c0d24af 100644
3--- a/Makefile
4+++ b/Makefile
5@@ -58,6 +58,9 @@ dev_setup:
6 install -m 755 -b -S .backup scripts/git-hooks/pre-commit-pyflakes3 .git/hooks ; \
7 echo install -m 755 -b -S .backup scripts/git-hooks/pre-commit-emacs .git/hooks ; \
8 install -m 755 -b -S .backup scripts/git-hooks/pre-commit-emacs .git/hooks ; \
9+ # install git push hook in UCT repo \
10+ echo install -m 755 -b -S .backup scripts/git-hooks/pre-push .git/hooks ; \
11+ install -m 755 -b -S .backup scripts/git-hooks/pre-push .git/hooks ; \
12 # install git prepare message hook; this is used to do a \
13 # check-syntax run for merge commits, which the regular git \
14 # commit hook mind-bogglingly does not get run on \
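Review bot: the recipe should say what the new hook protects against and that it is a local, opt-in guard. Only checkouts that have run `make dev_setup` get it, and `git push --no-verify` skips it, so it complements the Launchpad branch permissions rather than enforcing anything on its own; the existing comments in this recipe explain the purpose of each hook, so `# install git push hook in UCT repo \` would read better as, for example, `# install git pre-push hook; refuses force pushes to master \`. The echo-then-install pair and `-b -S .backup` match the neighbouring entries, which is fine.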
15diff --git a/scripts/git-hooks/pre-push b/scripts/git-hooks/pre-push
16new file mode 100755
17index 0000000..4cfbde4
18--- /dev/null
19+++ b/scripts/git-hooks/pre-push
20@@ -0,0 +1,18 @@
21+#!/bin/bash
22+#
23+# This hook will prevent 'git push' with '--force' argument
24+# To enable this hook, place it in .git/hooks/pre-push.
25+
26+PROTECTED_BRANCH='master'
27+CURRENT_BRANCH=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')
28+
29+COMMAND=$(ps -ocommand= -p $PPID)
30+FILTER='--force'
31+
32+if [[ $PROTECTED_BRANCH == $CURRENT_BRANCH ]] &&
33+ [[ "$COMMAND" =~ .*"$FILTER".* ]]; then
34+ echo -e "\e[1;31mFORCE pushing to MASTER is blocked \e[0m"
35+ echo -e "\e[1;33mIf you know what you are doing and need to ignore this, use: \e[0m"
36+ echo -e "\e[1;33m $COMMAND --no-verify \e[0m"
37+ exit 1
38+fi
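Review bot: the detection in lines 27 to 33 is unreliable in both directions. Reading `ps -ocommand= -p $PPID` only catches the literal `--force`, so `-f`, `--force-with-lease`, `--force-if-includes` and `git push origin +master` all pass, and it assumes the parent process is the `git push` invocation, which an alias, wrapper script or GUI client breaks. `git symbolic-ref HEAD` gives the checked-out branch, not the ref being pushed, so `git push --force origin feature` from a master checkout is blocked while `git push --force origin feature:master` from another branch is not, and the command errors in detached-HEAD state. git hands pre-push the real data on stdin, one `<local ref> <local sha> <remote ref> <remote sha>` line per ref: read those, compare `$remote_ref` against `refs/heads/master`, and refuse when `$local_sha` is all zeros (a delete) or `git merge-base --is-ancestor "$remote_sha" "$local_sha"` fails. That drops the `ps` and `sed` dependencies and the `$PPID` quoting question as well. Minor: the header comment says the hook blocks `--force`; it should say it blocks non-fast-forward updates to master once the logic is changed.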
