[jackhill/guix/guix.git] / etc / git / pre-push

#!/bin/sh

# This hook script prevents the user from pushing to Savannah if any of the new
# commits' OpenPGP signatures cannot be verified.

# Called by "git push" after it has checked the remote status, but before
# anything has been pushed.  If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
#   <local ref> <local sha1> <remote ref> <remote sha1>

z40=0000000000000000000000000000000000000000

# Only use the hook when pushing to Savannah.
case "$2" in
*git.sv.gnu.org*)
	break
	;;
*)
	exit 0
	;;
esac

while read local_ref local_sha remote_ref remote_sha
do
	if [ "$local_sha" = $z40 ]
	then
		# Handle delete
		:
	else
		if [ "$remote_sha" = $z40 ]
		then
			# We are pushing a new branch. To prevent wasting too
			# much time for this relatively rare case, we examine
			# all commits since the first signed commit, rather than
			# the full history. This check *will* fail, and the user
			# will need to temporarily disable the hook to push the
			# new branch.
			range="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
		else
			# Update to existing branch, examine new commits
			range="$remote_sha..$local_sha"
		fi

		# Verify the signatures of all commits being pushed.
		ret=0
		for commit in $(git rev-list $range)
		do
			if ! git verify-commit $commit >/dev/null 2>&1
			then
				printf "%s failed signature check\n" $commit
				ret=1
			fi
		done
		exit $ret
	fi
done

exit 0
Commit	Line	Data
69355e12 LF	1	#!/bin/sh
	2
	3	# This hook script prevents the user from pushing to Savannah if any of the new
	4	# commits' OpenPGP signatures cannot be verified.
	5
	6	# Called by "git push" after it has checked the remote status, but before
	7	# anything has been pushed. If this script exits with a non-zero status nothing
	8	# will be pushed.
	9	#
	10	# This hook is called with the following parameters:
	11	#
	12	# $1 -- Name of the remote to which the push is being done
	13	# $2 -- URL to which the push is being done
	14	#
	15	# If pushing without using a named remote those arguments will be equal.
	16	#
	17	# Information about the commits which are being pushed is supplied as lines to
	18	# the standard input in the form:
	19	#
	20	# <local ref> <local sha1> <remote ref> <remote sha1>
	21
	22	z40=0000000000000000000000000000000000000000
	23
	24	# Only use the hook when pushing to Savannah.
	25	case "$2" in
	26	git.sv.gnu.org)
	27	break
	28	;;
	29	*)
	30	exit 0
	31	;;
	32	esac
	33
	34	while read local_ref local_sha remote_ref remote_sha
	35	do
	36	if [ "$local_sha" = $z40 ]
	37	then
	38	# Handle delete
	39	:
	40	else
	41	if [ "$remote_sha" = $z40 ]
	42	then
f0d0c5bb LF	43	# We are pushing a new branch. To prevent wasting too
	44	# much time for this relatively rare case, we examine
	45	# all commits since the first signed commit, rather than
	46	# the full history. This check will fail, and the user
	47	# will need to temporarily disable the hook to push the
	48	# new branch.
	49	range="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
69355e12 LF	50	else
	51	# Update to existing branch, examine new commits
	52	range="$remote_sha..$local_sha"
	53	fi
	54
	55	# Verify the signatures of all commits being pushed.
f0d0c5bb LF	56	ret=0
	57	for commit in $(git rev-list $range)
	58	do
	59	if ! git verify-commit $commit >/dev/null 2>&1
	60	then
	61	printf "%s failed signature check\n" $commit
	62	ret=1
	63	fi
	64	done
	65	exit $ret
69355e12 LF	66	fi
	67	done
	68
	69	exit 0