Git hook to detect push --mirror

Problem description

Beside a main Git repository on a server (with Gitolite), I would like to have a possibility for each developer to set up a mirror of their own local repository. That's not difficult.

However, I want to disable git push --mirror on the main Git server repository, to prevent mistakes if a developer screws up the mirroring. I think the best place is a hook, maybe the update hook. But I cannot find how to detect in a server hook that a push --mirror command has been executed on the client machine.

A client-side solution is not possible because we use Eclipse Git (JGit), too.

Solution

If you really wanted to do this with hooks, the hook to use would be pre-receive. You can't directly detect that it's a mirror push, because there's nothing about the data being sent that says it is, but you could be smart and get it right almost all the time. The pre-receive hook gets a list of refs to be updated, with old and new values, and if it exits with non-zero status, the entire push is aborted. Probably the main distinguishing feature of a mirror push is that it also pushes remote branches, as-is. I can't think of any normal cases you'd do this in, so you could just check for that, something like:

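#!/bin/bash
# pre-receive: stdin has one "<old> <new> <ref>" line per ref being updated
while read -r old new ref; do
   # regex left unquoted: bash matches a quoted =~ pattern as a literal string
   if [[ "$ref" =~ ^refs/remotes/ ]]; then
        echo "You're pushing remote branches - did you use 'push --mirror'?"
        echo "Rejecting push"
        exit 1
   fi
done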

Any push --mirror* would trip this hook, so it should cover you; it is of course a bit overzealous but unless you intend to maintain remote branches in your central repo, it won't matter.

*Except a really really manual one, where someone pushes from a repo with no remotes by manually specifying git push --mirror <url>, but I really hope you don't have to worry about that.


I would still recommend gitolite. It doesn't exactly let you deny mirror pushes, but it can help somewhat, and provide a lot of other helpful things. Note that gitolite does allow you to add your own hooks, so wanting to use this shouldn't stop you from getting all the gitolite goodness. If you're not going to use Gitolite, you should really, really set core.logAllRefUpdates to true in the central repo, so that if someone does get a bad push by you, you can recover.

Things related to this problem that gitolite would do for you:

  • let you restrict most developers to only be able to access key branches, and prevent them from deleting anything (use RW, not RW+ permissions), so the damage they can do is limited - deletion of branches is probably the worst part of a push --mirror
  • log access more fully, so that if someone does do damage, you can see exactly who it was and what they did, and avoid it in the future
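
An added example, not part of the original answer: a POSIX sh version of the pre-receive check that rejects refs/remotes/* updates and, as an assumption drawn from the answer's remark that branch deletion is the worst part of a mirror push, also refuses deletions under refs/heads/. The function names check_refs and is_deletion are hypothetical.

```sh
#!/bin/sh
# pre-receive hook (added example). Git feeds one line per updated ref on
# stdin: "<old-sha> <new-sha> <refname>". A non-zero exit aborts the whole push.

# is_deletion SHA: true when the new value is the all-zero object id
# (40 zeros in SHA-1 repositories, 64 in SHA-256 repositories).
is_deletion() {
    case "$1" in
        ''|*[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_refs: reads ref updates from stdin. On the first violation it prints
# the reason to stderr and returns 1; it returns 0 when every update is fine.
check_refs() {
    while read -r old new ref; do
        case "$ref" in
            refs/remotes/*)
                echo "Rejected: $ref is a remote-tracking ref - did you use 'push --mirror'?" >&2
                return 1 ;;
            refs/heads/*)
                # Assumption: the central repository never allows branch deletion.
                if is_deletion "$new"; then
                    echo "Rejected: deleting branch $ref is not allowed here." >&2
                    return 1
                fi ;;
        esac
    done
    return 0
}

# Run only when installed as hooks/pre-receive, so the functions can also be
# sourced and exercised on their own.
if [ "${0##*/}" = "pre-receive" ]; then
    check_refs || exit 1
fi
```

Using a `case` glob instead of a bash regex avoids the quoting pitfall of `=~` and lets the hook run under any POSIX shell.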
