authorMichał Górny <mgorny@gentoo.org>2014-09-23 23:41:45 +0200
committerMichał Górny <mgorny@gentoo.org>2019-04-09 13:05:55 +0200
commit275f08df560fd2dd158f1781c23b6f2bf3eb4426 (patch)
tree3ac213e2b713d6212c0fda67aee7ba0f615b61de
parentlocal/agefile: import from cgit (diff)
Initial import of my work so far
-rwxr-xr-xlocal/update114
1 files changed, 114 insertions, 0 deletions
diff --git a/local/update b/local/update
new file mode 100755
index 0000000..8b6461f
--- /dev/null
+++ b/local/update
@@ -0,0 +1,114 @@
+#!/bin/sh
+
+egencached_pidfile=/home/mgorny/egencache.pid
+
+# --- Command line
+refname=${1}
+oldrev=${2}
+newrev=${3}
+
+# --- Safety check
+if [ -z "${GIT_DIR}" ]; then
+ echo "Don't run this script from the command line." >&2
+ echo " (if you want, you could supply GIT_DIR then run" >&2
+ echo " ${0} <ref> <oldrev> <newrev>)" >&2
+ exit 1
+fi
+
+if [ -z "${refname}" -o -z "${oldrev}" -o -z "${newrev}" ]; then
+ echo "usage: ${0} <ref> <oldrev> <newrev>" >&2
+ exit 1
+fi
+
+# check for no description
+projectdesc=$(sed -e '1q' "${GIT_DIR}/description")
+case ${projectdesc} in
+ "Unnamed repository"* | "")
+ echo "*** Project description file hasn't been set" >&2
+ exit 1
+ ;;
+esac
+
+# --- Check types
+# if $newrev is 0000...0000, it's a commit to delete a ref.
+zero="0000000000000000000000000000000000000000"
+
+case ${refname} in
+ refs/tags/*)
+ echo "*** Tags are not allowed in gx86" >&2
+ exit 1
+ ;;
+ refs/heads/master)
+ if [ "${newrev}" = "${zero}" ]; then
+ echo "*** Errr, removing master is not allowed" >&2
+ exit 1
+ fi
+
+ # prevent forced updates
+ # http://stackoverflow.com/questions/10319110/how-to-detect-a-forced-update
+ if [ -n "$(git rev-list "${oldrev}" "^${newrev}")" ]; then
+ echo "*** Forced update disallowed!" >&2
+ exit 1
+ fi
+
+ IFS='
+'
+
+ # check that tree is sane
+ # (we don't have to filter out removals -- the files weren't
+ # allowed, so we won't remove them :))
+ cfiles=$(git diff --name-only "${oldrev}".."${newrev}")
+ for name in ${cfiles}; do
+ case ${name} in
+ */ChangeLog)
+ echo "*** ChangeLogs are not allowed in the repository"
+ exit 1
+ ;;
+ esac
+ done
+
+ # verify that everything on the left-hand side of commit history is signed
+ # (further branches of merges can be unsigned)
+ revs=$(git rev-list --first-parent "${newrev}" "^${oldrev}")
+ for r in ${revs}; do
+ signst=$(git show -q --pretty=format:'%G?' "${r}")
+ case ${signst} in
+ G)
+ ;;
+ U)
+ echo "*** Untrusted signature on ${r}, refusing"
+ exit 1
+ ;;
+ B)
+ echo "*** Bad signature on ${r}, refusing"
+ exit 1
+ ;;
+ N)
+ echo "*** No signature on ${r}, refusing"
+ exit 1
+ ;;
+ *)
+ echo "*** Unknown signature status '${signst}', refusing"
+ exit 1
+ ;;
+ esac
+ done
+
+ # trigger cache regen
+ # TODO: better do this post-update
+ kill -HUP "$(cat "${egencached_pidfile}")"
+ ;;
+ refs/heads/*)
+ # dev branches are fine whatever they are
+ ;;
+ refs/notes/*)
+ # allow git notes, why not?
+ ;;
+ *)
+ echo "*** Unknown object refused" >&2
+ exit 1
+ ;;
+esac
+
+# --- Finished
+exit 0
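Review bot: The signature gate at `revs=$(git rev-list --first-parent "${newrev}" "^${oldrev}")` fails open: the script sets no `set -e` and never checks git's exit status, so if `git rev-list` errors out, `revs` is empty, the `for r in ${revs}` loop never runs, and the hook falls through to `exit 0`. One case that should hit this is the push that first creates `refs/heads/master`, where `oldrev` is the all-zero id and `^0000…` does not name an object; the `git diff --name-only` ChangeLog check just above it has the same blind spot. Handle a zero `oldrev` explicitly and reject the push whenever either git command fails, as sketched below.

```shell
# … unchanged: removal and forced-update checks …
if [ "${oldrev}" = "${zero}" ]; then
	# ref creation: there is no old tip to exclude, so verify the whole first-parent chain
	revs=$(git rev-list --first-parent "${newrev}") || {
		echo "*** Unable to list new commits, refusing" >&2
		exit 1
	}
else
	revs=$(git rev-list --first-parent "${newrev}" "^${oldrev}") || {
		echo "*** Unable to list new commits, refusing" >&2
		exit 1
	}
fi
# … unchanged: per-commit %G? case statement …
```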