#4071 Block pushes to origin/ in gitolite ACLs
Closed: Fixed None Opened 14 years ago by jkeating.

Common typo to create a new branch that starts with "origin/". We can stop that at the ACL level.


This update-hook should allow this:
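{{{
#!/bin/sh
# update hook: git passes the ref name, the old object id and the new object id

refname="${1}"
sha1_old="${2}"
sha1_new="${3}"

# Reject the push (exit 1) when the ref name starts with "origin/"
echo "${refname}" | grep -q '^origin/' && exit 1 || exit 0
}}}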

The above patch adds the update hook to ansible, and sets it up for dist-git.

After this is deployed, new git repos would use the hook and block pushes of {{{origin/*}}} branches.

However, existing git repos wouldn't.

How do we want to go about doing that? Run a one-time script that sets the hooks for older repos? Should that be part of the Ansible deployment of dist-git?

Here are the new patches, based on the discussion in the last releng meeting.

First patch is the same as before: it implements the hook (now with a better regexp than before) and sets it to be deployed in '''newly created''' git repositories.

Second patch is just some reorganization of a role in Ansible, to make the existing git check script easier to reuse.

Third patch adds to the git check script a new test, to verify that the update hooks are properly set up, and optionally fix it if not. This is what we can use to go over all '''existing''' git repositories and add the new hook to them. The command to run would be:

{{{
$ git check-perms --check=update-hook [--fix] /srv/git/rpms
}}}

Fourth patch is completely optional, but I figured I'd throw it out there, in case it is useful. It just schedules a weekly execution of the check script, to ensure that we don't have any repositories left that somehow don't have the right update hooks.

Dropping "meeting" as this has been reviewed, approved and now pushed to ansible so it'll be in pkgs01.stg and ready when we do the switch.

This has been deployed in production for a while now, we just forgot to close this ticket.
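
An added example, not the hook from this ticket's patches: git hands the update hook the full ref name (such as refs/heads/origin/foo), so this sketch matches on that form. The function names are hypothetical, and letting deletions through so that already-existing origin/* branches can be cleaned up is an assumption.

```shell
#!/bin/sh
# Added example, not the hook deployed by the ticket's patches.
# git runs hooks/update once per pushed ref as: update <refname> <old> <new>
# <refname> is the full name (refs/heads/origin/foo), never just "origin/foo".

# Return 0 when the ref is a branch whose short name starts with "origin/".
is_origin_branch() {
    case "$1" in
        refs/heads/origin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the object id is all zeros (git's marker for "no object").
is_null_sha() {
    case "$1" in
        ''|*[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Decide one ref update: returns 1 (with a reason on stderr) to reject, 0 to accept.
check_update() {
    refname=$1
    sha1_new=$3
    if is_origin_branch "$refname"; then
        # Assumption: deletions stay allowed so existing bad branches can be removed.
        if is_null_sha "$sha1_new"; then
            return 0
        fi
        echo "rejected: branch '${refname#refs/heads/}' looks like a remote-tracking name" >&2
        return 1
    fi
    return 0
}

# Act as a hook only when git supplies its three arguments.
if [ "$#" -eq 3 ]; then
    check_update "$@"
    exit $?
fi
```

Tags and branches that merely contain "origin/" further down the name (refs/heads/feature/origin/x) are left alone, since only the leading component is the typo this ticket describes.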

Metadata Update from @jkeating:
- Issue assigned to bochecha

7 years ago
