authorYuqian Yang <crupest@crupest.life>2025-02-26 22:31:34 +0800
committerYuqian Yang <crupest@crupest.life>2025-02-26 23:59:57 +0800
commit23fd6e8fc96065f3229c42d21c83e9ca1309aa6c (patch)
tree3e3b410a506ba84abc46fb4e2d8e331dd208d1db
parent311dfdcc6b5712dd6085287ada5ebe48e02116c4 (diff)
feat(git): add protected refs.
-rw-r--r--.editorconfig4
-rw-r--r--services/common.bash5
-rw-r--r--services/docker/git-server/Dockerfile4
-rw-r--r--services/docker/git-server/gitconfig6
-rw-r--r--services/docker/git-server/hooks/pre-receive51
-rw-r--r--services/templates/cgitrc.template1
6 files changed, 66 insertions, 5 deletions
diff --git a/.editorconfig b/.editorconfig
index a688414..97c3ded 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -7,5 +7,9 @@ indent_style = space
indent_size = 2
trim_trailing_whitespace = true
+[gitconfig]
+indent_style = tab
+tab_width = 8
+
[*.py]
profile = black
diff --git a/services/common.bash b/services/common.bash
deleted file mode 100644
index ad08a34..0000000
--- a/services/common.bash
+++ /dev/null
@@ -1,5 +0,0 @@
-# shellcheck disable=SC2046
-export $(xargs < "${script_dir:?}/base-config")
-
-CRUPEST_PROJECT_DIR="$(realpath "$script_dir/..")"
-export CRUPEST_PROJECT_DIR
diff --git a/services/docker/git-server/Dockerfile b/services/docker/git-server/Dockerfile
index 8a671d7..b725122 100644
--- a/services/docker/git-server/Dockerfile
+++ b/services/docker/git-server/Dockerfile
@@ -4,6 +4,10 @@ RUN apt-get update && apt-get install -y \
tar gzip bzip2 zip unzip tini && \
rm -rf /var/lib/apt/lists/*
+ENV GIT_CONFIG_SYSTEM=/etc/gitconfig GIT_CONFIG_GLOBAL=/git/private/gitconfig
+
+ADD gitconfig /etc/gitconfig
+ADD --chmod=755 hooks/* /etc/git/hooks/
ADD git-lighttpd.conf git-auth.conf /app/
ADD --chmod=755 lighttpd-wrapper.bash /app/
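Review bot: `GIT_CONFIG_GLOBAL=/git/private/gitconfig` puts the global config under `/git/private`, and git gives global and per-repository config precedence over the system file. A `core.hooksPath` set in that file, or in a repository's own `config`, would therefore replace the `/etc/git/hooks/` value from the new `/etc/gitconfig`, and the protected-refs hook would no longer run. Whether `/git/private` is writable by anyone other than the administrator is not visible in this hunk, so it is worth confirming and recording above the `ENV` line, e.g. `# /git/private/gitconfig must stay admin-only: it can override core.hooksPath`. The same concern applies to the `hooksPath` entry in the gitconfig hunk.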
diff --git a/services/docker/git-server/gitconfig b/services/docker/git-server/gitconfig
new file mode 100644
index 0000000..0019ba9
--- /dev/null
+++ b/services/docker/git-server/gitconfig
@@ -0,0 +1,6 @@
+[core]
+ autocrlf = false
+ hooksPath = /etc/git/hooks/
+
+[receive]
+ advertisePushOptions = true
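Review bot: `advertisePushOptions = true` has no comment explaining why it is enabled, and the only consumer visible in this commit is the `real-force` option read by `hooks/pre-receive`. A comment such as `# required for "git push -o real-force", which overrides ref protection in hooks/pre-receive` would make that coupling explicit. The hook shows no check of who is pushing, so the override appears to be available to every account with push access; if that is intended, the same comment should say so.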
diff --git a/services/docker/git-server/hooks/pre-receive b/services/docker/git-server/hooks/pre-receive
new file mode 100644
index 0000000..c5981dc
--- /dev/null
+++ b/services/docker/git-server/hooks/pre-receive
@@ -0,0 +1,51 @@
+#!/usr/bin/bash
+
+set -e -o pipefail
+
+if test -n "$GIT_PUSH_OPTION_COUNT"; then
+ i=0
+ while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"; do
+ eval "value=\$GIT_PUSH_OPTION_$i"
+ case "$value" in
+ real-force)
+ REAL_FORCE=1
+ echo "WARNING: Real force is set. All branches will be unprotected."
+ ;;
+ esac
+ i=$((i + 1))
+ done
+fi
+
+stdin_record=$(cat)
+
+handle_line() {
+ old=$(expr substr "$1" 1 8)
+ new=$(expr substr "$2" 1 8)
+ ref_name="$3"
+ protected_file="$GIT_DIR/protected"
+
+ if [[ -f "$protected_file" ]] && ! git merge-base --is-ancestor "$old" "$new"; then
+ while read -r line; do
+ if grep -q "^$ref_name$" <<<"$line"; then
+ echo "ERROR: $ref_name is not fast-forward and protected by rule $line : $old -> $new" 1>&2
+ has_error=1
+ fi
+ done <"$protected_file"
+ fi
+ if [[ -n "$has_error" ]]; then
+ [[ -n "$REAL_FORCE" ]] || exit 1
+ echo "WARNING: Real force is set. Continuing with the push."
+ fi
+}
+
+while read -r line; do
+ handle_line $line
+done <<<"$stdin_record"
+
+if [[ -x /git/private/git/hooks/pre-receive ]]; then
+ /git/private/git/hooks/pre-receive "$@"
+fi
+
+if [[ -x "$GIT_DIR/hooks/pre-receive" ]]; then
+ "$GIT_DIR/hooks/pre-receive" "$@"
+fi
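Review bot: The two chained hooks at the end of the file start after `stdin_record=$(cat)` has drained standard input, so they receive an empty ref list and any check they perform passes without seeing the push. Git passes no arguments to pre-receive, so `"$@"` carries no data either. Feed the saved record back in with `/git/private/git/hooks/pre-receive <<<"$stdin_record"` and `"$GIT_DIR/hooks/pre-receive" <<<"$stdin_record"`. Separately, in `handle_line` the test `grep -q "^$ref_name$" <<<"$line"` uses the pushed ref name as the regular expression and the rule as the text, so a rule written as a pattern never matches. If entries in `protected` are meant to be patterns, as the "protected by rule" message suggests, the test should be `grep -qx -e "$line" <<<"$ref_name"`.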
diff --git a/services/templates/cgitrc.template b/services/templates/cgitrc.template
index f3c61eb..ffffaae 100644
--- a/services/templates/cgitrc.template
+++ b/services/templates/cgitrc.template
@@ -17,4 +17,5 @@ about-filter=/usr/lib/cgit/filters/about-formatting.sh
readme=:README.md
readme=:README
+remove-suffix=1
scan-path=/git/