author | Yuqian Yang <crupest@crupest.life> | 2025-02-26 22:31:34 +0800 |
---|---|---|
committer | Yuqian Yang <crupest@crupest.life> | 2025-02-26 23:59:57 +0800 |
commit | 23fd6e8fc96065f3229c42d21c83e9ca1309aa6c (patch) | |
tree | 3e3b410a506ba84abc46fb4e2d8e331dd208d1db /services/docker | |
parent | 311dfdcc6b5712dd6085287ada5ebe48e02116c4 (diff) | |
feat(git): add protected refs.
Diffstat (limited to 'services/docker')
-rw-r--r-- | services/docker/git-server/Dockerfile | 4 | ||||
-rw-r--r-- | services/docker/git-server/gitconfig | 6 | ||||
-rw-r--r-- | services/docker/git-server/hooks/pre-receive | 51 |
3 files changed, 61 insertions, 0 deletions
diff --git a/services/docker/git-server/Dockerfile b/services/docker/git-server/Dockerfile
index 8a671d7..b725122 100644
--- a/services/docker/git-server/Dockerfile
+++ b/services/docker/git-server/Dockerfile
@@ -4,6 +4,10 @@ RUN apt-get update && apt-get install -y \
 tar gzip bzip2 zip unzip tini && \
 rm -rf /var/lib/apt/lists/*
+ENV GIT_CONFIG_SYSTEM=/etc/gitconfig GIT_CONFIG_GLOBAL=/git/private/gitconfig
+
+ADD gitconfig /etc/gitconfig
+ADD --chmod=755 hooks/* /etc/git/hooks/
 ADD git-lighttpd.conf git-auth.conf /app/
 ADD --chmod=755 lighttpd-wrapper.bash /app/
diff --git a/services/docker/git-server/gitconfig b/services/docker/git-server/gitconfig
new file mode 100644
index 0000000..0019ba9
--- /dev/null
+++ b/services/docker/git-server/gitconfig
@@ -0,0 +1,6 @@
+[core]
+ autocrlf = false
+ hooksPath = /etc/git/hooks/
+
+[receive]
+ advertisePushOptions = true
diff --git a/services/docker/git-server/hooks/pre-receive b/services/docker/git-server/hooks/pre-receive
new file mode 100644
index 0000000..c5981dc
--- /dev/null
+++ b/services/docker/git-server/hooks/pre-receive
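Review bot: In gitconfig, `core.hooksPath` is set only at system level, the lowest-precedence scope, so the same key in the global file the Dockerfile hunk points to (`/git/private/gitconfig`) or in a repository's own config would redirect hooks away from `/etc/git/hooks/` and switch the protected-ref check off. Who can write those files is not visible in this commit, so this may be acceptable. I would at least record the dependency in the file, e.g. `# protected refs rely on this path; do not override core.hooksPath in global or per-repo config`.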
@@ -0,0 +1,51 @@
+#!/usr/bin/bash
+
+set -e -o pipefail
+
+if test -n "$GIT_PUSH_OPTION_COUNT"; then
+ i=0
+ while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"; do
+ eval "value=\$GIT_PUSH_OPTION_$i"
+ case "$value" in
+ real-force)
+ REAL_FORCE=1
+ echo "WARNING: Real force is set. All branches will be unprotected."
+ ;;
+ esac
+ i=$((i + 1))
+ done
+fi
+
+stdin_record=$(cat)
+
+handle_line() {
+ old=$(expr substr "$1" 1 8)
+ new=$(expr substr "$2" 1 8)
+ ref_name="$3"
+ protected_file="$GIT_DIR/protected"
+
+ if [[ -f "$protected_file" ]] && ! git merge-base --is-ancestor "$old" "$new"; then
+ while read -r line; do
+ if grep -q "^$ref_name$" <<<"$line"; then
+ echo "ERROR: $ref_name is not fast-forward and protected by rule $line : $old -> $new" 1>&2
+ has_error=1
+ fi
+ done <"$protected_file"
+ fi
+ if [[ -n "$has_error" ]]; then
+ [[ -n "$REAL_FORCE" ]] || exit 1
+ echo "WARNING: Real force is set. Continuing with the push."
+ fi
+}
+
+while read -r line; do
+ handle_line $line
+done <<<"$stdin_record"
+
+if [[ -x /git/private/git/hooks/pre-receive ]]; then
+ /git/private/git/hooks/pre-receive "$@"
+fi
+
+if [[ -x "$GIT_DIR/hooks/pre-receive" ]]; then
+ "$GIT_DIR/hooks/pre-receive" "$@"
+fi |
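Review bot: The two chained hooks at the end of the script start after `stdin_record=$(cat)` has drained stdin, so they receive no ref updates and any checks they implement pass vacuously. pre-receive takes its input on stdin rather than in `"$@"`, so the saved record should be fed back to each of them. In `handle_line`, `expr substr` exits with status 1 when its result is all zeros, so under `set -e` a push that creates or deletes any ref appears to abort the hook at the assignment, whether or not a `protected` file exists. Bash substring expansion for the display value, with the full ids passed to `git merge-base --is-ancestor`, avoids both that and ambiguous 8-character prefixes. The `grep` also uses the pushed ref name as the pattern and the rule line as the input, which looks inverted if entries in `protected` are meant to be patterns, and `real-force` can be set by anyone allowed to push, so a comment stating that this guards against accidents rather than enforcing access would help.

```bash
handle_line() {
  local old_id="$1" new_id="$2" ref_name="$3" rule
  local protected_file="$GIT_DIR/protected"

  # Full object ids for the ancestry test; abbreviate only in the message.
  if [[ -f "$protected_file" ]] && ! git merge-base --is-ancestor "$old_id" "$new_id"; then
    while read -r rule; do
      # The rule is the pattern, the pushed ref name is the input.
      if [[ -n "$rule" ]] && grep -qx -- "$rule" <<<"$ref_name"; then
        echo "ERROR: $ref_name is not fast-forward and protected by rule $rule : ${old_id:0:8} -> ${new_id:0:8}" 1>&2
        has_error=1
      fi
    done <"$protected_file"
  fi
  # … unchanged: has_error / REAL_FORCE handling …
}

while read -r old_id new_id ref_name; do
  handle_line "$old_id" "$new_id" "$ref_name"
done <<<"$stdin_record"

if [[ -x /git/private/git/hooks/pre-receive ]]; then
  /git/private/git/hooks/pre-receive <<<"$stdin_record"
fi
# … same stdin redirect for "$GIT_DIR/hooks/pre-receive" …
```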