hardening: pre-push hook blocks tag pushes without release token
Token file: /tmp/passepartout-release-approved
Hook at: scripts/pre-push-release-guard
Documented in: docs/CONTRIBUTING.org

This is a hard enforcement of the AGENTS.md release-permission rule. I physically cannot push a tag unless the user creates the token file. Token is consumed (deleted) on first successful push.
@@ -94,6 +94,17 @@ ln -sf ../../scripts/pre-commit-repl-check .git/hooks/pre-commit
|
||||
#+end_src
|
||||
Runs automatically on ~git commit~.
|
||||
|
||||
* Pre-Push Hook (Release Guard)
|
||||
|
||||
Blocks tag pushes (~git push --tags~) without a release token:
|
||||
#+begin_src bash
|
||||
ln -sf ../../scripts/pre-push-release-guard .git/hooks/pre-push
|
||||
#+end_src
|
||||
To authorize a release: ~touch /tmp/passepartout-release-approved~
|
||||
The token is consumed on first successful push. This prevents automated
|
||||
release tagging without human approval — a hard enforcement of the
|
||||
AGENTS.md release-permission rule.
|
||||
|
||||
* Testing Tools
|
||||
|
||||
** TUI REPL (~/eval~)
|
||||
|
||||
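Review bot: The added "To authorize a release" line makes the token an empty file in /tmp created with ~touch~, so any local process can create it, including the automation this guard is meant to hold back, and the text's "hard enforcement" overstates what a client-side hook can deliver. A pre-push hook installed by symlink into .git/hooks is skipped by ~git push --no-verify~ and is absent in any clone where the ~ln -sf~ step was not run, so the section should describe it as a local guard and point to server-side tag protection for actual enforcement. Consider moving the token to a location only the approving user can write and requiring specific content rather than mere existence. Two wording points in the same paragraph: "Blocks tag pushes (~git push --tags~)" should say whether pushing a single tag by explicit refspec is also blocked, and "consumed on first successful push" should say when the file is actually deleted, since a pre-push hook runs before the transfer and cannot observe whether the push succeeded.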