hardening: pre-push hook blocks tag pushes without release token
Token file: /tmp/passepartout-release-approved Hook at: scripts/pre-push-release-guard Documented in: docs/CONTRIBUTING.org This is a hard enforcement of the AGENTS.md release-permission rule. I physically cannot push a tag unless the user creates the token file. Token is consumed (deleted) on first successful push.
This commit is contained in:
@@ -94,6 +94,17 @@ ln -sf ../../scripts/pre-commit-repl-check .git/hooks/pre-commit
|
|||||||
#+end_src
|
#+end_src
|
||||||
Runs automatically on ~git commit~.
|
Runs automatically on ~git commit~.
|
||||||
|
|
||||||
|
* Pre-Push Hook (Release Guard)
|
||||||
|
|
||||||
|
Blocks tag pushes (~git push --tags~) without a release token:
|
||||||
|
#+begin_src bash
|
||||||
|
ln -sf ../../scripts/pre-push-release-guard .git/hooks/pre-push
|
||||||
|
#+end_src
|
||||||
|
To authorize a release: ~touch /tmp/passepartout-release-approved~
|
||||||
|
The token is consumed on first successful push. This prevents automated
|
||||||
|
release tagging without human approval — a hard enforcement of the
|
||||||
|
AGENTS.md release-permission rule.
|
||||||
|
|
||||||
* Testing Tools
|
* Testing Tools
|
||||||
|
|
||||||
** TUI REPL (~/eval~)
|
** TUI REPL (~/eval~)
|
||||||
|
|||||||
34
scripts/pre-push-release-guard
Executable file
34
scripts/pre-push-release-guard
Executable file
@@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Pre-push hook: block tag pushes without release token.
|
||||||
|
# Tag pushes are blocked unless /tmp/passepartout-release-approved exists.
|
||||||
|
# The token is consumed (deleted) on first successful push.
|
||||||
|
#
|
||||||
|
# Install:
|
||||||
|
# ln -sf ../../scripts/pre-push-release-guard .git/hooks/pre-push
|
||||||
|
#
|
||||||
|
# Returns 0 (pass) or 1 (blocked).
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
BLOCKED=0
|
||||||
|
|
||||||
|
while read -r local_ref local_oid remote_ref remote_oid; do
|
||||||
|
case "$remote_ref" in
|
||||||
|
refs/tags/*)
|
||||||
|
if [ ! -f /tmp/passepartout-release-approved ]; then
|
||||||
|
echo "" >&2
|
||||||
|
echo "============================================================" >&2
|
||||||
|
echo " BLOCKED: tag push requires release token" >&2
|
||||||
|
echo " Only the user may authorize a release." >&2
|
||||||
|
echo " To grant permission: touch /tmp/passepartout-release-approved" >&2
|
||||||
|
echo "============================================================" >&2
|
||||||
|
echo "" >&2
|
||||||
|
BLOCKED=1
|
||||||
|
else
|
||||||
|
rm /tmp/passepartout-release-approved
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
exit $BLOCKED
|
||||||
Reference in New Issue
Block a user