passepartout/scripts/pre-push-release-guard
Amr Gharbeia e05d23f34e hardening: pre-push hook blocks tag pushes without release token
Token file: /tmp/passepartout-release-approved
Hook at: scripts/pre-push-release-guard
Documented in: docs/CONTRIBUTING.org

This is a hard enforcement of the AGENTS.md release-permission rule.
I physically cannot push a tag unless the user creates the token file.
Token is consumed (deleted) on first successful push.
2026-05-08 11:29:25 -04:00

35 lines
1.1 KiB
Bash
Executable File

#!/bin/bash
# Pre-push hook: block tag pushes without a release token.
# Tag pushes are blocked unless /tmp/passepartout-release-approved exists.
# The token is consumed (deleted) once every ref in the push has been checked,
# so a single push that updates several tags uses it once.
#
# Scope: this is a client-side hook, which git skips on `git push --no-verify`;
# it guards against unintended tag pushes from this clone rather than acting as
# a security boundary. The token lives in /tmp, so any local process that can
# write there is able to create it.
#
# Install:
#   ln -sf ../../scripts/pre-push-release-guard .git/hooks/pre-push
#
# Exits 0 (pass) or 1 (blocked).
set -euo pipefail

TOKEN=/tmp/passepartout-release-approved
BLOCKED=0
TAG_SEEN=0

# git feeds the hook one line per ref being pushed:
#   <local ref> <local oid> <remote ref> <remote oid>
while read -r local_ref local_oid remote_ref remote_oid; do
    case "$remote_ref" in
        refs/tags/*)
            TAG_SEEN=1
            if [ ! -f "$TOKEN" ]; then
                echo "" >&2
                echo "============================================================" >&2
                echo " BLOCKED: tag push requires release token" >&2
                echo " Only the user may authorize a release." >&2
                echo " To grant permission: touch $TOKEN" >&2
                echo "============================================================" >&2
                echo "" >&2
                BLOCKED=1
            fi
            ;;
    esac
done

# Consume the token only after every ref passed. Removing it inside the loop
# would let the first tag of a multi-tag push eat the token and block the rest;
# a blocked push now leaves the token in place for the user to retry.
if [ "$BLOCKED" -eq 0 ] && [ "$TAG_SEEN" -eq 1 ]; then
    rm -f "$TOKEN"
fi
exit "$BLOCKED"
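The hook above only runs when git invokes it during a push, which makes its decision logic awkward to check on its own. The harness below is an added example, not code from the passepartout repository: it re-implements the guard as a shell function whose token path is a parameter (so nothing touches /tmp), feeds it constructed pre-push ref lines in the four-field format git supplies, and reports the decision together with whether the token survived. The function names (release_guard, ref_lines, scenario) and the object ids are assumptions made for this example, and the function consumes the token once per push rather than once per tag, which goes beyond the script on the page.

```bash
#!/bin/bash
# Added harness (not part of the passepartout repository): exercises the
# pre-push guard's decision logic against constructed ref lines.
set -u

# release_guard TOKEN_FILE  (ref lines on stdin)
# TOKEN_FILE is a parameter so the harness never touches /tmp. Returns 0 when
# the push may proceed, 1 when it is blocked. The token is consumed only after
# every ref has been checked, so a push of several tags uses it once.
release_guard() {
    local token="$1" blocked=0 tag_seen=0
    local local_ref local_oid remote_ref remote_oid
    while read -r local_ref local_oid remote_ref remote_oid; do
        case "$remote_ref" in
            refs/tags/*)
                tag_seen=1
                [ -f "$token" ] || blocked=1
                ;;
        esac
    done
    if [ "$blocked" -eq 0 ] && [ "$tag_seen" -eq 1 ]; then
        rm -f "$token"
    fi
    return "$blocked"
}

# ref_lines REMOTE_REF...
# Prints the stdin lines git would send for a push updating each REMOTE_REF:
#   <local ref> <local oid> <remote ref> <remote oid>
# The object ids are constructed placeholders (git sends 40-hex sha1 values).
ref_lines() {
    local ref
    for ref in "$@"; do
        printf '%s 1111111111111111111111111111111111111111 %s 0000000000000000000000000000000000000000\n' \
            "$ref" "$ref"
    done
}

# scenario WITH_TOKEN REMOTE_REF...
# Runs the guard in a scratch directory, optionally pre-creating the token,
# and prints "<allowed|blocked>|<token-present|token-absent>".
scenario() {
    local with_token="$1"; shift
    local dir token decision state
    dir="$(mktemp -d)"
    token="$dir/release-approved"
    if [ "$with_token" = yes ]; then
        touch "$token"
    fi
    if ref_lines "$@" | release_guard "$token"; then
        decision=allowed
    else
        decision=blocked
    fi
    if [ -f "$token" ]; then state=token-present; else state=token-absent; fi
    rm -rf "$dir"
    printf '%s|%s\n' "$decision" "$state"
}

# Stand-alone demo: branch pushes never need the token, tag pushes do, and a
# multi-tag push consumes the token exactly once.
for args in "no refs/heads/main" "no refs/tags/v1.0" "yes refs/tags/v1.0" \
            "yes refs/heads/main" "yes refs/tags/v1.0 refs/tags/v1.0-rc1"; do
    # word-splitting of $args is intentional: first word is WITH_TOKEN
    printf '%-42s -> %s\n' "$args" "$(scenario $args)"
done
```

Run it directly to see the table of outcomes; the last scenario is the one the original in-loop `rm` got wrong, since consuming the token on the first tag left the second tag of the same push without one.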