Add first version of "block skip checks" hook #222

20 changes: 20 additions & 0 deletions pre-receive-hooks/block_skip_checks.sh
@@ -0,0 +1,20 @@
#!/usr/bin/env bash
#
# Check and reject commits with "skip-checks: true" trailer lines.
#
# This hook basically disables the following feature:
# https://help.github.com/articles/about-status-checks/#skipping-and-requesting-checks-for-individual-commits

ERROR_MSG="[POLICY] Skipping checks is not allowed. Please remove trailer lines with \"skip-checks: true\"."

while read OLDREV NEWREV REFNAME ; do
for COMMIT in `git rev-list $OLDREV..$NEWREV`;
Member


I think this call would fail if you push a new branch as $OLDREV is 40 zeros in that case. See https://github.com/github/platform-samples/blob/master/pre-receive-hooks/block_confidentials.sh#L38

Contributor


I would also wonder whether you would like to recheck all commits again if somebody was copying a branch and pushing it again with a new commit on top. Have a look at https://github.com/github/platform-samples/blob/master/pre-receive-hooks/block_unsigned_commits.sh#L15-L42 for an example of how to exclude commits already in the repo.

do
MESSAGE=`git cat-file commit $COMMIT | git interpret-trailers --parse`
if echo $MESSAGE | grep -iq "skip-checks: true"; then
echo "$ERROR_MSG" >&2
exit 1
fi
done
done
exit 0
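
Review bot: The loop header `for COMMIT in \`git rev-list $OLDREV..$NEWREV\`` fails open. If `git rev-list` errors (an all-zero `$OLDREV` on a new branch, or an all-zero `$NEWREV` on a ref deletion), the command substitution produces no output, the loop body never runs, and the script falls through to `exit 0`, so the push is accepted without any commit being inspected. Handle the all-zero cases explicitly before the loop (skip deletions; for a new ref, enumerate with something like `git rev-list $NEWREV --not --all`) and reject the push when `git rev-list` itself returns non-zero. Separately, `echo $MESSAGE | grep -iq "skip-checks: true"` is an unanchored substring match on unquoted output, so the line breaks between trailers are collapsed and any trailer whose text merely contains that string is rejected. Quote `"$MESSAGE"` and anchor the pattern to a whole line, for example `grep -iqE '^skip-checks:[[:space:]]*true[[:space:]]*$'`. Using `read -r` and quoting `$OLDREV`, `$NEWREV` and `$COMMIT` would also be worth doing while the file is new.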