Is there a way to lock a branch in GIT
M

4

59

I have an idea of locking a repository from users pushing files into it by having a lock script in the GIT update hook since the push can only recognize the userid as arguments and not the branches. So I can lock the entire repo which is just locking a directory.

Is there a way to lock a specific branch in GIT?

Or is there a way an Update Hook can identify from which branch the user is pushing and to which branch the code is pushed?

Maturity answered 18/3, 2010 at 16:2 Comment(3)
Do you want to lock the branch name forever (use tags then), or just prevent other people from pushing to it? Madden
See also https://mcmap.net/q/277120/-git-support-for-branch-based-user-authorization-best-practices-or-tools Callie
What's wrong with having a separate repo and pulling into it? It would be a more standard workflow. Maggio
S
52

The branch being pushed to is the first parameter to the update hook. If you want to lock the branch myfeature for pushing, this code (placed in hooks/update) will do it:

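#!/bin/sh
# lock the myfeature branch for pushing
# $1 is the full name of the ref being updated, e.g. refs/heads/myfeature
refname="$1"

# POSIX test: [[ ... ]] and == are bashisms and fail under a plain /bin/sh
if [ "$refname" = "refs/heads/myfeature" ]
then
    echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    echo "You cannot push to myfeature! It's locked"
    echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    # a non-zero exit makes git refuse the update of this ref
    exit 1
fi
exit 0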
Swung answered 26/7, 2011 at 8:6 Comment(2)
I do not see a .git directory in the remote repo on GitHub. I see a .git directory only in my local cloned repo. But I do not think that putting this code in .git/hooks/update in my local repo will have the effect of locking anyone from pushing to that remote branch from their local repo. Am I missing something? Unlay
@AjoyBhatia There has to be a .git directory. If it is a bare repository, then the main directory is already the .git directory. (It is a bare repo if you have files/folders like HEAD, branches, hooks, config, etc.) Put your hook into the hook/ dir. Chandless
W
10

The update hook, from the docs:

The hook executes once for each ref to be updated, and takes three parameters:

  • the name of the ref being updated,
  • the old object name stored in the ref,
  • and the new object name to be stored in the ref.

So... yes, it knows exactly what branch is being pushed, and can simply check that parameter and exit failure if it doesn't want the branch pushed to.

And if you want to (intelligently) do this before the user has uploaded the objects, you can use the pre-receive hook:

This hook executes once for the receive operation. It takes no arguments, but for each ref to be updated it receives on standard input a line of the format:

<old-value> SP <new-value> SP <ref-name> LF

where <old-value> is the old object name stored in the ref, <new-value> is the new object name to be stored in the ref and <ref-name> is the full name of the ref.

(those are spaces and line-feed)

Weismann answered 18/3, 2010 at 16:7 Comment(1)
This information does help me, but update hook knows only the branch being pushed (source branch), is there a way to capture from the update hook, which branch the code is being pushed to (target branch)? Maturity
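The stdin format quoted in the answer above, turned into a working pre-receive check. This is an added example, not code from any of the posters; the locked patterns (refs/heads/myfeature, refs/heads/release/*) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a pre-receive check that refuses pushes touching locked branches.
# The locked patterns below are assumptions; edit them for your repository.

# is_locked REF: status 0 when REF is a locked branch ("*" also matches "/").
is_locked() {
    case "$1" in
        refs/heads/myfeature|refs/heads/release/*) return 0 ;;
    esac
    return 1
}

# is_null_oid OID: status 0 for the all-zero object name, which git sends as
# <old-value> on ref creation and as <new-value> on ref deletion.
is_null_oid() {
    case "$1" in
        *[!0]*) return 1 ;;
    esac
    return 0
}

# check_push: read "<old-value> SP <new-value> SP <ref-name>" lines on stdin.
# Returns 1 if any line names a locked ref; a non-zero pre-receive exit makes
# git reject every ref in the push, not just the locked one.
check_push() {
    rc=0
    while read -r old new ref; do
        is_locked "$ref" || continue
        if is_null_oid "$new"; then action=delete
        elif is_null_oid "$old"; then action=create
        else action=update
        fi
        echo "rejected: cannot $action locked ref $ref" >&2
        rc=1
    done
    return "$rc"
}

# Constructed sample input (made-up object names) so the block runs stand-alone.
A=1111111111111111111111111111111111111111
B=2222222222222222222222222222222222222222
Z=0000000000000000000000000000000000000000
sample() {
    printf '%s %s %s\n' "$A" "$B" refs/heads/master "$B" "$Z" refs/heads/release/1.0
}
if sample | check_push; then echo "push accepted"; else echo "push rejected"; fi
```

To use it as a real hook, replace the sample lines at the bottom with `check_push || exit 1` and install the file as hooks/pre-receive in the server-side repository.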
P
7

A tool like gitolite has this kind of feature I believe: http://github.com/sitaramc/gitolite

Parboil answered 18/3, 2010 at 16:24 Comment(0)
C
3

You can use pre-commit to do this. It has a built-in no-commit-to-branch hook that can be used to prevent commits to one or more branches.

Setup

The basic setup process is:

  • Install using pip or brew (instructions at https://pre-commit.com/#install)
  • Create a .pre-commit-config.yaml file in the root of your project (see below for a first draft)
  • Install the hooks into your git config by running pre-commit install.

Basic config for protecting branches

Here is a basic config that includes just the no-commit-to-branch hook:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v2.2.5
  hooks:
    - id: no-commit-to-branch
      args: ['--branch', 'master']

If you want to protect multiple branches you can include multiple --branch args in the argument list:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v2.2.5
  hooks:
    - id: no-commit-to-branch
      args: ['--branch', 'master', '--branch', 'staging']

Isn't this all overkill?

Pre-commit has many other built-in hooks, and a large collection of community-built hooks that will transform the way you clean-up and validate your commits. The reason I mention this is because, while this tool may be overkill for just preventing commits to a protected branch, it has many other features that make it a compelling and simple addition to any git project.

Cleanly answered 19/3, 2020 at 17:12 Comment(0)