How can I prevent non-fastforward pushes to selected branch(es) in git?

B

7

9

I would like to protect my git repository so only non master branches can be overwritten. Is there a way to protect only selected branches?

Breathed answered 16/7, 2012 at 7:26 Comment(0)

J

4

You can use GitEnterprise to setup per-branch permissions (admin) to block non-fastforward pushes using fine-grained access permission.

And git config --system receive.denyNonFastForwards true will simply do the job if you need to block history changing for all branches.

Jenjena answered 16/7, 2012 at 8:8 Comment(9)

denyNonFastForwards is not the 'resolution' that you should use. Set a git hook to deny force pushes...That is the correct way to do this. – Uropygium 2/9, 2016 at 15:9

@Uropygium Denying non-fastforward pushes is actually the way to go on GitHub/BitBucket . No new bicycles invented. – Jenjena 2/9, 2016 at 20:57

If you deny all non fastforwards on every branch then how would you merge your feature branches in? – Uropygium 3/9, 2016 at 3:56

@Eric, rebase local feature branch on top of the remote master and merge it into master. Always fast forward. – Jenjena 3/9, 2016 at 12:59

Even for larger teams? I thought rebase should be used sparingly. Just because they are a physical rewrite of history. You are changing the original commit. – Uropygium 4/9, 2016 at 19:30

@Uropygium Where is any rewrite in this case? – Jenjena 4/9, 2016 at 20:50

Make a commit and track the commit ID. Rebase and then compare the commit id. The commit id is no longer the same. It is a new commit. A rewrite. – Uropygium 6/9, 2016 at 12:46

@Uropygium this happens only in your local repo. If you now merge this rebased branch back into master and push it to the remote repo, it gonna be a safe fast-forward push with crystal clean history. – Jenjena 6/9, 2016 at 14:40

Okay I think I understand the context that the "rewriting of commits is a bad idea" should be applied in. It isn't the blanket coverage of "all re writing of commits is bad". Rather, only rewriting commits that are on the remote. I recognized that before however I was informed that "all rewriting of commits" should be shunned. When they misinterpreted originally why rewriting of commits is bad. Just a different way to read between the lines! Thanks!! – Uropygium 17/10, 2016 at 20:16

F

9

Here's an update hook (copy to hooks/update) that I wrote for my own use. This script by default denies all non-fast-forward updates but allows them for explicitly configured branches. It should be easy enough to invert it so that non-fast-forward updates are allowed for all but the master branch.

#!/bin/sh
#
# A hook script to block non-fast-forward updates for branches that haven't
# been explicitly configured to allow it. Based on update.sample.
# Called by "git receive-pack" with arguments: refname sha1-old sha1-new
#
# Config
# ------
# hooks.branch.<name>.allownonfastforward
#   This boolean sets whether non-fast-forward updates will be allowed for
#   branch <name>. By default they won't be.

# --- Command line
refname="$1"
oldrev="$2"
newrev="$3"

# --- Safety check
if [ -z "$GIT_DIR" ]; then
        echo "Don't run this script from the command line." >&2
        echo " (if you want, you could supply GIT_DIR then run" >&2
        echo "  $0 <ref> <oldrev> <newrev>)" >&2
        exit 1
fi

if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
        echo "Usage: $0 <ref> <oldrev> <newrev>" >&2
        exit 1
fi

# --- Check types
# if $newrev is 0000...0000, it's a commit to delete a ref.
zero="0000000000000000000000000000000000000000"
if [ "$newrev" = "$zero" ]; then
        newrev_type=delete
else
        newrev_type=$(git cat-file -t $newrev)
fi

case "$refname","$newrev_type" in
        refs/tags/*,commit)
                # un-annotated tag
                ;;
        refs/tags/*,delete)
                # delete tag
                ;;
        refs/tags/*,tag)
                # annotated tag
                ;;
        refs/heads/*,commit)
                # branch
                # git rev-list doesn't print anything on fast-forward updates
                if test $(git rev-list "$newrev".."$oldrev"); then
                        branch=${refname##refs/heads/}
                        nonfastforwardallowed=$(git config --bool hooks.branch."$branch".allownonfastforward)

                        if [ "$nonfastforwardallowed" != "true" ]; then
                                echo "hooks/update: Non-fast-forward updates are not allowed for branch $branch"
                                exit 1
                        fi
                fi
                ;;
        refs/heads/*,delete)
                # delete branch
                ;;
        refs/remotes/*,commit)
                # tracking branch
                ;;
        refs/remotes/*,delete)
                # delete tracking branch
                ;;
        *)
                # Anything else (is there anything else?)
                echo "hooks/update: Unknown type of update to ref $refname of type $newrev_type" >&2
                exit 1
                ;;
esac

# --- Finished
exit 0

Finegrained answered 2/4, 2013 at 9:33 Comment(2)

It would be useful if you could amend the script so that non-fast-forward updates are allowed for all but the master branch – Cochineal 2/4, 2013 at 9:53

See my post below for a slight modification to this script that allows for wild-carding of allowed branches – Hutment 16/3, 2020 at 20:43