mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
ff8ca8a4c5
Our git pre-push hook already prevents Nomad Enterprise code from getting pushed anywhere but its own repo. But this hook only works for files on the current worktree (checkout). Were you to fetch an Enterprise tag into your local Community Edition repo but not have it checked out, and then `git push --tags`, you'd push that tag and the associated commit history. Add tag filtering to the pre-push hook to prevent Enterprise tags (and the older `+pro` SKU) tags from getting pushed to the Community Edition repo.
59 lines
1.7 KiB
Bash
Executable File
59 lines
1.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
set -euo pipefail
|
|
|
|
fail () {
|
|
echo "pre-push hook: $@" >&2
|
|
echo " --no-verify to bypass this hook" >&2
|
|
exit 1
|
|
}
|
|
|
|
if ! git rev-parse --show-toplevel > /dev/null; then
|
|
fail "this hook must be run from a worktree."
|
|
fi
|
|
|
|
# only push to oss when the enterprise sentinel file is absent
|
|
# ====================
|
|
if [ -f version/version_ent.go ]; then
|
|
|
|
# isEnterprise exits with a 0 when its first parameter matches the
|
|
# nomad-enterprise repo, regardless of additional optional and variable
|
|
# components of the remote URL, like the terminal ".git" extension
|
|
isEnterprise () {
|
|
local ent="hashicorp/nomad-enterprise"
|
|
local remote_url="${1}"
|
|
echo "${remote_url}" | grep -q -E "^((https://|((ssh://)?git@))?(www\.)?github\.com[:/])?hashicorp/nomad-enterprise(.git)?$"
|
|
}
|
|
|
|
if ! isEnterprise "${2}"; then
|
|
fail "found version/version_ent.go pushing to non-enterprise remote \"${2}\""
|
|
fi
|
|
fi
|
|
|
|
# do not push directly to main, stable-*, release/*
|
|
# do not push Enterprise tags
|
|
# ====================
|
|
while read local_ref local_sha remote_ref remote_sha
|
|
do
|
|
if [ "$remote_ref" = "refs/heads/main" ]; then
|
|
fail "refusing to push directly to main"
|
|
fi
|
|
|
|
if echo "$remote_ref"|grep -q 'refs/heads/stable-.*'; then
|
|
fail "refusing to push directly to a branch prefixed \`stable-\`"
|
|
fi
|
|
|
|
if echo "$remote_ref"|grep -q 'refs/heads/release/.*'; then
|
|
fail "refusing to push directly to a branch prefixed \`release/\`"
|
|
fi
|
|
|
|
if echo "$remote_ref" | grep -q 'refs/tags/v.*\+ent'; then
|
|
fail "refusing to push Nomad Enterprise tag"
|
|
fi
|
|
|
|
if echo "$remote_ref" | grep -q 'refs/tags/v.*\+pro'; then
|
|
fail "refusing to push Nomad Enterprise (pro) tag"
|
|
fi
|
|
|
|
done
|