Matthew Blackwind - 10 months ago

Enforcing and creating Git policies

I have been tasked with changing Git a bit, and have failed to find anything of relevance on the interwebs - and I am in dire need of directions.

What we have:
a bunch of branches, with the main being

) and
is untouched most of the time.

Now, I have created a continuous integration environment using TeamCity, Jira and Crucible as well as a service written by myself.

What we want to achieve:

  1. disallow pushing to
    - unless it's TeamCity

  2. reject push on feature branch if the Jira issue of id==branchName is in wrong state

ad1) I have no clue how such a thing is achieved. I might simply be misunderstanding what the Git helpers were telling me, but as I read it, I can either disallow completely or allow completely.

ad2) is nominally easy, as I understand it a pre-push hook script has to be used, but it also has to be placed in each dev's local git repository; or can I enforce that somehow?

Answer Source

As @chicks said, you can absolutely get the features you want using something like GitLab. User restrictions (as in "only teamcity has write-access to this branch") are available out of the box, and there is generally support for server-side hooks that you could use to implement your second requirement.

It's certainly possible to implement the same restrictions on your own, simply serving out git repositories over ssh, but it requires some development effort on your part. The general model is:

  • Configure .ssh/authorized_keys for your git user to include metadata that can be used to identify the user associated with an incoming push,
  • Write Git hook scripts to perform the per-branch access control or policy enforcement.

There are examples of doing these things here and there; for example, this is an older answer I wrote describing how to ensure that the email address on commits matches the identity of the connecting user.

Using a pre-packaged solution like GitLab will almost invariably make more sense than trying to roll your own.
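To make the two-step model in the answer concrete (a forced command in `authorized_keys` that fixes the pusher's identity, plus a server-side hook that enforces policy), here is an added example of a bare-repository `update` hook in POSIX sh. It is not code from the answer, the question, or any of the tools named; the `GIT_PUSHER` variable, the `teamcity` identity, the `refs/heads/master` branch name, the Jira issue keys and states, and the allowed-state list are all assumptions made for illustration, and the Jira lookup is a constructed table standing in for a real REST call.

```shell
#!/bin/sh
# Server-side "update" hook for a bare repository. git-receive-pack runs it
# once per pushed ref as   update <refname> <old-sha> <new-sha>   and refuses
# that ref's update if the hook exits non-zero. Because it lives in the
# server-side repository, every developer is subject to it without having
# to install anything locally (unlike a client-side pre-push hook).
#
# The pusher's identity comes from a forced command in the git user's
# ~/.ssh/authorized_keys. Assumed layout (GIT_PUSHER is this example's name):
#   command="GIT_PUSHER=teamcity git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... teamcity@ci
#   command="GIT_PUSHER=alice git-shell -c \"$SSH_ORIGINAL_COMMAND\"",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... alice
# The name is bound to the key by the server, so the pusher cannot pick an
# identity the way they can pick user.name/user.email on a commit.

PROTECTED_BRANCH="${PROTECTED_BRANCH:-refs/heads/master}"   # assumption: branch only CI may update
CI_USER="${CI_USER:-teamcity}"                              # assumption: identity bound to TeamCity's key

# Requirement 1: only CI_USER may update the protected branch.
# Usage: check_branch_acl <pusher> <refname>; returns 0 to allow, 1 to deny.
check_branch_acl() {
    pusher="$1"
    ref="$2"
    if [ "$ref" = "$PROTECTED_BRANCH" ] && [ "$pusher" != "$CI_USER" ]; then
        echo "update: only '$CI_USER' may push to $ref (you are '${pusher:-unknown}')" >&2
        return 1
    fi
    return 0
}

# Jira issue lookup. A real hook would make an authenticated REST call here;
# this constructed table lets the hook be exercised offline.
jira_issue_state() {
    case "$1" in
        PROJ-101) echo "In Progress" ;;
        PROJ-102) echo "Done" ;;
        PROJ-103) echo "In Review" ;;
        *)        echo "" ;;
    esac
}

# Requirement 2: a branch whose name is a Jira issue key may only be pushed
# while that issue is in an allowed state. Branches that do not look like an
# issue key (master, develop, ...) are not subject to this check.
# Usage: check_jira_state <refname>; returns 0 to allow, 1 to deny.
check_jira_state() {
    branch="${1#refs/heads/}"
    # Jira keys look like PROJ-123. The leading "x" keeps expr from
    # treating a branch name that starts with "-" as an option.
    if ! expr "x$branch" : 'x[A-Z][A-Z0-9]*-[0-9][0-9]*$' >/dev/null; then
        return 0
    fi
    state=$(jira_issue_state "$branch")
    case "$state" in
        "In Progress"|"In Review")
            return 0 ;;
        "")
            echo "update: no Jira issue '$branch' found; push rejected" >&2
            return 1 ;;
        *)
            echo "update: Jira issue $branch is '$state'; push rejected" >&2
            return 1 ;;
    esac
}

# Entry point: git passes exactly three arguments. Run any other way (for
# example sourced to test the functions) the file only defines the checks.
if [ $# -eq 3 ]; then
    refname="$1"
    check_branch_acl "${GIT_PUSHER:-}" "$refname" || exit 1
    check_jira_state "$refname" || exit 1
    exit 0
fi
```

Install it as `hooks/update` (executable) in the bare repository on the server. The hook sees `GIT_PUSHER` because the forced command's environment is inherited by `git-shell`, then by `git-receive-pack`, then by the hook; for that to work the git user's login shell must be a real shell (the forced command is run through it), not `git-shell` itself, and the `no-pty`/`no-*-forwarding` options keep the key from being used for anything but git. Rejecting the ref rather than the whole push is what the `update` hook gives you over `pre-receive`; use `pre-receive` instead if one bad ref should abort the entire push.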