git/Documentation/githooks.txt
Stefan Beller 77a9745d19 push options: {pre,post}-receive hook learns about push options
The environment variable GIT_PUSH_OPTION_COUNT is set to the number of
push options sent, and GIT_PUSH_OPTION_{0,1,..} is set to the transmitted
option.

The code is not executed as the push options are set to NULL, nor is the
new capability advertised.

There was some discussion back and forth how to present these push options
to the user as there are some ways to do it:

Keep all options in one environment variable
============================================
+ easiest way to implement in Git
- This would make things hard to parse correctly in the hook.

Put the options in files instead,
filenames are in GIT_PUSH_OPTION_FILES
======================================
+ After a discussion about environment variables and shells, we may not
  want to put user data into an environment variable (see [1] for example).
+ We could transmit binaries, i.e. we're not bound to C strings as
  we are when using environment variables to the user.
+ Maybe easier to parse than constructing environment variable names
  GIT_PUSH_OPTION_{0,1,..} yourself
- cleanup of the temporary files is hard to do reliably
- we have race conditions with multiple clients pushing, hence we'd need
  to use mkstemp. That's not too bad, but still.

Use environment variables, but restrict to key/value pairs
==========================================================
(When the user pushes a push option `foo=bar`, we'd
GIT_PUSH_OPTION_foo=bar)
+ very easy to parse for a simple model of push options
- it's not sufficient for more elaborate models, e.g.
  it doesn't allow doubles (e.g. cc=reviewer@email)

Present the options in different environment variables
======================================================
(This is implemented)
* harder to parse as a user, but we have a sample hook for that.
- doesn't allow binary files
+ allows the same option twice, i.e. is not restrictive about
  options, except for binary files.
+ doesn't clutter a remote directory with (possibly stale)
  temporary files

As we first want to focus on getting simple strings to work
reliably, we go with the last option for now. If we want to
do transmission of binaries later, we can just attach a
'side-channel', e.g. "any push option that contains a '\0' is
put into a file instead of the environment variable and we'd
have new GIT_PUSH_OPTION_FILES, GIT_PUSH_OPTION_FILENAME_{0,1,..}
environment variables".

[1] 'Shellshock' https://lwn.net/Articles/614218/

Signed-off-by: Stefan Beller <sbeller@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-07-14 15:50:17 -07:00

449 lines
16 KiB
Plaintext

githooks(5)
===========
NAME
----
githooks - Hooks used by Git
SYNOPSIS
--------
$GIT_DIR/hooks/* (or \`git config core.hooksPath`/*)
DESCRIPTION
-----------
Hooks are programs you can place in a hooks directory to trigger
actions at certain points in git's execution. Hooks that don't have
the executable bit set are ignored.
By default the hooks directory is `$GIT_DIR/hooks`, but that can be
changed via the `core.hooksPath` configuration variable (see
linkgit:git-config[1]).
Before Git invokes a hook, it changes its working directory to either
the root of the working tree in a non-bare repository, or to the
$GIT_DIR in a bare repository.
Hooks can get their arguments via the environment, command-line
arguments, and stdin. See the documentation for each hook below for
details.
'git init' may copy hooks to the new repository, depending on its
configuration. See the "TEMPLATE DIRECTORY" section in
linkgit:git-init[1] for details. When the rest of this document refers
to "default hooks" it's talking about the default template shipped
with Git.
The currently supported hooks are described below.
HOOKS
-----
applypatch-msg
~~~~~~~~~~~~~~
This hook is invoked by 'git am'. It takes a single
parameter, the name of the file that holds the proposed commit
log message. Exiting with a non-zero status causes 'git am' to abort
before applying the patch.
The hook is allowed to edit the message file in place, and can
be used to normalize the message into some project standard
format. It can also be used to refuse the commit after inspecting
the message file.
The default 'applypatch-msg' hook, when enabled, runs the
'commit-msg' hook, if the latter is enabled.
pre-applypatch
~~~~~~~~~~~~~~
This hook is invoked by 'git am'. It takes no parameter, and is
invoked after the patch is applied, but before a commit is made.
If it exits with non-zero status, then the working tree will not be
committed after applying the patch.
It can be used to inspect the current working tree and refuse to
make a commit if it does not pass certain test.
The default 'pre-applypatch' hook, when enabled, runs the
'pre-commit' hook, if the latter is enabled.
post-applypatch
~~~~~~~~~~~~~~~
This hook is invoked by 'git am'. It takes no parameter,
and is invoked after the patch is applied and a commit is made.
This hook is meant primarily for notification, and cannot affect
the outcome of 'git am'.
pre-commit
~~~~~~~~~~
This hook is invoked by 'git commit', and can be bypassed
with the `--no-verify` option. It takes no parameters, and is
invoked before obtaining the proposed commit log message and
making a commit. Exiting with a non-zero status from this script
causes the 'git commit' command to abort before creating a commit.
The default 'pre-commit' hook, when enabled, catches introduction
of lines with trailing whitespaces and aborts the commit when
such a line is found.
All the 'git commit' hooks are invoked with the environment
variable `GIT_EDITOR=:` if the command will not bring up an editor
to modify the commit message.
prepare-commit-msg
~~~~~~~~~~~~~~~~~~
This hook is invoked by 'git commit' right after preparing the
default log message, and before the editor is started.
It takes one to three parameters. The first is the name of the file
that contains the commit log message. The second is the source of the commit
message, and can be: `message` (if a `-m` or `-F` option was
given); `template` (if a `-t` option was given or the
configuration option `commit.template` is set); `merge` (if the
commit is a merge or a `.git/MERGE_MSG` file exists); `squash`
(if a `.git/SQUASH_MSG` file exists); or `commit`, followed by
a commit SHA-1 (if a `-c`, `-C` or `--amend` option was given).
If the exit status is non-zero, 'git commit' will abort.
The purpose of the hook is to edit the message file in place, and
it is not suppressed by the `--no-verify` option. A non-zero exit
means a failure of the hook and aborts the commit. It should not
be used as replacement for pre-commit hook.
The sample `prepare-commit-msg` hook that comes with Git comments
out the `Conflicts:` part of a merge's commit message.
commit-msg
~~~~~~~~~~
This hook is invoked by 'git commit', and can be bypassed
with the `--no-verify` option. It takes a single parameter, the
name of the file that holds the proposed commit log message.
Exiting with a non-zero status causes the 'git commit' to
abort.
The hook is allowed to edit the message file in place, and can be used
to normalize the message into some project standard format. It
can also be used to refuse the commit after inspecting the message
file.
The default 'commit-msg' hook, when enabled, detects duplicate
"Signed-off-by" lines, and aborts the commit if one is found.
post-commit
~~~~~~~~~~~
This hook is invoked by 'git commit'. It takes no parameters, and is
invoked after a commit is made.
This hook is meant primarily for notification, and cannot affect
the outcome of 'git commit'.
pre-rebase
~~~~~~~~~~
This hook is called by 'git rebase' and can be used to prevent a
branch from getting rebased. The hook may be called with one or
two parameters. The first parameter is the upstream from which
the series was forked. The second parameter is the branch being
rebased, and is not set when rebasing the current branch.
post-checkout
~~~~~~~~~~~~~
This hook is invoked when a 'git checkout' is run after having updated the
worktree. The hook is given three parameters: the ref of the previous HEAD,
the ref of the new HEAD (which may or may not have changed), and a flag
indicating whether the checkout was a branch checkout (changing branches,
flag=1) or a file checkout (retrieving a file from the index, flag=0).
This hook cannot affect the outcome of 'git checkout'.
It is also run after 'git clone', unless the --no-checkout (-n) option is
used. The first parameter given to the hook is the null-ref, the second the
ref of the new HEAD and the flag is always 1.
This hook can be used to perform repository validity checks, auto-display
differences from the previous HEAD if different, or set working dir metadata
properties.
post-merge
~~~~~~~~~~
This hook is invoked by 'git merge', which happens when a 'git pull'
is done on a local repository. The hook takes a single parameter, a status
flag specifying whether or not the merge being done was a squash merge.
This hook cannot affect the outcome of 'git merge' and is not executed,
if the merge failed due to conflicts.
This hook can be used in conjunction with a corresponding pre-commit hook to
save and restore any form of metadata associated with the working tree
(e.g.: permissions/ownership, ACLS, etc). See contrib/hooks/setgitperms.perl
for an example of how to do this.
pre-push
~~~~~~~~
This hook is called by 'git push' and can be used to prevent a push from taking
place. The hook is called with two parameters which provide the name and
location of the destination remote, if a named remote is not being used both
values will be the same.
Information about what is to be pushed is provided on the hook's standard
input with lines of the form:
<local ref> SP <local sha1> SP <remote ref> SP <remote sha1> LF
For instance, if the command +git push origin master:foreign+ were run the
hook would receive a line like the following:
refs/heads/master 67890 refs/heads/foreign 12345
although the full, 40-character SHA-1s would be supplied. If the foreign ref
does not yet exist the `<remote SHA-1>` will be 40 `0`. If a ref is to be
deleted, the `<local ref>` will be supplied as `(delete)` and the `<local
SHA-1>` will be 40 `0`. If the local commit was specified by something other
than a name which could be expanded (such as `HEAD~`, or a SHA-1) it will be
supplied as it was originally given.
If this hook exits with a non-zero status, 'git push' will abort without
pushing anything. Information about why the push is rejected may be sent
to the user by writing to standard error.
[[pre-receive]]
pre-receive
~~~~~~~~~~~
This hook is invoked by 'git-receive-pack' on the remote repository,
which happens when a 'git push' is done on a local repository.
Just before starting to update refs on the remote repository, the
pre-receive hook is invoked. Its exit status determines the success
or failure of the update.
This hook executes once for the receive operation. It takes no
arguments, but for each ref to be updated it receives on standard
input a line of the format:
<old-value> SP <new-value> SP <ref-name> LF
where `<old-value>` is the old object name stored in the ref,
`<new-value>` is the new object name to be stored in the ref and
`<ref-name>` is the full name of the ref.
When creating a new ref, `<old-value>` is 40 `0`.
If the hook exits with non-zero status, none of the refs will be
updated. If the hook exits with zero, updating of individual refs can
still be prevented by the <<update,'update'>> hook.
Both standard output and standard error output are forwarded to
'git send-pack' on the other end, so you can simply `echo` messages
for the user.
The number of push options given on the command line of
`git push --push-option=...` can be read from the environment
variable `GIT_PUSH_OPTION_COUNT`, and the options themselves are
found in `GIT_PUSH_OPTION_0`, `GIT_PUSH_OPTION_1`,...
If it is negotiated to not use the push options phase, the
environment variables will not be set. If the client selects
to use push options, but doesn't transmit any, the count variable
will be set to zero, `GIT_PUSH_OPTION_COUNT=0`.
[[update]]
update
~~~~~~
This hook is invoked by 'git-receive-pack' on the remote repository,
which happens when a 'git push' is done on a local repository.
Just before updating the ref on the remote repository, the update hook
is invoked. Its exit status determines the success or failure of
the ref update.
The hook executes once for each ref to be updated, and takes
three parameters:
- the name of the ref being updated,
- the old object name stored in the ref,
- and the new object name to be stored in the ref.
A zero exit from the update hook allows the ref to be updated.
Exiting with a non-zero status prevents 'git-receive-pack'
from updating that ref.
This hook can be used to prevent 'forced' update on certain refs by
making sure that the object name is a commit object that is a
descendant of the commit object named by the old object name.
That is, to enforce a "fast-forward only" policy.
It could also be used to log the old..new status. However, it
does not know the entire set of branches, so it would end up
firing one e-mail per ref when used naively, though. The
<<post-receive,'post-receive'>> hook is more suited to that.
In an environment that restricts the users' access only to git
commands over the wire, this hook can be used to implement access
control without relying on filesystem ownership and group
membership. See linkgit:git-shell[1] for how you might use the login
shell to restrict the user's access to only git commands.
Both standard output and standard error output are forwarded to
'git send-pack' on the other end, so you can simply `echo` messages
for the user.
The default 'update' hook, when enabled--and with
`hooks.allowunannotated` config option unset or set to false--prevents
unannotated tags to be pushed.
[[post-receive]]
post-receive
~~~~~~~~~~~~
This hook is invoked by 'git-receive-pack' on the remote repository,
which happens when a 'git push' is done on a local repository.
It executes on the remote repository once after all the refs have
been updated.
This hook executes once for the receive operation. It takes no
arguments, but gets the same information as the
<<pre-receive,'pre-receive'>>
hook does on its standard input.
This hook does not affect the outcome of 'git-receive-pack', as it
is called after the real work is done.
This supersedes the <<post-update,'post-update'>> hook in that it gets
both old and new values of all the refs in addition to their
names.
Both standard output and standard error output are forwarded to
'git send-pack' on the other end, so you can simply `echo` messages
for the user.
The default 'post-receive' hook is empty, but there is
a sample script `post-receive-email` provided in the `contrib/hooks`
directory in Git distribution, which implements sending commit
emails.
The number of push options given on the command line of
`git push --push-option=...` can be read from the environment
variable `GIT_PUSH_OPTION_COUNT`, and the options themselves are
found in `GIT_PUSH_OPTION_0`, `GIT_PUSH_OPTION_1`,...
If it is negotiated to not use the push options phase, the
environment variables will not be set. If the client selects
to use push options, but doesn't transmit any, the count variable
will be set to zero, `GIT_PUSH_OPTION_COUNT=0`.
[[post-update]]
post-update
~~~~~~~~~~~
This hook is invoked by 'git-receive-pack' on the remote repository,
which happens when a 'git push' is done on a local repository.
It executes on the remote repository once after all the refs have
been updated.
It takes a variable number of parameters, each of which is the
name of ref that was actually updated.
This hook is meant primarily for notification, and cannot affect
the outcome of 'git-receive-pack'.
The 'post-update' hook can tell what are the heads that were pushed,
but it does not know what their original and updated values are,
so it is a poor place to do log old..new. The
<<post-receive,'post-receive'>> hook does get both original and
updated values of the refs. You might consider it instead if you need
them.
When enabled, the default 'post-update' hook runs
'git update-server-info' to keep the information used by dumb
transports (e.g., HTTP) up-to-date. If you are publishing
a Git repository that is accessible via HTTP, you should
probably enable this hook.
Both standard output and standard error output are forwarded to
'git send-pack' on the other end, so you can simply `echo` messages
for the user.
push-to-checkout
~~~~~~~~~~~~~~~~
This hook is invoked by 'git-receive-pack' on the remote repository,
which happens when a 'git push' is done on a local repository, when
the push tries to update the branch that is currently checked out
and the `receive.denyCurrentBranch` configuration variable is set to
`updateInstead`. Such a push by default is refused if the working
tree and the index of the remote repository has any difference from
the currently checked out commit; when both the working tree and the
index match the current commit, they are updated to match the newly
pushed tip of the branch. This hook is to be used to override the
default behaviour.
The hook receives the commit with which the tip of the current
branch is going to be updated. It can exit with a non-zero status
to refuse the push (when it does so, it must not modify the index or
the working tree). Or it can make any necessary changes to the
working tree and to the index to bring them to the desired state
when the tip of the current branch is updated to the new commit, and
exit with a zero status.
For example, the hook can simply run `git read-tree -u -m HEAD "$1"`
in order to emulate 'git fetch' that is run in the reverse direction
with `git push`, as the two-tree form of `read-tree -u -m` is
essentially the same as `git checkout` that switches branches while
keeping the local changes in the working tree that do not interfere
with the difference between the branches.
pre-auto-gc
~~~~~~~~~~~
This hook is invoked by 'git gc --auto'. It takes no parameter, and
exiting with non-zero status from this script causes the 'git gc --auto'
to abort.
post-rewrite
~~~~~~~~~~~~
This hook is invoked by commands that rewrite commits (`git commit
--amend`, 'git-rebase'; currently 'git-filter-branch' does 'not' call
it!). Its first argument denotes the command it was invoked by:
currently one of `amend` or `rebase`. Further command-dependent
arguments may be passed in the future.
The hook receives a list of the rewritten commits on stdin, in the
format
<old-sha1> SP <new-sha1> [ SP <extra-info> ] LF
The 'extra-info' is again command-dependent. If it is empty, the
preceding SP is also omitted. Currently, no commands pass any
'extra-info'.
The hook always runs after the automatic note copying (see
"notes.rewrite.<command>" in linkgit:git-config[1]) has happened, and
thus has access to these notes.
The following command-specific comments apply:
rebase::
For the 'squash' and 'fixup' operation, all commits that were
squashed are listed as being rewritten to the squashed commit.
This means that there will be several lines sharing the same
'new-sha1'.
+
The commits are guaranteed to be listed in the order that they were
processed by rebase.
GIT
---
Part of the linkgit:git[1] suite