cuuurrl
ffa2ea8 · gmorell · 2026-05-15 04:52
Files changed
modified
Dockerfile
+6
−1
@@ -99,12 +99,17 @@ FROM ${RUNNER_IMAGE} AS final
| 99 | 99 | # * openssh-client — ships `ssh-keygen`, which `GitGud.Ssh.Server` |
| 100 | 100 | # shells out to on first boot to generate the host keys (ed25519, |
| 101 | 101 | # rsa, ecdsa) if they're absent from `SSH_HOST_KEY_DIR`. |
| 102 | +# * curl — `priv/scripts/gitgud-hook` (pre-receive + post-receive | |
| 103 | +# bridge) POSTs ref-update payloads to the Phoenix endpoint via | |
| 104 | +# curl. Without it, branch protection checks and the | |
| 105 | +# CommitBackfill / push-event publishing chain never fire on | |
| 106 | +# SSH-side pushes. Mandatory. | |
| 102 | 107 | # * tini — proper PID 1 / zombie reaping, recommended for any container |
| 103 | 108 | # image running long-lived child processes (we fork git per session). |
| 104 | 109 | RUN apt-get update \ |
| 105 | 110 | && apt-get install -y --no-install-recommends \ |
| 106 | 111 | libstdc++6 openssl libncurses6 locales ca-certificates \ |
| 107 | − git openssh-client tini \ | |
| 112 | + git openssh-client curl tini \ | |
| 108 | 113 | && rm -rf /var/lib/apt/lists/* |
| 109 | 114 | |
| 110 | 115 | # Set the locale |
modified
priv/scripts/gitgud-prereceive
+23
−2
@@ -5,6 +5,13 @@
| 5 | 5 | # Phoenix node for branch-protection evaluation. If Phoenix says DENY, |
| 6 | 6 | # we print the reason on stderr (visible to the pushing client) and |
| 7 | 7 | # exit non-zero so git aborts the push. |
| 8 | +# | |
| 9 | +# **Fail-closed**: if the protection backend is unreachable (curl | |
| 10 | +# missing, Phoenix down, DNS broken, etc.), the push is REJECTED. | |
| 11 | +# Better to refuse than to silently bypass branch protection. Operator | |
| 12 | +# can override by setting `GITGUD_PREHOOK_FAIL_OPEN=1` if they | |
| 13 | +# explicitly want fail-open behavior (e.g. during an emergency | |
| 14 | +# unblock). | |
| 8 | 15 | |
| 9 | 16 | set -eu |
| 10 | 17 |
@@ -14,13 +21,27 @@ REPO_PATH="$(cd "$REPO_PATH" && pwd)"
| 14 | 21 | |
| 15 | 22 | STDIN_PAYLOAD="$(cat)" |
| 16 | 23 | |
| 24 | +if ! command -v curl >/dev/null 2>&1; then | |
| 25 | + echo "gitgud: curl not installed; cannot reach protection backend" >&2 | |
| 26 | + if [ "${GITGUD_PREHOOK_FAIL_OPEN:-}" = "1" ]; then | |
| 27 | + echo "gitgud: GITGUD_PREHOOK_FAIL_OPEN=1 — allowing push anyway" >&2 | |
| 28 | + exit 0 | |
| 29 | + fi | |
| 30 | + exit 1 | |
| 31 | +fi | |
| 32 | + | |
| 17 | 33 | RESP=$(curl -sf -X POST \ |
| 18 | 34 | -H "content-type: text/plain" \ |
| 19 | 35 | -H "x-repo-path: ${REPO_PATH}" \ |
| 20 | 36 | --data-binary "${STDIN_PAYLOAD}" \ |
| 21 | 37 | "${GITGUD_PREHOOK_URL}" 2>/dev/null) || { |
| 22 | − echo "gitgud: protection backend unreachable; allowing push" >&2 | |
| 23 | − exit 0 | |
| 38 | + echo "gitgud: protection backend unreachable at ${GITGUD_PREHOOK_URL}" >&2 | |
| 39 | + if [ "${GITGUD_PREHOOK_FAIL_OPEN:-}" = "1" ]; then | |
| 40 | + echo "gitgud: GITGUD_PREHOOK_FAIL_OPEN=1 — allowing push anyway" >&2 | |
| 41 | + exit 0 | |
| 42 | + fi | |
| 43 | + echo "gitgud: refusing push (branch protection cannot be evaluated)" >&2 | |
| 44 | + exit 1 | |
| 24 | 45 | } |
| 25 | 46 | |
| 26 | 47 | STATUS=$(printf '%s' "$RESP" | head -n1 | awk '{print $1}') |
Parents: 7387a13