1 files changed, 130 insertions, 0 deletions

diff --git a/scripts/git/pre-push.git-hook b/scripts/git/pre-push.git-hook
new file mode 100755
index 0000000000..f0a3a250ec
--- /dev/null
+++ b/scripts/git/pre-push.git-hook
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+
+# git pre-push hook script to:
+# 0) Call the pre-commit hook, if it is available
+# 1) prevent "fixup!" and "squash!" commit from ending up in master, release-*
+#    or maint-*
+# 2) Disallow pushing branches other than master, release-*
+#    and maint-* to origin (e.g. gitweb.torproject.org)
+#
+# To install this script, copy it into .git/hooks/pre-push path in your
+# local copy of git repository. Make sure it has permission to execute.
+# Furthermore, make sure that TOR_UPSTREAM_REMOTE_NAME environment
+# variable is set to local name of git remote that corresponds to upstream
+# repository on e.g. git.torproject.org.
+#
+# The following sample script was used as starting point:
+# https://github.com/git/git/blob/master/templates/hooks--pre-push.sample
+
+# Are you adding a new check to the git hooks?
+#  - Common checks belong in the pre-commit hook
+#  - Push-only checks belong in the pre-push hook
+
+echo "Running pre-push hook"
+
+z40=0000000000000000000000000000000000000000
+
+upstream_name=${TOR_UPSTREAM_REMOTE_NAME:-"upstream"}
+
+# The working directory
+workdir=$(git rev-parse --show-toplevel)
+# The .git directory
+# If $workdir is a worktree, then $gitdir is not $workdir/.git
+gitdir=$(git rev-parse --git-dir)
+
+cd "$workdir" || exit 1
+
+remote="$1"
+remote_name=$(git remote --verbose | grep "$2" | awk '{print $1}' | head -n 1)
+
+
+ref_is_upstream_branch() {
+    if [ "$1" == "refs/heads/master" ] ||
+        [[ "$1" == refs/heads/release-* ]] ||
+        [[ "$1" == refs/heads/maint-* ]]; then
+        return 1
+    fi
+}
+
+# shellcheck disable=SC2034
+while read -r local_ref local_sha remote_ref remote_sha
+do
+    if [ "$local_sha" = $z40 ]; then
+        # Handle delete
+        :
+    else
+        if [ "$remote_sha" = $z40 ]; then
+            # New branch, examine commits not in master
+            range="master...$local_sha"
+        else
+            # Update to existing branch, examine new commits
+            range="$remote_sha..$local_sha"
+        fi
+
+        # Call the pre-commit hook for the common checks, if it is executable
+        pre_commit=${gitdir}/hooks/pre-commit
+        if [ -x "$pre_commit" ]; then
+            # Only check the files newly modified in this branch
+            CHECK_FILTER="git diff --name-only --diff-filter=ACMR $range"
+            # Use the appropriate owned tor source list to filter the changed
+            # files
+            # This is the layout in 0.3.5
+            # Keep these lists consistent:
+            #   - OWNED_TOR_C_FILES in Makefile.am
+            #   - CHECK_FILES in pre-commit.git-hook and pre-push.git-hook
+            #   - try_parse in check_cocci_parse.sh
+            CHECK_FILES="$($CHECK_FILTER \
+                                   src/lib/*/*.[ch] \
+                                   src/core/*/*.[ch] \
+                                   src/feature/*/*.[ch] \
+                                   src/app/*/*.[ch] \
+                                   src/test/*.[ch] \
+                                   src/test/*/*.[ch] \
+                                   src/tools/*.[ch] \
+                          )"
+
+            export TOR_EXTRA_PRE_COMMIT_CHECKS=1
+            # We want word splitting here, because file names are space
+            # separated
+            # shellcheck disable=SC2086
+            if ! "$pre_commit" $CHECK_FILES ; then
+                exit 1
+            fi
+        fi
+
+        if [[ "$remote_name" != "$upstream_name" ]]; then
+            echo "Not pushing to upstream - refraining from further checks"
+            continue
+        fi
+
+        if (ref_is_upstream_branch "$local_ref" == 0 ||
+                ref_is_upstream_branch "$remote_ref"  == 0) &&
+            [ "$local_ref" != "$remote_ref" ]; then
+            if [ "$remote" == "origin" ]; then
+                echo >&2 "Not pushing: $local_ref to $remote_ref"
+                echo >&2 "If you really want to push this, use --no-verify."
+                exit 1
+            else
+                continue
+            fi
+        fi
+
+        # Check for fixup! commit
+        commit=$(git rev-list -n 1 --grep '^fixup!' "$range")
+        if [ -n "$commit" ]; then
+            echo >&2 "Found fixup! commit in $local_ref, not pushing"
+            echo >&2 "If you really want to push this, use --no-verify."
+            exit 1
+        fi
+
+        # Check for squash! commit
+        commit=$(git rev-list -n 1 --grep '^squash!' "$range")
+        if [ -n "$commit" ]; then
+            echo >&2 "Found squash! commit in $local_ref, not pushing"
+            echo >&2 "If you really want to push this, use --no-verify."
+            exit 1
+        fi
+    fi
+done
+
+exit 0