chore: harden dual-remote git workflow

2026-03-31 12:32:36 +02:00
parent 8f61e43e9b
commit 5867d85e96
4 changed files with 63 additions and 1 deletions
--- a/.githooks/pre-push
+++ b/.githooks/pre-push
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+remote_name="${1:-}"
+remote_url="${2:-}"
+
+if [[ "$remote_name" != "tubco" && "$remote_url" != *"git.tub.co"* ]]; then
+  exit 0
+fi
+
+allowed=0
+
+while read -r local_ref local_sha remote_ref remote_sha; do
+  [[ -z "${local_ref:-}" ]] && continue
+
+  case "$local_ref" in
+    refs/heads/release/tubco-*)
+      allowed=1
+      ;;
+    refs/tags/tubco-baseline-*)
+      allowed=1
+      ;;
+    *)
+      echo "Blocked push to 'tubco': '$local_ref' is not an approved customer ref." >&2
+      echo "Allowed refs:" >&2
+      echo "  refs/heads/release/tubco-*" >&2
+      echo "  refs/tags/tubco-baseline-*" >&2
+      echo "Use origin for normal product work." >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ "$allowed" -eq 0 ]]; then
+  echo "Blocked push to 'tubco': no approved TUBCO refs were detected." >&2
+  exit 1
+fi
+
+exit 0