diff options
| author |   Robin H. Johnson <robbat2@gentoo.org> | 2023-04-18 23:14:55 -0700 |
|---|---|---|
| committer | Robin H. Johnson <robbat2@gentoo.org> | 2023-04-18 23:14:55 -0700 |
| commit | fcdf81c107d20fa8e8c836b1672dd149498dc245 (patch) | |
| tree | eda6035a7f4a71b3d80756c3c1777763995334ec | |
| parent | Merge remote-tracking branch 'upstream/master' (diff) | |
| download | gitolite-gentoo-fcdf81c107d20fa8e8c836b1672dd149498dc245.tar.gz gitolite-gentoo-fcdf81c107d20fa8e8c836b1672dd149498dc245.tar.bz2 gitolite-gentoo-fcdf81c107d20fa8e8c836b1672dd149498dc245.zip | |
save-push-signatures: use refs/meta/push-certs instead of refs/push-certs
Historically, this hook put the certs in a ref named refs/push-certs.
However, git does *NOT* replicate single-level refs, and this meant that
gitolite mirroring did not replicate the push-certs!
Trying to push them explicitly causes this error:
```
remote: error: refusing to create funny ref 'refs/push-certs' remotely
```
Upstream Git has good reasons as to why not to replicate single-level
refs: https://lore.kernel.org/git/robbat2-20211115T063838-612792475Z@orbis-terrarum.net/
As a good-enough solution, use the namespace of meta/ for the refs.
This is already used in other systems:
- kernel.org refs/meta/cgit
- gerrit refs/meta/config
- GitBlit reflog: refs/meta/gitblit https://www.gitblit.com/administration.html#H12
- cc-utils refs/meta/ci
- JGit refs/meta/push-certs https://www.ibm.com/docs/en/radfws/9.6.1?topic=SSRTLW_9.6.1/org.eclipse.egit.doc/help/JGit/New_and_Noteworthy/4.1/4.1.htm
To migrate from old to new, for each repo, you must explicitly run:
git update-ref refs/meta/push-certs refs/push-certs
Then the hook will populate both refs.
You can remove the old ref after that:
git update-ref -d refs/push-certs
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
| -rwxr-xr-x | contrib/hooks/repo-specific/save-push-signatures | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/contrib/hooks/repo-specific/save-push-signatures b/contrib/hooks/repo-specific/save-push-signatures index 2470491..b541a68 100755 --- a/contrib/hooks/repo-specific/save-push-signatures +++ b/contrib/hooks/repo-specific/save-push-signatures @@ -143,7 +143,42 @@ then GIT_INDEX_FILE=push_certs_index; export GIT_INDEX_FILE # prepare the special ref to receive commits - PUSH_CERTS=refs/push-certs + # historically this hook put the certs in a ref named refs/push-certs + # however, git does *NOT* replicate single-level refs + # trying to push them explicitly causes this error: + # remote: error: refusing to create funny ref 'refs/push-certs' remotely + # https://lore.kernel.org/git/robbat2-20211115T063838-612792475Z@orbis-terrarum.net/ + # + # As a good-enough solution, use the namespace of meta/ for the refs. + # This is already used in other systems: + # - kernel.org refs/meta/cgit + # - gerrit refs/meta/config + # - GitBlit reflog: refs/meta/gitblit https://www.gitblit.com/administration.html#H12 + # - cc-utils refs/meta/ci + # - JGit refs/meta/push-certs https://www.ibm.com/docs/en/radfws/9.6.1?topic=SSRTLW_9.6.1/org.eclipse.egit.doc/help/JGit/New_and_Noteworthy/4.1/4.1.htm + # + # To migrate from old to new, for each repo: + # git update-ref refs/meta/push-certs refs/push-certs + PUSH_CERTS_EXTRA_REFS='' PUSH_CERTS='' # These vars will be populated after checks. + # others vars are temp + _OLD_PUSH_CERTS=refs/push-certs + _NEW_PUSH_CERTS=refs/meta/push-certs + _OLD_PUSH_CERTS_EXISTS=0 + _NEW_PUSH_CERTS_EXISTS=0 + git show-ref --verify --quiet -- "$_OLD_PUSH_CERTS" && _OLD_PUSH_CERTS_EXISTS=1 + git show-ref --verify --quiet -- "$_NEW_PUSH_CERTS" && _NEW_PUSH_CERTS_EXISTS=1 + case "${_OLD_PUSH_CERTS_EXISTS}${_NEW_PUSH_CERTS_EXISTS}" in + # neither or new only: + # let's push to the NEW name only + '00'|'01') PUSH_CERTS=$_NEW_PUSH_CERTS ;; + # old-only: stick to the same, the migration is opt-in + '10') PUSH_CERTS=$_OLD_PUSH_CERTS ;; + # Both: Push to the old name, duplicate to the new name + '11') PUSH_CERTS=$_OLD_PUSH_CERTS PUSH_CERTS_EXTRA_REFS=$_NEW_PUSH_CERTS ;; + esac + # cleanup vars + unset _OLD_PUSH_CERTS_EXISTS _NEW_PUSH_CERTS_EXISTS _OLD_PUSH_CERTS _NEW_PUSH_CERTS + if git rev-parse -q --verify $PUSH_CERTS >/dev/null then git read-tree $PUSH_CERTS @@ -151,7 +186,9 @@ then git read-tree --empty T=$(git write-tree) C=$(echo 'start' | git commit-tree $T) - git update-ref $PUSH_CERTS $C + for _ref in $PUSH_CERTS $PUSH_CERTS_EXTRA_REFS ; do + git update-ref "${_ref}" "${C}" + done fi # for each cert blob... @@ -179,7 +216,9 @@ then T=$(git write-tree) C=$( git commit-tree -p $PUSH_CERTS $T < $cf ) - git update-ref $PUSH_CERTS $C + for _ref in $PUSH_CERTS $PUSH_CERTS_EXTRA_REFS ; do + git update-ref "${_ref}" "${C}" + done rm -f $cf done |