As many of you I’m also using Gitlab to manage some of my projects. What I have recently been doing – was discovering how great it is to enable pipeline within your projects.
That have enabled me to install several runners and configure different stages of deployments for my repositories. While this all sounds cool it relies on single file called .gitlab-ci.yml
This would not be a big problem if not the fact that some of repositories have other developers working on it and potentially changing that file could present a security risk for my services/servers. So to overcome this I have come up with pre-receive hook that is now sort of ACL for my file unless secret commit message is included.
Installing
In repository create folder called *custom_hooks* i.e.
/var/opt/gitlab/git-data-disk/repositories/rafpe/ci-test.git/custom_hooks
Then create file called *pre-receive* and apply permissions to it
chmod +x pre-receive
chown git.git pre-receive
AfterwardsΒ you can just select the language you are interested in programming your custom git hook – below is my Ruby attempt.
What it does it check if thr push is not by any chance unathorised change to our gitlab-ci.yml file.
You would be able to change this file if your commit message will be done with specific secret. But I leave this forΒ ppl to adapt for their needs.
Script
#!/usr/bin/env ruby
our_secret = "aaaa"
params = gets
oldref = params.split()[0]
newref = params.split()[1]
refname = params.split()[2]
changed_files = `git diff --no-commit-id --name-only #{oldref}..#{newref}`
if changed_files.include? '.gitlab-ci.yml' then
commit_messages = `git log --pretty=%s #{newref} | head -3`.split("\n")
unless commit_messages.include? our_secret
puts "================================================================= "
puts "βββββββ ββββββββ βββββββββββ βββββββββββββββββββββββββββββββ "
puts "ββββββββββββββββ ββββββββββββββββββββββββββββββββββββββββββββ "
puts "ββββββββββββββ βββββββββ βββ βββ ββββββ βββ βββ "
puts "ββββββββββββββ ββ βββββββββ βββ βββ ββββββ βββ βββ "
puts "βββ βββββββββββββββββββββββββββββββββββ βββ ββββββββββββββββ "
puts "βββ βββββββββββ ββββββ ββββββββ βββββββ βββ βββββββββββββββ "
puts "================================================================= "
puts ""
puts " oldref is #{oldref}"
puts " newref is #{newref}"
puts " refname is #{refname}"
puts " "
puts " We are very very sorry but your change seems to violate our policies! "
puts " Please check with your nearest Guru! π ERROR_ID: 001 "
puts "================================================================= "
exit 1
end
end # if changed_files.include?
exit 0
I hope this will get you going and leave comments if you make some interesting changes to it π
