6

Gitlab – custom pre-receive hook

As many of you I’m also using Gitlab to manage some of my projects. What I have recently been doing – was discovering how great it is to enable pipeline within your projects.

That have enabled me to install several runners and configure different stages of deployments for my repositories. While this all sounds cool it relies on single file called .gitlab-ci.yml

This would not be a big problem if not the fact that some of repositories have other developers working on it and potentially changing that file could present a security risk for my services/servers. So to overcome this I have come up with pre-receive hook that is now sort of ACL for my file unless secret commit message is included.

Installing

In repository create folder called *custom_hooks* i.e.

/var/opt/gitlab/git-data-disk/repositories/rafpe/ci-test.git/custom_hooks

Then create file called *pre-receive* and apply permissions to it

chmod +x pre-receive
chown git.git pre-receive

Afterwards you can just select the language you are interested in programming your custom git hook – below is my Ruby attempt.

What it does it check if thr push is not by any chance unathorised change to our gitlab-ci.yml file.

You would be able to change this file if your commit message will be done with specific secret. But I leave this for ppl to adapt for their needs.

Script

#!/usr/bin/env ruby

our_secret = "aaaa"

params = gets
oldref = params.split()[0]
newref = params.split()[1]
refname = params.split()[2]



changed_files = `git diff --no-commit-id --name-only #{oldref}..#{newref}`

            if changed_files.include? '.gitlab-ci.yml' then
            commit_messages = `git log --pretty=%s #{newref} | head -3`.split("\n")

             unless commit_messages.include? our_secret
              puts "================================================================= "
              puts "██████╗ ███████╗     ██╗███████╗ ██████╗████████╗███████╗██████╗  "
              puts "██╔══██╗██╔════╝     ██║██╔════╝██╔════╝╚══██╔══╝██╔════╝██╔══██╗ "
              puts "██████╔╝█████╗       ██║█████╗  ██║        ██║   █████╗  ██║  ██║ "
              puts "██╔══██╗██╔══╝  ██   ██║██╔══╝  ██║        ██║   ██╔══╝  ██║  ██║ "
              puts "██║  ██║███████╗╚█████╔╝███████╗╚██████╗   ██║   ███████╗██████╔╝ "
              puts "╚═╝  ╚═╝╚══════╝ ╚════╝ ╚══════╝ ╚═════╝   ╚═╝   ╚══════╝╚═════╝  "
              puts "================================================================= "
              puts ""
              puts " oldref is #{oldref}"
              puts " newref is #{newref}"
              puts " refname is #{refname}"
              puts " "
              puts " We are very very sorry but your change seems to violate our policies! "
              puts " Please check with your nearest Guru! :) ERROR_ID: 001        "
              puts "================================================================= "

              exit 1
             end

            end # if changed_files.include?
exit 0

 

I hope this will get you going and leave comments if you make some interesting changes to it 🙂

rafpe

6 Comments

  1. Hey, works good, but how do I handle a case when oldRef is 0000000000000000000000000000000000000000 (the branch hasn’t been pushed yet) ?

    • Most likely create exception condition ? I would be interested to hear what would be your approach in this scenario

  2. Hi,
    Great post, I’m trying to achieve the exactly same thing, this is a good approach but how can I hide the secret code from the commit msg if every developer has access to it?

Leave a Reply

Your email address will not be published. Required fields are marked *