Automation Ninja's Dojo

Gitlab – custom pre-receive hook

Like many of you, I use GitLab to manage some of my projects. Recently I have been discovering how great it is to enable pipelines within your projects.

That has enabled me to install several runners and configure different deployment stages for my repositories. While this all sounds cool, it relies on a single file called .gitlab-ci.yml.

This would not be a big problem if not for the fact that some of the repositories have other developers working on them, and a change to that file could present a security risk for my services/servers. To overcome this I have come up with a pre-receive hook that now acts as a sort of ACL for the file: changes to it are rejected unless a secret commit message is included.


In the repository, create a folder called *custom_hooks*, i.e.

Then create a file called *pre-receive* and apply permissions to it

Afterwards you can pick whichever language you want to write your custom git hook in; below is my Ruby attempt.

What it does is check whether the push is by any chance an unauthorised change to our .gitlab-ci.yml file.

You will be able to change this file if your commit message includes a specific secret. But I leave this for people to adapt to their needs.
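A sketch of the check described above, as an added example that is not the original hook from this post. The token value and the helper names (`parse_updates`, `blocked_commits`, `GIT`) are assumptions; it also covers pushes where the old revision is all zeros (a new branch) or the new revision is all zeros (a deleted branch).

```ruby
#!/usr/bin/env ruby
# Added example (not the post's original hook): reject pushes that change
# .gitlab-ci.yml unless the commit message carries an override token.
require 'open3'

PROTECTED_FILE = '.gitlab-ci.yml'
OVERRIDE_TOKEN = 'PLACEHOLDER-OVERRIDE-TOKEN' # placeholder, pick your own
ZERO = '0' * 40 # old rev of a new ref, or new rev of a deleted ref

# Runs git in the repository the hook was invoked for and returns stdout.
GIT = lambda do |*args|
  out, status = Open3.capture2('git', *args)
  raise "git #{args.first} failed" unless status.success?
  out
end

# pre-receive gets one "<old> <new> <ref>" line per updated ref on stdin.
def parse_updates(io)
  io.each_line.map(&:split).select { |fields| fields.size == 3 }
end

# Returns [ref, sha] for every pushed commit that touches the protected
# file without the token in its message. `git` is injectable for testing.
def blocked_commits(updates, token, git)
  updates.flat_map do |old, new, ref|
    next [] if new == ZERO # ref deletion brings no new commits
    # New ref: old is all zeros, so list commits not reachable from any
    # existing ref instead of using an old..new range.
    range = old == ZERO ? [new, '--not', '--all'] : ["#{old}..#{new}"]
    git.call('rev-list', *range).split.select do |sha|
      touched = git.call('diff-tree', '--no-commit-id', '--name-only', '-r',
                         '-c', '--root', sha, '--', PROTECTED_FILE)
      message = git.call('log', '-1', '--format=%B', sha)
      !touched.strip.empty? && !message.include?(token)
    end.map { |sha| [ref, sha] }
  end
end

# Only act when installed under the hook's name, custom_hooks/pre-receive.
if File.basename($PROGRAM_NAME) == 'pre-receive'
  bad = blocked_commits(parse_updates($stdin), OVERRIDE_TOKEN, GIT)
  bad.each { |ref, sha| warn "#{ref}: #{sha[0, 8]} changes #{PROTECTED_FILE}" }
  exit 1 unless bad.empty?
end
```

If a git command fails, the hook raises and exits non-zero, so the push is rejected rather than let through. The token is written into commit messages, so anyone who can read the repository history can see it.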



I hope this will get you going and leave comments if you make some interesting changes to it 🙂

6 thoughts on “Gitlab – custom pre-receive hook”

  1. Hey, works good, but how do I handle a case when oldRef is 0000000000000000000000000000000000000000 (the branch hasn’t been pushed yet) ?

    1. Most likely create exception condition ? I would be interested to hear what would be your approach in this scenario

  2. Hi,
    Great post, I’m trying to achieve the exactly same thing, this is a good approach but how can I hide the secret code from the commit msg if every developer has access to it?
