add hooks to check for Signed-off-by in a series of repos

5 files changed, 58 insertions, 0 deletions

diff --git a/lib/hooks/git/dgit/pre-push b/lib/hooks/git/dgit/pre-push
new file mode 120000
index 00000000..b095f34d
--- /dev/null
+++ b/lib/hooks/git/dgit/pre-push
@@ -0,0 +1 @@
+../pre-push-signed-off-by
\ No newline at end of file
diff --git a/lib/hooks/git/git-remote-gcrypt/pre-push b/lib/hooks/git/git-remote-gcrypt/pre-push
new file mode 120000
index 00000000..b095f34d
--- /dev/null
+++ b/lib/hooks/git/git-remote-gcrypt/pre-push
@@ -0,0 +1 @@
+../pre-push-signed-off-by
\ No newline at end of file
diff --git a/lib/hooks/git/mailscripts/pre-push b/lib/hooks/git/mailscripts/pre-push
new file mode 120000
index 00000000..b095f34d
--- /dev/null
+++ b/lib/hooks/git/mailscripts/pre-push
@@ -0,0 +1 @@
+../pre-push-signed-off-by
\ No newline at end of file
diff --git a/lib/hooks/git/org-d20/pre-push b/lib/hooks/git/org-d20/pre-push
new file mode 120000
index 00000000..b095f34d
--- /dev/null
+++ b/lib/hooks/git/org-d20/pre-push
@@ -0,0 +1 @@
+../pre-push-signed-off-by
\ No newline at end of file
diff --git a/lib/hooks/git/pre-push-signed-off-by b/lib/hooks/git/pre-push-signed-off-by
new file mode 100755
index 00000000..3c500deb
--- /dev/null
+++ b/lib/hooks/git/pre-push-signed-off-by
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# some of this is from
+# https://lubomir.github.io/en/2016-05-04-signoff-hooks.html
+
+remote="$1"
+url="$2"
+
+z40=0000000000000000000000000000000000000000
+
+while read local_ref local_sha remote_ref remote_sha; do
+    if [ "$local_sha" = $z40 ]; then
+        # Permit deletion of branches
+        :
+    elif echo "$remote_ref" | grep -q "^refs/heads/wip/"; then
+        # wip/ branches may contain commits which are not signed off
+        :
+    else
+        if [ "$remote_sha" = $z40 ]
+        then
+            # New branch, examine all commits
+            range="$local_sha"
+        else
+            # Update to existing branch, examine new commits
+            range="$remote_sha..$local_sha"
+        fi
+
+        # Check for WIP commit
+        commit=$(git rev-list -n 1 --grep '^WIP' "$range")
+        if [ -n "$commit" ]
+        then
+            echo >&2 "Found WIP commit in $local_ref, not pushing"
+            exit 1
+        fi
+
+        # Check for commits without sign-off
+        if [ "$remote_sha" = $z40 ]; then
+            # New branch is pushed, we only want to check commits that are not
+            # on master.
+            range="$(git merge-base master "$local_sha")..$local_sha"
+        fi
+        while read ref; do
+            msg=$(git log -n 1 --format=%B "$ref")
+            if ! grep -q '^Signed-off-by: ' <<<"$msg"; then
+                echo >&2 "Unsigned-off commit $ref"
+                exit 1
+            fi
+        done < <(git rev-list "$range")
+        # The process substitution above is a hack to make sure loop runs in
+        # the same shell and can actually exit the whole script.
+    fi
+done
+
+exit 0