2
votes

We are using GitLab version 8.5.0. I am writing a custom server-side update hook to lock specific branches. It works great; however, I would like to allow GitLab merge requests to be processed. All GitLab merge requests will usually have a "See Merge request" comment in the commit description. Hence, I thought to allow only those commits which contain the commit message "See Merge request". However, it doesn't work the way I thought.

Any other possible ways to allow only GitLab merge requests?

#!/usr/bin/env bash
# update hook arguments: $1 = ref name, $2 = old sha, $3 = new sha
refname="$1"
newrev="$3"

# Read the full message (%B, subject and body) of the commit being pushed.
# HEAD of the bare repository is not the pushed commit, and %s drops the
# body, which is where the "See Merge request" line lives.
GIT_COMMIT_MSG=$(git log -1 --pretty=format:%B "$newrev")

if [[ "$refname" == refs/heads/master ]]; then
    # glob match with ==; with =~ the pattern is a regex and a leading * is invalid
    if [[ "$GIT_COMMIT_MSG" == *"See Merge request"* ]]; then
        echo "This is GitLab Merge Request"
    else
        echo "$GIT_COMMIT_MSG"
        echo "ERROR:  you are not allowed to update master" >&2
        exit 1
    fi
fi
1
If you allow any commits with the text "See Merge request" to get through, then what would stop a malicious user from inserting this text to spoof your scripts? – Tim Biegeleisen
I know this is not the right way. I am open to suggestions if there is any other right mechanism to track GitLab commits. – Ganga
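The hook's branch-lock decision, factored into a function that takes the ref name and the commit message so the matching can be exercised without a repository. This is an added example, not code from the question or answer; the messages below are constructed, and the "See Merge request" marker is taken from the question as-is.

```shell
#!/usr/bin/env bash
# Added example: the update hook's decision logic on its own.
# In the real hook the message would come from the pushed commit:
#   git log -1 --pretty=format:%B "$3"    # $3 = new sha for the ref
# (%B keeps the body, where the merge marker is written; %s is the subject only).

# Returns 0 if the update may proceed, 1 if it must be rejected.
allowed_update() {
    local refname="$1" message="$2"

    # Only the protected branch is restricted; everything else passes.
    [[ "$refname" == refs/heads/master ]] || return 0

    # Glob match with ==. The question's hook used =~ with a leading *,
    # which bash parses as a regular expression and never matches.
    [[ "$message" == *"See Merge request"* ]] && return 0
    return 1
}

# Constructed messages for the demonstration (not real GitLab output).
MR_MSG=$'Merge branch \'feature\' into \'master\'\n\nFix the parser\n\nSee Merge request !12'
PLAIN_MSG="Quick fix pushed straight to master"

allowed_update refs/heads/master "$MR_MSG"      && echo "merge commit on master: allowed"
allowed_update refs/heads/master "$PLAIN_MSG"   || echo "direct push to master: rejected"
allowed_update refs/heads/feature "$PLAIN_MSG"  && echo "push to feature branch: allowed"
```

As the comment above notes, anyone can write that line into a commit message, so this check only sorts pushes by their text; it is not an access control.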

1 Answer

8
votes

I understand you are using GitLab 8.5, but if possible, consider upgrading to 8.11 where this has been natively (and more securely) implemented.
See "Using the Allowed to merge and Allowed to push settings"

You could set "Allowed to push" to "No one", and "Allowed to merge" to "Developers + Masters", to require everyone to submit a merge request for changes going into the protected branch.


Then all you need is to protect some branches, and they will be modified only through merge requests.