RE: Detecting source of a push in a pre-receive hook

[<rsbecker@nexbridge.com>]

On January 20, 2026 3:46 PM, Chris Packham wrote:
>At $dayjob we're moving from a mix of plain git repositories on a server accessed via
>ssh with a secondary Gerrit server tacked on the side for code review to using the
>Gerrit server as the primary source of truth.
>
>So that people don't have to update origin.url for all their local repositories, we're
>using the Gerrit replication plugin to keep the old server in sync (and will likely do so
>for the foreseeable future).
>We have installed a pre-receive hook for the migrated repositories on the old server
>that rejects pushes from anyone except the user that the replication runs as.
>
>For various reasons we also have a CI system that pushes some things (mostly tags
>but some automated merge commits as well) that runs as the same user. We'd
>really like to be able to have the pre-receive hook reject pushes from the CI system
>but allow them from the Gerrit server. Does the pre-receive hook have any way of
>knowing the source of a push operation?

Let me first say that I have not tried this, but had a similar request on an exotic
platform. Let me then say that the next paragraph contains likely very bad ideas.

You *might* be able to as the OS what the end point is for stdin to your hook. I
am in no way certain that git passes the originating pipe to you, but some systems
may allow this. Some other systems allow you to walk though process context
given the originating pipe, but that's probably less likely to work. Other OS
environments allow you to install hooks into the OS to track pipe operations.
If any of this even slightly works, it is highly unlikely to be portable.

Perhaps a better way (more reliable, easier, portable) is to use a firewall to
block the requests from the CI system to a specific port your git subsystem
is listening on.

My $0.0002 thoughts,
Randall