* Detecting source of a push in a pre-receive hook
[not found] <CAFOYHZDnXQOcDmzwf1WRpZpNRAs-R2YOBh3ru0mr0ffrMLB=9Q@mail.gmail.com>
From: Chris Packham @ 2026-01-20 20:45 UTC
To: GIT
Hi Git,
At $dayjob we're moving from a mix of plain git repositories on a
server accessed via ssh with a secondary Gerrit server tacked on the
side for code review to using the Gerrit server as the primary source
of truth.
So that people don't have to update origin.url for all their local
repositories, we're using the Gerrit replication plugin to keep the
old server in sync (and will likely do so for the foreseeable future).
We have installed a pre-receive hook for the migrated repositories on
the old server that rejects pushes from anyone except the user that
the replication runs as.
For various reasons we also have a CI system that pushes some things
(mostly tags but some automated merge commits as well) that runs as
the same user. We'd really like to be able to have the pre-receive
hook reject pushes from the CI system but allow them from the Gerrit
server. Does the pre-receive hook have any way of knowing the source
of a push operation?
Thanks,
Chris
* RE: Detecting source of a push in a pre-receive hook
From: rsbecker @ 2026-01-20 21:57 UTC
To: 'Chris Packham', 'GIT'
On January 20, 2026 3:46 PM, Chris Packham wrote:
>At $dayjob we're moving from a mix of plain git repositories on a server accessed via
>ssh with a secondary Gerrit server tacked on the side for code review to using the
>Gerrit server as the primary source of truth.
>
>So that people don't have to update origin.url for all their local repositories, we're
>using the Gerrit replication plugin to keep the old server in sync (and will likely do so
>for the foreseeable future).
>We have installed a pre-receive hook for the migrated repositories on the old server
>that rejects pushes from anyone except the user that the replication runs as.
>
>For various reasons we also have a CI system that pushes some things (mostly tags
>but some automated merge commits as well) that runs as the same user. We'd
>really like to be able to have the pre-receive hook reject pushes from the CI system
>but allow them from the Gerrit server. Does the pre-receive hook have any way of
>knowing the source of a push operation?
Let me first say that I have not tried this, but had a similar request on an exotic
platform. Let me then say that the next paragraph contains likely very bad ideas.
You *might* be able to ask the OS what the end point is for stdin to your hook. I
am in no way certain that git passes the originating pipe to you, but some systems
may allow this. Some other systems allow you to walk through process context
given the originating pipe, but that's probably less likely to work. Other OS
environments allow you to install hooks into the OS to track pipe operations.
If any of this even slightly works, it is highly unlikely to be portable.
Perhaps a better way (more reliable, easier, portable) is to use a firewall to
block the requests from the CI system to a specific port your git subsystem
is listening on.
My $0.0002 thoughts,
Randall
* Re: Detecting source of a push in a pre-receive hook
From: Jeff King @ 2026-01-21 5:27 UTC
To: Chris Packham; +Cc: GIT
On Wed, Jan 21, 2026 at 09:45:51AM +1300, Chris Packham wrote:
> For various reasons we also have a CI system that pushes some things
> (mostly tags but some automated merge commits as well) that runs as
> the same user. We'd really like to be able to have the pre-receive
> hook reject pushes from the CI system but allow them from the Gerrit
> server. Does the pre-receive hook have any way of knowing the source
> of a push operation?
Git doesn't do any authentication or know about the push sources itself;
it just sees that stdin/stdout have somehow been hooked up to a client.
But the protocol layer that does that hooking up sometimes leaves
information in the environment. If clients are connecting over ssh, for
example, then you'll probably have an $SSH_CLIENT variable set. For
HTTP, you'd probably get $REMOTE_ADDR, I think.
How do you want to identify the CI system versus the Gerrit system? The
suggestions above would look at the source IP. If you're using ssh and
have different keys for each incoming entity, you could probably add an
"environment=" field to your authorized_keys file, and then check that
field in the pre-receive hook (or if you wanted, even use a "command="
field to restrict git-receive-pack to only specific keys).
Over HTTP, you'd have to look at how authentication is done for the two
entities. I _think_ you reliably get $REMOTE_USER if there was the usual
HTTP auth done, and you could check that. But you could probably also do
some server-specific magic to reject receive-pack requests. There are some
hints for Apache in the git-http-backend manpage, but you might also be
able to copy ideas from the test config we use in t/lib-httpd.
-Peff
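The checks Jeff describes, assembled into a pre-receive hook as an added example; this is not code from the thread, from Git, or from Gerrit. It assumes three things the thread does not specify: that the replication key's authorized_keys entry carries environment="PUSH_SOURCE=gerrit" (an option sshd only honours when sshd_config has PermitUserEnvironment yes, and which requires the replication and the CI system to use different keys even though they share a Unix user), that GERRIT_ADDRS holds the addresses the replication connects from (constructed sample values below), and that over HTTP the replication authenticates as an HTTP user named gerrit-replication. The per-key variable is the strongest of the signals because it is bound to a key rather than to an address, so a CI job running on the same host as Gerrit is still told apart.

```shell
#!/bin/sh
# Added example (not from the thread): pre-receive hook that accepts a push
# only when the transport environment identifies the Gerrit replication.
#
# Assumed authorized_keys line for the replication key (placeholder key):
#   environment="PUSH_SOURCE=gerrit" ssh-ed25519 AAAA...PLACEHOLDER gerrit-replication
# Needs "PermitUserEnvironment yes" in sshd_config to take effect.

GERRIT_ADDRS="${GERRIT_ADDRS:-192.0.2.10 192.0.2.11}"      # constructed sample addresses
GERRIT_HTTP_USER="${GERRIT_HTTP_USER:-gerrit-replication}" # assumed HTTP auth user

# addr_is_gerrit ADDR -> 0 if ADDR is one of GERRIT_ADDRS, else 1
addr_is_gerrit() {
    for a in $GERRIT_ADDRS; do
        if [ "$1" = "$a" ]; then return 0; fi
    done
    return 1
}

# push_allowed PUSH_SOURCE SSH_CLIENT REMOTE_USER REMOTE_ADDR
# Returns 0 (accept) when any one signal identifies the replication, 1 otherwise.
# The arguments are the values git-receive-pack inherited from sshd or the web server.
push_allowed() {
    src="$1"
    ssh_client="$2"
    remote_user="$3"
    remote_addr="$4"

    # 1. ssh: per-key variable from authorized_keys environment=.
    if [ "$src" = "gerrit" ]; then return 0; fi

    # 2. ssh: SSH_CLIENT is "<client-ip> <client-port> <server-port>".
    if [ -n "$ssh_client" ]; then
        if addr_is_gerrit "${ssh_client%% *}"; then return 0; fi
    fi

    # 3. HTTP: REMOTE_USER is set by the web server after HTTP auth.
    if [ -n "$remote_user" ] && [ "$remote_user" = "$GERRIT_HTTP_USER" ]; then
        return 0
    fi

    # 4. HTTP: source address as seen by the web server.
    if [ -n "$remote_addr" ] && addr_is_gerrit "$remote_addr"; then return 0; fi

    return 1
}

# Hook entry point: git feeds "<old-sha> <new-sha> <refname>" lines on stdin.
# Guarded on the script name so the functions can be sourced without reading stdin.
if [ "${0##*/}" = "pre-receive" ]; then
    if ! push_allowed "${PUSH_SOURCE:-}" "${SSH_CLIENT:-}" "${REMOTE_USER:-}" "${REMOTE_ADDR:-}"; then
        # stderr is forwarded to the pushing client, so the reason is visible there.
        echo "pre-receive: this mirror only accepts pushes from the Gerrit replication" >&2
        cat >/dev/null   # drain the ref list so git sees a clean rejection
        exit 1
    fi
    while read -r old new ref; do
        echo "pre-receive: accepting $ref ($old -> $new)" >&2
    done
fi
```

Install it as hooks/pre-receive (executable) in each migrated repository on the old server. Over ssh the hook sees SSH_CLIENT and any environment= variable because git-receive-pack inherits the sshd session environment; over HTTP, REMOTE_USER and REMOTE_ADDR reach it the same way in a CGI-style git-http-backend deployment, which is what Jeff's "I think" covers, so confirm with his env >&2 trick before relying on either.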
* Re: Detecting source of a push in a pre-receive hook
From: Jeff King @ 2026-01-21 5:31 UTC
To: Chris Packham; +Cc: GIT
On Wed, Jan 21, 2026 at 12:27:05AM -0500, Jeff King wrote:
> But the protocol layer that does that hooking up sometimes leaves
> information in the environment. If clients are connecting over ssh, for
> example, then you'll probably have an $SSH_CLIENT variable set. For
> HTTP, you'd probably get $REMOTE_ADDR, I think.
BTW, one easy way to investigate this is to just put:
env >&2
into your pre-receive, and then try a push. We forward stderr from the
hook back to the client, so you can see what the server has available in
the environment.
-Peff