From: Jeff King <peff@peff.net>
To: Chris Packham <judge.packham@gmail.com>
Cc: GIT <git@vger.kernel.org>
Subject: Re: Detecting source of a push in a pre-receive hook
Date: Wed, 21 Jan 2026 00:27:05 -0500
Message-ID: <20260121052705.GA567009@coredump.intra.peff.net>
In-Reply-To: <CAFOYHZDcFJBiZwmposZVGmymmRz1XOaXP8iCRgTDVcsWPTH=6g@mail.gmail.com>
On Wed, Jan 21, 2026 at 09:45:51AM +1300, Chris Packham wrote:
> For various reasons we also have a CI system that pushes some things
> (mostly tags but some automated merge commits as well) that runs as
> the same user. We'd really like to be able to have the pre-receive
> hook reject pushes from the CI system but allow them from the Gerrit
> server. Does the pre-receive hook have any way of knowing the source
> of a push operation?
Git doesn't do any authentication or know about the push sources itself;
it just sees that stdin/stdout have somehow been hooked up to a client.
But the protocol layer that does that hooking up sometimes leaves
information in the environment. If clients are connecting over ssh, for
example, then you'll probably have an $SSH_CLIENT variable set. For
HTTP, you'd probably get $REMOTE_ADDR, I think.
How do you want to identify the CI system versus the Gerrit system? The
suggestions above would look at the source IP. If you're using ssh and
have different keys for each incoming entity, you could probably add an
"environment=" field to your authorized_keys file, and then check that
field in the pre-receive hook (or if you wanted, even use a "command="
field to restrict git-receive-pack to only specific keys).
Over HTTP, you'd have to look at how authentication is done for the two
entities. I _think_ you reliably get $REMOTE_USER if there was the usual
HTTP auth done, and you could check that. But you could probably also do
some server-specific magic to reject receive-pack requests. There are some
hints for Apache in the git-http-backend manpage, but you might also be
able to copy ideas from the test config we use in t/lib-httpd.
-Peff
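A hook along the lines Peff describes, written here as an added example (not code from the thread or from git itself): it prefers an `environment=` tag from authorized_keys, then $REMOTE_USER for the HTTP case, and only then the $SSH_CLIENT address. The PUSH_SOURCE variable name and the 10.0.0.5 address are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-receive hook (added example; not from this thread).
# Assumes the server's authorized_keys tags the Gerrit key with an
# "environment=" option, e.g.
#   environment="PUSH_SOURCE=gerrit" ssh-ed25519 AAAA... gerrit@host
# which sshd only honours when PermitUserEnvironment allows it.
# The CI key gets PUSH_SOURCE=ci; unknown keys get nothing.

# decide_push TAG SSH_CLIENT REMOTE_USER
# Prints "allow" or "reject". Pure function so it can be run without sshd.
decide_push() {
    tag="$1"; ssh_client="$2"; remote_user="$3"

    # 1. Tag from authorized_keys: bound to the key that authenticated,
    #    so a client running as the same unix user cannot fake it.
    case "$tag" in
        gerrit) echo allow; return 0 ;;
        ci)     echo "pre-receive: CI pushes are not permitted" >&2
                echo reject; return 0 ;;
    esac

    # 2. HTTP path: REMOTE_USER is set by the web server's own auth.
    case "$remote_user" in
        gerrit) echo allow; return 0 ;;
        ci)     echo "pre-receive: CI pushes are not permitted" >&2
                echo reject; return 0 ;;
    esac

    # 3. Weakest fallback: source address from $SSH_CLIENT ("ip port port").
    #    10.0.0.5 is an assumed address for the Gerrit host.
    case "${ssh_client%% *}" in
        10.0.0.5) echo allow; return 0 ;;
    esac
    echo "pre-receive: unidentified push source" >&2
    echo reject
}

# Hook entry point: git writes "<old-sha> <new-sha> <refname>" lines on
# stdin; a non-zero exit rejects the whole push. Only runs as the hook.
if [ "${0##*/}" = pre-receive ]; then
    [ "$(decide_push "${PUSH_SOURCE:-}" "${SSH_CLIENT:-}" "${REMOTE_USER:-}")" = allow ] || exit 1
    while read -r old new ref; do :; done   # every ref update accepted
    exit 0
fi
```

Install it as hooks/pre-receive in the bare repository and make it executable; the tag check is the only one of the three that does not depend on a network address.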
Thread overview: 4+ messages
[not found] <CAFOYHZDnXQOcDmzwf1WRpZpNRAs-R2YOBh3ru0mr0ffrMLB=9Q@mail.gmail.com>
2026-01-20 20:45 ` Detecting source of a push in a pre-receive hook  Chris Packham
2026-01-20 21:57   ` rsbecker
2026-01-21  5:27   ` Jeff King [this message]
2026-01-21  5:31   ` Jeff King