Git 预提交挂钩：防止更改特定文件的提交

Question

我的项目下有一些 .json 文件，其中包含多个密钥。这些密钥不得处于版本控制之下。我在项目中用假密钥替换了这些实际密钥，以防止持续集成时构建失败。

但是，开发人员需要将这些文件复制/粘贴到笔记本电脑上，然后才能测试应用程序。

现在的问题是开发人员可能会忘记并错误地将它们提交到 git 中。我想运行一个pre-commit脚本来检查修改的文件，如果添加其中之一，则提交失败。

我有什么办法可以做到这一点吗？

Answer 1

使用钩子在开发者端防止它pre-commit。注意，git commit --no-verify会绕过这个安全机制。

下面的代码阻止对文件dir/key1.json和key2.json.

#!/bin/sh

# full paths from the repo root separated by newlines
MUST_NOT_CHANGE='dir/key1.json
key2.json'

if git rev-parse --verify HEAD >/dev/null 2>&1
then
  against=HEAD
else
  # Initial commit: diff against an empty tree object
  against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi

exec 1>&2

if git diff --cached --name-only $against |
   grep --quiet --line-regexp --fixed-strings "$MUST_NOT_CHANGE"
then
  echo Commit would modify one or more files that must not change.
  exit 1
else
  exit 0
fi

pre-receive下面必须安装在中央存储库上的挂钩会拒绝任何会修改受保护文件的推送。

#!/bin/sh

# full paths from the repo root separated by newlines
MUST_NOT_CHANGE='dir/key1.json
key2.json'

z40=0000000000000000000000000000000000000000

while read old_value new_value ref_name
do
  if [ "$old_value" = $z40 ]; then
    # New branch: diff against an empty tree object
    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
  else
    against=$old_value
  fi

  if git diff --name-only $against..$new_value |
     grep --quiet --line-regexp --fixed-strings "$MUST_NOT_CHANGE"
  then
    echo "$ref_name" may commit key, rejected ... >&2
    exit 1
  fi
done

行动中：

$ git push origin master
Counting objects: 10, done.
Delta compression using up to 40 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (10/10), 820 bytes | 410.00 KiB/s, done.
Total 10 (delta 1), reused 0 (delta 0)
remote: refs/heads/master may commit key, rejected ...
To '<URL>'
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to '<URL>'