author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:34 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-13 13:43:34 +0100
commit: 0ee8f260727f3e88d26d06f59e5c2fa71211a06d
tree: a5beb8045e63298142eeabd5049a110e20ea2758 /.githooks
parent: 9b2756e4b8ffcce1a2d494cf32a99b971c5ae13f
feat(git): global pre-push hook rejecting unsigned commits
Activated via core.hooksPath = ~/.config/git/hooks in the global git config. The hook walks each ref being pushed (range: remote..local or, for new branches, local --not --remotes) and checks %G? on every commit. Accepts G/U/X/Y (good signature variants), rejects N/B/E/R (no signature, bad, missing key, revoked).

Bypass: git push --no-verify

This repo overrides hooksPath to .githooks/ for its just-check pre-commit gate, so a thin .githooks/pre-push delegates to the global hook to keep the policy enforced here too.
Diffstat (limited to '.githooks')
-rwxr-xr-x .githooks/pre-push 5
1 files changed, 5 insertions, 0 deletions
diff --git a/.githooks/pre-push b/.githooks/pre-push
new file mode 100755
index 0000000..a04e596
--- /dev/null
+++ b/.githooks/pre-push
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Delegate to the global pre-push (signed-commits gate). This repo
+# overrides core.hooksPath to .githooks, so the global hook would not
+# otherwise run here.
+exec "$HOME/.config/git/hooks/pre-push" "$@"
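Review bot: The `exec` on the last line of the new `.githooks/pre-push` runs without first checking that `$HOME/.config/git/hooks/pre-push` exists and is executable. On a checkout where the global hook has not been installed, the `exec` fails and the shell exits non-zero, so every push from this repo is blocked with only a generic "not found" or "permission denied" message from sh. Failing closed suits a signed-commits policy, but a guard before the `exec`, for example `hook="$HOME/.config/git/hooks/pre-push"` followed by `[ -x "$hook" ] || { echo "pre-push: signed-commits hook missing: $hook" >&2; exit 1; }`, would make the cause obvious. The header comment could also record that `git push --no-verify` skips this delegate along with the global hook, so the gate is a client-side check and not an enforcement point.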