From 0ee8f260727f3e88d26d06f59e5c2fa71211a06d Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:34 +0100 Subject: feat(git): global pre-push hook rejecting unsigned commits Activated via core.hooksPath = ~/.config/git/hooks in the global git config. The hook walks each ref being pushed (range: remote..local or, for new branches, local --not --remotes) and checks %G? on every commit. Accepts G/U/X/Y (good signature variants), rejects N/B/E/R (no signature, bad, missing key, revoked). Bypass: git push --no-verify This repo overrides hooksPath to .githooks/ for its just-check pre-commit gate, so a thin .githooks/pre-push delegates to the global hook to keep the policy enforced here too. --- .githooks/pre-push | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 .githooks/pre-push (limited to '.githooks/pre-push') diff --git a/.githooks/pre-push b/.githooks/pre-push new file mode 100755 index 0000000..a04e596 --- /dev/null +++ b/.githooks/pre-push @@ -0,0 +1,5 @@ +#!/bin/sh +# Delegate to the global pre-push (signed-commits gate). This repo +# overrides core.hooksPath to .githooks, so the global hook would not +# otherwise run here. +exec "$HOME/.config/git/hooks/pre-push" "$@" -- cgit v1.3.1
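Review bot: the `exec "$HOME/.config/git/hooks/pre-push" "$@"` line in `.githooks/pre-push` assumes the global hook exists and is executable in every checkout of this repo. Where it is absent, `exec` fails, the shell exits non-zero, and the push is rejected with a "not found" style error that says nothing about the signing policy. Consider a guard before the `exec`, for example `hook="$HOME/.config/git/hooks/pre-push"` followed by `[ -x "$hook" ] || { echo "pre-push: $hook missing, signed-commits gate not installed" >&2; exit 1; }`, which still fails closed but says why. The path is also hard-coded to `$HOME/.config`; if the global hooks directory is meant to follow `XDG_CONFIG_HOME`, `${XDG_CONFIG_HOME:-$HOME/.config}` would be the safer spelling here. The comment could also note that `exec` leaves stdin attached, since the global hook depends on the ref list git feeds to pre-push on stdin.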