Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 604395a516c13cff80d4b0400e43a4c322dbb32f
https://github.com/WebKit/WebKit/commit/604395a516c13cff80d4b0400e43a4c322dbb32f
Author: Jonathan Bedard <jbed...@apple.com>
Date: 2023-03-10 (Fri, 10 Mar 2023)

Changed paths:
A Tools/Scripts/hooks/pre-push
M Tools/Scripts/libraries/webkitscmpy/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/clean.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/land.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py
M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/setup_unittest.py

Log Message:
-----------
[git-webkit] Add pre-push hook to prevent publication of security sensitive commits
https://bugs.webkit.org/show_bug.cgi?id=253354
rdar://106216593

Reviewed by Elliott Williams.

Write a pre-push hook to block or prompt the user in 3 situations to prevent
the inadvertent publication of security sensitive commits:
- Class 1: A commit exists on a remote more secure than the one a contributor is pushing to
- Class 2: A commit is a cherry-pick of a commit from a more secure remote
- Class 3: The commit references a security bug and the target remote is public
The goal of this hook is to prevent class 1 and 2 without relying on code in the
checkout, while class 3 relies on webkitbugspy to determine if a linked issue is redacted.

* Tools/Scripts/hooks/pre-push: Added.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py:
(Git): Add `git config --get-regexp`
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/clean.py:
(Clean.cleanup): Forward verbosity into `git push`.
(Clean.main): Ditto.
(DeletePRBranches.main): Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/land.py:
(Land.main): Forward verbosity into `git push`.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py:
(Publish.main): Change operating mode of our pre-push hook to allow class-1
security publication with a prompt.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.create_pull_request): Forward verbosity into `git push`.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py:
(Setup._security_levels): Provide a security level for source and fork remotes
based on the order of our source remotes.
(Setup.git): Pass arguments to template for our pre-push hook.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/setup_unittest.py:

Canonical link: https://commits.webkit.org/261526@main
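
The three classes named in the log message, as an added sketch that is not the WebKit hook or any code from this commit. It models each remote as a set of hashes instead of calling git; the `LEVELS` ordering, the remote names, the `is_redacted` callback and all sample data are assumptions, and class 2 is detected through the trailer that `git cherry-pick -x` writes.

```python
import re

# Assumption: a higher level marks a more restricted (more secure) remote.
LEVELS = {"origin": 0, "security": 1}  # constructed remote names
CHERRY_PICK = re.compile(r"\(cherry picked from commit ([0-9a-f]{7,40})\)")
BUG_URL = re.compile(r"https://bugs\.webkit\.org/show_bug\.cgi\?id=\d+")

def classify(commit, target, remote_commits, is_redacted):
    """Return the sorted classes (1, 2, 3) that make `commit` unsafe for `target`."""
    level = LEVELS[target]
    secure = set()  # hashes known to live on remotes more secure than target
    for remote, remote_level in LEVELS.items():
        if remote_level > level:
            secure |= remote_commits.get(remote, set())
    found = set()
    if commit["hash"] in secure:  # Class 1
        found.add(1)
    for original in CHERRY_PICK.findall(commit["message"]):  # Class 2
        if any(h.startswith(original) for h in secure):
            found.add(2)
    # Class 3: only applies when the target is the least restricted remote.
    if level == min(LEVELS.values()):
        if any(is_redacted(url) for url in BUG_URL.findall(commit["message"])):
            found.add(3)
    return sorted(found)

def check_push(commits, target, remote_commits, is_redacted):
    """Map offending hashes to their classes; an empty dict lets the push through."""
    flagged = {}
    for commit in commits:
        classes = classify(commit, target, remote_commits, is_redacted)
        if classes:
            flagged[commit["hash"]] = classes
    return flagged

# Constructed sample data: hashes, messages and the bug id are made up.
REMOTE_COMMITS = {"origin": {"c" * 40}, "security": {"a" * 40, "b" * 40}}
REDACTED = {"https://bugs.webkit.org/show_bug.cgi?id=0"}
COMMITS = [
    {"hash": "a" * 40, "message": "Fix bounds check"},
    {"hash": "d" * 40, "message": "Fix\n\n(cherry picked from commit " + "b" * 12 + ")"},
    {"hash": "e" * 40, "message": "Fix\nhttps://bugs.webkit.org/show_bug.cgi?id=0"},
    {"hash": "f" * 40, "message": "Fix typo in comment"},
]

if __name__ == "__main__":
    flagged = check_push(COMMITS, "origin", REMOTE_COMMITS, REDACTED.__contains__)
    for sha, classes in flagged.items():
        print(sha[:12], "blocked, classes", classes)
```

Pushing the same commits to the `security` remote flags nothing, since no remote ranks above it and it is not the least restricted target.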