block pushes to canary via https in addition to ssh

vercel · Jul 19, 2024 · af66b0f · af66b0f
1 parent b704582
commit af66b0f
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/.husky/pre-push b/.husky/pre-push
@@ -1,18 +1,36 @@
 #!/usr/bin/env bash
 
-protected_branch="canary"
-protected_remote_url="git@github.com:vercel/next.js.git"
+protected_branch='canary'
+
+protected_remote_urls=(
+  'git@github.com:vercel/next.js.git'
+  'https://github.com/vercel/next.js.git' # github blocks password-based auth, but still usable via API token
+)
+
 
 # The pre-push hook [...] receives the name and location of the remote as parameters
 # https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks
 remote_name="$1"
 remote_url="$2"
 
+
+
 # if we're pushing to a fork, we don't need to protect canary.
-if [ "$remote_url" != "$protected_remote_url" ]; then
+# check if the remote is one of the protected ones.
+is_remote_protected=0
+for protected_remote_url in "${protected_remote_urls[@]}"; do
+  if [ "$remote_url" = "$protected_remote_url" ]; then
+    is_remote_protected=1
+    break
+  fi
+done
+
+if [ "$is_remote_protected" = 0 ]; then
   exit 0
 fi
 
+
+
 # check if the push is targeting canary on the remote
 # https://stackoverflow.com/a/44156933
 push_targets_protected_branch=0
@@ -24,7 +42,6 @@ while read -r _local_ref _local_sha remote_ref _remote_sha; do
   fi
 done
 
-
 if [ "$push_targets_protected_branch" = "1" ]; then
   echo "You probably didn't intend to push directly to '$protected_branch' on '$remote_name' ($remote_url)." >&2
   echo "If you're sure that that's what you want to do, bypass this check via" >&2