Git pre-push hook to prevent force pushing master branch

pre-push.sh

#!/bin/sh

# Called by "git push" after it has checked the remote status,
# but before anything has been pushed.
#
# If this script exits with a non-zero status nothing will be pushed.
#
# Steps to install, from the root directory of your repo...
# 1. Copy the file into your repo at `.git/hooks/pre-push`
# 2. Set executable permissions, run `chmod +x .git/hooks/pre-push`
# 3. Or, use `rake hooks:pre_push` to install
#
# Try a force push to master, you should get a message `*** [Policy] never force push...`
#
# The commands below will not be allowed...
# `git push --force origin master`
# `git push --delete origin master`
# `git push origin :master`
#
# Nor will a force push while on the master branch be allowed...
# `git co master`
# `git push --force origin`
# 
# Requires git 1.8.2 or newer
#
# Git 1.8.2 release notes cover the new pre-push hook:
# <https://github.com/git/git/blob/master/Documentation/RelNotes/1.8.2.txt>
#
# See Sample pre-push script:
# <https://github.com/git/git/blob/87c86dd14abe8db7d00b0df5661ef8cf147a72a3/templates/hooks--pre-push.sample>


protected_branch='master'

policy='[Policy] Never force push or delete the '$protected_branch' branch! (Prevented with pre-push hook.)'

current_branch=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')

push_command=$(ps -ocommand= -p $PPID)

is_destructive='force|delete|\-f'

will_remove_protected_branch=':'$protected_branch

do_exit(){
  echo $policy
  exit 1
}

if [[ $push_command =~ $is_destructive ]] && [ $current_branch = $protected_branch ]; then
  do_exit
fi

if [[ $push_command =~ $is_destructive ]] && [[ $push_command =~ $protected_branch ]]; then
  do_exit
fi

if [[ $push_command =~ $will_remove_protected_branch ]]; then
  do_exit
fi

unset do_exit

exit 0

Steps to install, from the root directory of your repo...

• Copy the file pre-push.sh file into your repo at .git/hooks/pre-push
• Set executable permissions, run chmod +x .git/hooks/pre-push

Try a force push to master, you should get a message *** [Policy] never force push master

Note: Requires git 1.8.2 or newer

See Sample pre-push script: https://github.com/git/git/blob/87c86dd14abe8db7d00b0df5661ef8cf147a72a3/templates/hooks--pre-push.sample

1.8.2 release notes talking about the new pre-push hook: https://github.com/git/git/blob/master/Documentation/RelNotes/1.8.2.txt

Steps to install, from the root directory of your repo...

• Copy the file pre-push.sh file into your repo at .git/hooks/pre-push
• Set executable permissions, run chmod +x .git/hooks/pre-push

Try a force push to master, you should get a message *** [Policy] never force push master

Note: Requires git 1.8.2 or newer

See Sample pre-push script: https://github.com/git/git/blob/87c86dd14abe8db7d00b0df5661ef8cf147a72a3/templates/hooks--pre-push.sample

1.8.2 release notes talking about the new pre-push hook: https://github.com/git/git/blob/master/Documentation/RelNotes/1.8.2.txt

how to enable normal push without force in this script

i enable this script in my windows environment everything is work but it denies normal fush and force fush
with bellow warning
.git/hooks/pre-push: line 50: PID: command not found

i done the bellow changes in the script

before
$(ps -ocommand= -p $PPID)

after

$(ps --ocommand= -p $PPID)

before

$push_command =~ $is_destructive

after

test $push_command | grep -c "$is_destructive"

thanks in advance

how to enable normal push without force in this script

i enable this script in my windows environment everything is work but it denies normal fush and force fush
with bellow warning
.git/hooks/pre-push: line 50: PID: command not found

i done the bellow changes in the script

before
$(ps -ocommand= -p $PPID)

after

$(ps --ocommand= -p $PPID)

before

$push_command =~ $is_destructive

after

test $push_command | grep -c "$is_destructive"

thanks in advance

I have added an array of protected branches (eg. production and master or your team branch etc)

I have also added a more strict check if you are pushing to any protected branch (see comments in the code)

I hope this helps anybody :) and thanks to @pixelhandler for the original script

protected_branches=( production master )
for i in "${protected_branches[@]}"
do

    protected_branch=$i

    policy='[Policy] Never push, force push or delete the '$protected_branch' branch! (Prevented with pre-push hook.)'

    current_branch=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')

    push_command=$(ps -ocommand= -p $PPID)

    is_destructive='force|delete|\-f'

    will_remove_protected_branch=':'$protected_branch

    do_exit(){
      echo $policy
      exit 1
    }

    if [[ $push_command =~ $is_destructive ]] && [ $current_branch = $protected_branch ]; then
      do_exit
    fi

    if [[ $push_command =~ $is_destructive ]] && [[ $push_command =~ $protected_branch ]]; then
      do_exit
    fi

    if [[ $push_command =~ $will_remove_protected_branch ]]; then
      do_exit
    fi

    # This check makes sure that you dont make a *git push* while on master
    # This check is very strict so you might want to consider removeing it if it does not fit your purpose
    if [[ $protected_branch == $current_branch ]]; then
      do_exit
    fi

done

unset do_exit

exit 0

I have added an array of protected branches (eg. production and master or your team branch etc)

I have also added a more strict check if you are pushing to any protected branch (see comments in the code)

I hope this helps anybody :) and thanks to @pixelhandler for the original script

protected_branches=( production master )
for i in "${protected_branches[@]}"
do

    protected_branch=$i

    policy='[Policy] Never push, force push or delete the '$protected_branch' branch! (Prevented with pre-push hook.)'

    current_branch=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')

    push_command=$(ps -ocommand= -p $PPID)

    is_destructive='force|delete|\-f'

    will_remove_protected_branch=':'$protected_branch

    do_exit(){
      echo $policy
      exit 1
    }

    if [[ $push_command =~ $is_destructive ]] && [ $current_branch = $protected_branch ]; then
      do_exit
    fi

    if [[ $push_command =~ $is_destructive ]] && [[ $push_command =~ $protected_branch ]]; then
      do_exit
    fi

    if [[ $push_command =~ $will_remove_protected_branch ]]; then
      do_exit
    fi

    # This check makes sure that you dont make a *git push* while on master
    # This check is very strict so you might want to consider removeing it if it does not fit your purpose
    if [[ $protected_branch == $current_branch ]]; then
      do_exit
    fi

done

unset do_exit

exit 0

Thanks for sharing! On Linux, I had to change the shebang line to #!/bin/bash for it to work.

BTW, there's an interesting (and perhaps incomplete) fork written in Ruby.

Thanks for sharing! On Linux, I had to change the shebang line to #!/bin/bash for it to work.

BTW, there's an interesting (and perhaps incomplete) fork written in Ruby.

This script does not allow git push origin HEAD:master due to line 43. if you just change it to will_remove_protected_branch=' :'$protected_branch (add a space before the colon) then it will work

This script does not allow git push origin HEAD:master due to line 43. if you just change it to will_remove_protected_branch=' :'$protected_branch (add a space before the colon) then it will work

Here's my own version of this pre-push hook, along with an install script: https://gist.github.com/stefansundin/d465f1e331fc5c632088

Here's my own version of this pre-push hook, along with an install script: https://gist.github.com/stefansundin/d465f1e331fc5c632088

It's easy to prevent pushing to multiple branches using posix regular expressions. You don't need to create and iterate through an array:

#!/bin/bash
# Prevents force-pushing to master

BRANCH=`git rev-parse --abbrev-ref HEAD`
PUSH_COMMAND=`ps -ocommand= -p $PPID`
PROTECTED_BRANCHES="^(master|dev|release-*|patch-*)"
FORCE_PUSH="force|delete|-f"

if [[ "$BRANCH" =~ $PROTECTED_BRANCHES && "$PUSH_COMMAND" =~ $FORCE_PUSH ]]; then
  echo "Prevented force-push to protected branch \"$BRANCH\" by pre-push hook"
  exit 1
fi

exit 0

It's easy to prevent pushing to multiple branches using posix regular expressions. You don't need to create and iterate through an array:

#!/bin/bash
# Prevents force-pushing to master

BRANCH=`git rev-parse --abbrev-ref HEAD`
PUSH_COMMAND=`ps -ocommand= -p $PPID`
PROTECTED_BRANCHES="^(master|dev|release-*|patch-*)"
FORCE_PUSH="force|delete|-f"

if [[ "$BRANCH" =~ $PROTECTED_BRANCHES && "$PUSH_COMMAND" =~ $FORCE_PUSH ]]; then
  echo "Prevented force-push to protected branch \"$BRANCH\" by pre-push hook"
  exit 1
fi

exit 0

push_command=$(ps -ocommand= -p $PPID) always returns the following error for me:

ps: illegal option -- o

Im currently running bash 3.1.23 for windows

push_command=$(ps -ocommand= -p $PPID) always returns the following error for me:

ps: illegal option -- o

Im currently running bash 3.1.23 for windows

push_command=$(ps -ocommand= -p $PPID) always returns the following error for me:

ps: illegal option -- o

Any ideas? Im currently running bash 3.1.23 for windows

push_command=$(ps -ocommand= -p $PPID) always returns the following error for me:

ps: illegal option -- o

Any ideas? Im currently running bash 3.1.23 for windows

Same issue as @amhed, googled with no luck

Same issue as @amhed, googled with no luck

No windows = no problem.

No windows = no problem.

@stephen-mw - love your version; I am also looking to understand how to stop any push to master, even if I am currently on a non protected branch. Let's say master is protected, but I am on my-branch. The I do git push origin master from my-branch. How would I stop that?

@stephen-mw - love your version; I am also looking to understand how to stop any push to master, even if I am currently on a non protected branch. Let's say master is protected, but I am on my-branch. The I do git push origin master from my-branch. How would I stop that?

@vincenzo, add this line. It seems to work for me.

# Prevents makes sure while you are on different branch, you don't push to master
if [ $current_branch != $protected_branch ] && [[ $push_command =~ $protected_branch ]]; then
  do_exit
fi

@vincenzo, add this line. It seems to work for me.

# Prevents makes sure while you are on different branch, you don't push to master
if [ $current_branch != $protected_branch ] && [[ $push_command =~ $protected_branch ]]; then
  do_exit
fi

Hi, this is very useful thanks. How about if i want to prevent push to master but only in the origin remote, others remote like staging, can push force to master.

Hi, this is very useful thanks. How about if i want to prevent push to master but only in the origin remote, others remote like staging, can push force to master.

It is worth mentioning that the pre-push hook is a local hook, that is a hook that is fired when invoking a command in the local repository, and is potentially editable by a user. If you want to protect your repositories against disgruntled programmers, a pre-receive hook in the remote repository is necessary. Anyway, thanks for sharing! The script is perfect when you can trust all programmers in the team.

It is worth mentioning that the pre-push hook is a local hook, that is a hook that is fired when invoking a command in the local repository, and is potentially editable by a user. If you want to protect your repositories against disgruntled programmers, a pre-receive hook in the remote repository is necessary. Anyway, thanks for sharing! The script is perfect when you can trust all programmers in the team.

@luiskhernandez -

I may be a bit late for the party, but the name of the remote is passed to the hook as the first argument, so you can just put the following lines at the begining of the script:

# Exit early if pushing to a remote that isn't 'origin'
[[ $1 != "origin" ]] && exit 0

# rest of script here

@luiskhernandez -

I may be a bit late for the party, but the name of the remote is passed to the hook as the first argument, so you can just put the following lines at the begining of the script:

# Exit early if pushing to a remote that isn't 'origin'
[[ $1 != "origin" ]] && exit 0

# rest of script here

Over 3 years later and this is still a great script!

Note that this doesn't protect against git push --force with a Git post config as default = matching. You're covered with any other post config, and Git 2.0+ uses simple by default.

Over 3 years later and this is still a great script!

Note that this doesn't protect against git push --force with a Git post config as default = matching. You're covered with any other post config, and Git 2.0+ uses simple by default.

any idea in groovy as pre receieve hook.

any idea in groovy as pre receieve hook.

To prevent "git push --force" on a remote server it is impossible using a hook, because you cannot know the command line options given. In that case you need to set in the repository's configuration (or any level above) these options:

[receive]
        denyNonFastForwards = true
        denyDeletes = true

To prevent "git push --force" on a remote server it is impossible using a hook, because you cannot know the command line options given. In that case you need to set in the repository's configuration (or any level above) these options:

[receive]
        denyNonFastForwards = true
        denyDeletes = true

I tried this but it doesn't show the message, and nothing is pushed to master (which is expected)

$ git push
Everything up-to-date
$ git push --force
Everything up-to-date

Why is this?

I tried this but it doesn't show the message, and nothing is pushed to master (which is expected)

$ git push
Everything up-to-date
$ git push --force
Everything up-to-date

Why is this?