Do not parse git-notes commits during git access checks
What does this MR do and why?
Fixes #207807 (closed) and #209901 (closed)
git-notes are stored as blobs, but a history of the note changes is also recorded in refs/notes/commits (this can be configured but will always begin with refs/notes). When a user pushes the notes refs with git push origin refs/notes/commits, the Gitlab::GitAccess module performs some checks. As the notes are also stored as commits, the backend would find these commits and apply the normal rules against them.
We shouldn't apply push rules against these commits as they are generated by git, e.g.:
- Notes added by 'git notes add'
- Notes removed by 'git notes remove'
This change will prevent changes that are not for refs/heads or refs/tags from being processed as commits.
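The ref filter described above, sketched as an added Ruby example. It is not GitLab's own code: Change, commit_ref?, push_rule_errors and the sample push are hypothetical names and constructed data, used to show that the notes commit is skipped while a user commit on a branch that matches the same pattern is still rejected.

```ruby
# Added illustration; all names here are hypothetical, not GitLab's implementation.
Change = Struct.new(:ref, :commit_messages)

# Ref namespaces whose commits are written by users and stay subject to push rules.
RULE_REFS = %w[refs/heads/ refs/tags/].freeze

def commit_ref?(ref)
  RULE_REFS.any? { |prefix| ref.start_with?(prefix) }
end

# Returns one error string per commit message matching the reject pattern.
# only_commit_refs: false checks every pushed ref (the behaviour before the fix).
def push_rule_errors(changes, reject_pattern, only_commit_refs: true)
  regex = Regexp.new(reject_pattern)
  changes.flat_map do |change|
    next [] if only_commit_refs && !commit_ref?(change.ref)

    change.commit_messages.grep(regex).map do |message|
      "#{change.ref}: Commit message contains the forbidden pattern " \
        "'#{reject_pattern}' (#{message.lines.first.chomp})"
    end
  end
end

# Constructed sample push: one git-generated notes commit, two branch commits, one tag.
SAMPLE_PUSH = [
  Change.new('refs/notes/commits', ["Notes added by 'git notes add'\n"]),
  Change.new('refs/heads/master', ["Notes on the release process\n", "Fix typo\n"]),
  Change.new('refs/tags/v1.0', ["Release v1.0\n"])
].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'Checking every ref (before the fix):'
  puts push_rule_errors(SAMPLE_PUSH, '^Notes', only_commit_refs: false)
  puts 'Checking only refs/heads and refs/tags (after the fix):'
  puts push_rule_errors(SAMPLE_PUSH, '^Notes')
end
```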
How to set up and validate locally
- In GDK create a push rule for any project with Reject expression in commit messages set to ^Notes
- Clone the repo locally from your GDK
- Add a note with git notes add -m 'test note'
- On GDK's master branch attempt to push the notes with git push gdk_remote refs/notes/commits; the response should show GitLab: Commit message contains the forbidden pattern '^Notes'
- Now switch to GDK's fix/push_rule_commit_message_validation branch and push again. This time the push should succeed
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.