16

I would like to have some hooks always present in a clone of a given repository. Is there a way to add a file in .git/hooks in the repository?

Thanks

Mildred

2 Answers

20

It is possible to define your own hooks in a git template, but even there, those hooks would be non-executable ones.

I.e. the user would still have to activate them (rename or activate the executable bit) once the repo is cloned.
That way, said user won't have any unwanted script executed without his/her full knowledge and explicit approval.
Doing otherwise would be too much of a security risk for anyone "blindly" cloning a repo.

Community
VonC
  • 2
    Sounds reasonable not to allow a repository to execute code in an open environment. That being said, in a contained environment (internal projects for my company) it could be useful. But scripts installing hooks would have to do. – Mildred Mar 04 '11 at 08:34
  • 1
    I understand the previous comments, however installing and activating a hook sounds to me like an advanced user action. In my case, which is a contained environment, I would like to ensure users write the branch name in the commit message, which is pretty simple with a hook. But it seems to me it won't be that simple to explain to every user how to configure it, whereas having it in the git repo itself would simplify many things. – Alexis Feb 12 '13 at 13:11
  • "too much of a security risk for anyone "blindly" cloning a repo." This is the answer? Really? I also could include something like "code execution" within my ANT or Maven configuration. This might even be more executed than the pre-commit hook for instance, it is just easier to see. "Blindly" doing something is always a risk. – Adrian Aug 14 '14 at 06:09
  • @Adrian not sure I follow you. By "blindly", I refer to hooks coming from a repo you are cloning, and that would be automatically executed without you realizing they are there (because they are buried in `.git/hooks`, hence the "blind" qualifier). This has nothing to do with sources you get, examine and decide to run (or be run by your hook). – VonC Aug 14 '14 at 06:16
  • @VonC I know what you mean, but I don't think it is entirely true: * hooks are not executed "automatically", at least you have to call a git command * When there are hooks in the repo, I obviously see this and should examine them as I would do with normal code too * I could a lot in a hundreds of code files too and just tell everyone that it is necessary to build it on your own. Just clone and call make or whatever... – Adrian Aug 14 '14 at 06:29
  • @Adrian "I obviously see this and should examine them as I would do with normal code too": I guess this is where we will agree to disagree then. – VonC Aug 14 '14 at 06:49
  • 1
    The commit restriction should only apply to public repos. There are a million reasons why a company/organization will want to have hooks in their repo. – Anthony Awuley May 08 '21 at 17:31
5

Sounds like a security risk to me. Just because you clone some repository doesn't mean you want to give it the right to execute code.

You could put a copy of hooks into the versioned code and include some script file to allow the user to copy them to his hooks directory easily. And of course once you have hooks installed you can use them to keep themselves up-to-date.

CodesInChaos
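The approach from this answer (hooks kept in the versioned tree, plus a script the user chooses to run to copy them into the hooks directory), sketched as an added example that is not part of the original answer. The top-level `hooks/` directory and the script name `install-hooks.sh` are assumptions.

```shell
#!/bin/sh
# Added example: opt-in hook installer. Assumed layout: hooks are versioned
# in a top-level "hooks/" directory (hypothetical name) of the repository.

# Copy each regular file from SRC into DST and mark it executable.
# An existing hook that differs is kept as NAME.bak so nothing is lost silently.
# Prints the number of hooks installed or updated on stdout.
install_hooks() {
    src=$1 dst=$2 count=0
    [ -d "$src" ] || { echo "no hook directory: $src" >&2; return 1; }
    mkdir -p "$dst"
    for hook in "$src"/*; do
        # Skip symlinks and anything that is not a plain file.
        [ -f "$hook" ] && [ ! -L "$hook" ] || continue
        name=$(basename "$hook")
        target=$dst/$name
        if [ -e "$target" ]; then
            cmp -s "$hook" "$target" && continue   # already current
            mv "$target" "$target.bak"
        fi
        cp "$hook" "$target"
        chmod +x "$target"
        echo "installed $name" >&2   # tell the user what will now run
        count=$((count + 1))
    done
    echo "$count"
}

# Run as: sh install-hooks.sh install   (from the top of the clone)
if [ "${1:-}" = "install" ]; then
    top=$(git rev-parse --show-toplevel) || exit 1
    # --git-path resolves the real hooks directory, including core.hooksPath.
    install_hooks "$top/hooks" "$(git rev-parse --git-path hooks)" >/dev/null
fi
```

Nothing runs until the user invokes the script, so the explicit-approval step both answers describe is preserved.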