0

Our company Has a SVN repository for an our software, based off Rails.

We've also had a manually updated encrypted repository - pull unencrypted, encode with RubyEncoder, push to encrypted.

We've mostly transitioned to Git, and would like to make the process automatic, and I'd like to make the process automatic, and per-commit.

So

  1. Server recieves a push to unencrypted, any branch
  2. Server filters changed .rb files, passing them through Rubyencoder
  3. Encrypted .rb files & other files are pushed to encrypted repository, commit message kept, so there is a 1:1 commit ratio
  4. Branch creation and deletion is also mirrored.

Unlike solutions like git-encrypt, it's the customer's comuter we interpret as insecure, not the code repository.

My first attempt was a long post-recieve hook, which was slow and branching didn't work correctly, so I abandoned it.

My second attempt was setting *.rb = rubyencode and setting up clean and smudge filters. While RubyEncoder can be set to input on /dev/stdin and output to /dev/stdout, it seems these affect files on disk without effecting git history, requiring another commit per received push.

The server-local pull and push ( git remote origin add git@git.work.com:product/work_unencrypted.git and git remote set-url origin --push git@git.work.com:product/work_encrypted.git to get it to push and pull from the expected repository ) would have been triggered by the post-recieve hook, if clean/smudge was working as expected.

I'm lost enough I don't even know the proper question to ask at this point. Maybe it's how to step through & modify commits to keep the 1:1 history?

user6167808
  • 35
  • 6

1 Answers1

2

I would use some CI server (Jenkins, Travis, Buildbot...) to run the script instead of playing with hooks and smudge filters. You can use the post-receive hook too, but then use it just to trigger the task (using some IPC mechanism), do not try to run the whole task inside the hook.

Anyhow, let's assume that the working repository has been initialized and the triggering branch has been set to $GIT_BRANCH.

Also expect these remote definitions:

git remote add unencrypted git@git.work.com:product/work_unencrypted.git
git remote add encrypted git@git.work.com:product/work_encrypted.git

Then the script itself should be something like this:

git fetch unencrypted
git checkout -f unencrypted/$GIT_BRANCH

while read -r FILE; do
    rubyencode $FILE
    git add $FILE
done < <( git diff HEAD..HEAD~ --name-only --diff-filter=ACMR \
         | grep .rb\$ )

git commit --amend --no-edit
git push encrypted HEAD:$GIT_BRANCH
jil
  • 2,601
  • 12
  • 14
  • 1
    For the lower requirements, I ended up using a bash script + cron job rather than a CI server. Individual commits tend to be small, so running every 15 minutes gets a 'close enough' result. – user6167808 May 13 '16 at 13:59