[webkit-changes] [WebKit/WebKit] 604395: [git-webkit] Add pre-push hook to prevent publicat...

Jonathan Bedard noreply at github.com
Fri Mar 10 13:18:38 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 604395a516c13cff80d4b0400e43a4c322dbb32f
      https://github.com/WebKit/WebKit/commit/604395a516c13cff80d4b0400e43a4c322dbb32f
  Author: Jonathan Bedard <jbedard at apple.com>
  Date:   2023-03-10 (Fri, 10 Mar 2023)

  Changed paths:
    A Tools/Scripts/hooks/pre-push
    M Tools/Scripts/libraries/webkitscmpy/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/clean.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/land.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py
    M Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/setup_unittest.py

  Log Message:
  -----------
  [git-webkit] Add pre-push hook to prevent publication of security sensitive commits
https://bugs.webkit.org/show_bug.cgi?id=253354
rdar://106216593

Reviewed by Elliott Williams.

Write a pre-push hook to block or prompt the user in 3 situations to prevent the
inadvertent publication of security sensitive commits:
- Class 1: A commit exists on a remote more secure than the one a contributor is pushing to
- Class 2: A commit is a cherry-pick of a commit from a more secure remote
- Class 3: The commit references a security bug and the target remote is public

The goal of this hook is to prevent class 1 and 2 without relying on code in the checkout, while
class 3 relies on webkitbugspy to determine if a linked issue is redacted.

* Tools/Scripts/hooks/pre-push: Added.
* Tools/Scripts/libraries/webkitscmpy/setup.py: Bump version.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/__init__.py: Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/mocks/local/git.py:
(Git): Add `git config --get-regexp`
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/clean.py:
(Clean.cleanup): Forward verbosity into `git push`.
(Clean.main): Ditto.
(DeletePRBranches.main): Ditto.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/land.py:
(Land.main): Forward verbosity into `git push`.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/publish.py:
(Publish.main): Change operating mode of our pre-push hook to allow class-1 security
publication with a prompt.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/pull_request.py:
(PullRequest.create_pull_request): Forward verbosity into `git push`.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/program/setup.py:
(Setup._security_levels): Provide a security level for source and fork remotes based on
the order of our source remotes.
(Setup.git): Pass arguments to template for our pre-push hook.
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/git_unittest.py:
* Tools/Scripts/libraries/webkitscmpy/webkitscmpy/test/setup_unittest.py:

Canonical link: https://commits.webkit.org/261526@main
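
The class 1 and class 2 checks described in the log message, sketched as an added example (not the code of Tools/Scripts/hooks/pre-push). The remote names, the numeric levels, the `containing` mapping and the block/prompt policy in `decide` are assumptions made for illustration.

```python
import re

# Assumption: a lower number means a more secure remote. Remote names and
# levels are constructed; the page only says levels follow source remote order.
LEVELS = {"security": 0, "security-fork": 0, "origin": 1, "fork": 1}
# Trailer written by `git cherry-pick -x`.
CHERRY_PICK = re.compile(r"\(cherry picked from commit ([0-9a-f]{40})\)")


def more_secure(remotes, target, levels=LEVELS):
    """Remotes in `remotes` that are strictly more secure than `target`."""
    return sorted(r for r in remotes if levels.get(r, levels[target]) < levels[target])


def classify(commit, target, containing, levels=LEVELS):
    """Return [(class, detail)] for one outgoing commit.

    commit: {'sha': ..., 'message': ...}
    containing: sha -> remotes whose branches contain it (a real hook could
    derive this from `git branch -r --contains <sha>`).
    """
    findings = []
    hits = more_secure(containing.get(commit["sha"], ()), target, levels)
    if hits:
        findings.append((1, "on " + ", ".join(hits)))
    for picked in CHERRY_PICK.findall(commit["message"]):
        hits = more_secure(containing.get(picked, ()), target, levels)
        if hits:
            findings.append((2, "cherry-pick of %s on %s" % (picked[:12], ", ".join(hits))))
    return findings


def decide(commits, target, containing, publish_mode=False):
    """Assumed policy: any finding blocks, except that publish mode turns a
    class 1 finding into a prompt, as the page describes for Publish.main."""
    classes = {c for commit in commits for c, _ in classify(commit, target, containing)}
    if not classes:
        return "allow"
    if publish_mode and classes == {1}:
        return "prompt"
    return "block"


# Constructed sample data.
SECRET, PICK, PLAIN = "a" * 40, "b" * 40, "c" * 40
CONTAINING = {SECRET: ["security"], PLAIN: ["origin"]}
COMMITS = {
    SECRET: {"sha": SECRET, "message": "Fix overflow"},
    PICK: {"sha": PICK, "message": "Fix overflow\n\n(cherry picked from commit %s)" % SECRET},
    PLAIN: {"sha": PLAIN, "message": "Update docs"},
}
```

Class 3 is left out because it depends on webkitbugspy to tell whether a linked issue is redacted.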



