{"id":15824548,"url":"https://github.com/sambacha/test-git-repo","last_synced_at":"2026-05-20T14:32:16.798Z","repository":{"id":46204412,"uuid":"421303817","full_name":"sambacha/test-git-repo","owner":"sambacha","description":"collection of scripts / configurations for authenticating / validating deployments / server side code / etc","archived":false,"fork":false,"pushed_at":"2022-05-05T15:24:50.000Z","size":951,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-26T23:44:47.494Z","etag":null,"topics":["git","secure"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sambacha.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security.txt","support":null}},"created_at":"2021-10-26T06:17:12.000Z","updated_at":"2021-12-15T04:49:06.000Z","dependencies_parsed_at":"2022-09-23T05:41:46.258Z","dependency_job_id":null,"html_url":"https://github.com/sambacha/test-git-repo","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Ftest-git-repo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Ftest-git-repo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Ftest-git-repo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sambacha%2Ftest-git-repo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sambacha","download_url":"https://codeload.github.com/sambacha/test-git-repo/tar.gz/refs/
heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246612494,"owners_count":20805354,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git","secure"],"created_at":"2024-10-05T09:00:24.862Z","updated_at":"2026-05-20T14:32:11.746Z","avatar_url":"https://github.com/sambacha.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![codenotify](https://github.com/sambacha/test-git-repo/actions/workflows/codenotify.yml/badge.svg)](https://github.com/sambacha/test-git-repo/actions/workflows/codenotify.yml)\n\n### `git repo utils`\n\n#### Motivation\n\n- Automate admin. 
tasks  \n- Reduce surface area of potential attacks  \n- Reduce surface area of trusted workflows (see `git is a part of the trusted computing base`)  \n- Tooling to check configuration weaknesses   \n- Tooling to automate analysis (static, etc)  \n\n### Overview\n\n- Perl script for extracting chmod permissions\n- codenotification for changes to certain files\n- automate meaningful hash for end user verification of deployed artifacts, etc\n\n\n### Misc Scripts\n\n```sh\necho '$Format:Last commit: %h by %aN at %cd%n%+w(76,6,9)%B$' \u003e LAST_COMMIT\necho 'Last commit date: $Format:%cd by %aN$' \u003e LAST_COMMIT\necho '$Id$' \u003e security.txt\n\ngit archive HEAD  --format tgz --worktree-attributes -o HEAD.tgz\n\nTZ=UTC git show --quiet --date=\"format-local:%Y.%-m.%-d\" --format=\"nightly-%cd\" \u003enightly-release.txt\n```\n\n\n`git rev-list ^#{sha}^@ refs/remotes/#{remote_ref}`\n\n### server side\n\n```ruby\nfiles_modified = `git log -1 --name-only --pretty=format:'' #{ref}`\n```\n\nyou have to use:\n#### client side \n```ruby\nfiles_modified = `git diff-index --cached --name-only HEAD`\n```\n\n```ruby\n#!/usr/bin/env ruby\n\nbase_branch = ARGV[0]\nif ARGV[1]\n  topic_branch = ARGV[1]\nelse\n  topic_branch = \"HEAD\"\nend\n\n# commits that are on the topic branch but not on the base branch\ntarget_shas = `git rev-list #{base_branch}..#{topic_branch}`.split(\"\\n\")\nremote_refs = `git branch -r`.split(\"\\n\").map { |r| r.strip }\n\n# refuse if any of those commits is already reachable from a remote ref\ntarget_shas.each do |sha|\n  remote_refs.each do |remote_ref|\n    shas_pushed = `git rev-list ^#{sha}^@ refs/remotes/#{remote_ref}`\n    if shas_pushed.split(\"\\n\").include?(sha)\n      puts \"[POLICY] Commit #{sha} has already been pushed to #{remote_ref}\"\n      exit 1\n    end\n  end\nend\n```\n\n### 
check_directory_perms\n\n```ruby\n#!/usr/bin/env ruby\n\n$user    = ENV['USER']\n\n# [ insert acl_access_data method from above ]\n\n# only allows certain users to modify certain subdirectories in a project\ndef check_directory_perms\n  access = get_acl_access_data('.git/acl')\n\n  # client side: check the files staged for the next commit\n  files_modified = `git diff-index --cached --name-only HEAD`.split(\"\\n\")\n  files_modified.each do |path|\n    next if path.size == 0\n    has_file_access = false\n    access[$user].each do |access_path|\n      # a nil entry means access to everything; otherwise the path must start with the entry\n      if !access_path || (path.index(access_path) == 0)\n        has_file_access = true\n      end\n    end\n    if !has_file_access\n      puts \"[POLICY] You do not have access to push to #{path}\"\n      exit 1\n    end\n  end\nend\n\ncheck_directory_perms\n```\n\n```ruby\n# only allows certain users to modify certain subdirectories in a project\ndef check_directory_perms\n  access = get_acl_access_data('acl')\n\n  # see if anyone is trying to push something they can't\n  new_commits = `git rev-list #{$oldrev}..#{$newrev}`.split(\"\\n\")\n  new_commits.each do |rev|\n    files_modified = `git log -1 --name-only --pretty=format:'' #{rev}`.split(\"\\n\")\n    files_modified.each do |path|\n      next if path.size == 0\n      has_file_access = false\n      access[$user].each do |access_path|\n        if !access_path || # user has access to everything\n           (path.start_with? access_path) # access to this path\n          has_file_access = true\n        end\n      end\n      if !has_file_access\n        puts \"[POLICY] You do not have access to push to #{path}\"\n        exit 1\n      end\n    end\n  end\nend\n\ncheck_directory_perms\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsambacha%2Ftest-git-repo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsambacha%2Ftest-git-repo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsambacha%2Ftest-git-repo/lists"}