Github let's you overwrite on protected branch when freshly pulled repo clone #23398

ideepika · 2021-07-02T16:27:03Z

ideepika
Jul 2, 2021

  <a href="https://github.com/github/hub/issues/2793" target="_blank" rel="noopener nofollow ugc">github.com/github/hub</a>

github let's you overwrite on protected branch when freshly pulled repo clone

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2021-07-01" data-time="18:11:28" data-timezone="UTC">06:11PM - 01 Jul 21 UTC</span>
  </div>


  <div class="user">
    <a href="https://github.com/ideepika" target="_blank" rel="noopener nofollow ugc">
      <img alt="ideepika" src="https://user-images.githubusercontent.com/22215384/181076753-29df44a5-a95b-4236-ba62-2a08a500c3d1.jpeg" class="onebox-avatar-inline" width="20" height="20">
      ideepika
    </a>
  </div>
</div>

<div class="labels">
    <span style="display:inline-block;margin-top:2px;background-color: #B8B8B8;padding: 2px;border-radius: 4px;color: #fff;margin-left: 3px;">
      bug
    </span>
</div>

this is pretty dangerous bug as it can wipe out the code if mistakenly someone f…orce pushes in main branch, request you to please look into the issue on priority.

I fresh cloned a repo I am a contributor to and forgot set up fork remote to push on, instead I pushed mistakenly set my remote also to point to origin/master...

❯ git remote add ideepika https://github.com/ceph/ceph-build.git
❯ git push ideepika -f
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 8 threads
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.05 KiB | 1.05 MiB/s, done.
Total 7 (delta 4), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (4/4), completed with 4 local objects.
To https://github.com/ceph/ceph-build.git
   9afd68cf..33e4b91f  master -&gt; master

This should have been rejected since the branch is protected, but it got bypassed somehow
Since the branch was a protected branch this should have been rejected, but it still got force pushed, and when I tried to amend by repushing the original state ... I get

❯ git push origin master -f
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: error: GH006: Protected branch update failed for refs/heads/master.
remote: error: Cannot force-push to this protected branch
To github.com:ceph/ceph-build.git
 ! [remote rejected]   master -&gt; master (protected branch hook declined)
error: failed to push some refs to 'github.com:ceph/ceph-build.git'

Command attempted:

What happened:

More info:

Answered by jsoref

Jul 2, 2021

I don’t think --force means what you think it means.

Here is where your repository was:

  <a href="https://github.com/ceph/ceph-build/commit/9afd68cf2c530781b11d99455186b1dd59f480cb" target="_blank" rel="noopener nofollow ugc">github.com/ceph/ceph-build</a>

Merge pull request #1861 from ceph/wip-normaldistro

<div class="github-info">
  <div class="date">
    committed <span class="discourse-local-date" data-format="ll" data-date="2021-06-30" data-time="21:29:06" data-timezone="UTC">09:29PM - 30 Jun 21 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/djgalloway" target="_blank" rel="noopener nofollow ugc">
      <img alt="djgalloway" src="https://user-images…

View full answer

jsoref · 2021-07-02T20:13:47Z

jsoref
Jul 2, 2021

I don’t think --force means what you think it means.

Here is where your repository was:

  <a href="https://github.com/ceph/ceph-build/commit/9afd68cf2c530781b11d99455186b1dd59f480cb" target="_blank" rel="noopener nofollow ugc">github.com/ceph/ceph-build</a>

Merge pull request #1861 from ceph/wip-normaldistro

<div class="github-info">
  <div class="date">
    committed <span class="discourse-local-date" data-format="ll" data-date="2021-06-30" data-time="21:29:06" data-timezone="UTC">09:29PM - 30 Jun 21 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/djgalloway" target="_blank" rel="noopener nofollow ugc">
      <img alt="djgalloway" src="https://user-images.githubusercontent.com/2119212/181076754-166b5e66-c2ec-4237-8c38-4b6c9f5ecca4.jpeg" class="onebox-avatar-inline" width="20" height="20">
      djgalloway
    </a>
  </div>

  <div class="lines" title="changed 1 files with 1 additions and 1 deletions">
    <a href="https://github.com/ceph/ceph-build/commit/9afd68cf2c530781b11d99455186b1dd59f480cb" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+1</span>
      <span class="removed">-1</span>
    </a>
  </div>
</div>

build_utils.sh: Fix variable

Here is where your repository went to:

  <a href="https://github.com/ceph/ceph-build/commit/33e4b91f30d638b0059c4586e15afcfa090ee4a8" target="_blank" rel="noopener nofollow ugc">github.com/ceph/ceph-build</a>

build_utils: set build flags using CMakeLists of pushed branch

<div class="github-info">
  <div class="date">
    committed <span class="discourse-local-date" data-format="ll" data-date="2021-07-01" data-time="17:32:34" data-timezone="UTC">05:32PM - 01 Jul 21 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/ideepika" target="_blank" rel="noopener nofollow ugc">
      <img alt="ideepika" src="https://user-images.githubusercontent.com/2119212/181076755-fc025a37-5ef1-4c8b-a139-8da886bcc364.jpeg" class="onebox-avatar-inline" width="20" height="20">
      ideepika
    </a>
  </div>

  <div class="lines" title="changed 2 files with 22 additions and 0 deletions">
    <a href="https://github.com/ceph/ceph-build/commit/33e4b91f30d638b0059c4586e15afcfa090ee4a8" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+22</span>
      <span class="removed">-0</span>
    </a>
  </div>
</div>

idea is to fetch CMakeLists.txt from pushed branch on ci >> grep for set cmake o…n libraries >> export build optional for these

Signed-off-by: Deepika Upadhyay <dupadhya@redhat.com>

This is the difference:

  <a href="https://github.com/ceph/ceph-build/compare/9afd68cf2c530781b11d99455186b1dd59f480cb...33e4b91f30d638b0059c4586e15afcfa090ee4a8" target="_blank" rel="noopener nofollow ugc">GitHub</a>

ceph/ceph-build

Helper scripts for building the official Ceph packages - ceph/ceph-build

If you look at the commits list for where you are now, you’ll see that the parent is where you were before.

--force is used for when you’re asking git to effectively remove commits from the chain leading up to a point.

You aren’t doing that, and thus --force was ignored.

Say you had:

  <a href="https://github.com/ceph/ceph-build/commit/694e4b9ba4423ae0a3b8801248039ea5a12b8cdd" target="_blank" rel="noopener nofollow ugc">github.com/ceph/ceph-build</a>

build_utils.sh: Fix variable

<div class="github-info">
  <div class="date">
    committed <span class="discourse-local-date" data-format="ll" data-date="2021-06-30" data-time="21:14:24" data-timezone="UTC">09:14PM - 30 Jun 21 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/djgalloway" target="_blank" rel="noopener nofollow ugc">
      <img alt="djgalloway" src="https://user-images.githubusercontent.com/2119212/181076758-55a39de3-ab8f-4ef9-8447-c2fdf97529ee.jpeg" class="onebox-avatar-inline" width="20" height="20">
      djgalloway
    </a>
  </div>

  <div class="lines" title="changed 1 files with 1 additions and 1 deletions">
    <a href="https://github.com/ceph/ceph-build/commit/694e4b9ba4423ae0a3b8801248039ea5a12b8cdd" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+1</span>
      <span class="removed">-1</span>
    </a>
  </div>
</div>

Signed-off-by: David Galloway <dgallowa@redhat.com>

as your HEAD, and you tried pushing (don’t do this, test either in a pair of local repositories, or in some unrelated test repositories in your user’s space). By default w/o --force, you’d get an error:

Here’s a long chain of commands that you could try to follow to understand what’s happening in the basic cases:

% cd $(mktemp -d); git init a; (cd a; touch a; git add a; git commit -m a); git clone a b; (cd b; git checkout -b ignore-this); git clone a c; (cd c; git checkout -b ignore-this); (cd a; echo a >> a; git add a; git commit -m A; git checkout -b ignore-this; git fetch ../b; git push ../b main); for a in *; do (cd $a; echo $a; git log main --oneline); done; (cd c; git fetch ../b; git push ../b main; echo 'well that did not work -- try forcing it!'; git push ../b main --force); for a in *; do (cd $a; echo $a; git log main --oneline); done
Initialized empty Git repository in /private/var/folders/r3/n29fz25x72x191fdv6mhhr3m0000gp/T/tmp.UlNnUFSW/a/.git/
[main (root-commit) 639fd66] a
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 a
Cloning into 'b'...
done.
Switched to a new branch 'ignore-this'
Cloning into 'c'...
done.
Switched to a new branch 'ignore-this'
[main a60c634] A
 1 file changed, 1 insertion(+)
Switched to a new branch 'ignore-this'
From ../b
 * branch            HEAD       -> FETCH_HEAD
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Writing objects: 100% (3/3), 240 bytes | 240.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
To ../b
   639fd66..a60c634  main -> main
a
a60c634 (HEAD -> ignore-this, main) A
639fd66 a
b
a60c634 (main) A
639fd66 (HEAD -> ignore-this, origin/main, origin/HEAD) a
c
639fd66 (HEAD -> ignore-this, origin/main, origin/HEAD, main) a
From ../b
 * branch            HEAD       -> FETCH_HEAD
To ../b
 ! [rejected]        main -> main (fetch first)
error: failed to push some refs to '../b'
hint: Updates were rejected because the remote contains work that you do
hint: not have locally. This is usually caused by another repository pushing
hint: to the same ref. You may want to first integrate the remote changes
hint: (e.g., 'git pull ...') before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.
well that did not work -- try forcing it!
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To ../b
 + a60c634...639fd66 main -> main (forced update)
a
a60c634 (HEAD -> ignore-this, main) A
639fd66 a
b
639fd66 (HEAD -> ignore-this, origin/main, origin/HEAD, main) a
c
639fd66 (HEAD -> ignore-this, origin/main, origin/HEAD, main) a

Admittedly, the GitHub docs on allow-force-push are not end-user resilient, but I don’t have the energy to fix them.
https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#allow-force-pushes

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Github let's you overwrite on protected branch when freshly pulled repo clone #23398

{{title}}

github let's you overwrite on protected branch when freshly pulled repo clone

Replies: 1 comment

{{title}}

Merge pull request #1861 from ceph/wip-normaldistro

build_utils: set build flags using CMakeLists of pushed branch

build_utils.sh: Fix variable

Select a reply