Open
Conversation
…nos/git-proxy into 1325-architecture-guide-draft
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Fabio Vincenzi <93596376+fabiovincenzi@users.noreply.github.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
Co-authored-by: Kris West <kristopher.west@natwest.com> Signed-off-by: Juan Escalada <97265671+jescalada@users.noreply.github.com>
…nos/git-proxy into 1325-architecture-guide-draft
github-actions
bot
added
the
documentation
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.
|
This was referenced Feb 7, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1391 +/- ##
=======================================
Coverage 81.34% 81.34%
=======================================
Files 65 65
Lines 4648 4648
Branches 792 792
=======================================
Hits 3781 3781
Misses 852 852
Partials 15 15 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
kriswest
requested changes
Feb 9, 2026
Contributor
kriswest
left a comment
kriswest
left a comment
There was a problem hiding this comment.
Added some corrections, questions and updates for open PRs expected to be merged shortly for the v2 release.
| - [`preReceive`](#prereceive) | ||
| - [`getDiff`](#getdiff) | ||
| - [`gitleaks`](#gitleaks) | ||
| - [`clearBareClone`](#clearbareclone) |
Contributor
There was a problem hiding this comment.
Suggested change
| - [`clearBareClone`](#clearbareclone) |
Removing this from the chain in #1393 and conditionally triggering it based on whether pullRemote succeeded
Comment on lines
+98
to
+100
| After processors in the chain are done executing, [`audit`](#audit) is called to store the action along with all of its execution steps in the database for auditing purposes. | ||
|
|
||
| Then, if the action was auto-approved or auto-rejected as a result of running [`preReceive`](#prereceive), it will attempt to auto-approve or auto-reject it. |
Contributor
There was a problem hiding this comment.
Suggested change
| After processors in the chain are done executing, [`audit`](#audit) is called to store the action along with all of its execution steps in the database for auditing purposes. | |
| Then, if the action was auto-approved or auto-rejected as a result of running [`preReceive`](#prereceive), it will attempt to auto-approve or auto-reject it. | |
| After processors in the chain are done executing, [`audit`](#audit) is called to store the action along with all of its execution steps in the database for auditing purposes. | |
| If [`pullRemote`](#pullremote) ran successfully and cloned the repository, then [`clearBareClone`](#clearbareclone) is run to clear up that clone, freeing disk space and ensuring that the _.remote/*_ folder created does not conflict with any future pushes involving the same SHA. | |
| Finally, if the action was auto-approved or auto-rejected as a result of running [`preReceive`](#prereceive), it will attempt to auto-approve or auto-reject it. |
|
|
||
| Action chains are a list of processors that a Git operation goes through before awaiting approval. Three action chains are currently available: | ||
|
|
||
| #### Push action chain |
Contributor
There was a problem hiding this comment.
the pre-processer parseAction doesn't get a mention. I think some content on it is necessary, particularly as it classifies requests (push/pull/default) and hence control what subsequent steps run.
#1393 also pulls out audit and clearBareClone into a post-processors folder as they don't quite fit as pure push processors (audit is now applied to everything, clearBareClone isn't part of the chain now but conditionally invoked by it if pullRemote was)
|
|
||
| Executed when a user makes a `git clone` or `git pull` to GitProxy: | ||
|
|
||
| - [`checkRepoInAuthorisedList`](#checkrepoinauthorisedlist) |
Contributor
There was a problem hiding this comment.
Suggested change
| - [`checkRepoInAuthorisedList`](#checkrepoinauthorisedlist) | |
| - [`checkRepoInAuthorisedList`](#checkrepoinauthorisedlist) | |
| - | |
| At present the pull action chain is only checking that the repository is configured in Git Proxy, ensuring that it will block pull requests for unknown repositories. |
|
|
||
| This chain is executed when making any operation other than a `git push` or `git pull`. | ||
|
|
||
| - [`checkRepoInAuthorisedList`](#checkrepoinauthorisedlist) |
Contributor
There was a problem hiding this comment.
Suggested change
| - [`checkRepoInAuthorisedList`](#checkrepoinauthorisedlist) | |
| - [`checkRepoInAuthorisedList`](#checkrepoinauthorisedlist) | |
| - | |
| At present the default action chain is only checking that the repository is configured in Git Proxy, ensuring that it will block all git client requests for unknown repositories. |
|
|
||
| #### `contactEmail` | ||
|
|
||
| Sets the contact email for the Open Source Program Office in the attestation form: |
Contributor
There was a problem hiding this comment.
Suggested change
| Sets the contact email for the Open Source Program Office in the attestation form: | |
| Sets the contact email for the Open Source Program Office (or equivalent organisational contact) in the attestation form: |
|
|
||
| #### `authorisedList` | ||
|
|
||
| Defines a list of repositories that are allowed to be pushed to through the proxy. Note that **repositories can also be added through the UI or manually editing the database**. |
Contributor
There was a problem hiding this comment.
Suggested change
| Defines a list of repositories that are allowed to be pushed to through the proxy. Note that **repositories can also be added through the UI or manually editing the database**. | |
| Defines a initial list of repositories that are allowed to be pushed to through the proxy. Note that **repositories can also be added through the UI, API or by manually editing the database**. |
|
|
||
| ##### Setting up JWT Authentication | ||
|
|
||
| When JWT authentication is enabled, all incoming requests must provide a valid JWT access token in the UI. This can be set in the settings tab. |
Contributor
There was a problem hiding this comment.
Clarify what type of request - presumably the API (rather than the git proxy interface)
|
|
||
| When JWT authentication is enabled, all incoming requests must provide a valid JWT access token in the UI. This can be set in the settings tab. | ||
|
|
||
| If no token, or an invalid/expired token is set, requests will fail with a `401` Unauthorized response. |
Contributor
There was a problem hiding this comment.
Suggested change
| If no token, or an invalid/expired token is set, requests will fail with a `401` Unauthorized response. | |
| If no token, or an invalid/expired token is sent, requests will fail with a `401` Unauthorized response. |
|
|
||
| #### `tls` | ||
|
|
||
| Allows configuring TLS (Transport Layer Security) **for the proxy** (not for the API): |
Contributor
There was a problem hiding this comment.
Suggested change
| Allows configuring TLS (Transport Layer Security) **for the proxy** (not for the API): | |
| Allows configuring TLS (Transport Layer Security) **for the proxy** (rather than for the API or UI): |
A pointer on how to configure for the API & UI would be useful
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1325. Previous PR (#1335) got stuck because of a GitHub bug where comments on orphaned commits cannot be closed.
Previous PR description: