update hook for Main git when handling push from weblate
This script is the security barrier into maingit. It is triggered by the
bare git hook mechanism.
It is placed inside puppet-tails:
- the script is triggered for every push to tails.git
- malicious users may try to trick this script
- the translation-server may be compromised and the weblate user may push malicious commits.
GL_USER is an environment variable that is set by gitolite, is safe to rely on, and indicates the user that is pushing.
- If the script returns status code 0 the push is allowed; any other status code means it is not allowed.
- Any output to stdout/stderr is allowed but only displayed to the user.
- Weblate needs to use “weblate <email@example.com>” as committer “name ” in any case
- Weblate is ONLY to push po files, nothing else, in any case.
- Everything else is not allowed for weblate.
- For all other users the script should not do anything.
Parent Task: #15082 (closed)
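A minimal sketch of an update hook that enforces the rules listed above, added here as an illustration and not the script shipped in puppet-tails. The GL_USER value `weblate`, all function names and the choice to reject ref deletion for weblate are assumptions; the committer string is the one shown on this page.

```python
import os
import subprocess
import sys

WEBLATE_USER = "weblate"                       # assumed GL_USER value for Weblate
WEBLATE_IDENT = "weblate <email@example.com>"  # committer as shown on this page
ZERO = "0" * 40  # all-zero id marks ref creation/deletion (SHA-1 repo assumed)

def git(*args):
    """Run git in the bare repository; a git failure raises and rejects the push."""
    return subprocess.run(["git", *args], check=True, capture_output=True,
                          text=True).stdout

def new_commits(old, new):
    """Commits this push introduces; for a new ref, all not already reachable."""
    spec = [new, "--not", "--all"] if old == ZERO else [f"{old}..{new}"]
    return git("rev-list", *spec).split()

def read_commit(sha):
    """Committer identity and every touched path (-m also diffs merges)."""
    committer = git("show", "-s", "--format=%cn <%ce>", sha).rstrip("\n")
    out = git("diff-tree", "-m", "-r", "-z", "--root", "--no-commit-id",
              "--name-only", sha)
    return committer, [p for p in out.split("\0") if p]

def commit_violations(sha, committer, paths):
    """Pure policy check for one commit: exact committer, po files only."""
    problems = []
    if committer != WEBLATE_IDENT:
        problems.append(f"{sha}: committer {committer!r} not allowed")
    problems += [f"{sha}: {p!r} is not a po file"
                 for p in paths if not p.endswith(".po")]
    return problems

def check_push(user, old, new, commits=new_commits, inspect=read_commit):
    """Return the list of problems; an empty list means the push is allowed."""
    if user != WEBLATE_USER:
        return []                      # all other users: the hook does nothing
    if new == ZERO:
        return ["ref deletion is not allowed for weblate"]
    problems = []
    for sha in commits(old, new):
        problems += commit_violations(sha, *inspect(sha))
    return problems

if __name__ == "__main__":
    _ref, old, new = sys.argv[1:4]     # update hook arguments: ref, old id, new id
    found = check_push(os.environ.get("GL_USER"), old, new)
    sys.exit("\n".join(found) or 0)    # message goes to stderr, exit status 1
```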