Here’s how the pre-push hook approach works, with a branch called dontpushthis.
Create this file as .git/hooks/pre-push:
#!/usr/bin/bash
if [[ `grep 'dontpushthis'` ]]; then
echo "You really don't want to push this branch. Aborting."
exit 1
fi
This works because the list of refs being pushed is passed on standard input. So this will also catch git push --all.
Make it executable.
Do this in every local repository.
When you try to push to that branch, you’ll see:
$ git checkout dontpushthis
$ git push
You really don't want to push this branch. Aborting.
error: failed to push some refs to 'https://github.com/stevage/test.git'
Obviously this is as simple as it looks, and only prevents pushing the branch named “dontpushthis”. So it’s useful if you’re trying to avoid directly pushing to an important branch, such as master.
If you’re trying to solve the problem of preventing confidential information leaking, it might not be sufficient. For example, if you created a sub-branch from dontpushthis, that branch would not be detected. You’d need more sophisticated detection – you could look to see whether any of the commits on the “dontpushthis” branch were present on the current branch, for instance.
A safer solution
Looking at the question again, I think a better solution in this case would be:
- Have one repo which is public
- Clone that to a new working directory which is private
- Remove the remote (
git remote rm origin) from that working directory. - To merge public changes, just do
git pull https://github.com/myproj/mypublicrepo
This way, the private repo working directory never has anywhere it could push to. You essentially have a one-way valve of public information to private, but not back.