Add doc for Git pre-push hook to block accidental pushes to main/master

[rparolin]

Adds a Markdown doc showing how to set up a global Git pre‑push hook that blocks pushes to main (and master) unless the explicit override flag --break_glass_to_push_main is used. The override flag is intended to be loud and nosy to avoid accidental use.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[cpcloud]

Won't this affect every git repo a user has cloned? That seems like a pretty ostentatious choice to make for people.

[rparolin]

That's intended because the purpose of the hook is to prevent accidental pushes to main. This is more of a problem for people with admin access because we locked down direct commits to main outside of PR merges. But also, we haven't setup those rules for all repos yet.

[cpcloud]

It sounds like you're assuming that all repos anyone will clone or has cloned will be either nvidia repos or repos that they will never want to or need to force push to.

Is that not a rather strong assumption?

[rparolin]

Point taken. I've added per-repo instructions to the doc as an alternative to setting this pre-push hook globally.

[rparolin]

/ok to test 8764233

[rwgk]

Looks very useful to me! This is a great way to spread the trick.

FWIW, I metabolized this already into my personal config:

https://github.com/rwgk/rwgk_config/blob/09bac54bacc35b763bf76dfa5b2917a81827e5c6/git_stuff/pre-push

That code is entirely LLM-generated. I just told the LLM that I wanted to integrate the branch protection into what I had already.

I was already set up with an alias to copy that into a git repo (cwd). After learning about the global ~/.git-hooks trick here, I think that'll actually be better ... but I'm saving that for another day.

[rparolin]

/ok to test bbd8b0e

[rparolin]

Looks very useful to me! This is a great way to spread the trick.

FWIW, I metabolized this already into my personal config:

https://github.com/rwgk/rwgk_config/blob/09bac54bacc35b763bf76dfa5b2917a81827e5c6/git_stuff/pre-push

That code is entirely LLM-generated. I just told the LLM that I wanted to integrate the branch protection into what I had already.

I was already set up with an alias to copy that into a git repo (cwd). After learning about the global ~/.git-hooks trick here, I think that'll actually be better ... but I'm saving that for another day.

Thank you!

I was reading as part of the research for this that global pre-push hooks will override pre-repo unless you have your global hook call into the pre-repo hook. I never tested it so never added it to the doc but its a good piece of knowledge to file away if you need it.

[github-actions]

Doc Preview CI
Preview removed because the pull request was closed or merged.

[leofang]

@rparolin looks nice! We should hyperlink to it in the ToC here:

cuda-python/CONTRIBUTING.md

Lines 17 to 23 in 09bac29

	## Table of Contents
	- [Pre-commit](#pre-commit)
	- [Code signing](#code-signing)
	- [Developer Certificate of Origin (DCO)](#developer-certificate-of-origin-dco)
	- [CI infrastructure overview](#ci-infrastructure-overview)

Alternatively, we can move the entire doc to the contributing guide as a separate section

[kkraus14]

I didn't get a chance to review this before we merged, but I don't think documenting git / dev configs unrelated to the cuda-python project is something we should be doing.

We should have a GitHub ruleset and proper CI config that allows us to prevent everyone, including admins, from committing directly to protected branches while still allowing us to skip CI when needed.

[rparolin]

I didn't get a chance to review this before we merged, but I don't think documenting git / dev configs unrelated to the cuda-python project is something we should be doing.

We should have a GitHub ruleset and proper CI config that allows us to prevent everyone, including admins, from committing directly to protected branches while still allowing us to skip CI when needed.

👍 I'll remove it from the repo. #1026