Depends on: #10 (Mirror Sync) — the internal fork must exist before this gate can function.
Problem
Once an internal mirror exists, teams want to do collaborative work — code review, security scanning, licence compliance — on that fork before changes are pushed upstream through jgit-proxy. Today jgit-proxy has no way to verify that an internal review has happened and passed.
Missing: a push-time gate that looks up the corresponding internal fork PR and blocks the push if the PR is not approved or required status checks have not passed.
Proposed Design
Core interface: InternalPRGateCheck
Shared service in jgit-proxy-core with thin adapters for each execution path:
InternalPRGateHook (store-and-forward) — implements PreReceiveHook, streams result live via rp.sendMessage()InternalPRGateFilter (transparent proxy) — implements GitProxyFilter at order 200, accumulates result and calls sendGitError
GitHubPRGateCheck (initial implementation)
GitHub REST API v3 / GHE 3.x compatible. Logic per push:
- Resolve internal fork coordinates from push destination URL
- Find open PR:
GET /repos/{owner}/{repo}/pulls?head={org}:{branch}&state=open — fail if none
- Check approvals:
GET /repos/{owner}/{repo}/pulls/{pull_number}/reviews — fail if approved count < min
- Check status checks:
GET /repos/{owner}/{repo}/commits/{sha}/check-runs — fail if required check not completed/success
Steps 2–4 can run in parallel; gate result is their conjunction.
Tasks
Open Questions
- Branch name mapping: push branch may not match internal PR head branch 1:1; need configurable lookup strategy (by branch name, commit SHA, or PR label)
- Multiple internal forks: all mirrors need an approved PR, or just one?
- GitLab / Bitbucket variants:
InternalPRGateCheck is provider-agnostic; additional implementations can be added without touching the adapters
Depends on: #10 (Mirror Sync) — the internal fork must exist before this gate can function.
Problem
Once an internal mirror exists, teams want to do collaborative work — code review, security scanning, licence compliance — on that fork before changes are pushed upstream through jgit-proxy. Today jgit-proxy has no way to verify that an internal review has happened and passed.
Missing: a push-time gate that looks up the corresponding internal fork PR and blocks the push if the PR is not approved or required status checks have not passed.
Proposed Design
Core interface:
InternalPRGateCheckShared service in
jgit-proxy-corewith thin adapters for each execution path:InternalPRGateHook(store-and-forward) — implementsPreReceiveHook, streams result live viarp.sendMessage()InternalPRGateFilter(transparent proxy) — implementsGitProxyFilterat order 200, accumulates result and callssendGitErrorGitHubPRGateCheck(initial implementation)GitHub REST API v3 / GHE 3.x compatible. Logic per push:
GET /repos/{owner}/{repo}/pulls?head={org}:{branch}&state=open— fail if noneGET /repos/{owner}/{repo}/pulls/{pull_number}/reviews— fail if approved count < minGET /repos/{owner}/{repo}/commits/{sha}/check-runs— fail if required check notcompleted/successSteps 2–4 can run in parallel; gate result is their conjunction.
Tasks
InternalPRGateCheckinterface andPRGateResultrecord injgit-proxy-coreInternalPRGateHook(PreReceiveHookadapter — streams messages to git client on failure)InternalPRGateFilter(GitProxyFilterat order 200)GitHubPRGateCheckwith parallelised PR lookup, approval check, and status-check queriesgit-proxy.mirror.pr-gate.*:enabled,min-approvals,required-app-slug,block-if-no-pr,block-if-app-not-installed)Open Questions
InternalPRGateCheckis provider-agnostic; additional implementations can be added without touching the adapters