Git pre-receive hook trigger when pushing Git notes

[LupusUmbrae]

When we upgraded to v16 we started getting the following error in GitLab:

Commit message does not follow the pattern \'^(build|ci|docs|feat|fix|perf|refactor|style|test|chore)(\\([a-z]+\\)){0,1}:\

It looks like the new notes part is committing with a format that doesn't follow the commit format, but I can't see what the commit message is in the logs.

Have I missed a prefix or is something else wrong?

[gr2m]

Can you please fill out all the questions of the bug issue template? https://github.com/semantic-release/semantic-release/issues/new?template=01_bug_report.md

Otherwise it's hard for us to help you

[mckha]

Hi, I'm seeing similar behaviour too.

Gitlab allows us to define push rules, including setting a commit message regex for the pre-receive hook. Additionally, we can enforce rejection of unsigned commits.

Current behavior

Upgrading semantic release from v15 to v17 has added new notes. When these notes are committed, the commit fails our previously functioning regex validation, which follows the default angular commit convention:

^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\([a-z-0-9]+\))?: (.*)+$

Further, where commits are required to be the signed the note commit is not signed where git settings have been set to enforce gpgsign.

Expected behavior

1. Should be able to validate the notes commit
2. Should not be prohibited from enforcing signed commits when using semantic release

Environment

• semantic-release version: 17.0.2
• CI environment: Gitlab
• Plugins used: commit-analyser, release-notes-generator, changelog, npm, git
• semantic-release configuration:

.releaserc

{
  "branches": [
    "+([0-9])?(.{+([0-9]),x}).x", 
    "master",  
    "next",
    {
      "name": "alpha",
      "prerelease": true
    },
    {
      "name": "beta",
      "prerelease": true
    }],
  "plugins": [
    "@semantic-release/commit-analyzer",
    "@semantic-release/release-notes-generator",
    "@semantic-release/changelog",
    "@semantic-release/npm",
    "@semantic-release/git",
  ]
}

.gitlab-ci.yaml - publish step

publish:
  <<: *cache_pull_definition
  stage: publish
  before_script:
   # GPG key
   # Import GPG Key & Owner Trust from Env Vars  
   - echo -e $GPG_PRIVATE_KEY | gpg --import
   - echo -e $GPG_OWNER_TRUST | gpg --import-ownertrust
   # Git to always sign commit using GPG_KEY_ID  
   - git config commit.gpgsign true
   - git config --global user.signingkey $GPG_KEY_ID
  script:
    - npm run semantic-release

• CI logs:
  GPG log

125 Error: Command failed with exit code 1: git push https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-test.git refs/notes/semantic-release
126 remote: GitLab: Commit must be signed with a GPG key        
127 To https://gitlab.com/example/gpg-test.git
128  ! [remote rejected] refs/notes/semantic-release -> refs/notes/semantic-release (pre-receive hook declined)
129 error: failed to push some refs to 'https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-test.git'
130     at makeError (/builds/example/gpg-test/node_modules/execa/lib/error.js:58:11)
131     at handlePromise (/builds/example/gpg-test/node_modules/execa/index.js:114:26)
132     at processTicksAndRejections (internal/process/task_queues.js:97:5)
133     at async pushNotes (/builds/example/gpg-test/node_modules/semantic-release/lib/git.js:248:3)
134     at async run (/builds/example/gpg-test/node_modules/semantic-release/index.js:191:5)
135     at async module.exports (/builds/example/gpg-test/node_modules/semantic-release/index.js:257:22)
136     at async module.exports (/builds/example/gpg-test/node_modules/semantic-release/cli.js:55:5) {
137   shortMessage: 'Command failed with exit code 1: git push https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-test.git refs/notes/semantic-release',
138   command: 'git push https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-test.git refs/notes/semantic-release',
139   exitCode: 1,
140   signal: undefined,
141   signalDescription: undefined,
142   stdout: '',
143   stderr: 'remote: GitLab: Commit must be signed with a GPG key        \n' +
144     'To https://gitlab.com/example/gpg-test.git\n' +
145     ' ! [remote rejected] refs/notes/semantic-release -> refs/notes/semantic-release (pre-receive hook declined)\n' +
146     "error: failed to push some refs to 'https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-test.git'",

Commit Validation

 Error: Command failed with exit code 1: git push https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-config.git refs/notes/semantic-release
144 remote: GitLab: Commit message does not follow the pattern '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\([a-z-0-9]+\))?: (.*)+$'        
145 To https://gitlab.com/example/gpg-config.git
146  ! [remote rejected] refs/notes/semantic-release -> refs/notes/semantic-release (pre-receive hook declined)
147 error: failed to push some refs to 'https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-config.git'
148     at makeError (/builds/example/gpg-config/node_modules/execa/lib/error.js:58:11)
149     at handlePromise (/builds/example/gpg-config/node_modules/execa/index.js:114:26)
150     at processTicksAndRejections (internal/process/task_queues.js:97:5)
151     at async pushNotes (/builds/example/gpg-config/node_modules/semantic-release/lib/git.js:248:3)
152     at async run (/builds/example/gpg-config/node_modules/semantic-release/index.js:191:5)
153     at async module.exports (/builds/example/gpg-config/node_modules/semantic-release/index.js:257:22)
154     at async module.exports (/builds/example/gpg-config/node_modules/semantic-release/cli.js:55:5) {
155   shortMessage: 'Command failed with exit code 1: git push https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-config.git refs/notes/semantic-release',
156   command: 'git push https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-config.git refs/notes/semantic-release',
157   exitCode: 1,
158   signal: undefined,
159   signalDescription: undefined,
160   stdout: '',
161   stderr: "remote: GitLab: Commit message does not follow the pattern '^(build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\\([a-z-0-9]+\\))?: (.*)+$'        \n" +
162     'To https://gitlab.com/example/gpg-config.git\n' +
163     ' ! [remote rejected] refs/notes/semantic-release -> refs/notes/semantic-release (pre-receive hook declined)\n' +
164     "error: failed to push some refs to 'https://gitlab-ci-token:[secure]@gitlab.com/example/gpg-config.git'",
165   failed: true,
166   timedOut: false,
167   isCanceled: false,
168   killed: false
169 }npm ERR! code ELIFECYCLE
170 npm ERR! errno 1

[pvdlg]

I tried to do a bit of research but couldn't find any information related to how Git notes should behave with commit hooks.
Intuitively I would says notes should not trigger a commit hook, but I don't know what is the intended behavior from the Git team perspective. I don't know if it's specific to GitLab either.

I would recommend to:

• Test with another Git host (GitHub, Bitbucket or custom Git repo) to figure out if it's GitLab related
• If it's GitLab related open an issue with them
• If not, open an issue with the Git team and ask if it's the intended behavior and if there is workaround

[pvdlg]

@mckha can you clarify if the rules you configure is something specific to GitLab or if it's a regular Git hook?
Can you provide the exact Git command necessary to recreate the same rule?

[LupusUmbrae]

The Regex is added to the GitLab push rules, not an actual Git pre-commit hook file. I'm going to look at adding a pre-commit hook for git and test locally

[LupusUmbrae]

Testing with a simple commit-msg hook on the local repo and it appears to work.

#!/bin/sh

echo "testing"

test "" = "$(egrep '^(build|ci|docs|feat|fix|perf|refactor|style|test|chore)(\([a-z]+\)){0,1}:\s.+' "$1")" && {
   cat $1
   exit 1
}

exit 0

It's also worth noting that we have no notes, is it possible to via config disable note generation in the mean time?

[mckha]

@pvdlg - The rules are specific to gitlab. It's an input on the UI that allows you to supply a commit regex. If using gitlab you can navigate to this on a repo through Settings > Repository > Push Rules. The 'commit message' input is described as: "All commit messages must match this regular expression to be pushed. If this field is empty it allows any commit message. For example you can require that an issue number is always mentioned in the commit message."

I assume this configures a server-side pre-receive hook, but cannot confirm. The documentation relating to this can be found here.

We are able to run the regex supplied above as a local githook as a work around for our own commits. However, we need this to be applied server-side to enforce consistent commits from developers, thereby creating consistent release notes.

The note format I can see for semantic release is: {"channels":["alpha"]}. Adjusting the server-side regex for commit message validation to permit this format does not prevent the CI throwing the pattern error. The regex is ^((build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\([a-z-0-9]+\))?: (.*)+|(\{\"channels\"\:\[\"(alpha|master|beta)\"\]\}))$

stderr: `remote: GitLab: Commit message does not follow the pattern '^((build|chore|ci|docs|feat|fix|perf|refactor|revert|style|test)(\\([a-z-0-9]+\\))?: (.*)+|(\\{\\"channels\\"\\:\\[\\"(alpha|master|beta)\\"\\]\\}))$'        \n` +

I've have had a look at recreating this with Github, but unfortunately the free version does not offer the same functionality as Gitlab.

[pvdlg]

I assume this configures a server-side pre-receive hook, but cannot confirm. The documentation relating to this can be found here.

We are able to run the regex supplied above as a local githook as a work around for our own commits. However, we need this to be applied server-side to enforce consistent commits from developers, thereby creating consistent release notes.

If the local hook works but the remote one doesn't I guess it's either because GitLab is doing something on top of the hook or maybe it's related to the version of Git they are using.
In any case I don't think there is much we can do on the semantic-release side. I would recommend to open an issue with GitLab. Hopefully they will tell if they can fix it or if an issue has to be opened in the Git repo.

[LupusUmbrae]

Raised a GitLab issue, I'm going to try getting a test project setup for this as well.
https://gitlab.com/gitlab-org/gitlab/issues/207807

[VLZZZ]

As a temporary workaround you may add the following sequence to your regex pattern

^(Notes added by \'git notes add\')

So it will match the refs convention

git log --notes refs/notes/semantic-release --oneline | head
0672150 Notes added by 'git notes add'
30437e0 Notes added by 'git notes add'
7aff5cf Notes added by 'git notes add'
ca9e291 Notes added by 'git notes add'
9e6e3b2 Notes added by 'git notes add'
2721fd1 Notes added by 'git notes add'
4124c96 Notes added by 'git notes add'
178e743 Notes added by 'git notes add'
6a044fb Notes added by 'git notes add'
f539237 Notes added by 'git notes add'

Looking forwards for a fix from GitLab team

[LupusUmbrae]

Thanks for the work around, will test it locally

[aquariuslt]

I met same issue at self-hosted git server with ! [remote rejected] refs/notes/semantic-release -> refs/notes/semantic-release (prohibited by Git: Git:You are not allowed to push code to this project or Not support 'refs/remote' push.)

want to know if any options to skip pushNotes with git notes?

[cesarp]

I also have this issue, it would be really helpful if we could at least configure the commit message. We have a hook to check for jira tickets in the commits and it is failing too

remote: 0000000000000000000000000000000000000000 f61c810b54cb94a09ea5e778598439b6ef653205 refs/notes/semantic-release        
remote: Commit f61c810b54cb94a09ea5e778598439b6ef653205 does not contain a valid JIRA ticket: 'Notes added by 'git notes add'        
remote: 
remote: '        
remote: pre-receive hook validation FAILED   

[jasondamour]

Gitlab issue: https://gitlab.com/gitlab-org/gitlab/-/issues/207807

[jasondamour]

@pvdlg What about the GPG part of the issue described in #1446 (comment)?

Semantic-release can be configured to sign commits and tags, is the same possible for notes?
https://github.com/semantic-release/git#use-the-gpg-key-to-sign-commit-and-tags-locally