distgit: Block push of branches named 'origin/*'

We already use the update hook for gitolite.

This introduces a new update hook, which merely chains the gitolite one,
and a new one to block pushes to badly named branches.

The new hook was written originally by Till Maas.

https://fedorahosted.org/rel-eng/ticket/4071

roles/git/hooks/files/update-block-push-origin

@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# Block pushes to branches if their name starts with `origin/`
+# https://fedorahosted.org/rel-eng/ticket/4071
+
+refname="${1}"
+sha1_old="${2}"
+sha1_new="${3}"
+
+echo "${refname}" | grep -qE '^refs/heads/origin/' && exit 1 || exit 0

roles/git/hooks/files/update-chained

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+
+refname="${1}"
+sha1_old="${2}"
+sha1_new="${3}"
+
+
+$GIT_DIR/hooks/update-chained.d/update-gitolite "$refname" "$sha1_old" "$sha1_new" || exit 1
+$GIT_DIR/hooks/update-chained.d/update-block-push-origin "$refname" "$sha1_old" "$sha1_new" || exit 1
+
+exit 0

roles/git/hooks/tasks/main.yml

@@ -13,6 +13,8 @@
   with_items:
   - post-receive-fedmsg
   - post-receive-chained
+  - update-block-push-origin
+  - update-chained
 
 - name: install the git mail hooks
   copy: src={{item}} dest=/usr/share/git-core/mail-hooks mode=0755