Hey,
I wonder if someone has looked into the following use-case:
We want to digitally "sign" all commits created on e.g. the master branch based on a number of criteria. These could be: approved by at least 1 reviewer, task list in PR completed, etc.
I know that these "rules" can be applied as project/repo configuration but we do have lots of repo admins that potentially can disable these checks and circumvent them. This is all captured in the audit log but it is usually too late if the commit has already hit the production system.
My idea is therefore to introduce an event listener that triggers on PR merged and in these cases runs the list of criteria on that PR and merge commit and, if it fulfills all of them, digitally signs the merge commit on the master branch. With this in place we can instruct our pipelines to only deploy changes that have passed these checks.
Has anyone implemented something similar? Or is there a better way to approach this (without revoking the repo admin permissions from people)?
We do have the Scriptrunner for Bitbucket so any ideas or pointers implemented with Groovy are highly appreciated.
Cheers!
Regarding your question around using ScriptRunner for Bitbucket for signed commits, would the existing built-in Pre Hook of Enforcing Trusted Commit Authors address your requirements?
Also, regarding repo admins being able to disable these checks, the Enforce Trusted Commit Authors Pre Hook can be set up in the global admin area of Bitbucket, which I assume your repo admins do not have access to, thus preventing them from disabling the hook.
Please let me know if this helps, or if you require further assistance.
Kind regards,
Robert Giddings
Product Manager, ScriptRunner for Bitbucket
Hey Robert,
No, this is not what I am looking for.
I want to be able to sign a commit automatically based on a number of criteria.
The criteria can be (but are not limited to):
The reason we see this need is that even if we enforce e.g. number of approvers to 1 it is possible for a repo admin to temporarily disable this and merge the PR without approvals and then re-enable the check.
This is an offending usage, I know, but we need to be able to prove that this has not happened to code in our production systems.
The idea here is to create an event listener that triggers on new commits and, based on the "conditions" above, signs the commit if all are true.
I guess it is possible to create a scripted listener doing this but I am a bit concerned about the performance here. We are talking about 4-5000 commits per day in our instance.
Any comments about this?
Cheers,
// Svante
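Svante's design above, sketched as an added example in Python (not code from this thread, from ScriptRunner or from Bitbucket): a signer that evaluates the criteria and attests the merge commit, and a pipeline-side gate that verifies the attestation. HMAC stands in for a GPG/SSH commit signature so it runs offline, and the PR field names and the policy values are assumptions.

```python
import hmac
import hashlib
import json

# Constructed sample of what a PR-merged listener would see; the field names are
# assumptions for this example, not Bitbucket's or ScriptRunner's API shape.
SAMPLE_PR = {
    "author": "alice",
    "merge_commit": "0123456789abcdef0123456789abcdef01234567",  # constructed SHA
    "approvals": ["bob"],
    "tasks": [{"text": "update changelog", "resolved": True}],
}

# Assumed policy the signing service enforces before it attests a merge commit.
POLICY = {"min_approvals": 1, "tasks_complete": True}


def check_criteria(pr, policy=POLICY):
    """Return the unmet criteria; an empty list means the merge may be attested."""
    failures = []
    # Self-approval by the PR author must not count towards the quota.
    approvers = {a for a in pr["approvals"] if a != pr["author"]}
    if len(approvers) < policy["min_approvals"]:
        failures.append("approvals")
    if policy["tasks_complete"] and not all(t["resolved"] for t in pr["tasks"]):
        failures.append("tasks")
    return failures


def attest(pr, key, policy=POLICY):
    """Sign the merge commit together with the policy it passed, or None if it failed.
    HMAC stands in for a real signature; the key lives with the signing service,
    outside repo-admin control, which is what makes the attestation trustworthy."""
    if check_criteria(pr, policy):
        return None
    return hmac.new(key, _message(pr["merge_commit"], policy), hashlib.sha256).hexdigest()


def verify(commit_sha, attestation, key, policy=POLICY):
    """Pipeline gate: deploy only commits whose attestation verifies for this policy."""
    if attestation is None:
        return False
    expected = hmac.new(key, _message(commit_sha, policy), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation)


def _message(commit_sha, policy):
    # Binding the policy into the signed message means an attestation issued under
    # a weaker policy will not verify against the pipeline's stricter one.
    return (commit_sha + "\n" + json.dumps(policy, sort_keys=True)).encode()
```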
Hi @Svante Gustafsson ,
Please can I first point out that in order to prevent Repo admins from disabling your Require a number of approvals Merge Check, you can configure the Merge Check at the global admin level and have it configured to apply to repositories.
Repo admins would then not be able to disable the Merge Check.
Also, we now have better auditing for ScriptRunner for Bitbucket to help keep check of configuration changes: https://scriptrunner.adaptavist.com/latest/bitbucket/audit-logging.html
Finally, if you still require a custom solution here are a couple of pointers.
Here is an example Post Hook that records push traceability, which might be helpful for your needs and could perhaps be adapted: https://scriptrunner.adaptavist.com/latest/bitbucket/PostReceiveHooks.html#_push_traceability
From your requirements, however, it looks like you will need a custom Event Handler, as it seems you need the PR to have already been merged.
Kind regards,
Robert Giddings
Product Manager for Bitbucket