chore(release): prevent for pushing to personal forks (#115)

mdelapenya · web-flow · commit baca2c0117dd · 2025-10-23T17:09:48.000+02:00
* chore(release): prevent for pushing to personal forks

* fix: quote

* chore: actually validate in the release script

* docs: wording and headings
diff --git a/.github/scripts/common.sh b/.github/scripts/common.sh
@@ -39,6 +39,8 @@ readonly CURRENT_DIR="$(get_script_dir)"
 readonly ROOT_DIR="$(dirname $(dirname "${CURRENT_DIR}"))"
 readonly BUILD_DIR="${ROOT_DIR}/.github/scripts/.build"
 readonly GITHUB_REPO="github.com/docker/go-sdk"
+readonly EXPECTED_ORIGIN_SSH="git@github.com:docker/go-sdk.git"
+readonly EXPECTED_ORIGIN_HTTPS="https://${GITHUB_REPO}.git"
 readonly DRY_RUN="${DRY_RUN:-true}"
 
 # This function is used to trigger the Go proxy to fetch the module.
@@ -67,6 +69,34 @@ execute_or_echo() {
   fi
 }
 
+# Validate that git remote origin points to the correct repository
+# This prevents accidentally pushing to the wrong remote
+validate_git_remote() {
+  local actual_origin="$(git -C "${ROOT_DIR}" remote get-url origin 2>/dev/null || echo "")"
+
+  if [[ -z "$actual_origin" ]]; then
+    echo "❌ Error: No 'origin' remote found"
+    echo "Please configure the origin remote first:"
+    echo "  git remote add origin ${EXPECTED_ORIGIN_SSH}"
+    exit 1
+  fi
+
+  # Accept both SSH and HTTPS formats for the docker/go-sdk repository
+  if [[ "$actual_origin" != "$EXPECTED_ORIGIN_SSH" ]] && \
+     [[ "$actual_origin" != "$EXPECTED_ORIGIN_HTTPS" ]]; then
+    echo "❌ Error: Git remote 'origin' points to the wrong repository"
+    echo "  Expected: ${EXPECTED_ORIGIN_SSH}"
+    echo "            (or ${EXPECTED_ORIGIN_HTTPS})"
+    echo "  Actual:   ${actual_origin}"
+    echo ""
+    echo "To fix this, update your origin remote:"
+    echo "  git remote set-url origin ${EXPECTED_ORIGIN_SSH}"
+    exit 1
+  fi
+
+  echo "✅ Git remote validation passed: origin → ${actual_origin}"
+}
+
 # Function to get modules from go.work
 get_modules() {
   go work edit -json | jq -r '.Use[] | "\(.DiskPath | ltrimstr("./"))"' | tr '\n' ' ' && echo
diff --git a/.github/scripts/release.sh b/.github/scripts/release.sh
@@ -47,6 +47,9 @@ set -e
 readonly SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source "${SCRIPT_DIR}/common.sh"
 
+# Validate git remote before doing anything
+validate_git_remote
+
 MODULE="${1:-}"
 
 # Collect and stage changes across modules, then create a single commit
diff --git a/RELEASING.md b/RELEASING.md
@@ -123,14 +123,22 @@ The `pre-release-all` or `pre-release` command must be run first:
 - Handles prerelease numbering with leading zeros
 - Writes the next version to a file in the build directory, located at `.github/scripts/.build/<module>-next-tag`
 
-### 2. Pre-Release Check
-The `release-all` command automatically runs `check-pre-release` for all modules to verify:
-- The `.github/scripts/.build` directory exists
-- Each module has a corresponding `<module>-next-tag` file
-- The version in the `<module>-next-tag` file matches the version in `<module>/version.go`
+### 2. Release Validation Checks
+Before creating any commits or tags, the release script performs the following validation checks:
+
+**Git Remote Validation:**
+- Verifies that the `origin` remote points to `git@github.com:docker/go-sdk.git` (or HTTPS equivalent)
+- Prevents accidentally pushing releases to forks or personal repositories
+- If validation fails, the script aborts immediately with instructions to fix the remote
+
+**Pre-Release Verification:**
+- The `release-all` command automatically runs `check-pre-release` for all modules
+- Verifies the `.github/scripts/.build` directory exists
+- Checks each module has a corresponding `<module>-next-tag` file
+- Validates the version in `<module>-next-tag` matches the version in `<module>/version.go`
 - If any checks fail, the release is aborted with an error message
-
-This check is implemented in `.github/scripts/check-pre-release.sh` and ensures that `pre-release-all` was completed successfully (with `DRY_RUN=false`) and that all version files are properly updated before proceeding with the release.
+- Implemented in `.github/scripts/check-pre-release.sh`
+- Ensures `pre-release-all` was completed successfully (with `DRY_RUN=false`)
 
 You can manually run the check for a specific module:
 ```bash
