feat: Block internal PRs via pre-push hook and GitHub Action

Gas Town agents must push directly to main, not create PRs. This adds defense-in-depth: 1. .githooks/pre-push - Blocks pushes to non-main branches locally 2. .github/workflows/block-internal-prs.yml - Auto-closes PRs from the same repo (forks/contributors can still create PRs) 3. internal/git/git.go - Auto-configures core.hooksPath on clone 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-04 23:28:11 -08:00
parent e0ba057821
commit ff670c5bd4
3 changed files with 104 additions and 2 deletions
--- a/.githooks/pre-push
+++ b/.githooks/pre-push
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Block pushes to non-main branches from internal clones
+# External contributors use forks, so this only affects Gas Town agents
+
+# Allow: main, beads-sync
+# Block: feature branches, polecat/* branches, etc.
+
+while read local_ref local_sha remote_ref remote_sha; do
+  branch="${remote_ref#refs/heads/}"
+
+  case "$branch" in
+    main|beads-sync)
+      # Allowed branches
+      ;;
+    *)
+      echo "ERROR: Gas Town agents push directly to main."
+      echo ""
+      echo "Blocked push to: $branch"
+      echo ""
+      echo "If you're working on a fix:"
+      echo "  git checkout main"
+      echo "  git merge $branch"
+      echo "  git push origin main"
+      echo "  git branch -d $branch"
+      echo ""
+      echo "See CLAUDE.md: 'Crew workers push directly to main. No feature branches.'"
+      exit 1
+      ;;
+  esac
+done
+
+exit 0