We should install commit hooks into hosted repositories. These will allow us to:
- Reject `--force` pushes unless a repository is explicitly configured to accept them (see <https://news.ycombinator.com/item?id=6713742>).
- Run Herald pre-commit rules and reject unreviewed commits, etc.
- Run (and possibly install/manage) third-party hooks (Gitolite, etc.) in a structured way.
- Record which Phabricator user pushed each commit (vs committer/author), and when (vs commit date), from where, etc.
The general structure here is:
- After creating or updating a repository, we'll dump a hook script into it. This will be a one-liner which calls into a common hook script.
- The common hook script will do all the magic above.
- For third-party hooks, I'm imagining we'll have a rule like "everything in `hooks/phabricator-pre-commit.d/` which is executable will get run". Ideally, the Gitolite hook can just be moved here. This needs more research, though. We could also (or alternatively) provide some common directory inside of `phabricator/` (instead of inside each working copy) where you dump all the scripts you want to run in one central place and we execute them with the right CWD and maybe some hints in the environment. This might be much easier to manage if all or almost all repositories have similar rules, and is significantly more foolproof.
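The structure above as an added sketch, not Phabricator's own hook code: a common pre-receive script that each repository's `hooks/pre-receive` one-liner would `exec`, rejecting history rewrites unless the repository opts in and then running whatever is executable in `hooks/phabricator-pre-commit.d/`. The config key `phabricator.allow-force-push` and the directory name are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Common pre-receive hook (added example, not Phabricator's own code). Each
# repository's hooks/pre-receive is a one-liner that execs this script, and git
# feeds it one "<old> <new> <ref>" line per updated ref on stdin.
# Hypothetical names: config key phabricator.allow-force-push and the
# per-repository directory hooks/phabricator-pre-commit.d.

# Fast-forward check: OLD must be an ancestor of NEW; creating a ref is fine.
is_fast_forward() {
    old="$1"; new="$2"
    case "$old" in
        0000000000000000000000000000000000000000) return 0 ;;
    esac
    git merge-base --is-ancestor "$old" "$new"
}

# True only when the repository has explicitly opted in to history rewrites.
force_push_allowed() {
    [ "$(git config --bool --get phabricator.allow-force-push 2>/dev/null)" = "true" ]
}

# Run every executable file in DIR in name order, feeding it the ref update;
# stop at the first failure and propagate its exit code.
run_hook_dir() {
    dir="$1"; update="$2"
    [ -d "$dir" ] || return 0
    for hook in "$dir"/*; do
        [ -x "$hook" ] || continue
        printf '%s\n' "$update" | "$hook" || return $?
    done
    return 0
}

# Hook body: reject non-fast-forward updates unless allowed, then run the
# third-party hooks. A non-zero return makes git refuse the whole push.
pre_receive() {
    hookdir="$(git rev-parse --git-dir)/hooks/phabricator-pre-commit.d"
    while read -r old new ref; do
        if ! is_fast_forward "$old" "$new" && ! force_push_allowed; then
            echo "rejected: non-fast-forward update to $ref (repository does not allow force pushes)" >&2
            return 1
        fi
        run_hook_dir "$hookdir" "$old $new $ref" || return 1
    done
    return 0
}

# Only act as a hook when invoked by git as hooks/pre-receive.
if [ "${0##*/}" = "pre-receive" ]; then pre_receive; fi
```

Because git feeds every ref update through one invocation, a single failing third-party hook rejects the whole push, which is the behaviour a central policy wants.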