Git server hooks
- Tier: Free, Premium, Ultimate
- Offering: GitLab Self-Managed
Version history
- Renamed from server hooks to Git server hooks in GitLab 15.6.
Git server hooks run custom logic on the GitLab server. You can use them to run Git-related tasks such as:
- Enforcing specific commit policies.
- Performing tasks based on the state of the repository.
Git server hooks use pre-receive
, post-receive
, and update
Git server-side hooks.
GitLab administrators configure server hooks using the gitaly
command, which also:
- Is used to launch a Gitaly server.
- Provides several subcommands.
- Connects to the Gitaly gRPC API.
If you don't have access to the gitaly
command, alternatives to server hooks include:
- Webhooks.
- GitLab CI/CD.
- Push rules, for a user-configurable Git hook interface.
For GitLab Helm chart instances, see information about global server hooks in the Gitaly chart.
Geo doesn't replicate server hooks to secondary nodes.
Prerequisites
- The storage name, path to the Gitaly configuration file
(default is
/var/opt/gitlab/gitaly/config.toml
on Linux package instances), and the repository relative path for the repository. - Any language runtimes and utilities that are required by the hooks must be installed on each of the servers that run Gitaly.
Set server hooks for a repository
To set server hooks for a repository:
-
Create tarball containing custom hooks:
-
Write the code to make the server hook function as expected. Git server hooks can be in any programming language. Ensure the shebang at the top reflects the language type. For example, if the script is in Ruby the shebang is probably
#!/usr/bin/env ruby
.- To create a single server hook, create a file with a name that matches the hook type. For example, for a
pre-receive
server hook, the filename should bepre-receive
with no extension. - To create many server hooks, create a directory for the hooks that matches the hook type. For example, for a
pre-receive
server hook, the directory name should bepre-receive.d
. Put the files for the hook in that directory.
- To create a single server hook, create a file with a name that matches the hook type. For example, for a
-
Ensure the server hook files are executable and do not match the backup file pattern (
*~
). The server hooks be in acustom_hooks
directory that is at the root of the tarball. -
Create the custom hooks archive with the tar command. For example,
tar -cf custom_hooks.tar custom_hooks
.
-
-
Run the
hooks set
subcommand with required options to set the Git hooks for the repository. For example:cat custom_hooks.tar | sudo -u git -- /opt/gitlab/embedded/bin/gitaly hooks set --storage <storage> --repository <relative path> --config <config path>
-
A path to a valid Gitaly configuration for the node is required to connect to the node and provided to the
--config
flag. -
Custom hooks tarball must be passed through
stdin
. For example:cat custom_hooks.tar | sudo -u git -- /opt/gitlab/embedded/bin/gitaly hooks set --storage <storage> --repository <relative path> --config <config path>
-
-
If you are using Gitaly Cluster (Praefect), you must run
hooks set
subcommand on all Gitaly nodes.
If you implemented the server hook code correctly, it should execute when the Git hook is next triggered.
Server hooks on a Gitaly Cluster (Praefect)
If you use Gitaly Cluster (Praefect), an individual repository may be replicated to multiple Gitaly storages in Praefect. Consequently, the hook scripts must be copied to every Gitaly node that has a replica of the repository. To accomplish this, follow the same steps for setting custom repository hooks for the applicable version and repeat for each storage.
The location to copy the scripts to depends on where repositories are stored. New repositories are created using
Praefect-generated replica paths which are not the hashed storage path. To identify the replica path,
query the Praefect repository metadata by using
-relative-path
option to specify the expected GitLab hashed storage path.
Create global server hooks for all repositories
To create a Git hook that applies to all repositories, set a global server hook. Global server hooks also apply to:
- Project and group wiki repositories. Their storage directory names are in the format
<id>.wiki.git
. - Design management repositories under a project. Their storage directory names are in the format
<id>.design.git
.
Choose a server hook directory
Before creating a global server hook, you must choose a directory for it.
Linux package (Omnibus)
The directory is set in gitlab.rb
under gitaly['configuration'][:hooks][:custom_hooks_dir]
. You can either:
- Use the default suggestion of the
/var/opt/gitlab/gitaly/custom_hooks
directory by uncommenting it. - Add your own setting.
Self-compiled (source)
- The directory is set in
gitaly/config.toml
under the[hooks]
section. However, GitLab honors thecustom_hooks_dir
value ingitlab-shell/config.yml
if the value ingitaly/config.toml
is blank or non-existent. - The default directory is
/home/git/gitlab-shell/hooks
.
Create the global server hook
To create a global server hook for all repositories:
- On the GitLab server, go to the configured global server hook directory.
- In the configured global server hook directory, create a directory for the hooks that matches the hook type. For example, for a
pre-receive
server hook, the directory name should bepre-receive.d
. - Inside this new directory, add your server hooks. Git server hooks can be in any programming language. Ensure the
shebang (
#!
) at the top reflects the language type. For example, if the script is in Ruby the shebang is probably#!/usr/bin/env ruby
. - Make the hook file executable, ensure that it's owned by the Git user, and ensure it does not match the backup file
pattern (
*~
).
If the server hook code is properly implemented, it should execute when the Git hook is next triggered. Hooks are executed in alphabetical order by filename in the hook type subdirectories.
Remove server hooks for a repository
To remove server hooks, pass an empty tarball to hook set
to indicate that the repository should contain no hooks. For example:
cat empty_hooks.tar | sudo -u git -- /opt/gitlab/embedded/bin/gitaly hooks set --storage <storage> --repository <relative path> --config <config path>
Chained server hooks
GitLab can execute server hooks in a chain. GitLab searches for and executes server hooks in the following order:
- Built-in GitLab server hooks. These server hooks are not customizable by users.
-
<project>.git/custom_hooks/<hook_name>
: Per-project hooks. This location is kept for backwards compatibility. -
<project>.git/custom_hooks/<hook_name>.d/*
: Location for per-project hooks. -
<custom_hooks_dir>/<hook_name>.d/*
: Location for all executable global hook files except editor backup files.
In a server hooks directory, hooks:
- Are executed in alphabetical order.
- Stop executing when a hook exits with a non-zero value.
Environment variables available to server hooks
You can pass any environment variable to server hooks, but you should only rely on supported environment variables.
The following GitLab environment variables are supported for all server hooks:
Environment variable | Description |
---|---|
GL_ID |
GitLab identifier of user or SSH key that initiated the push. For example, user-2234 or key-4 . |
GL_PROJECT_PATH |
GitLab project path. |
GL_PROTOCOL |
Protocol used for this change. One of: http (Git push using HTTP), ssh (Git push using SSH), or web (all other actions). |
GL_REPOSITORY |
GitLab project ID with a prefix of project- . For example, project-1234
|
GL_USERNAME |
GitLab username of the user that initiated the push. |
The following Git environment variables are supported for pre-receive
and post-receive
server hooks:
Environment variable | Description |
---|---|
GIT_ALTERNATE_OBJECT_DIRECTORIES |
Alternate object directories in the quarantine environment. |
GIT_OBJECT_DIRECTORY |
GitLab project path in the quarantine environment. |
GIT_PUSH_OPTION_COUNT |
Number of push options. |
GIT_PUSH_OPTION_<i> |
Value of a specific push option where <i> is from 0 to one less than the value defined in GIT_PUSH_OPTION_COUNT . |
Custom error messages
When server hooks reject a push, provide clear error messages to help users understand why the push was rejected and how to fix the issue. Custom error messages appear in the GitLab UI and in the user's terminal when a hook declines a push.
Without custom error messages, users only see generic messages like (pre-receive hook declined)
.
Clear error messages help users:
- Understand why their push was rejected.
- Fix the issue without contacting an administrator.
- Reduce support requests.
To display a custom error message, your script must:
- Send the custom error messages to either the script's
stdout
orstderr
. - Prefix each message with
GL-HOOK-ERR:
with no characters appearing before the prefix.
For example:
# Bad: Generic message
echo "GL-HOOK-ERR: Commit rejected.";
# Good: Specific message with action
echo "GL-HOOK-ERR: Commit rejected: Commit message must include an issue reference (for example, #1234).";
Related topics
Troubleshooting
When working with Git server hooks, you might encounter the following issues.
pre-receive hook declined
Error: When a user pushes to a GitLab repository, they might receive an error message that includes
(pre-receive hook declined)
. For example:
! [remote rejected] main (pre-receive hook declined)
error: failed to push some refs to 'https://gitlab.example.com/group/project'
This error indicates that a pre-receive hook rejected the push. Pre-receive hooks run before any references are updated in the repository. Git provides three server-side hooks that can reject pushes:
-
pre-receive
: Runs before any references are updated. Can reject the entire push. -
update
: Runs once per branch being updated. Can reject individual branches. -
post-receive
: Runs after all references are updated. Cannot reject pushes, but can cause errors if the hook fails.
The (pre-receive hook declined)
error usually comes from either the pre-receive
or update
hook. To identify the issue:
-
Check the output immediately before the
(pre-receive hook declined)
message. The output often contains information about why the push was rejected. For example:remote: GitLab: The default branch of a project cannot be deleted. ! [remote rejected] main (pre-receive hook declined)
-
Check the Gitaly logs for more details about why the hook failed:
sudo grep PreReceiveHook /var/log/gitlab/gitaly/current | jq .
-
If the repository has custom server hooks configured, review the custom hook code for issues.
The following are common causes of pre-receive hook failures:
- Default branch protection: Pushes that delete or force-update the default branch are
rejected. This occurs with
git push --mirror
when the source repository has a different default branch than the target repository. - Push rules: The push violates configured push rules, such as commit message requirements, file size limits, or author email restrictions.
- Custom server hooks: A custom server hook script rejected the push. Review your custom hook code and error messages.
- Timeout: The hook took too long to run and was terminated. Check the Gitaly logs for timeout errors.
- LFS objects: Required Git LFS objects are missing from the repository.
To help users understand hook failures use custom error messages to provide clear feedback about why a push was rejected. Custom error messages appear in the GitLab UI and in the user's terminal.