Git::Hooks::CheckReference - Git::Hooks plugin for checking references


version 2.10.1


As a Git::Hooks plugin you don't use this Perl module directly. Instead, you may configure it in a Git configuration file like this:

    # Enable the plugin
    plugin = CheckReference

    # These users are exempt from all checks
    admin  = joe molly

    # This group is used in a ACL spec below
    groups = cms = mhelena tiago juliana

  [githooks "checkreference"]

    # Deny changes on any references by default
    acl = deny  CRUD ^refs/

    # Only users in the @cms group may create, change, or delete tags
    acl = allow CRUD ^refs/tags/ by @cms

    # Users may maintain personal branches under user/<username>/
    acl = allow CRUD ^refs/heads/user/{USER}/

    # Users may only update the vetted branch names
    acl = allow U    ^refs/heads/(?:feature|release|hotfix)/

    # Users in the @cms group may create, rewrite, update, and delete the vetted
    # branch names
    acl = allow CRUD ^refs/heads/(?:feature|release|hotfix)/ by @cms

    # Reject lightweight tags
    require-annotated-tags = true


This Git::Hooks plugin hooks itself to the hooks below to check if the names of references added to or renamed in the repository meet specified constraints. If they don't, the commit/push is aborted.

  • update

  • pre-receive

  • ref-update

  • commit-received

  • submit

To enable it you should add it to the githooks.plugin configuration option:

      plugin = CheckReference


CheckReference - Git::Hooks plugin for checking references


The plugin is configured by the following git options under the githooks.checkacls subsection.

It can be disabled for specific references via the githooks.ref and githooks.noref options about which you can read in the Git::Hooks documentation.

acl RULE

This multi-valued option specifies rules allowing or denying specific users to perform specific actions on specific references. (Common references are branches and tags, but an ACL may refer to any reference under the refs/ name space.) By default any user can perform any action on any reference. So, the rules are used to impose restrictions.

The acls are grokked by the Git::Repository::Plugin::GitHooks's grok_acls method. Please read its documentation for the general documentation.

A RULE takes three or four parts, like this:

  (allow|deny) [CRUD]+ <refspec> (by <userspec>)?

Some parts are described below:

  • [CRUD]+

    The second part specifies which actions are being considered by a combination of letters: (C) create a reference, (R) rewrite a reference (a non fast-forward change), (U) update a reference (a fast-forward change), or (D) delete a reference. You can specify one, two, three, or the four letters.

  • <refspec>

    The third part specifies which references are being considered. In its simplest form, a refspec is a complete name starting with refs/ (e.g. refs/heads/master). These refspecs match a single file exactly.

    If the refspec starts with a caret (^) it's interpreted as a Perl regular expression, the caret being kept as part of the regexp. These refspecs match potentially many references (e.g. ^refs/heads/feature/).

    Before being interpreted as a string or as a regexp, any sub-string of it in the form {VAR} is replaced by $ENV{VAR}. This is useful, for example, to interpolate the committer's username in the refspec, in order to create reference name spaces for users.

See the "SYNOPSIS" section for some examples.

require-annotated-tags BOOL

By default one can push lightweight or annotated tags but if you want to require that only annotated tags be pushed to the repository you can set this option to true.


This option is deprecated. Please, use an acl option like this instead:

  [githooks "checkreference"]
    acl = deny C ^<REGEXP>

This directive denies references with names matching REGEXP.


This option is deprecated. Please, use an acl option like this instead:

  [githooks "checkreference"]
    acl = allow C ^<REGEXP>

This directive allows references with names matching REGEXP. Since by default all names are allowed this directive is useful only to prevent a githooks.checkreference.deny directive to deny the same name.

The checks are evaluated so that a reference is denied only if it's name matches any deny directive and none of the allow directives. So, for instance, you would apply it like this to allow only the creation of branches with names prefixed by feature/, release/, and hotfix/, denying all others.

    [githooks "checkreference"]
        deny  = ^refs/heads/
        allow = ^refs/heads/(?:feature|release|hotfix)/

Note that the order of the directives is irrelevant.


  • update-paranoid

    This module is inspired from the example hook which comes with the Git distribution.


Gustavo L. de M. Chaves <>


This software is copyright (c) 2018 by CPqD <>.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.