Commit `57fea768f13d`

Vincent Demeester <vincent@sbr.pm>

2026-02-02 10:27:13

fix(hooks): prevent false positives in validate-git-push

The hook was triggering on any command containing the literal string "git push", including inside commit messages, heredocs, and string arguments. Now uses regex to only match git push when it appears as an actual command (at start, or after &&, ||, ;, |, or $(). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

main

1 parent 1b8fd7f

Changed files (1)

tools

claude-hooks

cmd

validate-git-push

main.go

@@ -27,9 +27,15 @@ func hasExplicitRefspec(command string) bool {
 	return refspecPattern.MatchString(command)
 }
 
-// Check if this is a git push command
+// Check if this is a git push command (not just the string "git push" inside arguments)
 func isGitPush(command string) bool {
-	return strings.Contains(command, "git push") || strings.Contains(command, "git push")
+	// Match git push only when it appears as an actual command:
+	// - At the start of the command
+	// - After command separators: && || ; |
+	// - After $( for command substitution
+	// This avoids false positives on "git push" inside heredocs, strings, or commit messages
+	gitPushPattern := regexp.MustCompile(`(^|&&|\|\||;|\||\$\()\s*git\s+push(\s|$)`)
+	return gitPushPattern.MatchString(command)
 }
 
 // Check if pushing to a protected branch without explicit refspec

Commit 57fea768f13d

Commit `57fea768f13d`