Use the server example as a guide on how to validate the JSON payload on Push events.
# Validate that every commit in a Push event payload comes from the pusher.
# `payload` is the parsed JSON body of the webhook delivery (a Hash),
# e.g. the result of JSON.parse(request.body.read).
def validate(payload)
  # collect the distinct author emails across all pushed commits
  # (each commit also carries a separate `committer` entry in the payload)
  committers = payload['commits'].map { |c| c['author']['email'] }.uniq
  # validate all commits are from the pusher
  if committers.count > 1
    { failure: "Includes commits from #{committers.count} committers" }
  elsif !committers.include?(payload['pusher']['email'])
    { failure: "Committer doesn't match pusher" }
  else
    { success: 'All commits match pusher' }
  end
end
Add the validation to your CI server or any stand-alone webserver that responds to GitHub's WebHook events.
The JSON payload contains the Git author and the Git committer for each commit pushed. These values come from the .gitconfig on the user's computer, so they are whatever the user configured locally.
The payload also contains the pusher's info: the authenticated GitHub user who pushed the code.
Create a Webhook and watch for the Push Event. This event is triggered when you push from the command-line or commit a change through the Web UI.
To prevent merges until identity checks are passed, enable Protected Branches and Required Status Checks, then have your CI server run checks against the JSON payload delivered from the Webhook.
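As an added example that is not part of the original page, the variant below checks both the author and committer emails of every commit, handles a push that carries no commits (such as a branch deletion), and builds the body a CI server would post to the Statuses API for the head commit so the result can serve as a required status check. The sample payload, commit ids, sha and the status context name are constructed for the example.

```ruby
require 'json'

# Constructed sample Push event payload (not a real delivery): two commits,
# the second authored by someone other than the authenticated pusher.
SAMPLE_PUSH = <<~JSON
  {
    "ref": "refs/heads/main",
    "after": "cafe0001",
    "deleted": false,
    "pusher": { "name": "octocat", "email": "Octocat@example.com" },
    "commits": [
      { "id": "c1", "author": { "email": "octocat@example.com" },
        "committer": { "email": "octocat@example.com" } },
      { "id": "c2", "author": { "email": "mallory@example.com" },
        "committer": { "email": "octocat@example.com" } }
    ]
  }
JSON

# Every identity on a commit: author and committer, lower-cased so that a
# differently cased .gitconfig entry does not read as a second identity.
def commit_identities(payload)
  payload.fetch('commits', []).flat_map do |c|
    [c.dig('author', 'email'), c.dig('committer', 'email')]
  end.compact.map(&:downcase).uniq
end

# Returns [state, description] for the commit status.
def check_push(payload)
  pusher = payload.dig('pusher', 'email').to_s.downcase
  ids = commit_identities(payload)
  if payload['deleted'] || ids.empty?
    ['success', 'No commits to check']          # branch deletion / empty push
  elsif ids.size > 1
    ['failure', "Includes commits from #{ids.size} identities"]
  elsif ids.first != pusher
    ['failure', "Commit identity #{ids.first} does not match pusher #{pusher}"]
  else
    ['success', 'All commits match pusher']
  end
end

# Status body for the head commit (payload["after"]); the CI server would POST
# this to the Statuses API under the context named in the required check.
def status_for(raw_json, context: 'ci/identity-check')
  payload = JSON.parse(raw_json)
  state, description = check_push(payload)
  { sha: payload['after'], state: state, description: description, context: context }
end

puts JSON.generate(status_for(SAMPLE_PUSH)) if __FILE__ == $PROGRAM_NAME
```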