#!/usr/bin/env bash
set -euo pipefail

#######################################
# Report whether a ref name is the private branch itself or anything
# nested beneath it.
# Arguments: $1 - full ref name (e.g. refs/heads/private/foo)
# Returns:   0 if the name is exactly refs/heads/private or begins with
#            refs/heads/private/, 1 otherwise.
# Note: this is a case-sensitive string comparison on the name only, so
#       look-alikes such as refs/heads/privateer do not match.
#######################################
is_private_ref() {
  local candidate="$1"
  case "$candidate" in
    refs/heads/private | refs/heads/private/*)
      return 0
      ;;
    *)
      return 1
      ;;
  esac
}

#######################################
# Report whether one line of push input describes a ref deletion.
# Arguments: $1 - local ref field
#            $2 - local object id field
# Returns:   0 if the local ref is the literal "(delete)" marker or the
#            local object id consists only of zeros, 1 otherwise.
#######################################
is_delete_update() {
  local src_ref="$1"
  local src_sha="$2"

  # Either signal on its own is treated as a deletion.
  if [[ "$src_ref" == "(delete)" ]]; then
    return 0
  fi
  [[ "$src_sha" =~ ^0+$ ]]
}

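# Inspect every ref update on stdin and abort the push (exit 1) as soon as
# one of them involves the private namespace.
#
# Each input line carries four space-separated fields: local ref, local
# object id, remote ref, remote object id. This looks like the stdin format
# of git's pre-push hook -- presumably this script is installed as that
# hook; confirm against the repository's hook setup.
#
# Limits worth knowing when relying on this as a guard:
#   * The checks are purely name-based. NOTE(review): a push whose source is
#     given as something other than a branch name would not be recognised by
#     the local-ref check; only the remote-ref check applies then.
#   * Client-side hooks can be skipped (e.g. `git push --no-verify`), so a
#     hard guarantee needs a matching server-side rule as well.
#
# `|| [[ -n ... ]]` keeps a final record that lacks a trailing newline from
# being silently skipped, which would otherwise let that update through
# unchecked. The fourth field (remote object id) is not used, hence `_`.
while read -r local_ref local_sha remote_ref _ || [[ -n "${local_ref:-}" ]]; do
  # Rule 1: nothing sourced from a private local ref may be pushed,
  # whatever the destination is.
  if is_private_ref "$local_ref"; then
    printf '%s\n' \
      "push blocked: private branch ref detected in push input." \
      "local_ref='$local_ref' remote_ref='$remote_ref'" \
      "do not push refs/heads/private/* to remote." >&2
    exit 1
  fi

  # Rule 2: a private ref on the remote may only be deleted (cleanup),
  # never created or updated.
  if is_private_ref "$remote_ref" && ! is_delete_update "$local_ref" "$local_sha"; then
    printf '%s\n' \
      "push blocked: update to remote private ref is not allowed." \
      "local_ref='$local_ref' remote_ref='$remote_ref'" \
      "only deletion of refs/heads/private/* is allowed for cleanup." >&2
    exit 1
  fi
done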
