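#!/usr/bin/env bash
# pre-push hook: refuse to push commits that do not carry a good signature.
#
# git feeds the hook one line per ref on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
# For each ref, the commits that are not yet on origin/main are listed with
# their signature status (git's %G? placeholder) and the push is rejected on
# the first commit whose status is not "G" (good signature, trusted key).
set -euo pipefail

#######################################
# Print a message to stderr and abort the push.
# Arguments: $* - message
# Returns:   never; exits 1
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Tell whether an object id is git's all-zero "null" id (used for a deleted
# ref). Any length is accepted so SHA-256 repositories (64 hex digits) behave
# like SHA-1 ones (40) instead of slipping past a fixed 40-zero comparison.
# Arguments: $1 - object id
# Returns:   0 if non-empty and all zeros, 1 otherwise
#######################################
is_null_sha() {
  [[ -n "$1" && "$1" =~ ^0+$ ]]
}

#######################################
# Decide whether a %G? signature status is acceptable. Only "G" (good
# signature from a trusted key) passes; every other status git can report
# (B bad, U untrusted, X/Y expired, R revoked, E unverifiable, N none) fails.
# Arguments: $1 - one-character status from `git log --format=%G?`
# Returns:   0 if acceptable, 1 otherwise
#######################################
signature_ok() {
  [[ "$1" == "G" ]]
}

#######################################
# Find the commit after which the pushed commits count as "new": the merge
# base with origin/main, or, when origin/main is unavailable, a root commit
# of HEAD.
# Arguments: $1 - local sha being pushed
# Outputs:   base commit id on stdout
# Returns:   non-zero if neither lookup succeeds (set -e then aborts the hook)
#######################################
find_base() {
  local base
  if base=$(git merge-base "$1" origin/main 2>/dev/null); then
    printf '%s\n' "$base"
  else
    # --max-count=1: a history with several roots would otherwise yield
    # several ids and make the later "base..sha" range an invalid revision.
    git rev-list --max-parents=0 --max-count=1 HEAD
  fi
}

#######################################
# Reject the push if any commit in base..tip lacks a good signature.
# Arguments: $1 - base commit (excluded)
#            $2 - tip commit (included)
# Returns:   0 when every commit passes; exits 1 via die otherwise
#######################################
check_range() {
  local commits line sha status
  # Capture the listing explicitly: a failing `git log` (bad revision,
  # unreadable repository) must abort the push rather than quietly produce
  # an empty list that passes the check.
  commits=$(git log --format='%H %G?' "$1..$2") \
    || die "error: cannot list commits in $1..$2"
  [[ -n "$commits" ]] || return 0
  while IFS= read -r line; do
    sha=${line%% *}
    status=${line##* }
    signature_ok "$status" \
      || die "error: commit ${sha} is unsigned or unverified — sign your commits before pushing"
  done <<<"$commits"
}

#######################################
# Read the ref lines git passes on stdin and check each pushed tip.
# Globals:   reads stdin
# Returns:   0 if every ref passes; exits 1 otherwise
#######################################
main() {
  # shellcheck disable=SC2034  # remote_ref/remote_sha are part of the hook
  # protocol but not needed here.
  local local_ref local_sha remote_ref remote_sha base
  while read -r local_ref local_sha remote_ref remote_sha; do
    # A deleted branch has a null local sha; nothing to verify.
    if is_null_sha "$local_sha"; then
      continue
    fi
    # Only check commits unique to this branch — not commits already on main
    # (including GitHub squash-merge commits which carry GitHub's own key).
    base=$(find_base "$local_sha")
    check_range "$base" "$local_sha"
  done
}

main "$@"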
