You can now prevent force pushes to your repositories by embedding a policy operation in the JWT used for Git authentication.
When a remote URL is generated with the no-force-push operation, the server will reject any push
that rewrites history — any non-fast-forward ref update is rejected. Normal pushes, including
--force with a fast-forward commit, continue to work as expected.
```typescript
import { OP_NO_FORCE_PUSH } from '@pierre/storage';

const url = await repo.getRemoteURL({
  ops: [OP_NO_FORCE_PUSH],
});
```

```python
from pierre_storage import OP_NO_FORCE_PUSH

url = await repo.get_remote_url(
    ops=[OP_NO_FORCE_PUSH],
)
```

```go
url, err := repo.RemoteURL(ctx, storage.RemoteURLOptions{
	Ops: storage.Ops{storage.OpNoForcePush},
})
```

The policy is carried inside the signed JWT, so each remote URL controls its own write rules
independently. A token without no-force-push still allows force pushes, letting you mix protected
and unrestricted access within the same repository.
Attempting a real force push against a protected remote returns a clear error from the server:
```
error: remote unpack failed: error force push denied by policy
```
All three SDKs — TypeScript, Python, and Go — support the new ops parameter on getRemoteURL,
getImportRemoteURL, and getEphemeralRemoteURL.
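The accept/reject rule described above, as an added illustrative model (not Pierre's server code and not part of the SDK): a ref update is a fast-forward when the old tip is an ancestor of the new tip, so the decision depends on ancestry and on the ops in the token, not on whether the client passed `--force`. The function names, the commit graph and the acceptance of newly created refs are assumptions made for this example.

```python
from collections import deque

NO_FORCE_PUSH = "no-force-push"  # operation name as written on this page
ZERO = "0" * 40                  # Git's all-zero id: the ref does not exist yet

# Constructed history (commit -> parents), not real data:
#   a <- b <- c      main line
#        b <- x      rewritten branch that drops c
PARENTS = {"a": [], "b": ["a"], "c": ["b"], "x": ["b"]}


def is_ancestor(old, new, parents):
    """True if `old` is reachable from `new` by following parent links."""
    seen, queue = set(), deque([new])
    while queue:
        commit = queue.popleft()
        if commit == old:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        queue.extend(parents.get(commit, []))
    return False


def check_ref_update(old, new, token_ops, parents=PARENTS):
    """Return (accepted, reason) for one ref update under the token's ops."""
    if NO_FORCE_PUSH not in token_ops:
        return True, "token carries no restriction"
    if old == ZERO:
        # Assumption: creating a ref rewrites nothing, so it is accepted.
        return True, "new ref, no history to rewrite"
    if is_ancestor(old, new, parents):
        # A fast-forward passes even if the client used --force.
        return True, "fast-forward"
    return False, "force push denied by policy"
```

Moving a ref from `c` to `x` is rejected under a token carrying the operation and accepted under one without it, which is the per-URL behaviour the page describes.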