Summary
AuthorEmailCheck collects the author email from every commit in the pushed range and validates it against the configured domain allowlist (commit.author.email.domain.allow). This causes false-positive rejections when an engineer rebases external/open-source contributor commits onto a branch before pushing.
How it happens
CommitInspectionService.getCommitRange walks all commits between the old and new branch tip via git log <old>..<new>. For a branch update that includes rebased external commits, those commits are included in the range. AuthorEmailCheck then checks every author email in that set — including emails from outside contributors that will never match a corporate domain pattern.
Why this is wrong
When a commit is rebased, Git preserves the original author identity but sets committer to the engineer who ran the rebase. For corporate compliance purposes, the relevant identity is the committer — the employee who vouched for and forwarded the change. The original author email is irrelevant to whether the push is compliant.
The Commit model already carries both author and committer as separate fields (populated in both CommitInspectionService and GitReceivePackParser), so the data is available.
Suggested fix
Change AuthorEmailCheck to validate the committer email instead of the author email, and add a corresponding commit.committer.email.* config block to mirror the existing commit.author.email.* structure. The existing IdentityVerificationHook/IdentityVerificationFilter already checks both author and committer for the registered-user check, so there is precedent in the codebase for this distinction.
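To make the author/committer difference concrete, here is an added sketch (not this project's code) that reads the identity headers of raw commit objects, as printed by `git cat-file -p`, and runs the same allowlist against either field. The commits, the domains, the helper names and the assumption that commit.author.email.domain.allow holds a list of regexes matched against the whole domain are all constructed for illustration.

```python
import re

# Constructed sample commits (raw commit objects; hashes are placeholders).
# 1) an outside contributor's commit after an employee rebased it
REBASED_EXTERNAL = """\
tree aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
parent bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
author Outside Dev <dev@contributor.example.org> 1700000000 +0100
committer Emp Loyee <emp@corp.example.com> 1700090000 +0000

Fix parser edge case

author Someone <spoof@corp.example.com> 1 +0000
"""
# 2) the employee's own commit on top
OWN_COMMIT = """\
tree cccccccccccccccccccccccccccccccccccccccc
parent dddddddddddddddddddddddddddddddddddddddd
author Emp Loyee <emp@corp.example.com> 1700090100 +0000
committer Emp Loyee <emp@corp.example.com> 1700090100 +0000

Wire the fix into the build
"""

ALLOW = [r"corp\.example\.com"]  # assumed allowlist format: regexes for the full domain
IDENT = re.compile(r"^(author|committer) (.*?) ?<([^<>]*)> \d+ [+-]\d{4}$")

def parse_identities(raw):
    """Return {'author': email, 'committer': email} from the header block only."""
    ids = {}
    for line in raw.split("\n"):
        if line == "":          # blank line ends the headers; message text is ignored
            break
        m = IDENT.match(line)
        if m:
            ids[m.group(1)] = m.group(3)
    return ids

def domain_allowed(email, allow):
    """True if the part after the last '@' fully matches one allowlist pattern."""
    local, at, domain = email.rpartition("@")
    return bool(local and at) and any(
        re.fullmatch(p, domain, re.IGNORECASE) for p in allow)

def rejected(commits, allow, field):
    """Emails of the chosen identity field that fail the allowlist."""
    emails = [parse_identities(c).get(field, "") for c in commits]
    return [e for e in emails if not domain_allowed(e, allow)]

if __name__ == "__main__":
    push = [REBASED_EXTERNAL, OWN_COMMIT]
    print("author check rejects:   ", rejected(push, ALLOW, "author"))
    print("committer check rejects:", rejected(push, ALLOW, "committer"))
```

The author check rejects the rebased commit while the committer check accepts the whole push; the `author` line inside the commit message is never parsed because header parsing stops at the first blank line.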