Server hook: Get annotated tag commit ID


I have a self-managed GitLab instance configured with a global server-side Git hook. GitLab calls them global ‘server hooks’. It’s an update hook that blocks or allows certain tags based on tag name and tag commit ID.

I’m struggling to retrieve the commit ID of an annotated tag within this script.

The script executes with args containing the name and SHA-1 of the ref being updated. When a user adds a lightweight tag, the SHA-1 is the ID of the commit being tagged. However, when a user adds an annotated tag, the SHA-1 is the hash of the tag object itself, not of the commit it points to. This is documented behaviour within Git, but makes things tricky for my use-case.

None of the three arguments with which the update script is executed tell me about the commit an annotated tag points to, and neither do the environment variables. I don’t want to allow the tag to be created and handle it using a File Hook as this is messy and prevents me from returning an error to the browser, since our users create tags using the web app.

I could instruct users not to create annotated tags by not adding tag notes, but it’ll happen regardless and I haven’t found a way to disable the adding of tag notes in the web UI.

Any ideas? Some help with this would be fantastic.


GitLab-CE 14.6.3 Omnibus
Ubuntu 20.04
Python 3.8
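
Added example, not part of the original post: one way an update hook can get the commit behind either kind of tag is to ask Git to peel the new SHA-1 with the `^{commit}` revision suffix, which dereferences annotated tag objects and leaves a plain commit ID unchanged. The `tag_allowed` policy is a hypothetical stand-in, and the sketch assumes the hook runs with the repository as its working directory and that the child `git` process inherits the hook's environment.

```python
#!/usr/bin/env python3
# Added example: update hook that resolves the commit behind a pushed tag.
import subprocess
import sys

ZERO_SHA = "0" * 40  # all-zero new value means the ref is being deleted


def peel_to_commit(sha):
    """Return the commit a tag object or commit ID resolves to, else None.

    `<sha>^{commit}` makes Git dereference annotated (and nested) tag objects
    until it reaches a commit; a commit ID comes back unchanged.
    Assumption: the hook's working directory is the repository and the child
    process inherits the hook's environment, so the pushed objects are visible.
    """
    proc = subprocess.run(
        ["git", "rev-parse", "--verify", "--quiet", sha + "^{commit}"],
        capture_output=True, text=True,
    )
    commit = proc.stdout.strip()
    return commit if proc.returncode == 0 and commit else None


def tag_allowed(tag_name, commit_id):
    """Hypothetical policy stand-in: replace with the real name/commit rules."""
    return tag_name.startswith("release-")


def check_update(ref_name, old_sha, new_sha, policy=tag_allowed):
    """Return (exit_code, message) for one ref update; non-zero rejects it."""
    if not ref_name.startswith("refs/tags/") or new_sha == ZERO_SHA:
        return 0, ""  # not a tag, or a deletion: out of scope here
    commit_id = peel_to_commit(new_sha)
    if commit_id is None:
        return 1, "tag does not resolve to a commit"  # e.g. tag of a tree/blob
    tag_name = ref_name[len("refs/tags/"):]
    if not policy(tag_name, commit_id):
        return 1, f"tag {tag_name} on commit {commit_id} is not allowed"
    return 0, ""


if __name__ == "__main__":
    # Git runs the update hook as: update <ref-name> <old-sha> <new-sha>
    code, message = check_update(*sys.argv[1:4])
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)
```

Rejecting when the peel fails also covers tags that point at a tree or blob rather than a commit, which a name-and-commit policy could not otherwise evaluate.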