git - Find committer of a force push on github

Question

In our project (which is hosted on GitHub), someone accidentally force-pushes master every once in a while. No one is aware if doing so, and I would like to find out who does it and what sort of misconfigured tool or bad habit is behind it.

So the question is, how to identify the user who made the force push? When I pull I see something like this:

# git pull --prune
(.....)
 + 4c0d44c...138b9ed master     -> origin/master  (forced update)

but 138b9ed is just the latest commit in origin/master, and anyone might have committed after the force push; it is even possible that the force pusher himself did not commit anything, just rebased, so his name is not even present in the rewritten part of origin/master's history as an author.

I also tried git reflog origin/master, but it just gives the same information: there is a record saying git pull --prune (forced update) with the commit id 138b9ed, but that will again give the last committer into master, not the one who did the force push. Running git reflog master on the origin server would probably help, but GitHub does not give you that sort of access AFAIK.

Is there any reliable way to find out whom the push originated from (and when)?

Answer 1

You can add a webhook to your Github repository and have it submit the push notifications to some server or a service like requestb.in.

The notification payload has a pusher key which identifies the Github user account used to push the update(s). This way you should be able to identify the "bad guy".

Edit: The payload also has a boolean forced key, which tells you if the even was --force pushed or not. It is not shown in Github's example payload ^{[as of 2013-07-06]}, but visible in this other example.

Edit: This is only possible because Github is an integrated solution that identifies the pusher and provides that information in the webhook payload. Using a pure Git server (e.g. using only SSH for authorization) or a different Git serving solution (Gitolite, Gitlab, etc), this might not be possible. Git itself has no way of identifying the user who pushes (Git only saves user information in commit and tag objects), so this information has to be provided by the identification & authorization part of the connection (this can be SSH or HTTPS or the likes; it can also be completely missing, for example when pushing locally to a repo on the same file system).