update hook for Main git when handling push from weblate

This scripts is the security barrier into maingit. It is triggerd by the bare git hook mechanism.
It is placed inside puppet-tails: files/gitolite/hooks/tails-weblate-update.hook

Envrironment:

the script is triggered for every push to tails.git
a malicious users try to trick this script
the translation-server may be compromised and the weblate user may pushes malicious commits.
GL_USER is a environment variable, that is set by gitolite and is safe to rely on and indicates the users that it pushing.
If the script returns with a status code 0 the push is allowed and not 0 if not allowed.
Any output to stdout/stderr is allowed but only displayed to the user.

Expected outcome:

Weblate need to use “weblate <tails-l10n@boum.org>” as committer “name ” in any case
Weblate is ONLY to push po files nothing else in any case.
Everything else is not allowed for weblate.
For all other users the script should not do anything.

Feature Branch: https://salsa.debian.org/hefee/puppet-tails/tree/bugfix/15402-update-hook-for-weblate-pushes

Attachments

test-tails-weblate-update

Parent Task: #15082 (closed)

Related issues

Related to #15185 (closed)
Related to #15401 (closed)
Related to #16760
Related to #16761
Blocks #16712

Original created by @u on 15402 (Redmine)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information