Kevin Veen-Birkenbach
a21fb1a908
`git rebase <base>` is a no-op when HEAD is already a descendant of <base>, which is the normal shape for a local branch built on top of origin/main. Without `--force-rebase`, rebase short-circuits, `-S` never runs, and the unsigned commit gets pushed and rejected by required_signatures branch rules. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
git-maintainer-tools 🧰
Small CLIs for a fork-based OSS maintainer workflow.
Homepage: github.com/kevinveenbirkenbach/git-maintainer-tools
Originally extracted from s.infinito.nexus/code, where these helpers started as shell scripts under scripts/git/ before being rewritten in Python and split out as a standalone tool.
Tools 🔧
git-setup-remotes 🌐
Configures a clone for a fork-based workflow and is idempotent.
originpoints at the canonical repository.forkpoints at the maintainer's personal fork.maintracksorigin/main.remote.pushDefault=fork,push.default=currentso everygit pushand everygit push -ufor a new branch lands on the fork, not on the canonical repo.branch.main.pushRemote=originso a direct push on the canonical branch targets upstream, not the personal fork (whose branch-protection rules can diverge).
Usage:
git-setup-remotes \
--canonical git@github.com:<org>/<repo>.git \
--fork git@github.com:<user>/<fork>.git
Both URLs may be provided via environment variables instead (CANONICAL_URL, FORK_URL). If --fork / FORK_URL is not given, the tool reuses an existing fork remote or an existing origin that does not point at canonical (clone-from-fork case).
git-sign-push 🔐
GPG-signs every unpushed commit on the current branch and pushes.
- Refuses to run inside the Claude sandbox (where
~/.gnupgis unreadable) and when the working tree is dirty. - For a branch with an upstream:
git push --force-with-leaseafter any required re-sign. - For a branch without upstream:
git push -u <remote>where<remote>is resolved fromremote.pushDefault(fallback:origin). In a repo configured bygit-setup-remotes, this means new branches land on the fork.
Usage:
git-sign-push
Install 📦
From the repo checkout:
pip install .
Or for development:
pip install -e '.[dev]'
Both entry points are registered in pyproject.toml and will be on your $PATH after install.
Sandbox 🏜️
Both CLIs refuse to run when CLAUDE_CODE or CLAUDECODE is set in the environment, because the Claude sandbox blocks .git/config writes (for git-setup-remotes) and access to ~/.gnupg (for git-sign-push). The tools MUST be run by the human operator outside the sandbox.
Author ✍️
Kevin Veen-Birkenbach, veen.world
License 📜
Licensed under the MIT License.