--- a/pipeline.groovy	Thu May 25 22:33:44 2017 +0100
+++ b/pipeline.groovy	Thu May 25 22:54:10 2017 +0100
@@ -7,7 +7,8 @@
  *    No artifacts are archived
  *
  *  * `integration()` - like `build()` pipeline, then all test pass on all
- *    configurations, archive artifacts and push staged changes to opstream.
+ *    configurations, archive artifacts and push staged changes to opstream
+ *    (if approvec by the user)
  */
 
 import com.cloudbees.plugins.credentials.CredentialsProvider;
@@ -121,11 +122,40 @@
      * archiving a broken build.
      */
     println "Smalltalk/X built, job status is: ${currentBuild.result}"
-    if (currentBuild.result == 'UNSTABLE') {
+    if ( currentBuild.result == 'UNSTABLE' ) {
         return;
     }
     artifacts()
-    push()
+
+    /*
+     * Check if there are changes to be pushed to upstream. If so,
+     * ask user to approve that push
+     */
+    if ( changes() ) {
+        def integrate = input(message: 'Integrate all staged changes to upstream?',
+                                parameters: [
+                                    booleanParam(name: "Integrate changes",
+                                         description: 'If checked, all staged changes will be pushed to an upstream repository',
+                                         defaultValue: true)]);
+        if ( integrate ) {
+            push()
+        }
+    }
+}
+
+/*
+ * Utility. Return true, if there are any changes to be pushed to an upstream,
+ * false othervise.
+ */
+def changes() {
+    changes = false;
+    matrix ( configurations ) {
+        withCredentialsForUpstream() { user, pass ->
+            status = sh ( script: "rake \"workflow:out-upstream[${user}, ${pass}]\"", returnStatus: true)
+        }
+        changes = status == 0;
+    }
+    return changes;
 }
 
 def combine(configurations, axes = null, axis = 0, partial = new HashMap(), combinations = []) {
@@ -207,51 +237,62 @@
 def push() {
     any ( configurations ) {
         stage ( "Push to upstream" ) {
-            /*
-             * Kludge: This stage may push changes to public BitBucket
-             * repositories. To access repos on BitBucket, I (JV) don't
-             * want to use the same key / password as for checkouts from
-             * staging repositories,
-             *
-             * Therefore, also look for another credentials with ID
-             * `workflow:push-upstream`. If it exists, then use these to
-             * push to upstrem repository. If no such credentials exist,
-             * use standard credentials.
-             *
-             * So, here we go:
-             */
-            def id1 = "workflow-push-upstream";
-            def id2 = scm.getCredentialsId();
-            def credentials = null;
-
-            for (StandardUsernameCredentials c : CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class)) {
-              if (c.getId().equals(id1)) {
-                credentials = c;
-                break;
-              }
-            }
-            if (credentials == null) {
-              for (StandardUsernameCredentials c : CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class)) {
-                if (c.getId().equals(id2)) {
-                  credentials = c;
-                  break;
-                }
-              }
-            }
-
-            println "Using credentials ${credentials.getId()}: ${credentials.getDescription()}"
-
-            if (credentials instanceof SSHUserPrivateKey) {
-                sshagent([ credentials.getId() ]) {
-                    sh "rake \"workflow:push-upstream\""
-                }
-            } else {
-                withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentials.getId(), passwordVariable: 'pass', usernameVariable: 'user']]) {
-                    sh "rake \"workflow:push-upstream[${user}, ${pass}]\""
-                }
+            withCredentialsForUpstream { user, pass ->
+                sh "rake \"workflow:push-upstream[${user}, ${pass}]\""
             }
         }
     }
 }
 
+/*
+ * Utility. Executes given block with credentials for upstream repository.
+ */
+def withCredentialsForUpstream(block) {
+    /*
+     * Kludge: Upstream repositories may be on a public BitBucket
+     * server. To access repos on BitBucket, I (JV) don't
+     * want to use the same key / password as for checkouts from
+     * staging repositories,
+     *
+     * Therefore, also look for another credentials with ID
+     * `workflow:push-upstream`. If it exists, then use these to
+     * push to upstrem repository. If no such credentials exist,
+     * use standard credentials.
+     *
+     * So, here we go:
+     */
+    def id1 = "workflow-push-upstream";
+    def id2 = scm.getCredentialsId();
+    def credentials = null;
+
+    for (StandardUsernameCredentials c : CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class)) {
+      if (c.getId().equals(id1)) {
+        credentials = c;
+        break;
+      }
+    }
+    if (credentials == null) {
+      for (StandardUsernameCredentials c : CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class)) {
+        if (c.getId().equals(id2)) {
+          credentials = c;
+          break;
+        }
+      }
+    }
+
+    println "Using upstream credentials ${credentials.getId()}: ${credentials.getDescription()}"
+
+    if (credentials instanceof SSHUserPrivateKey) {
+        sshagent([ credentials.getId() ]) {
+            // sh "rake \"workflow:push-upstream\""
+            block(null, null)
+        }
+    } else {
+        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: credentials.getId(), passwordVariable: 'pass', usernameVariable: 'user']]) {
+            // sh "rake \"workflow:push-upstream[${user}, ${pass}]\""
+            block(user, pass)
+        }
+    }
+}
+
 return this;