-
Notifications
You must be signed in to change notification settings - Fork 1
/
lefthook.yml
120 lines (100 loc) · 4.14 KB
/
lefthook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
commit-msg:
commands:
lint-commit-msg:
run: npx --yes commitlint --edit
pre-commit:
parallel: true
commands:
check-format-backend:
root: backend/
run: ./gradlew spotlessApply -DspotlessFiles=$(echo {staged_files} | sed 's/ /,/g') && git add {staged_files}
check-javadocs:
root: backend/
run: ./gradlew checkstyleMain -Dinclude=$(echo {staged_files} | sed 's/ /,/g')}
check-illegal-imports-in-tests:
root: backend/
run: ./gradlew checkstyleTest -Dinclude=$(echo {staged_files} | sed 's/ /,/g')}
check-format-frontend:
root: frontend/
run: npm run --silent prettier:fix {staged_files} && git add {staged_files}
lint-frontend:
root: frontend/
glob: "*.{ts,js,vue}"
run: npm run --silent eslint:fix:imports {staged_files} && git add {staged_files}
typecheck-frontend:
root: frontend/
glob: "*.{ts,vue}"
run: npm run --silent typecheck && git add {staged_files}
check-format-yaml:
glob: "*.{yml,yaml}"
# Is already checked in the frontend formatting. Attempting will lead to
# an error as Prettier somehow detects that there is a Tailwind plugin
# in this folder, but cannot load it when being run from outside.
exclude: "frontend/"
run: |
echo {staged_files}
npm --prefix frontend exec prettier -- --check --write --ignore-unknown {staged_files} && git add {staged_files}
secrets-audit:
run: >
talisman --githook pre-commit ||
(echo "Verify the content and fix it with: talisman --githook pre-commit --interactive"; exit 1)
post-commit:
commands:
secrets-checkum-test:
tags: security
skip:
- rebase
fail_text: |
This commit has touched files which are known to include false positives of the secret scanner.
It does not mean you have introduced new secrets, but these are "old" reports.
But due to the file content change, the checksum Talisman is using for the verification has changed too.
Please double check the reported file(s) and update their checksums in the `.talismanrc` file.
Afterwards stage the file and amend this commit which was just created with `git commit --amend --no-edit`
run: |
local_reference=$(git rev-parse --symbolic-full-name HEAD)
local_object_name=$(git rev-parse HEAD)
# Strong assumption that we run after the commit has been created (not before)!
remote_reference=$(git branch --format="%(upstream)" --list $(git rev-parse --abbrev-ref HEAD))
remote_object_name=$(git rev-parse $remote_reference)
echo $local_reference \
$local_object_name \
${remote_reference:-0000000000000000000000000000000000000000} \
${remote_object_name:-0000000000000000000000000000000000000000} \
| talisman --githook pre-push
pre-push:
parallel: true
commands:
licences-audit-backend:
root: backend/
run: ./gradlew checkLicense
licences-audit-frontend:
root: frontend/
run: npm run audit:licences > /dev/null;
secrets-audit:
run: |
local_reference=$(git rev-parse --symbolic-full-name HEAD)
local_object_name=$(git rev-parse HEAD)
remote_reference=$(git log -1 origin)
remote_object_name=$(git rev-parse $remote_reference)
echo $local_reference \
$local_object_name \
${remote_reference:-0000000000000000000000000000000000000000} \
${remote_object_name:-0000000000000000000000000000000000000000} \
| talisman --githook pre-push
check-pipeline-status:
only:
- ref: main
run: |
which gh 2>&1 >/dev/null || exit 0
conclusion="$(
gh run list --branch main --workflow pipeline.yml --json conclusion,status \
--jq '[.[] | select(.status=="completed")][0].conclusion' \
)"
if [[ "$conclusion" != "success" ]]; then
echo "The last completed pipeline run has failed!"
echo "If you intend to fix the pipeline use '--no-verify', BUT ONLY IF all other hooks are okay."
exit 1
fi
skip_output:
- meta
- execution