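# Pre-commit hook configuration for django-admin-react.
#
# Install once:
#   poetry run pip install pre-commit
#   pre-commit install
#
# Then every `git commit` runs these hooks against the staged diff.
# The security rules these enforce are documented in `SECURITY.md` §3.
#
# This file is the commit-time half of the quality gate, run together
# with `scripts/lint.sh` before a PR. CI (`.github/workflows/ci.yml`)
# runs the Python lint gate (ruff check + ruff format --check + mypy +
# bandit) and the test suites; these hooks add the secret-scan + pygrep
# house rules at commit time.
#
# NOTE(review): client-side hooks are advisory — they are skipped by
# `git commit --no-verify` and by any clone where `pre-commit install`
# was never run. The header above implies the secret scan and the pygrep
# house rules run nowhere else, so a `pre-commit run --all-files` step in
# CI is what would make them authoritative — confirm against ci.yml.

# `types_or` (used below) needs pre-commit >= 2.9.0; older versions
# reject this file with an unhelpful schema error.
minimum_pre_commit_version: '2.9.0'

repos:
  # -----------------------------------------------------------------
  # Secret scanning — fail commit if a token-shaped string is added.
  # `--redact` keeps the matched value itself out of the terminal output
  # (and out of any CI log that captures it).
  # -----------------------------------------------------------------
  - repo: https://github.com/gitleaks/gitleaks
    rev: 'v8.18.4'
    hooks:
      - id: gitleaks
        # NOTE(review): pre-commit appends `args` after the hook's own
        # `entry`, which for this hook already names the subcommand and
        # passes `--staged`/`--redact`; some of these may be redundant.
        # Check the effective command with `pre-commit run gitleaks -v`.
        args: ["protect", "--staged", "--no-banner", "--redact"]

  # -----------------------------------------------------------------
  # Python lint + format + import order — Ruff is the single source of
  # truth (#651/#652). Black, standalone isort, and flake8 were removed;
  # ruff-format owns formatting and the `I` rules own import sorting.
  # -----------------------------------------------------------------
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: 'v0.6.9'
    hooks:
      - id: ruff
        # `--exit-non-zero-on-fix` fails the commit after an auto-fix so
        # the rewritten file is re-staged and seen, not committed blind.
        args: ["--fix", "--exit-non-zero-on-fix"]
        files: '^(django_admin_react|tests|examples)/'
      - id: ruff-format
        files: '^(django_admin_react|tests|examples)/'

  # -----------------------------------------------------------------
  # Python security lint (bandit). Runs only over the package, not tests
  # (asserts in tests are fine and would otherwise be noisy).
  # -----------------------------------------------------------------
  - repo: https://github.com/PyCQA/bandit
    rev: '1.7.10'
    hooks:
      - id: bandit
        # Read scope from pyproject [tool.bandit]; the `toml` extra lets
        # the isolated hook env parse it. The scan root is fixed by
        # `-r django_admin_react`, so the staged file list is not passed.
        args: ["-c", "pyproject.toml", "-q", "-r", "django_admin_react"]
        additional_dependencies: ["bandit[toml]"]
        pass_filenames: false

  # -----------------------------------------------------------------
  # House rules — local hooks that enforce package-specific invariants
  # from SECURITY.md §3.
  # -----------------------------------------------------------------
  - repo: local
    hooks:
      # No partial / redacted token references anywhere in the diff.
      #
      # The `exclude` list covers the small set of files that
      # legitimately *document* the forbidden patterns (e.g., the
      # rule itself in SECURITY.md and the security test that scans for
      # them). All other files in the repo MUST be free of these
      # substrings.
      #
      # NOTE(review): the pattern is case-sensitive, so an upper-case
      # spelling of the aws_secret_access_key token is not caught; if
      # that is unintended, add `args: [-i]` (pygrep supports it).
      - id: no-partial-tokens
        name: No partial token redactions (e.g., ghp_…XYZ)
        language: pygrep
        entry: '(ghp_|gho_|ghs_|github_pat_|aws_secret_access_key|AKIA[0-9A-Z]{16}|BEGIN (RSA|EC|OPENSSH) PRIVATE)'
        types_or: [text]
        # Verbose regex (`(?x)`): whitespace and newlines inside the block
        # scalar are ignored, one excluded path per line.
        exclude: |
          (?x)^(
              SECURITY\.md
              |\.pre-commit-config\.yaml
              |tests/test_security\.py
              |scripts/README\.md
          )$

      # No Model.objects.all|filter in django_admin_react/api/.
      - id: no-objects-all-in-api
        name: No Model.objects.all/filter in django_admin_react/api/
        language: pygrep
        entry: 'objects\.(all|filter)\('
        files: '^django_admin_react/api/.*\.py$'

      # No csrf_exempt anywhere in the package (matches the bare
      # identifier, so comments and imports trip it too — by design).
      - id: no-csrf-exempt
        name: No @csrf_exempt in django_admin_react/
        language: pygrep
        entry: 'csrf_exempt'
        files: '^django_admin_react/.*\.py$'

      # No user.has_perm direct calls (everything goes through ModelAdmin).
      - id: no-user-has-perm
        name: No user.has_perm in django_admin_react/api/
        language: pygrep
        entry: 'user\.has_perm\('
        files: '^django_admin_react/api/.*\.py$'

      # No frontend page packages importing @dar/api directly.
      # NOTE(review): only a quoted specifier ending exactly in `@dar/api`
      # after `from` is matched; subpath imports (`@dar/api/...`),
      # `require()` and dynamic `import()` forms are not — confirm that
      # is intended.
      - id: no-dar-api-from-pages
        name: '@dar/list|details|models|shell must not import @dar/api'
        language: pygrep
        entry: "from ['\"]@dar/api['\"]"
        files: '^frontend/packages/(list|details|models|shell)/'

      # Doc-reference integrity (#653): fail if a docstring/comment cites
      # a *.md file or §N section that no longer exists.
      # The cited targets are Markdown files, so renaming a *.md file or
      # renumbering its sections must also trigger the guard — hence `md`
      # is in the filter alongside the files that carry the references.
      - id: doc-ref-guard
        name: No dangling *.md / §N doc references
        language: system
        entry: poetry run pytest tests/test_doc_refs.py -q
        pass_filenames: false
        files: '\.(py|yaml|md)$'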