# Root mise config: monorepo task discovery + shared tools.
# See https://mise.jdx.dev/tasks/monorepo.html
# Oldest mise release this file is meant to work with — presumably the one where the
# `//pkg:task` syntax and `experimental_monorepo_root` used below are available; check the
# mise changelog before lowering it.
min_version = "2026.2.6"
# Marks this directory as the monorepo root that `//cdk:...`, `//agent:...` etc. resolve against.
experimental_monorepo_root = true
[settings]
# Monorepo task support is experimental (see the doc link above) and has to be opted into.
# The nested `mise` calls in the tasks below also set MISE_EXPERIMENTAL=1 on each command,
# presumably so child processes do not depend on inheriting this setting.
experimental = true
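[tools]
# Shared toolchain for every workspace; pinned versions keep scan results reproducible.
# NOTE(review): gitleaks, semgrep and osv-scanner float on "latest" (and node floats within
# the 22.x line), so a new upstream release — or a compromised one — changes what the
# `security:*` tasks execute with no diff in this file. Consider pinning them like
# prek/grype/zizmor, or using mise's lockfile support if it is available at this version.
node = "22"
prek = "0.3.8"
gitleaks = "latest"
semgrep = "latest"
osv-scanner = "latest"
grype = "0.110.0"
# Installed through the aqua backend, hence the quoted `backend:owner/repo` key.
"aqua:zizmorcore/zizmor" = "1.23.1"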
[monorepo]
# Sub-projects whose own mise config is discovered, so `//<root>:<task>` references
# (e.g. `//agent:quality`, `//cdk:build`) resolve.
config_roots = ["cdk", "agent", "cli", "docs"]
##################
###### CORE ######
##################
# One `yarn install` at the repo root installs every Yarn workspace (`cdk`, `cli`, `docs`).
# `//cdk:install`, `//cli:install`, and `//docs:install` are thin wrappers around the same command.
[tasks.install]
description = "Yarn workspaces (cdk, cli, docs) + agent Python (uv) + prek git hooks when inside a Git repo"
# Commands run in array order.
run = [
# Single root install covers every Yarn workspace (see the note above this table).
# NOTE(review): dependency lifecycle scripts (postinstall etc.) run as part of this install
# unless yarn is told otherwise (`--ignore-scripts`); the lockfile is the only gate on them.
"yarn install --check-files",
# The Python agent has its own mise config under agent/ (uv-based, per the description).
"cd agent && mise run install",
# Install prek shims only in a real checkout (skip tarballs / no-.git environments).
# When `git rev-parse` fails (not a repo) the `|| exit 0` branch returns success without installing hooks.
"bash -c 'git rev-parse --git-dir >/dev/null 2>&1 || exit 0; prek install --prepare-hooks'",
]
##################
###### QUALITY ###
##################
[tasks.quality]
description = "Monorepo quality checks (agent quality, then cdk, cli, docs)"
# Sole prerequisite; `depends` completes before `run` starts.
depends = ["//agent:quality"]
run = [
# Nested mise invocations in array order (cdk, cli, docs). MISE_EXPERIMENTAL=1 is set per
# command so the `//pkg:task` syntax works in the child process regardless of its settings.
"MISE_EXPERIMENTAL=1 mise //cdk:eslint",
"MISE_EXPERIMENTAL=1 mise //cli:eslint",
"MISE_EXPERIMENTAL=1 mise //docs:check",
]
##################
#### SECURITY ####
##################
[tasks."security:secrets"]
description = "Scan for secrets with gitleaks"
# Whole-repo scan; on a git checkout gitleaks walks the commit history, not just the working tree.
# NOTE(review): `detect`/`protect` are the older gitleaks subcommand names (newer releases
# document `git`/`dir` instead); with `gitleaks = "latest"` in [tools], a future release
# could drop them — pin the tool or migrate the commands.
# NOTE(review): findings are printed in the clear unless `--redact` is passed; worth adding
# when this output lands in CI or hook logs.
run = "gitleaks detect --source . --no-banner"
[tasks."security:secrets:staged"]
description = "gitleaks on staged changes (pre-commit hook)"
# Checks only what is staged for the commit; unstaged edits and existing history are not scanned here
# (the full scan is `security:secrets`).
run = "gitleaks protect --staged --no-banner"
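[tasks."security:sast"]
description = "SAST scan with semgrep (auto + p/python, p/typescript, OWASP Top 10, security-audit rulesets)"
# Every config here is resolved from the Semgrep registry at run time: the task needs network
# access and the effective rule set can change between runs with no diff in this file.
# NOTE(review): as documented by Semgrep, `--config auto` sends usage metrics and cannot be
# combined with `--metrics=off` — confirm that is acceptable, or replace `auto` with explicit
# rulesets if it is not.
# `--error` makes findings a non-zero exit; `--quiet` trims progress output, not findings.
run = "semgrep scan --config auto --config p/python --config p/typescript --config p/owasp-top-ten --config p/security-audit --error --quiet ."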
[tasks."security:deps"]
description = "Audit dependencies for known vulnerabilities (osv-scanner)"
# Yarn workspaces use the repo-root lockfile only; do not scan stale cli/docs yarn.lock copies.
# Only these two lockfiles are scanned (Python via uv.lock, all JS workspaces via yarn.lock);
# the Docker image CDK builds from the agent is not covered by this task. Queries the OSV
# database over the network.
run = "osv-scanner scan --lockfile agent/uv.lock --lockfile yarn.lock"
[tasks."security:grype"]
description = "Run Grype"
run = [
# Scans the checked-out tree (not a built image); exits non-zero on any match rated High or above.
# NOTE(review): no exclusions are given, so installed/generated trees (node_modules, cdk.out)
# are included — intentional for coverage of installed packages, but note the retire task
# below deliberately excludes those same paths.
"grype . --fail-on high"
]
[tasks."security:retire"]
description = "Retire.js (CDK, CLI, docs)"
# Three scans chained with `&&`: retire over cdk/ from the root (node_modules and CDK synth
# output excluded), then the `security:retire` npm scripts defined in cli/ and docs/.
# `--severity high` means only High findings fail the scan; Medium/Low do not.
# NOTE(review): `npx retire` uses a locally installed `retire` if present and otherwise
# downloads and runs the latest published package — an unpinned, network-dependent step
# inside a security gate. Prefer declaring retire as a devDependency (or `npx retire@<version>`).
run = "npx retire --path cdk --severity high --ignore \"node_modules/**,cdk.out/**,cdk/cdk.out/**\" && cd cli && npm run security:retire && cd ../docs && npm run security:retire"
[tasks."security:gh-actions"]
description = "Static analysis of GitHub Actions workflows (zizmor)"
# Offline: no GitHub API for online-only rules; config in .github/zizmor.yml
# Offline mode skips the audits that need the GitHub API (e.g. those checking for impostor
# commits or known-vulnerable action versions — verify against zizmor's audit list), so if
# those matter, run an online pass in CI where a token is available.
run = "zizmor --offline .github"
[tasks.security]
description = "Run security scans"
# Aggregate used by the pre-push hook. Entries are sequenced through `run` (not `depends`,
# which may run them in parallel); the agent's own scans run last via a nested mise call.
# `security:secrets:staged` is not part of this set — it is the pre-commit variant.
run = [
{ task = "security:secrets" },
{ task = "security:deps" },
{ task = "security:sast" },
{ task = "security:grype" },
{ task = "security:retire" },
{ task = "security:gh-actions" },
"MISE_EXPERIMENTAL=1 mise //agent:security",
]
##################
##### HOOKS ######
##################
[tasks."hooks:install"]
description = "Install or refresh prek git hooks (also runs at end of `mise run install` in a Git repo)"
# Unlike the guarded step in [tasks.install], this has no `.git` check and will fail outside a checkout.
run = "prek install --prepare-hooks"
[tasks."hooks:run"]
description = "Run prek on all files (pre-commit then pre-push stages)"
# Runs every configured hook against the whole tree rather than only changed files —
# useful on first setup or after editing the hook config.
run = [
"prek run --all-files --stage pre-commit",
"prek run --all-files --stage pre-push",
]
[tasks."hooks:pre-push:security"]
description = "Pre-push security scans"
# Thin wrapper giving the hook config a stable name. Runs the full `security` aggregate,
# including the network-dependent semgrep, osv-scanner and retire steps, on every push.
run = "mise run security"
[tasks."hooks:pre-push:tests"]
description = "Pre-push tests in cdk/cli/agent"
run = [
# cdk and cli use the monorepo `//pkg:task` syntax while the agent is run via
# `cd agent && mise run test` — the same split as in [tasks.install]; presumably
# deliberate, so keep both places in step if either form changes. docs has no test step here.
"MISE_EXPERIMENTAL=1 mise //cdk:test",
"MISE_EXPERIMENTAL=1 mise //cli:test",
"cd agent && mise run test",
]
[tasks."hooks:pre-push"]
description = "Pre-push gate: security scans then tests in cdk/cli/agent"
# Entry point for the prek pre-push hook. Sequential: security scans first, so a finding
# fails the push before the test suites start.
run = [
"mise run hooks:pre-push:security",
"mise run hooks:pre-push:tests",
]
##################
##### BUILD #####
##################
# Agent code is packaged by CDK (Docker asset); validate Python before heavy JS/CDK work.
# Entries in `depends` may run in parallel, so only the agent check is listed there; the
# package builds below run sequentially in array order.
[tasks.build]
description = "Monorepo build (agent quality, then cdk, cli, docs)"
depends = ["//agent:quality"]
run = [
# docs:sync runs after docs:build — presumably it consumes the built docs output, so keep that order.
"MISE_EXPERIMENTAL=1 mise //cdk:build",
"MISE_EXPERIMENTAL=1 mise //cli:build",
"MISE_EXPERIMENTAL=1 mise //docs:build",
"MISE_EXPERIMENTAL=1 mise //docs:sync",
]
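[tasks.default]
description = "Install + build"
# Listing both in `depends` would let install and build start concurrently (the BUILD note
# above records that `depends` entries run in parallel), so `//cdk:build` could run before
# `yarn install` has finished. Sequence them through `run` instead, the same way
# [tasks.security] chains its sub-tasks.
run = [
{ task = "install" },
{ task = "build" },
]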