fix: unblock CI checks and harden local hooks

haasonsaas · haasonsaas · commit fe43e33e3d2a · 2026-03-13T03:46:15.000-07:00
Normalize analyzer tool paths across platforms so Windows test expectations stay stable, and rewrite workflow secret gating so GitHub can parse eval and release workflows. Add repo-managed hook scripts and docs so the same workflow and Rust checks run locally before commit and push.

Made-with: Cursor
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
@@ -1,28 +1,23 @@
 #!/usr/bin/env bash
-set -e
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+echo "==> Validating GitHub workflows..."
+bash "./scripts/check-workflows.sh"
 
 echo "==> Running cargo fmt --check..."
-cargo fmt --check || {
-    echo "ERROR: cargo fmt found formatting issues. Run 'cargo fmt' to fix."
-    exit 1
-}
+cargo fmt --check
 
-echo "==> Running cargo clippy..."
-cargo clippy --all-targets -- -D warnings || {
-    echo "ERROR: cargo clippy found warnings. Fix them before committing."
-    exit 1
-}
+echo "==> Running cargo clippy --all-targets..."
+cargo clippy --all-targets -- -D warnings
 
-# Tests are slower — run by default but skip with SKIP_TESTS=1
 if [ "${SKIP_TESTS:-0}" = "1" ]; then
-    echo "==> Skipping tests (SKIP_TESTS=1). CI will catch failures."
+    echo "==> Skipping cargo test (SKIP_TESTS=1). Pre-push still enforces the full Rust gate."
 else
     echo "==> Running cargo test..."
-    cargo test || {
-        echo "ERROR: Tests failed. Fix them before committing."
-        echo "Tip: SKIP_TESTS=1 git commit ... to skip tests locally (CI will still run them)."
-        exit 1
-    }
+    cargo test
 fi
 
-echo "==> All pre-commit checks passed."
+echo "==> Pre-commit checks passed."
diff --git a/.githooks/pre-push b/.githooks/pre-push
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+echo "==> Validating GitHub workflows..."
+bash "./scripts/check-workflows.sh"
+
+echo "==> Running cargo fmt --check..."
+cargo fmt --check
+
+echo "==> Running cargo clippy --all-targets..."
+cargo clippy --all-targets -- -D warnings
+
+echo "==> Running cargo test..."
+cargo test
+
+echo "==> Pre-push checks passed."
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Lint GitHub Actions
+        uses: rhysd/actionlint@v1
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
@@ -26,7 +28,7 @@ jobs:
       - name: Format
         run: cargo fmt -- --check
       - name: Clippy
-        run: cargo clippy -- -D warnings
+        run: cargo clippy --all-targets -- -D warnings
 
   security:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
@@ -18,21 +18,36 @@ env:
 
 jobs:
   eval:
-    if: ${{ secrets.OPENAI_API_KEY != '' }}
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
+      - name: Check eval secret
+        id: secret-check
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        run: |
+          if [ -n "${OPENAI_API_KEY}" ]; then
+            echo "configured=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "configured=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - uses: actions/checkout@v4
+        if: ${{ steps.secret-check.outputs.configured == 'true' }}
         with:
           fetch-depth: 0
 
       - uses: dtolnay/rust-toolchain@stable
+        if: ${{ steps.secret-check.outputs.configured == 'true' }}
       - uses: Swatinem/rust-cache@v2
+        if: ${{ steps.secret-check.outputs.configured == 'true' }}
 
       - name: Build current branch binary
+        if: ${{ steps.secret-check.outputs.configured == 'true' }}
         run: cargo build --release
 
       - name: Build baseline report from origin/main
+        if: ${{ steps.secret-check.outputs.configured == 'true' }}
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
         run: |
@@ -47,6 +62,7 @@ jobs:
             --output /tmp/eval-baseline.json
 
       - name: Run eval thresholds on current branch
+        if: ${{ steps.secret-check.outputs.configured == 'true' }}
         env:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
         run: |
@@ -64,17 +80,14 @@ jobs:
             --max-rule-f1-drop reliability.unwrap_panic=0.25
 
       - name: Upload eval reports
-        if: always()
+        if: ${{ always() && steps.secret-check.outputs.configured == 'true' }}
         uses: actions/upload-artifact@v4
         with:
           name: eval-reports
           path: |
             eval-current.json
             /tmp/eval-baseline.json
 
-  eval-skipped:
-    if: ${{ secrets.OPENAI_API_KEY == '' }}
-    runs-on: ubuntu-latest
-    steps:
       - name: Skip message
+        if: ${{ steps.secret-check.outputs.configured != 'true' }}
         run: echo "Skipping eval workflow because OPENAI_API_KEY secret is not configured."
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,11 +25,11 @@ jobs:
         
       - name: Extract version
         id: get_version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
         
       - name: Create Release
         id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ github.ref }}
           name: Release ${{ steps.get_version.outputs.VERSION }}
@@ -129,8 +129,8 @@ jobs:
       - name: Set up macOS cross-compilation
         if: matrix.os == 'macos-latest' && matrix.target == 'aarch64-apple-darwin'
         run: |
-          echo "SDKROOT=$(xcrun -sdk macosx --show-sdk-path)" >> $GITHUB_ENV
-          echo "MACOSX_DEPLOYMENT_TARGET=$(xcrun -sdk macosx --show-sdk-platform-version)" >> $GITHUB_ENV
+          echo "SDKROOT=$(xcrun -sdk macosx --show-sdk-path)" >> "$GITHUB_ENV"
+          echo "MACOSX_DEPLOYMENT_TARGET=$(xcrun -sdk macosx --show-sdk-platform-version)" >> "$GITHUB_ENV"
       
       - name: Build
         run: cargo build --release --target ${{ matrix.target }}
@@ -158,9 +158,9 @@ jobs:
           cd target/${{ matrix.target }}/release/
           if [ -f "${{ matrix.artifact_name }}" ]; then
             if [[ "$RUNNER_OS" == "macOS" ]]; then
-              shasum -a 256 ${{ matrix.artifact_name }} > ${{ matrix.asset_name }}.sha256
+              shasum -a 256 "${{ matrix.artifact_name }}" > "${{ matrix.asset_name }}.sha256"
             else
-              sha256sum ${{ matrix.artifact_name }} > ${{ matrix.asset_name }}.sha256
+              sha256sum "${{ matrix.artifact_name }}" > "${{ matrix.asset_name }}.sha256"
             fi
           else
             echo "Binary not found, build may have failed"
@@ -169,6 +169,7 @@ jobs:
           
       - name: Create checksum (Windows)
         if: matrix.os == 'windows-latest'
+        shell: pwsh
         run: |
           cd target/${{ matrix.target }}/release/
           (Get-FileHash -Algorithm SHA256 ${{ matrix.artifact_name }}).Hash + "  " + "${{ matrix.artifact_name }}" | Out-File -Encoding ASCII ${{ matrix.asset_name }}.sha256
@@ -195,6 +196,7 @@ jobs:
         if: matrix.os == 'windows-latest'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: pwsh
         run: |
           cd target/${{ matrix.target }}/release/
           # Upload binary
@@ -227,7 +229,7 @@ jobs:
 
       - name: Extract version from tag
         id: get_version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
       - name: Build and push Docker image
         id: build-and-push
diff --git a/README.md b/README.md
@@ -1002,6 +1002,16 @@ The summary includes:
 
 Contributions are welcome! Please open an issue first to discuss what you would like to change.
 
+### Local Development Checks
+
+Enable the repository-managed git hooks after cloning:
+
+```bash
+bash scripts/install-hooks.sh
+```
+
+The hooks validate GitHub Actions workflows and run `cargo fmt --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` before code leaves your machine. Install `actionlint` if you want full local workflow linting; otherwise the fallback check still blocks invalid `secrets.*` usage inside workflow `if:` expressions.
+
 ## Supported Platforms
 
 DiffScope provides pre-built binaries for the following platforms:
diff --git a/scripts/check-workflows.sh b/scripts/check-workflows.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+if [ ! -d ".github/workflows" ]; then
+    exit 0
+fi
+
+if command -v actionlint >/dev/null 2>&1; then
+    actionlint
+    exit 0
+fi
+
+python3 - <<'PY'
+from pathlib import Path
+import re
+import sys
+
+workflow_dir = Path(".github/workflows")
+paths = sorted(workflow_dir.glob("*.yml")) + sorted(workflow_dir.glob("*.yaml"))
+secret_if_pattern = re.compile(r"^\s*if:\s*\$\{\{\s*secrets\.", re.MULTILINE)
+
+failures = []
+for path in paths:
+    contents = path.read_text(encoding="utf-8")
+    if secret_if_pattern.search(contents):
+        failures.append(str(path))
+
+if failures:
+    print("ERROR: GitHub Actions does not allow the `secrets` context directly in `if:` expressions.")
+    print("Use a prior step to expose a boolean output instead.")
+    print("")
+    print("Affected workflow files:")
+    for path in failures:
+        print(f" - {path}")
+    print("")
+    print("Install `actionlint` for full local workflow lint coverage.")
+    sys.exit(1)
+PY
diff --git a/scripts/install-hooks.sh b/scripts/install-hooks.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+git config core.hooksPath .githooks
+chmod +x .githooks/pre-commit .githooks/pre-push
+
+echo "Installed repository git hooks from .githooks."
+echo "Pre-commit and pre-push will now run local workflow and Rust checks."
diff --git a/src/plugins/builtin/eslint.rs b/src/plugins/builtin/eslint.rs
@@ -7,6 +7,8 @@ use serde_json::Value;
 use std::collections::HashMap;
 use std::path::{Path, PathBuf};
 
+use super::path_utils::normalize_tool_path;
+
 pub struct EslintAnalyzer;
 
 impl EslintAnalyzer {
@@ -181,33 +183,6 @@ fn build_context_chunk(tool_name: &str, findings: &[AnalyzerFinding]) -> String
     format!("{tool_name} findings:\n{details}")
 }
 
-fn normalize_tool_path(repo_root: &Path, raw: &str) -> PathBuf {
-    let path = PathBuf::from(raw);
-    let relative = if path.is_absolute() {
-        path.strip_prefix(repo_root)
-            .map(|value| value.to_path_buf())
-            .unwrap_or(path)
-    } else {
-        path
-    };
-
-    normalize_relative_path(relative)
-}
-
-fn normalize_relative_path(path: PathBuf) -> PathBuf {
-    let mut normalized = PathBuf::new();
-    for component in path.components() {
-        match component {
-            std::path::Component::CurDir => {}
-            std::path::Component::ParentDir => {
-                normalized.pop();
-            }
-            other => normalized.push(other.as_os_str()),
-        }
-    }
-    normalized
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/src/plugins/builtin/mod.rs b/src/plugins/builtin/mod.rs
@@ -1,5 +1,6 @@
 mod duplicate_filter;
 mod eslint;
+mod path_utils;
 mod secret_scanner;
 mod semgrep;
 mod supply_chain;
diff --git a/src/plugins/builtin/path_utils.rs b/src/plugins/builtin/path_utils.rs
diff --git a/src/plugins/builtin/semgrep.rs b/src/plugins/builtin/semgrep.rs
