.pre-commit-config.yaml
# Pre-commit hooks configuration
# See https://pre-commit.com for more information
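repos:
# GitGuardian secret scanning on both the commit and the push stage.
# ggshield publishes one hook id per stage: `ggshield` scans the staged
# changes, `ggshield-push` scans the commits that are about to be pushed.
# Running the `ggshield` id at pre-push would only re-scan the (normally
# empty) index, so commits created with hooks skipped would reach the remote
# unscanned.
# NOTE(review): confirm `ggshield-push` is present in the hook manifest at the
# pinned rev.
# NOTE(review): `rev` is a tag, which can be re-pointed upstream; pinning to
# the full commit SHA (e.g. `pre-commit autoupdate --freeze`) removes that
# supply-chain exposure.
- repo: https://github.com/GitGuardian/ggshield
  rev: v1.25.0
  hooks:
  - id: ggshield
    language_version: python3
    stages: [pre-commit]
  - id: ggshield-push
    language_version: python3
    stages: [pre-push]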
# Local safety checks - prevent commits and pushes to upstream organization
# repos. Both hooks execute scripts that live in this repository
# (`language: system`), so a change under scripts/ changes what the guard
# does; review those files like any other security-relevant code.
# Client-side hooks can be skipped by the committer, so server-side branch
# protection remains the enforcing control.
- repo: local
  hooks:
  # Commit-time guard. The one-liner resolves the repository root, sources
  # scripts/config-loader.sh when it exists, then sources
  # scripts/safety-checks.sh and calls block_upstream_commit (presumably
  # defined by safety-checks.sh - confirm).
  # NOTE(review): the guard fails open. When scripts/safety-checks.sh is
  # missing, the `else exit 0` branch runs and the commit proceeds unchecked.
  # NOTE(review): output from sourcing both scripts goes to /dev/null, so a
  # script that errors while being sourced fails the hook without a message.
  - id: block-upstream-commit
    name: Block commits to upstream organization
    entry: bash -c 'REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null)" && if [ -z "$REPO_ROOT" ]; then exit 0; fi && SCRIPT_DIR="$REPO_ROOT/scripts" && LEARNING_DIR="$REPO_ROOT" && if [ -f "$SCRIPT_DIR/config-loader.sh" ]; then source "$SCRIPT_DIR/config-loader.sh" >/dev/null 2>&1; fi && if [ -f "$SCRIPT_DIR/safety-checks.sh" ]; then source "$SCRIPT_DIR/safety-checks.sh" >/dev/null 2>&1 && block_upstream_commit; else exit 0; fi'
    language: system
    # Repository-level check: no file list is passed and it runs on every commit.
    pass_filenames: false
    always_run: true
    stages: [pre-commit]
  # Push-time guard. The logic lives in the referenced script, which is not
  # shown in this file.
  - id: block-upstream-push
    name: Block pushes to upstream organization
    entry: scripts/block-upstream-push-hook.sh
    language: system
    pass_filenames: false
    always_run: true
    stages: [pre-push]
# General-purpose file hygiene checks from the pre-commit project.
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v4.5.0
  hooks:
  - id: trailing-whitespace
    args:
    - --markdown-linebreak-ext=md
  - id: end-of-file-fixer
  - id: check-yaml
    # --unsafe switches to a syntax-only parse so files using custom YAML
    # tags are accepted; the documents are not loaded.
    args:
    - --unsafe
  - id: check-json
  - id: check-added-large-files
    args:
    - --maxkb=1000
  - id: check-merge-conflict
  - id: check-case-conflict
  - id: check-toml
  - id: mixed-line-ending
    args:
    - --fix=lf
  # Coarse credential checks that complement the dedicated secret scanners
  # configured elsewhere in this file.
  - id: detect-private-key
  # NOTE(review): this hook looks for the AWS keys configured on the
  # committer's own machine rather than for AWS key patterns in general, and
  # by default it fails when no credentials are configured
  # (`--allow-missing-credentials` relaxes that) - confirm this is intended.
  - id: detect-aws-credentials
# ShellCheck for shell scripts.
- repo: https://github.com/shellcheck-py/shellcheck-py
  rev: v0.9.0.6
  hooks:
  - id: shellcheck
    # SC1091 is excluded and only error-severity findings are reported, so
    # warning- and lower-severity findings never block a commit.
    args:
    - -e
    - SC1091
    - --severity=error
# Markdown linting.
- repo: https://github.com/igorshubovych/markdownlint-cli
  rev: v0.38.0
  hooks:
  - id: markdownlint
    # --fix rewrites files in place; MD013 and MD033 are disabled so long
    # lines and inline HTML are allowed.
    args:
    - --fix
    - --disable
    - MD013
    - MD033
# YAML linting, configured by the repository's .yamllint.yml.
- repo: https://github.com/adrienverge/yamllint
  rev: v1.33.0
  hooks:
  - id: yamllint
    args:
    - -c=.yamllint.yml
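# detect-secrets (separate repo), compared against a committed baseline.
# Findings recorded in .secrets.baseline are treated as already known, so
# changes to that file deserve the same review as changes to the scanner
# configuration.
- repo: https://github.com/Yelp/detect-secrets
  rev: v1.4.0
  hooks:
  - id: detect-secrets
    args: ['--baseline', '.secrets.baseline']
    # Skip only the baseline file itself. The dot in `secrets.baseline` is
    # escaped so the pattern cannot match other file names, which would then
    # silently go unscanned.
    # NOTE(review): indentation was lost in this listing; `exclude` is placed
    # at hook level, matching detect-secrets' documented usage - confirm.
    exclude: ^(.*/)?(secrets\.baseline|\.secrets\.baseline)$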