# Lefthook configuration: the git hooks for this repository.
#
# NOTE(review): these hooks run on the contributor's machine and can be
# skipped (`git commit --no-verify`, `git push --no-verify`, `LEFTHOOK=0`).
# Treat them as fast local feedback; any check that must hold should also be
# enforced in CI.

# Oldest lefthook release allowed to load this file. Quoted so the value is
# always read as a string.
min_version: "2.1.6"

# Fail the hook when the lefthook executable cannot be found, instead of
# letting the checks below be skipped silently.
assert_lefthook_installed: true

# Glob engine used by every `glob:` filter in this file.
glob_matcher: doublestar

# Sections of lefthook's own output that are printed.
output:
  - meta
  - summary
  - failure
  - execution_info

# Reusable snippets: `{pnpm}` inside a `run:` expands to `pnpm exec`.
templates:
  pnpm: pnpm exec
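# pre-commit: lint and consistency checks run before a commit is created.
# Each job carries a `glob:` filter and a `fail_text` shown when it fails.
#
# NOTE(review): with `parallel: true` the `priority` values presumably have no
# effect on ordering — confirm against the lefthook docs.
pre-commit:
  parallel: true
  jobs:
    # Lint/format the staged files with biome and re-stage whatever it fixed.
    # The glob needs the `**/` prefix: this file sets `glob_matcher:
    # doublestar`, where a bare `*` does not cross `/`, so `*.{…}` would only
    # cover files in the repository root. The banned-strings job below already
    # uses the `**/` form.
    - name: biome
      glob: "**/*.{ts,tsx,js,jsx,json,jsonc}"
      run: pnpm exec biome check --write --no-errors-on-unmatched {staged_files}
      stage_fixed: true
      priority: 1
      fail_text: "biome check failed — fix the lint errors above, then re-stage."

    # Run the repository's banned-strings script when a matching source,
    # docs or config file is staged. The script receives no file list here.
    - name: banned-strings
      run: bash scripts/check-banned-strings.sh
      glob: "**/*.{ts,tsx,js,jsx,md,yaml,yml,json}"
      priority: 2
      fail_text: "banned-strings check failed — see scripts/check-banned-strings.sh."

    # Fail the commit when pnpm-lock.yaml no longer matches the manifests.
    # NOTE(review): this glob has no `**/`, so only the root package.json
    # triggers the check; a change to a workspace package's package.json
    # would not — confirm that is intended.
    - name: pnpm-lock-sync
      run: "pnpm install --frozen-lockfile --lockfile-only"
      glob: "{pnpm-lock.yaml,package.json,pnpm-workspace.yaml}"
      priority: 3
      fail_text: "pnpm-lock is stale — run 'pnpm install' then re-stage."

    # Check staged GitHub workflow files with the repository's script, which
    # per the message below rejects workflows that cache build output (dist/).
    - name: no-dist-cache
      run: bash scripts/check-no-dist-cache.sh
      glob: ".github/workflows/*.{yml,yaml}"
      priority: 4
      fail_text: "a workflow caches build output — see scripts/check-no-dist-cache.sh (never cache dist/)."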
# commit-msg: validate the commit message before the commit is recorded.
commit-msg:
  jobs:
    # `{1}` is the first argument git passes to the hook, i.e. the path of
    # the file holding the commit message.
    - name: commitlint
      run: pnpm exec commitlint --edit {1}
      fail_text: "Commit message is not conventional — see commitlint.config.mjs for rules."
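# pre-push: type checking, tests and the codehub verdict gate. Every job is
# skipped during a merge or rebase.
pre-push:
  parallel: true
  jobs:
    - name: typecheck
      # Exclude @opencodehub/docs — its astro/starlight virtual modules
      # (`astro:content`, `*.jsonc?raw`) only resolve after `astro sync`, so a
      # bare `tsc --noEmit` always errors on vendored types. This matches the
      # `mise run typecheck` task and ci.yml's typecheck lane (both filter docs
      # out); without the filter the hook and its own reproduce-instruction
      # disagree.
      run: pnpm --filter '!@opencodehub/docs' -r exec tsc --noEmit
      skip:
        - merge
        - rebase
      # Files being pushed; falls back to the last commit's files when the
      # `@{push}` ref cannot be resolved.
      files: "git diff --name-only @{push} HEAD || git diff --name-only HEAD~"
      fail_text: "tsc --noEmit failed — run 'mise run typecheck' to reproduce."

    - name: test
      run: pnpm -r test
      skip:
        - merge
        - rebase
      files: "git diff --name-only @{push} HEAD || git diff --name-only HEAD~"
      fail_text: "tests failed — run 'mise run test' locally before pushing."

    # Guard the verdict gate on a present index so the hook degrades
    # gracefully on dev boxes that haven't run `codehub analyze` yet —
    # mirrors the SKIP behaviour of scripts/pack-determinism-audit.sh.
    # Index path is the single-file `store.sqlite` (ADR 0019).
    #
    # The verdict CLI exit ladder is 0=auto_merge, 1=single_review,
    # 2=dual_review/expert_review, 3=block. Tiers 0-2 are review-routing
    # advice, not a push blocker — a routine multi-community change is a
    # legitimate `dual_review` and must still be pushable. A hard `block`
    # (exit 3, e.g. a policy violation) fails the push.
    #
    # Any exit code above the ladder (for example 127 when the command is not
    # found) means no verdict was produced. That case is refused as well, so
    # a broken or missing tool is never reported as "advisory — push allowed".
    # NOTE(review): if the CLI can also exit 1 or 2 on an internal error, that
    # still passes as an advisory tier here — confirm.
    #
    # `origin/main` is the local remote-tracking ref, so the comparison base
    # is only as fresh as the last fetch.
    - name: verdict
      run: |
        if [ ! -f .codehub/store.sqlite ]; then
          echo "verdict skipped: no .codehub/store.sqlite (run 'mise run och:self-analyze' first)"
          exit 0
        fi
        set +e
        {pnpm} codehub verdict --base origin/main --head HEAD
        code=$?
        set -e
        if [ "$code" -eq 3 ]; then
          echo "verdict: BLOCK (exit 3) — push refused. Resolve the blocking finding above."
          exit 1
        fi
        if [ "$code" -gt 3 ]; then
          echo "verdict: unexpected exit $code — the verdict command did not complete; push refused."
          exit 1
        fi
        echo "verdict: advisory tier (exit $code) — push allowed."
        exit 0
      skip:
        - merge
        - rebase
      fail_text: "codehub verdict returned BLOCK or did not complete — see the output above (run 'mise run och:self-verdict' to reproduce)."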