|
| 1 | +# .pre-commit-config.yaml — DevRail pre-commit hooks |
| 2 | +# |
| 3 | +# Fast-local hooks only. Full scanning runs in CI via `make check`. |
| 4 | +# |
| 5 | +# Hook strategy: All language hooks are included. Hooks that match no staged |
| 6 | +# files have zero runtime cost. This eliminates the need for a config-generation |
| 7 | +# step based on .devrail.yml — hooks naturally only fire for matching file types. |
| 8 | +# |
| 9 | +# Performance budget: All hooks must complete within 30 seconds total on a |
| 10 | +# typical changeset (< 50 files). |
| 11 | +# |
| 12 | +# Fast-local vs slow-CI split: |
| 13 | +# LOCAL (this file): ruff, shellcheck, shfmt, terraform fmt, tflint, |
| 14 | +# ansible-lint, conventional-commits, gitleaks, terraform-docs |
| 15 | +# CI ONLY (make check): bandit, semgrep, tfsec, checkov, pytest, bats, |
| 16 | +# terratest, trivy, molecule |
| 17 | + |
| 18 | +repos: |
| 19 | + # --- Conventional Commits (Story 4.1) --- |
| 20 | + # Validates commit message format: type(scope): description |
| 21 | + # Runs on commit-msg stage, not pre-commit stage |
| 22 | + - repo: https://github.com/devrail-dev/pre-commit-conventional-commits |
| 23 | + rev: v1.0.0 |
| 24 | + hooks: |
| 25 | + - id: conventional-commits |
| 26 | + |
| 27 | + # --- Python: ruff lint + format (Story 4.2) --- |
| 28 | + # Ruff replaces flake8, isort, and black in a single tool. |
| 29 | + # Typically < 1 second for staged files. |
| 30 | + # Triggers on: .py files (declared via types_or: [python]) |
| 31 | + # .devrail.yml language: python |
| 32 | + - repo: https://github.com/astral-sh/ruff-pre-commit |
| 33 | + rev: v0.8.6 |
| 34 | + hooks: |
| 35 | + - id: ruff |
| 36 | + name: ruff check |
| 37 | + - id: ruff-format |
| 38 | + name: ruff format check |
| 39 | + args: [--check] |
| 40 | + |
| 41 | + # --- Bash: shellcheck (Story 4.2) --- |
| 42 | + # Static analysis for shell scripts. |
| 43 | + # Triggers on: shell scripts (types: [shell]) |
| 44 | + # .devrail.yml language: bash |
| 45 | + - repo: https://github.com/shellcheck-py/shellcheck-py |
| 46 | + rev: v0.10.0.1 |
| 47 | + hooks: |
| 48 | + - id: shellcheck |
| 49 | + |
| 50 | + # --- Bash: shfmt (Story 4.2) --- |
| 51 | + # Consistent formatting for shell scripts. |
| 52 | + # Triggers on: shell scripts (types: [shell]) |
| 53 | + # .devrail.yml language: bash |
| 54 | + - repo: https://github.com/scop/pre-commit-shfmt |
| 55 | + rev: v3.10.0-1 |
| 56 | + hooks: |
| 57 | + - id: shfmt |
| 58 | + args: [--diff] |
| 59 | + |
| 60 | + # --- Terraform: fmt + tflint + docs (Stories 4.2, 4.3) --- |
| 61 | + # terraform_fmt: Canonical formatting for .tf files |
| 62 | + # terraform_tflint: Terraform-specific linting rules |
| 63 | + # terraform_docs: Auto-generates README with inputs/outputs/resources |
| 64 | + # Triggers on: .tf files |
| 65 | + # .devrail.yml language: terraform |
| 66 | + - repo: https://github.com/antonbabenko/pre-commit-terraform |
| 67 | + rev: v1.96.3 |
| 68 | + hooks: |
| 69 | + - id: terraform_fmt |
| 70 | + - id: terraform_tflint |
| 71 | + - id: terraform_docs |
| 72 | + args: |
| 73 | + - --hook-config=--path-to-file=README.md |
| 74 | + - --hook-config=--add-to-existing-file=true |
| 75 | + |
| 76 | + # --- Ansible: lint (Story 4.2) --- |
| 77 | + # Playbook and role linting. |
| 78 | + # Triggers on: Ansible YAML files (playbooks, roles, tasks) |
| 79 | + # .devrail.yml language: ansible |
| 80 | + - repo: https://github.com/ansible/ansible-lint |
| 81 | + rev: v24.12.2 |
| 82 | + hooks: |
| 83 | + - id: ansible-lint |
| 84 | + |
| 85 | + # --- Secrets: gitleaks (Story 4.3) --- |
| 86 | + # Scans staged files for secrets, API keys, and credentials. |
| 87 | + # Runs on EVERY commit regardless of language — secrets can appear in any file. |
| 88 | + # This is on the local side of the fast-local / slow-CI split because once a |
| 89 | + # secret is pushed, the damage is done. |
| 90 | + # |
| 91 | + # False positive handling: |
| 92 | + # - Create .gitleaksignore in repo root with SHA hashes of allowed findings |
| 93 | + # - Or use inline `# gitleaks:allow` comment on the line with the false positive |
| 94 | + - repo: https://github.com/gitleaks/gitleaks |
| 95 | + rev: v8.21.2 |
| 96 | + hooks: |
| 97 | + - id: gitleaks |
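Review bot: The conventional-commits hook (file lines 19–25) is described as running on the commit-msg stage, but a plain `pre-commit install` only installs the pre-commit hook type, so for any developer who does not also run `pre-commit install --hook-type commit-msg` the message check silently never fires; add `default_install_hook_types: [pre-commit, commit-msg]` at the top level next to `repos:` so the standard install wires both stages. Whether the hook itself declares `stages: [commit-msg]` depends on the upstream repo's `.pre-commit-hooks.yaml`, which is not visible here — if it does not, the entry also needs `stages: [commit-msg]`. Separately, every `rev:` in the file is a git tag, which the upstream can move; since these hooks execute third-party code on each developer's machine and gitleaks is the control that keeps secrets out of history, pinning `rev:` to a full commit SHA (pre-commit accepts either form) would make the hook versions immutable. Minor: `.gitleaksignore` entries are finding fingerprints (commit, path, rule id and line number), not "SHA hashes", so the false-positive guidance at file lines 91–93 should say `fingerprints of allowed findings`.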