eclipse-opensovd · alexmohr · Jun 1, 2026 · May 12, 2026 · May 29, 2026 · May 29, 2026
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: Apache-2.0
-# SPDX-FileCopyrightText: 2025 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -18,58 +18,54 @@ on:
   workflow_dispatch:
   workflow_call:
     inputs:
-      rust-nightly-version:
-        description: 'Rust nightly version to use (YYYY-MM-DD), defaults to 2025-07-14 if not set'
+      rust-toolchain:
+        description: 'Rust toolchain to install (e.g. "stable", "nightly-2025-07-14")'
         required: false
         type: string
-      python-version:
-        description: 'Python version to use for pre-commit environment'
-        required: false
-        type: string
-      pre-commit-config-path:
-        description: 'Path to a custom .pre-commit-config.yml in the consumer repository'
-        required: false
-        type: string
-      copyright-text:
-        description: 'Copyright holder text for reuse annotate, defaults to "The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)"'
-        required: false
-        type: string
-      license:
-        description: 'SPDX license identifier for reuse annotate (e.g. "Apache-2.0"), defaults to "Apache-2.0"'
-        required: false
-        type: string
-      reuse-template:
-        description: 'Name of reuse Jinja2 template in .reuse/templates/ (without .jinja2 suffix), defaults to "opensovd"'
-        required: false
-        type: string
-      no-unicode-extensions:
-        description: 'Comma-separated file extensions to check for non-ASCII characters (e.g., ".py,.rs"). Empty string disables the check.'
-        required: false
-        type: string
-      allowed-unicode-chars:
-        description: 'Comma-separated Unicode characters to allow in the no-unicode check. Empty by default.'
+        default: 'stable'
+      go-version:
+        description: 'Go version for gitleaks hook'
         required: false
         type: string
+        default: '1.25'
 
 permissions:
   contents: read
 
 jobs:
   checks:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: false
+          fetch-depth: 0
+      - name: Pin cicd-workflows rev to current SHA
+        shell: bash
+        run: |
+          sed -i "s|rev: CICD_WORKFLOWS_HEAD_SHA|rev: $(git rev-parse HEAD)|" .pre-commit-config.yaml
+          git add .pre-commit-config.yaml
       - name: Run checks
         uses: ./pre-commit-action
         with:
-          rust-nightly-version: ${{ inputs.rust-nightly-version }}
-          python-version: ${{ inputs.python-version }}
-          config-path: ${{ inputs.pre-commit-config-path }}
-          copyright-text: ${{ inputs.copyright-text }}
-          license: ${{ inputs.license }}
-          reuse-template: ${{ inputs.reuse-template }}
-          no-unicode-extensions: ${{ inputs.no-unicode-extensions || '.py,.yml,.toml,.jinja2' }}
-          allowed-unicode-chars: ${{ inputs.allowed-unicode-chars }}
+          rust-toolchain: ${{ inputs.rust-toolchain }}
+          go-version: ${{ inputs.go-version }}
+
+      - name: Validate commit subjects (Conventional Commits)
+        if: github.event_name == 'pull_request'
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          set -euo pipefail
+          fail=0
+          for sha in $(git rev-list "$BASE_SHA..$HEAD_SHA"); do
+            git log -1 --format=%B "$sha" > /tmp/commit-msg
+            if ! prek run --hook-stage commit-msg \
+                --commit-msg-filename /tmp/commit-msg conventional-pre-commit; then
+              echo "::error::Non-conventional commit subject: $(git log -1 --format='%h %s' "$sha")"
+              fail=1
+            fi
+          done
+          exit "$fail"
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,6 @@
 .idea/
 .vscode/
 .DS_Store
+.venv/
+uv.lock
+__pycache__/
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+default: true
+MD013:
+  line_length: 1000
+MD024:
+  siblings_only: true
+MD033: false
+MD060: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,63 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+
+default_install_hook_types: [pre-commit, commit-msg]
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-yaml
+      - id: check-toml
+      - id: check-json
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+        exclude: '\.lock$'
+      - id: trailing-whitespace
+        exclude: '\.(patch|diff|lock)$'
+      - id: mixed-line-ending
+        exclude: '\.lock$'
+  - repo: https://github.com/google/yamlfmt
+    rev: v0.21.0
+    hooks:
+      - id: yamlfmt
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.48.0
+    hooks:
+      - id: markdownlint
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.12
+    hooks:
+      - id: ruff-check
+      - id: ruff-format
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.30.1
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+      - id: shellcheck
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v4.4.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+  - repo: https://github.com/eclipse-opensovd/cicd-workflows
+    # prek does not support `repo: self` or `repo: local`, so this repo must
+    # reference itself by URL with an explicit rev. The CI workflow (checks.yml)
+    # patches this sentinel to the actual HEAD SHA before running prek. For
+    # local runs, set this to the desired commit SHA (branch names not allowed).
+    rev: CICD_WORKFLOWS_HEAD_SHA
+    hooks:
+      - id: reuse-annotate
+      - id: no-unicode-check
+      - id: no-banner-comment-check
+      - id: check-hooks
diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -0,0 +1,62 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+- id: reuse-annotate
+  name: Add missing license headers (REUSE)
+  entry: pre-commit-action/reuse-annotate-hook.py
+  language: script
+  pass_filenames: true
+  exclude: ^(LICENSE|NOTICE|CONTRIBUTORS)$
+  args:
+    - --copyright=The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+    - --license=Apache-2.0
+    - --template=opensovd
+
+- id: no-unicode-check
+  name: No Unicode characters allowed
+  entry: pre-commit-action/no-unicode-check.py
+  language: script
+  pass_filenames: true
+  files: '\.(rs|py|toml|yml|yaml|rst|c|h|kt|kts|sh|proto|fbs|puml|json|xml)$|^Dockerfile$'
+
+- id: no-banner-comment-check
+  name: No banner-style comments allowed
+  entry: pre-commit-action/no-banner-comment-check.py
+  language: script
+  pass_filenames: true
+  files: '\.(rs|py|toml|yml|yaml|c|h|kt|kts|sh|proto|fbs|puml|json|xml)$|^Dockerfile$'
+  args:
+    - --banner-chars==\-#\*/~_+
+    - --min-length=5
+
+- id: validate-cargo-lints
+  name: Validate Cargo Lints
+  entry: shared-lints/check_cargo_lints.py Cargo.toml
+  language: script
+  types: [rust]
+  pass_filenames: false
+
+- id: check-hooks
+  name: Validate hook configuration
+  entry: pre-commit-action/check-hooks-installed.py
+  language: script
+  always_run: true
+  pass_filenames: false
+
+- id: cargo-fmt
+  name: Rust format (shared config)
+  entry: shared-config/cargo-fmt.sh
+  language: script
+  pass_filenames: false
+
+- id: clippy
+  name: Clippy (shared config)
+  entry: shared-config/cargo-clippy.sh
+  language: script
+  pass_filenames: false
diff --git a/.yamlfmt b/.yamlfmt
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+formatter:
+  type: basic
+  retain_line_breaks_single: true
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,50 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+SPDX-FileCopyrightText: 2026 The Contributors to Eclipse OpenSOVD (see CONTRIBUTORS)
+
+See the NOTICE file(s) distributed with this work for additional
+information regarding copyright ownership.
+
+This program and the accompanying materials are made available under the
+terms of the Apache License Version 2.0 which is available at
+https://www.apache.org/licenses/LICENSE-2.0
+-->
+
+# AI Agent Guidelines
+
+Guidance for AI coding assistants working in this repository.
+
+## Do Not Generate Banner Comments
+
+Do not generate banner-style decorative comments such as repeated `=` or `-` lines.
+They add noise and will be rejected by the `no-banner-comment-check` hook.
+
+Prefer clear names, small modules, and well-structured functions instead.
+
+## Code Style
+
+### Python
+
+- Line length: 100 characters
+- Formatter: `ruff format`
+- Linter: `ruff check` with rules from `shared-config/ruff.toml`
+
+### Rust
+
+- Formatter: `cargo fmt` with `shared-config/.rustfmt.toml`
+- Linter: `cargo clippy --all-features --all-targets -- -D warnings`
+- Max line width: 100 characters
+
+### Shell
+
+- Shell scripts must pass `shellcheck`
+
+## License Headers (REUSE/SPDX)
+
+Every source file must include SPDX license headers. For Markdown files like this one, use an HTML comment block.
+
+Do not remove or alter SPDX headers added by `reuse-annotate`.
+
+## Sharing With Consumer Repos
+
+Consumer repositories may copy or adapt this file for their own agent guidance. There is no automated distribution mechanism yet; keep copies in sync manually or reference a pinned canonical version.