---
# Hook: validates the commit message once the editor has closed.
commit-msg:
  commands:
    lint-commit-msg:
      # `--yes` lets npx fetch commitlint on the fly when it is not already
      # installed in node_modules. NOTE(review): that resolves whatever
      # version the registry serves at hook time unless a lockfile/local
      # install pins it — confirm which applies in this repository.
      run: 'npx --yes commitlint --edit'
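# Hook: runs on every `git commit` against the staged files.
pre-commit:
  # Sequential on purpose: check-format-frontend (no glob, so it covers
  # .ts/.js/.vue too) and lint-frontend both rewrite the same files and both
  # end in `git add`; running them concurrently races on the file contents
  # and on .git/index.lock.
  parallel: false
  commands:
    secrets-audit:
      # Talisman scans the staged content for secret-like material and fails
      # the commit on a hit; the interactive mode lets the author review the
      # finding and record an accepted false positive.
      run: |
        talisman --githook pre-commit ||
          (echo "Verify the content and fix it with: talisman --githook pre-commit --interactive"; exit 1)
    check-format-frontend:
      # The formatter may rewrite staged files, so the result is re-staged.
      # NOTE(review): `git add <file>` stages the whole working-tree file, so a
      # partially staged file also picks up its unstaged hunks; lefthook's
      # `stage_fixed: true` is the usual alternative if the lefthook version
      # in use supports it — confirm before switching.
      run: npm run --silent prettier:fix {staged_files} && git add {staged_files}
    lint-frontend:
      glob: "*.{ts,js,vue}"
      # eslint --fix may also rewrite files; same re-staging caveat as above.
      run: npm run --silent eslint:fix {staged_files} && git add {staged_files}
    typecheck-frontend:
      glob: "*.{ts,vue}"
      # Type-checking never modifies files, so there is nothing to re-stage;
      # the previous trailing `git add {staged_files}` only risked staging
      # unrelated working-tree hunks of partially staged files.
      run: npm run --silent typecheck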
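# Hook: runs after the commit object exists. Git ignores a post-commit hook's
# exit status, so a failure here cannot undo the commit — lefthook only prints
# fail_text telling the author how to fix up and amend.
post-commit:
  commands:
    secrets-checksum-test:
      tags: security
      skip:
        - rebase
      fail_text: |
        This commit has touched files which are known to include false positives of the secret scanner.
        It does not mean you have introduced new secrets, but these are "old" reports.
        But due to the file content change, the checksum Talisman is using for the verification has changed too.
        Please double check the reported file(s) and update their checksums in the `.talismanrc` file.
        Afterwards, stage the file and amend this commit which was just created with `git commit --amend --no-edit`.
      run: |
        # Feed Talisman the "<local ref> <local sha> <remote ref> <remote sha>"
        # line git hands to a pre-push hook, so it checks the commits that are
        # not yet on the upstream branch (including the one just created).
        local_reference=$(git rev-parse --symbolic-full-name HEAD)
        local_object_name=$(git rev-parse HEAD)
        # Strong assumption that we run after the commit has been created (not before)!
        # Upstream of the current branch; empty on a detached HEAD or when no
        # upstream is configured.
        remote_reference=$(git branch --format="%(upstream)" --list "$(git rev-parse --abbrev-ref HEAD)")
        # `--verify --quiet` yields an empty string when the upstream ref is not
        # known locally; a plain `git rev-parse` would echo the ref name back
        # (plus an error), so the all-zero fallback below was never reached in
        # that case and Talisman received a ref name instead of a sha.
        remote_object_name=""
        if [ -n "$remote_reference" ]; then
          remote_object_name=$(git rev-parse --verify --quiet "$remote_reference")
        fi
        # All-zero sha/ref is git's own convention for "no remote side".
        all_zeros=0000000000000000000000000000000000000000
        echo "$local_reference" \
          "$local_object_name" \
          "${remote_reference:-$all_zeros}" \
          "${remote_object_name:-$all_zeros}" \
          | talisman --githook pre-push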
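# Hook: runs before `git push`; any non-zero exit aborts the push.
pre-push:
  # The three commands touch no shared files and do not modify the index, so
  # running them in parallel is safe.
  parallel: true
  commands:
    licenses-audit-frontend:
      root: frontend/
      # stdout is discarded on purpose; the exit status (and stderr) carry the
      # result.
      run: npm run audit:licenses > /dev/null;
    secrets-audit:
      # Same ref/sha line Talisman expects from git's pre-push hook; kept in
      # sync with the post-commit secrets-checksum-test script by hand
      # (no YAML anchor, so each hook stands on its own).
      run: |
        local_reference=$(git rev-parse --symbolic-full-name HEAD)
        local_object_name=$(git rev-parse HEAD)
        # Strong assumption that we run after the commit has been created (not before)!
        remote_reference=$(git branch --format="%(upstream)" --list "$(git rev-parse --abbrev-ref HEAD)")
        # `--verify --quiet` yields an empty string when the upstream ref is not
        # known locally, so the all-zero fallback below is actually taken
        # instead of passing the echoed ref name to Talisman as a sha.
        remote_object_name=""
        if [ -n "$remote_reference" ]; then
          remote_object_name=$(git rev-parse --verify --quiet "$remote_reference")
        fi
        all_zeros=0000000000000000000000000000000000000000
        echo "$local_reference" \
          "$local_object_name" \
          "${remote_reference:-$all_zeros}" \
          "${remote_object_name:-$all_zeros}" \
          | talisman --githook pre-push
    check-pipeline-status:
      only:
        - ref: main
      run: |
        # Fails open by design: without the gh CLI this check is skipped
        # entirely. Redirect order fixed — the former `2>&1 >/dev/null` sent
        # the "not found" message to the terminal instead of discarding it.
        command -v gh >/dev/null 2>&1 || exit 0
        # Conclusion of the most recent *completed* run of pipeline.yml on main.
        conclusion="$(
          gh run list --branch main --workflow pipeline.yml --json conclusion,status \
            --jq '[.[] | select(.status=="completed")][0].conclusion' \
        )"
        # POSIX `[` instead of `[[` — NOTE(review): lefthook appears to run
        # commands via `sh -c`, under which `[[` is not guaranteed to exist and
        # a failed test would have silently let the push through; confirm the
        # shell lefthook uses in this setup. A "null"/empty conclusion (gh
        # error, no completed run yet) also blocks the push: fail closed.
        if [ "$conclusion" != "success" ]; then
          echo "The last completed pipeline run has failed!"
          echo "If you intend to fix the pipeline use '--no-verify', BUT ONLY IF all other hooks are okay."
          exit 1
        fi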