# .pre-commit-config.yaml
#
# Hook revisions below are pinned by tag. A tag is a mutable ref on the
# upstream repository; `pre-commit autoupdate --freeze` records the commit
# SHA instead. Refresh the pins periodically with `pre-commit autoupdate`.
minimum_pre_commit_version: "4.4.0"
# `pre-commit install` sets up both hook types, so the hooks that are
# limited to the pre-push stage further down actually run on push.
default_install_hook_types:
- pre-commit
- pre-push
repos:
# Baseline hygiene: quick, stable checks from the upstream hook collection.
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v6.0.0
  hooks:
  - id: check-merge-conflict
  - id: check-yaml
    # --unsafe switches to a syntax-only parse, which accepts custom tags
    # and other constructs that the default safe load rejects. Passing this
    # hook therefore says nothing about whether a file is safe to load with
    # a full YAML loader.
    args:
    - "--unsafe"
    # Fixtures skipped by the check; judging by their names they are
    # intentionally broken YAML.
    exclude: |
      (?x)^(
      tests/fixtures/mcp/malformed\.yaml|
      tests/fixtures/golden/eval_broken\.yaml
      )$
  - id: check-toml
  - id: end-of-file-fixer
  - id: trailing-whitespace
# GitGuardian secret scanning. Needs GITGUARDIAN_API_KEY in the environment.
# Bound to the manual stage only, so it never runs on commit or push; it has
# to be invoked explicitly: `pre-commit run --hook-stage manual ggshield`.
# NOTE(review): no hook in this file scans for secrets automatically;
# confirm that CI or server-side scanning covers that.
- repo: https://github.com/gitguardian/ggshield
  rev: v1.47.0
  hooks:
  - id: ggshield
    language_version: python3
    stages:
    - manual
# --- Remote tooling hooks ---
# typos: source spell checker, configured by .typos.toml.
- repo: https://github.com/crate-ci/typos
  rev: v1.42.1
  hooks:
  - id: typos
    types_or:
    - text
    # --force-exclude keeps the config's exclude list in effect even for
    # files that pre-commit passes explicitly on the command line.
    args:
    - "--config"
    - ".typos.toml"
    - "--force-exclude"
# actionlint: static checks, limited to GitHub Actions workflow files.
- repo: https://github.com/rhysd/actionlint
  rev: v1.7.10
  hooks:
  - id: actionlint
    files: '^\.github/workflows/.*\.ya?ml$'
    args:
    - "-config-file"
    - ".github/actionlint.yaml"
# shellcheck for shell scripts. Runs the binary found on the host PATH
# instead of a downloaded one (avoids SSL/download issues). The trade-off:
# the shellcheck version is whatever each machine has installed and is not
# pinned by this file, so findings can differ between machines.
- repo: local
  hooks:
  - id: shellcheck
    name: shellcheck
    language: system
    entry: shellcheck
    # -x: follow sourced files; -S warning: report warning severity and up.
    args:
    - "-x"
    - "-S"
    - "warning"
    types:
    - shell
# --- Rust: formatting on commit (fast); clippy and the Linux gate on push ---
# Every hook here uses `language: system`: cargo and its subcommands
# (cargo-deny, cargo-audit) come from the developer's machine and are not
# installed or version-pinned by pre-commit.
- repo: local
  hooks:
  - id: cargo-fmt
    name: cargo fmt --check
    language: system
    # bash -l starts a login shell, presumably so that cargo is on PATH
    # via the user's profile.
    entry: bash -lc 'cargo fmt --all -- --check'
    types_or:
    - rust
    always_run: true
    pass_filenames: false

  # --- Dependency security (shift-left) ---
  - id: cargo-deny
    name: cargo deny (advisories, licenses, bans, sources)
    language: system
    entry: bash -lc 'cargo deny check advisories bans licenses sources'
    pass_filenames: false
    # Triggered only by manifest, lockfile or deny.toml changes, which
    # keeps unrelated commits quiet.
    files: '^(Cargo\.lock|Cargo\.toml|crates/.*/Cargo\.toml|deny\.toml)$'
    stages:
    - pre-commit

  - id: cargo-audit
    name: cargo audit (RustSec)
    language: system
    entry: bash -lc 'cargo audit'
    pass_filenames: false
    # Fires only when a push touches Cargo.lock. An advisory published
    # later against an unchanged lockfile is not caught by this hook.
    # NOTE(review): confirm CI also runs cargo audit on a schedule.
    files: '^Cargo\.lock$'
    stages:
    - pre-push

  - id: cargo-clippy
    name: cargo clippy (workspace, deny warnings)
    language: system
    # Repo-local wrapper script; its contents are not shown in this file.
    entry: scripts/precommit/cargo-clippy.sh
    pass_filenames: false
    stages:
    - pre-push

  - id: linux-check
    name: linux compile gate (target/multipass)
    language: system
    # Default mode is cross-compile only (ASSAY_LINUX_CHECK_MODE=target),
    # bounded by a timeout so pre-push does not hang:
    # ASSAY_LINUX_TARGET_TIMEOUT=300 by default. Switch to multipass
    # (presumably via ASSAY_LINUX_CHECK_MODE) for full VM clippy.
    entry: bash scripts/ci/check-linux.sh
    pass_filenames: false
    stages:
    - pre-push