chore: implement pre lint auto-fix pipeline

Related: AAP-64628

Author: ssbarnea

.github/workflows/pre.yml

@@ -0,0 +1,59 @@
+---
+name: pre
+on:
+  merge_group:
+    branches: ["main", "devel/*"]
+  push:
+    branches: ["main", "devel/*"]
+    tags:
+      - "v*.*"
+  pull_request:
+    # 'closed' is missing to avoid double triggering on PR merge
+    # 'edited' is missing to allow us to edit PR title/description without triggering
+    types: [synchronize, opened, reopened]
+    branches: ["main", "devel/*"]
+permissions:
+  contents: write
+  id-token: write
+  pull-requests: write
+  checks: write
+jobs:
+  prek:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0 # we need tags for dynamic versioning
+          show-progress: false
+
+      # needed by our prek system hooks like toml
+      - uses: astral-sh/setup-uv@v7
+
+      # needed by our prek systems hooks like biome
+      - name: Set up Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
+
+      - name: yarn install
+        run: |
+          npx yarn install --immutable
+
+      - uses: j178/prek-action@v1
+        with:
+          install-only: true
+
+      - name: Run prek with auto-fix
+        id: prek
+        run: |
+          EXIT_CODE=0
+          prek run --all-files --color=always || EXIT_CODE=$?
+          if [ -n "$(git status --porcelain)" ]; then
+              git config --global user.email ansible-devtools@redhat.com
+              git config --global user.name "Ansible DevTools"
+              git add -A
+              git commit -m 'Prek auto-fixes'
+              prek run --all-files --color=always || EXIT_CODE=$?
+              if  [ $EXIT_CODE -eq 0 ]; then
+                git push origin || EXIT_CODE=$?
+              fi
+          fi
+          exit $EXIT_CODE

.pre-commit-config.yaml

@@ -47,20 +47,18 @@ repos:
         language: system
         pass_filenames: false
         always_run: true
-        entry: biome check --write --unsafe
+        entry: npx biome check --write --unsafe
       - id: knip
         name: knip (typescript declutter)
-        entry: yarn knip --fix
+        entry: npx knip --fix
         language: system
         pass_filenames: false
         always_run: true
       - id: eslint
         name: eslint
-        entry: npm
+        entry: npx
         language: system
         args:
-          - exec
-          - --
           - eslint
           - --no-warn-ignored
           - --color
@@ -81,7 +79,7 @@ repos:
       - id: renovate-config-validator
         name: renovate config validator
         alias: renovate
-        entry: renovate-config-validator
+        entry: npx --yes --package renovate -- renovate-config-validator
         language: system
         pass_filenames: false
         files: "renovate.json"

eslint.config.mjs

@@ -14,8 +14,7 @@ import { defineConfig } from "eslint/config";
 import { createRequire } from "module";
 
 const require = createRequire(import.meta.url);
-const noUnsafeSpawnRule =
-  require("./out/client/test/eslint/no-unsafe-spawn.js").default;
+const noUnsafeSpawnRule = require("./test/eslint/no-unsafe-spawn.cjs");
 
 const __filename = fileURLToPath(import.meta.url); // get the resolved path to the file
 const __dirname = path.dirname(__filename); // get the name of the directory
@@ -68,6 +67,19 @@ export default defineConfig(
       "@typescript-eslint/no-unsafe-argument": "off",
     },
   },
+  {
+    // CommonJS rule file: Node globals (module, require, exports)
+    files: ["test/eslint/**/*.cjs"],
+    languageOptions: {
+      globals: {
+        ...globals.node,
+      },
+      parserOptions: {
+        ecmaVersion: 2022,
+        sourceType: "script",
+      },
+    },
+  },
   eslint.configs.recommended,
   prettierRecommendedConfig,
   tseslint.configs.recommended,

test/eslint/no-unsafe-spawn.ts test/eslint/no-unsafe-spawn.cjstest/eslint/no-unsafe-spawn.ts renamed to test/eslint/no-unsafe-spawn.cjs

@@ -1,72 +1,25 @@
+"use strict";
 /**
  * ESLint rule to detect unsafe child_process spawn/spawnSync calls
  * that use a single string argument instead of separate command and args array.
  *
  * This prevents shell injection vulnerabilities and ensures proper argument handling.
  */
 
-import type { Rule } from "eslint";
-
-// Extend RuleContext to include report method which exists at runtime
-interface ExtendedRuleContext extends Rule.RuleContext {
-  report(options: { node: Rule.Node; messageId: string }): void;
-}
-
-// Extend RuleModule to require meta (it's optional in the base type)
-interface ExtendedRuleModule extends Rule.RuleModule {
-  meta: {
-    type: "problem";
-    docs: {
-      description: string;
-      category: string;
-      recommended: boolean;
-    };
-    fixable: undefined;
-    schema: [];
-    messages: {
-      unsafeSpawn: string;
-      unsafeSpawnSync: string;
-    };
-  };
-  create(context: ExtendedRuleContext): Rule.RuleListener;
-}
-
-const rule: ExtendedRuleModule = {
-  meta: {
-    type: "problem",
-    docs: {
-      description:
-        "disallow child_process.spawn/spawnSync with single string argument containing spaces",
-      category: "Security",
-      recommended: true,
-    },
-    fixable: undefined,
-    schema: [],
-    messages: {
-      unsafeSpawn:
-        "Use spawn(command, args[]) instead of spawn(commandString). Split the command string into command and args array to prevent shell injection.",
-      unsafeSpawnSync:
-        "Use spawnSync(command, args[]) instead of spawnSync(commandString). Split the command string into command and args array to prevent shell injection.",
-    },
-  },
-  create(context: ExtendedRuleContext): Rule.RuleListener {
+const rule = {
+  create(context) {
     /**
      * Check if a call expression is spawn or spawnSync
      */
-    function isSpawnCall(
-      node: Rule.Node,
-    ): node is Rule.Node & { type: "CallExpression" } {
+    function isSpawnCall(node) {
       if (node.type !== "CallExpression" || !("callee" in node)) {
         return false;
       }
-
       const callee = node.callee;
-
       // Check for: spawnSync(...) or spawn(...) as identifier
       if (callee.type === "Identifier") {
         return callee.name === "spawnSync" || callee.name === "spawn";
       }
-
       // Check for: child_process.spawnSync(...) or cp.spawnSync(...)
       if (
         callee.type === "MemberExpression" &&
@@ -77,31 +30,24 @@ const rule: ExtendedRuleModule = {
         const methodName = callee.property.name;
         return methodName === "spawnSync" || methodName === "spawn";
       }
-
       return false;
     }
-
     /**
      * Check if the call is unsafe (command string instead of command + args array)
      */
-    function isUnsafeCall(
-      node: Rule.Node & { type: "CallExpression" },
-    ): boolean {
+    function isUnsafeCall(node) {
       const args = node.arguments;
       if (!args || args.length === 0) {
         return false;
       }
-
       const firstArg = args[0];
       if (!firstArg) {
         return false;
       }
-
       // If there's a second argument that's an array, it's safe (proper usage)
       if (args.length > 1 && args[1].type === "ArrayExpression") {
         return false;
       }
-
       // Check if second argument is an options object with shell: true
       // This is unsafe because it goes through shell interpretation
       if (
@@ -125,14 +71,12 @@ const rule: ExtendedRuleModule = {
           }
         }
       }
-
       // Check if first argument is a string literal with spaces
       if (firstArg.type === "Literal" && typeof firstArg.value === "string") {
         const value = firstArg.value.trim();
         // Flag if it contains spaces (command + args) but allow single commands
         return value.includes(" ") && value.length > 0;
       }
-
       // Check if it's a template literal
       if (firstArg.type === "TemplateLiteral") {
         const quasis = firstArg.quasis || [];
@@ -144,7 +88,6 @@ const rule: ExtendedRuleModule = {
           }
         }
       }
-
       // Check if first argument is a variable and second is options (not array)
       // This is potentially unsafe - we can't know the variable's value statically,
       // but if it's not followed by an array, it's likely a command string
@@ -156,16 +99,13 @@ const rule: ExtendedRuleModule = {
         // Variable with options object (not array) - likely unsafe
         return true;
       }
-
       return false;
     }
-
     return {
-      CallExpression(node: Rule.Node) {
+      CallExpression(node) {
         if (!isSpawnCall(node)) {
           return;
         }
-
         // Check if it's an unsafe call
         if (isUnsafeCall(node)) {
           const methodName =
@@ -177,19 +117,34 @@ const rule: ExtendedRuleModule = {
                   node.callee.property.type === "Identifier"
                 ? node.callee.property.name
                 : "spawn";
-
           context.report({
-            node,
             messageId:
               methodName === "spawnSync" ? "unsafeSpawnSync" : "unsafeSpawn",
+            node,
           });
         }
       },
     };
   },
+  meta: {
+    docs: {
+      category: "Security",
+      description:
+        "disallow child_process.spawn/spawnSync with single string argument containing spaces",
+      recommended: true,
+    },
+    fixable: undefined,
+    messages: {
+      unsafeSpawn:
+        "Use spawn(command, args[]) instead of spawn(commandString). Split the command string into command and args array to prevent shell injection.",
+      unsafeSpawnSync:
+        "Use spawnSync(command, args[]) instead of spawnSync(commandString). Split the command string into command and args array to prevent shell injection.",
+    },
+    schema: [],
+    type: "problem",
+  },
 };
-
-export default {
+module.exports = {
   rules: {
     "no-unsafe-spawn": rule,
   },