fix(install): also strip tmpl-contract in the guarded-template render path #48

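name: Validate Hooks

on:
  pull_request:
    branches: [main, develop]
    paths:
      - 'global/hooks/**'
      - 'hooks/**'
      - 'tests/hooks/**'
      - 'tests/hooks/fixtures/**'
      - 'tests/markdown-anchor-validator/**'
      - 'tests/batch_drift_benchmark/**'
      - 'plugin/**'
      - 'plugin-lite/**'
      - 'tests/plugin/**'
      - 'scripts/install.sh'
      - 'scripts/install.ps1'
      - 'scripts/install-manifest.sh'
      - 'scripts/install-manifest.ps1'
      - 'bootstrap.sh'
      - 'bootstrap.ps1'
      - 'tests/scripts/test-plugin-*.sh'
      - 'tests/scripts/test-install-manifest-helpers.*'
      - 'tests/scripts/test-install-permissions-policy.sh'
      - 'tests/scripts/test-language-policy-drift.sh'
      - 'tests/scripts/test-installer-prompt-drift.sh'
      - 'tests/scripts/test-doc-prompt-lockstep.sh'
      - 'tests/scripts/test-language-override-contract.sh'
      - 'scripts/lib/**'
      - 'global/settings.json'
      - 'global/settings.windows.json'
      - 'tests/scripts/test-windows-hooks-parity.sh'
      - 'tests/scripts/test-windows-powershell-permissions.sh'
      - 'tests/scripts/test-hook-ordering.sh'
      - 'tests/scripts/test-severity-enum.sh'
      - 'scripts/backup.sh'
      - 'scripts/backup.ps1'
      - 'tests/scripts/test-installer-robustness.sh'

# Least privilege for GITHUB_TOKEN: every step below only reads the checked-out
# tree and runs tests, so nothing beyond contents:read is needed. Without an
# explicit block the token inherits the repository/org default, which can be
# broader than this workflow requires.
permissions:
  contents: read

# Cancel in-progress runs of the same PR so a fast follow-up commit does not
# pile up. Only pull_request triggers this workflow, so github.ref identifies
# the PR being validated.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ${{ matrix.os }}
    # Bound runner time so a hung test script cannot hold the runner for the
    # platform default (6 hours).
    timeout-minutes: 30
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - name: Checkout repository
        # NOTE(review): a mutable major tag is used here; pinning to a full
        # commit SHA is the usual supply-chain hardening for third-party actions.
        uses: actions/checkout@v4
        with:
          # The steps below execute repository-supplied shell scripts. None of
          # them needs git credentials, so do not leave the token in
          # .git/config where any of those scripts could read it.
          persist-credentials: false

      - name: Install jq and bash 4+
        run: |
          if [[ "$RUNNER_OS" == "Linux" ]]; then
            sudo apt-get update && sudo apt-get install -y jq
          elif [[ "$RUNNER_OS" == "macOS" ]]; then
            # macOS ships with bash 3.2; install bash 4+ so hooks that need
            # associative arrays (e.g., markdown-anchor-validator.sh) can
            # re-exec into it via the PATH checks in the hook itself.
            brew install jq bash
          fi

      - name: Run hook tests
        run: bash tests/hooks/test-runner.sh

      - name: Run drift benchmark extractor tests
        run: bash tests/batch_drift_benchmark/test-extractors.sh

      - name: Run scratch repo seeding tests
        run: bash tests/batch_drift_benchmark/test-seed-scratch-repo.sh

      - name: Run aggregator tests
        run: bash tests/batch_drift_benchmark/test-aggregate-results.sh

      - name: Run benchmark orchestrator tests
        run: bash tests/batch_drift_benchmark/test-run-benchmark.sh

      - name: Run plugin standalone regression tests
        # Validates plugin/hooks/hooks.json inline guards when no probe
        # file exists (standalone deployment fallback). The test script
        # extracts the live command string from hooks.json via python3,
        # which is pre-installed on ubuntu-latest and macos-latest runners.
        run: bash tests/scripts/test-plugin-standalone.sh

      - name: Run plugin/plugin-lite directory smoke test (#622)
        # Catches packaging regressions (manifest mismatches, missing
        # skills) before they ship in releases. Sh runner on Linux/macOS;
        # PowerShell sibling smoke-test.ps1 is exercised when the
        # InstallerFetch matrix lands a Windows runner.
        run: bash tests/plugin/smoke-test.sh

      - name: Run plugin fallback regression tests
        # Validates probe-driven per-hook stand-down plus failure modes
        # (unknown schema, malformed JSON, missing key).
        run: bash tests/scripts/test-plugin-fallback.sh

      - name: Run install manifest helper tests
        run: bash tests/scripts/test-install-manifest-helpers.sh

      - name: Run install manifest helper tests (PowerShell)
        # pwsh is pre-installed on the hosted Linux and macOS runners.
        run: pwsh tests/scripts/test-install-manifest-helpers.ps1

      - name: Run install permissions policy lint
        # Lint test: install.sh must enforce 700 / 600 / 644 on tracked files.
        run: bash tests/scripts/test-install-permissions-policy.sh

      - name: Run content-language policy drift test
        # Verifies (a) canonical .md == .tmpl rendered with english phrase,
        # (b) every CLAUDE_CONTENT_LANGUAGE value renders deterministically.
        run: bash tests/scripts/test-language-policy-drift.sh

      - name: Run installer prompt drift test
        # Guards drift between scripts/lib/install-prompts.sh (bash) and
        # scripts/lib/InstallPrompts.psm1 (PowerShell) - the single source
        # of truth for installer prompts and the policy phrase table.
        run: bash tests/scripts/test-installer-prompt-drift.sh

      - name: Run doc/prompt lockstep test
        # Pins the live 3-option Language Profile Preset prompt as the
        # single source of truth (#763): fails if any tracked file
        # reintroduces a removed prompt-function identifier or a stale
        # two-prompt description, and asserts the preset header, the three
        # option labels, and the [default: 3] line are still present.
        run: bash tests/scripts/test-doc-prompt-lockstep.sh

      - name: Run language override contract test
        # Locks the independent non-interactive env-override contract
        # (issue #762): presetting only AGENT_LANGUAGE or only
        # CONTENT_LANGUAGE must be honored, not clobbered to the Hybrid
        # default. Guards against the AND-gate regression from #757.
        run: bash tests/scripts/test-language-override-contract.sh

      - name: Run installer robustness test
        # Guards the per-platform settings-source parity (PowerShell
        # installers ship settings.windows.json, bash installers ship
        # settings.json), install.sh error() being terminal, and the
        # backup.sh/.ps1 copy-then-swap staging (silent-data-loss fix).
        run: bash tests/scripts/test-installer-robustness.sh

      - name: Run hook-wiring parity test (settings.json <-> settings.windows.json)
        # Catches dormant guards: a .ps1 hook present in global/hooks/ but not
        # wired into settings.windows.json (or POSIX-only drift). This is the
        # gate the 7 unwired Windows security guards (#655) would have tripped.
        run: bash tests/scripts/test-windows-hooks-parity.sh

      - name: Run Windows PowerShell permissions policy test
        # Ensures Windows gets narrow read-only PowerShell discovery allowances
        # without broad PowerShell(*) or state-changing gh grants.
        run: bash tests/scripts/test-windows-powershell-permissions.sh

      - name: Run hook ordering test
        # Asserts the load-bearing PreToolUse hook order (sensitive-file-guard
        # before pre-edit-read-guard, etc.) is preserved across both settings.
        run: bash tests/scripts/test-hook-ordering.sh

      - name: Run skill severity enum test
        # Validates code-review skill frontmatter severity/finding_levels enums.
        run: bash tests/scripts/test-severity-enum.sh

  shellcheck:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 15
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
      - name: Checkout repository
        # NOTE(review): same pinning caveat as the test job - prefer a full
        # commit SHA over the mutable @v4 tag.
        uses: actions/checkout@v4
        with:
          # Only `git ls-files` runs against the clone; no credentials needed.
          persist-credentials: false

      - name: Install shellcheck
        run: |
          if [[ "$RUNNER_OS" == "Linux" ]]; then
            sudo apt-get update && sudo apt-get install -y shellcheck
          elif [[ "$RUNNER_OS" == "macOS" ]]; then
            brew install shellcheck
          fi

      - name: Run shellcheck on shell scripts
        # NOTE(review): SC2086 (unquoted variable expansion -> word splitting /
        # globbing) is excluded in BOTH loops below, so this gate does not catch
        # unquoted expansions in the hook guards even at the "warning" bar.
        # That class of finding matters for scripts that handle file paths and
        # tool arguments; consider dropping the exclusion once the existing
        # scripts are clean under it.
        run: |
          failed=0
          # Broad loop: every tracked .sh, gated at error severity. Self-tracking
          # — new scripts are covered automatically with no workflow change.
          # while-read over process substitution (not `... | while`) keeps the
          # failed flag in the current shell and stays bash 3.2 compatible
          # (macOS runners lack the bash 4+ `mapfile`).
          while IFS= read -r f; do
            echo "Checking (error) $f..."
            if ! shellcheck --severity=error -e SC2086 "$f"; then
              failed=1
            fi
          done < <(git ls-files '*.sh')
          # Strict loop: hook + benchmark scripts held to the stricter warning bar.
          # An unmatched glob is passed through literally and makes shellcheck
          # fail, which is the desired outcome if either directory disappears.
          for script in global/hooks/*.sh tests/batch_drift_benchmark/*.sh; do
            echo "Checking (warning) $script..."
            if ! shellcheck -S warning -e SC2086 "$script"; then
              failed=1
            fi
          done
          if [ "$failed" -ne 0 ]; then
            echo "Shellcheck found issues"
            exit 1
          fi
          echo "All shell scripts passed shellcheck!"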