-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.pre-commit-config.yaml
More file actions
154 lines (139 loc) · 5.55 KB
/
Copy path.pre-commit-config.yaml
File metadata and controls
154 lines (139 loc) · 5.55 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# OrbVis — pre-commit configuration.
#
# This is the single source of truth for local git hooks. It replaces the
# previous husky/lint-staged setup. Both pre-commit and pre-push stages are
# defined here.
#
# Setup:
# pip install pre-commit
# pre-commit install --hook-type pre-commit --hook-type pre-push
# or:
# make install-hooks
default_install_hook_types: [pre-commit, pre-push]
default_stages: [pre-commit, manual]
repos:
# ------------------------------------------------------------------------
# Base hygiene
# ------------------------------------------------------------------------
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-merge-conflict
- id: check-yaml
- id: check-toml
- repo: https://github.com/gitleaks/gitleaks
rev: v8.21.0
hooks:
- id: gitleaks
# ------------------------------------------------------------------------
# Python: ruff (format + lint) — runs on every commit
# ------------------------------------------------------------------------
- repo: https://github.com/astral-sh/ruff-pre-commit
rev: v0.15.7
hooks:
- id: ruff
args: [--fix]
- id: ruff-format
# ------------------------------------------------------------------------
# Shell scripts
# ------------------------------------------------------------------------
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.10.0.1
hooks:
- id: shellcheck
# ------------------------------------------------------------------------
# Python: bandit (security) — runs on every commit for backend/app
# ------------------------------------------------------------------------
- repo: https://github.com/PyCQA/bandit
rev: 1.8.0
hooks:
- id: bandit
args: [-ll]
files: ^backend/app/.*\.py$
# ------------------------------------------------------------------------
# Local hooks (tools pinned to the repo venv / node_modules)
# ------------------------------------------------------------------------
- repo: local
hooks:
# ----- Python: mypy strict (checkmk-equivalent config from root) -----
- id: mypy
name: mypy (strict checkmk-equivalent)
entry: backend/.venv/bin/mypy
language: system
types: [python]
files: ^backend/app/
pass_filenames: false
args: [backend/app]
# ----- Frontend: eslint on changed TS/Vue files --------------------
# src/vendor is excluded from all three fixers: vendored files must
# stay byte-identical to upstream cmk-frontend-vue (drift-check),
# and auto-fixes (e.g. stripping eslint-disable comments) break that.
# Covers tool configs/scripts too (eslint.config.js, prettier.config.cjs,
# vite.config.ts, e2e/, scripts/) — CI lints `eslint .`, so a config-only
# change must not slip past the hook.
- id: eslint
name: eslint (auto-fix)
entry: bash -c 'cd frontend && npx eslint --fix "${@#frontend/}"' --
language: system
files: ^frontend/(src/.*\.(ts|vue)|e2e/.*\.ts|scripts/.*\.(js|mjs|cjs)|[^/]+\.(ts|js|cjs|mjs))$
exclude: ^frontend/src/vendor/
pass_filenames: true
# ----- Frontend: prettier on changed TS/Vue/CSS files --------------
- id: prettier
name: prettier (auto-format)
entry: bash -c 'cd frontend && npx prettier --write "${@#frontend/}"' --
language: system
files: ^frontend/src/.*\.(ts|vue|css)$
exclude: ^frontend/src/vendor/
pass_filenames: true
# ----- Frontend: stylelint on changed Vue/CSS files ----------------
- id: stylelint
name: stylelint (auto-fix)
entry: bash -c 'cd frontend && npx stylelint --fix "${@#frontend/}"' --
language: system
files: ^frontend/src/.*\.(vue|css)$
exclude: ^frontend/src/vendor/
pass_filenames: true
# ----- Pre-push: full test suites + deps audit ---------------------
- id: pytest
name: pytest (full backend suite)
entry: bash -c 'cd backend && .venv/bin/pytest'
language: system
files: ^backend/.*\.py$
pass_filenames: false
stages: [pre-push]
- id: vitest
name: vitest (full frontend suite)
entry: bash -c 'cd frontend && npx vitest run'
language: system
files: ^frontend/src/
pass_filenames: false
stages: [pre-push]
# Full CI-parity lint (eslint . + stylelint) — the per-file commit hook
# can't see files outside its pattern; this catches everything before
# the GitHub workflow does.
- id: frontend-lint
name: npm run lint (CI parity)
entry: bash -c 'cd frontend && npm run lint'
language: system
files: ^frontend/
pass_filenames: false
stages: [pre-push]
- id: npm-audit
name: npm audit (frontend deps)
entry: bash -c 'cd frontend && npm audit --audit-level=high'
language: system
files: ^frontend/(package\.json|package-lock\.json)$
pass_filenames: false
stages: [pre-push]
- id: pip-audit
name: pip-audit (backend deps)
# PYSEC-2025-183: disputed "weak encryption" advisory gegen PyJWT,
# kein Fix verfuegbar (Schluessellaenge ist Anwendungsverantwortung).
entry: bash -c 'cd backend && .venv/bin/pip-audit . --ignore-vuln PYSEC-2025-183'
language: system
always_run: true
pass_filenames: false
stages: [pre-push]