---
# pre-commit hook configuration.
#
# NOTE(review): every remote `rev` below is a tag. Tags can be re-pointed
# upstream; pinning each `rev` to a full commit SHA (for example with
# `pre-commit autoupdate --freeze`) keeps the hook code that runs on
# developer machines immutable.
repos:
  # Generic file hygiene checks.
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 'v5.0.0'
    hooks:
      - id: check-yaml
        # --unsafe makes this a syntax-only parse: custom tags and other
        # constructs that a safe load would reject are accepted, so passing
        # this hook does not show that a file loads under a safe loader.
        args:
          - '--unsafe'
        # Helm chart templates are skipped (presumably because they are
        # templates rather than plain YAML; confirm).
        exclude: '^deploy/helm/.*/templates/.*\.ya?ml$'
      - id: check-json
        # tsconfig files are skipped (presumably because they may carry
        # comments, which strict JSON forbids; confirm).
        exclude: 'tsconfig.*\.json$'
      - id: check-toml
      - id: end-of-file-fixer
        # Image and font assets are left untouched.
        exclude: '\.(svg|png|gif|ico|woff|woff2|ttf|eot)$'
      - id: trailing-whitespace
        exclude: '\.(md|mdx)$'
      - id: detect-private-key
        # Everything under tests/ and the shared SDK fixture file is NOT
        # scanned, so key material committed at those paths passes this
        # hook. Keep the exclusion as narrow as the fixtures require.
        exclude: '^tests/|^sdks/shared/test-fixtures\.json$'
      - id: check-case-conflict
      - id: check-merge-conflict
      - id: mixed-line-ending
        # Rewrites line endings to LF instead of only reporting them.
        args:
          - '--fix=lf'

  # Python lint and formatting; --fix lets ruff rewrite files in place.
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: 'v0.9.7'
    hooks:
      - id: ruff
        args:
          - '--fix'
      - id: ruff-format

  # Static typing, limited to src/.
  - repo: https://github.com/pre-commit/mirrors-mypy
    rev: 'v1.15.0'
    hooks:
      - id: mypy
        files: '^src/'
        pass_filenames: true
        # Missing and untyped imports are silenced rather than reported.
        args:
          - '--ignore-missing-imports'
          - '--no-error-summary'
          - '--disable-error-code'
          - 'import-untyped'
        # Stub packages installed into the hook's own environment.
        additional_dependencies:
          - 'types-PyYAML'

  # Security linting for Python sources.
  - repo: https://github.com/PyCQA/bandit
    rev: '1.8.3'
    hooks:
      - id: bandit
        files: '^src/'
        # NOTE(review): no path can match both ^src/ and ^tests/, so this
        # exclude has no effect next to `files`.
        exclude: '^tests/'
        # Only findings of medium severity or higher are reported;
        # low-severity findings never surface from this hook.
        args:
          - '--severity-level'
          - 'medium'
          - '-r'

  # Project-local hooks. `language: system` means they run with whatever
  # python3 is first on PATH, not inside a pre-commit-managed environment.
  - repo: local
    hooks:
      # Flags new AGENT_BOM_* env vars introduced under src/agent_bom/ that
      # are neither declared in config.py nor present in the allowlist.
      # The generator only parses the AST, so it runs in the pre-commit
      # environment without the project venv. The CI Lint stage runs the
      # same gate; this hook surfaces it locally before push.
      - id: env-var-reference-drift
        name: 'env-var reference drift (config.py + allowlist gate)'
        language: system
        entry: python3 scripts/generate_env_var_reference.py --check
        pass_filenames: false
        files: '^(src/agent_bom/.*\.py|src/agent_bom/config\.py|scripts/env_var_allowlist\.txt|docs/operations/ENV_VARS\.md)$'
      - id: duplicate-artifact-guard
        name: 'Finder duplicate artifact guard'
        language: system
        # --working-tree extends the check to untracked Finder copies
        # (e.g. 'nav 2.tsx'): they break local tsc/pytest collection but
        # are never staged, so the tracked-only CI guard does not see
        # them. Build/cache directories are ignored.
        entry: python3 scripts/check_duplicate_artifacts.py --working-tree
        pass_filenames: false
        always_run: true