aws-vpce-operator/.pre-commit-config.yaml at main · openshift/aws-vpce-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# =============================================================================
# Tier 1 — Common Pre-Commit Hooks for OSD Operators
# SREP-4485 | Golden rules: SREP-4450
# =============================================================================
#
# INSTALL
#   For detailed setup instructions including uv (recommended) and pip,
#   see: boilerplate/openshift/golang-osd-operator/docs/pre-commit.md
#
#   Quick start (uv):
#     uv sync && source .venv/bin/activate && pre-commit install
#
#   Quick start (pip):
#     pip install 'pre-commit==4.6.0' && pre-commit install
#
# USAGE
#   pre-commit run              # staged files only (developer / agent workflow)
#   pre-commit run --all-files  # full repo (CI / first-time setup)
#
# BYPASS (golden rule 16)
#   Skip one hook:  SKIP=hook-id git commit
#   Never use:      git commit --no-verify
#   Agents:         never bypass any hook
#   Security hooks: never bypassable under any circumstances
#
# CI RELATIONSHIP (golden rule 17)
#   These hooks mirror ci/prow/lint. CI remains the authoritative gate.
#   Every check here also runs in CI. Pre-commit is developer convenience.
#
# AGENT USAGE (golden rule 1, 7, 19)
#   Agents run: pre-commit run
#   Output:     PRE_COMMIT=1 is set automatically — hooks emit structured output
#   Retry:      max 2 fix-and-retry iterations before escalating to human
#
# TIMING TARGETS (golden rule 2, 3)
#   Total run:  <= 10s target / <= 60s hard limit on a 10-file changeset
#   Hooks run fastest-first (golden rule 13). Each hook has a timeout guard.
#
# FIRST RUN NOTE
#   Auto-fix hooks (trailing-whitespace, end-of-file-fixer) will correct
#   pre-existing violations on the first run. Stage and commit those fixes
#   separately before day-to-day use.
#
#   Fix commits can be excluded from git blame
#   https://git-scm.com/docs/git-blame#Documentation/git-blame.txt---ignore-revs-filefile
#
# =============================================================================

repos:

  # ---------------------------------------------------------------------------
  # 1. FILE HYGIENE + YAML SYNTAX  |  target < 2s  |  auto-fix + error
  #    - check-merge-conflict: detects unresolved merge markers
  #    - trailing-whitespace:  removes trailing spaces (auto-fix)
  #    - end-of-file-fixer:    ensures single EOF newline (auto-fix)
  #    - check-yaml:           validates YAML syntax in deploy/ manifests;
  #                            mirrors ci/prow/lint: olm-deploy-yaml-validate
  # ---------------------------------------------------------------------------
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0                          # pinned immutable tag
    hooks:
      - id: check-merge-conflict
      - id: trailing-whitespace
        args: [--markdown-linebreak-ext=md]
      - id: end-of-file-fixer
      - id: check-yaml
        name: YAML syntax (deploy/)
        files: ^deploy/.*\.ya?ml$
        args: [--allow-multiple-documents]

  # ---------------------------------------------------------------------------
  # 2. SECRETS DETECTION  |  target < 5s  |  always blocking
  #    Scans all file types (YAML, shell, config) — gosec covers Go only.
  #    High-confidence findings block; configure .gitleaks.toml for allowlist.
  # ---------------------------------------------------------------------------
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0                         # pinned immutable tag (golden rule 15)
    hooks:
      - id: gitleaks

  # ---------------------------------------------------------------------------
  # 3. STATIC ANALYSIS  |  target < 15s cached  |  error
  #    Mirrors ci/prow/lint: go-check exactly (same version + config as CI).
  #    Linter config: boilerplate/openshift/golang-osd-operator/golangci.yml
  # ---------------------------------------------------------------------------
  - repo: https://github.com/golangci/golangci-lint
    rev: v2.0.2                          # pinned immutable tag — must match CI (golden rule 15)
    hooks:
      - id: golangci-lint
        args:
          - --config=boilerplate/openshift/golang-osd-operator/golangci.yml
          - --timeout=120s                 # graceful timeout (golden rule 3)

  # ---------------------------------------------------------------------------
  # Local hooks — compile, dependency, security
  #
  # TIMEOUT NOTE (golden rule 3)
  #   Uses portable timeout detection: 'timeout' on Linux, 'gtimeout' on macOS.
  #   macOS: brew install coreutils
  #   Linux: timeout is available by default (GNU coreutils)
  # ---------------------------------------------------------------------------
  - repo: local
    hooks:

      # -----------------------------------------------------------------------
      # 4. COMPILE CHECK  |  target < 10s cached  |  error
      #    Catches import cycles and type errors before golangci-lint runs.
      #    Note: go build ./... writes no binary to the repo (compile check only).
      #    Fix: resolve compilation errors reported by go build.
      # -----------------------------------------------------------------------
      - id: go-build
        name: go build
        language: system
        entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 30s} go build ./...'
        types: [go]
        pass_filenames: false

      # -----------------------------------------------------------------------
      # 5. DEPENDENCY DRIFT  |  target < 10s  |  error
      #    Detects uncommitted go.mod/go.sum changes after go mod tidy.
      #    Fix: run 'go mod tidy' and stage go.mod and go.sum.
      # -----------------------------------------------------------------------
      - id: go-mod-tidy
        name: go mod tidy
        language: system
        entry: bash -c 'T=$(command -v timeout || command -v gtimeout || echo); ${T:+$T 60s} go mod tidy && git diff --exit-code go.mod go.sum'
        files: '(\.go$|go\.(mod|sum)$)'
        exclude: '^vendor/'
        pass_filenames: false

      # -----------------------------------------------------------------------
      # 6. RBAC WILDCARD CHECK  |  target < 5s  |  warn-only (blocking after cleanup)
      #    Rejects wildcard RBAC in deploy/ manifests (verbs/resources: ["*"]
      #    or multi-line - '*' format). Logic lives in standard.mk target
      #    'rbac-wildcard-check' for readability and reuse.
      #    Fix: replace wildcards with explicit verbs and resource names.
      # -----------------------------------------------------------------------
      - id: rbac-wildcard-check
        name: RBAC wildcard permissions
        language: system
        entry: bash -c 'make rbac-wildcard-check'
        files: ^deploy/.*\.ya?ml$
        pass_filenames: false