From d7eace87ae82dc8e36ba161136e36a57b1e070a6 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sun, 25 Jan 2026 10:45:04 +0000
Subject: [PATCH] chore: prep pre-commit runner
---
 .detect-secrets.cfg | 4 ++++
 .pre-commit-config.yaml | 26 +++++++++++++++++++++---
 .secrets.baseline | 11 +---------
 scripts/pre-commit/run-node-tool.sh | 31 +++++++++++++++++++++++++++++
 4 files changed, 59 insertions(+), 13 deletions(-)
 create mode 100755 scripts/pre-commit/run-node-tool.sh
diff --git a/.detect-secrets.cfg b/.detect-secrets.cfg
index 66ed5236e..38912567c 100644
--- a/.detect-secrets.cfg
+++ b/.detect-secrets.cfg
@@ -7,6 +7,10 @@
 [exclude-files]
 # pnpm lockfiles contain lots of high-entropy package integrity blobs.
 pattern = (^|/)pnpm-lock\.yaml$
+# Generated output and vendored assets.
+pattern = (^|/)(dist|vendor)/
+# Local config file with allowlist patterns.
+pattern = (^|/)\.detect-secrets\.cfg$
 [exclude-lines]
 # Fastlane checks for private key marker; not a real key.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4be40f8a8..80813a0d3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -24,7 +24,27 @@ repos:
 rev: v1.5.0
 hooks:
 - id: detect-secrets
- args: [--baseline, .secrets.baseline]
+ args:
+ - --baseline
+ - .secrets.baseline
+ - --exclude-files
+ - '(^|/)(dist/|vendor/|pnpm-lock\.yaml$|\.detect-secrets\.cfg$)'
+ - --exclude-lines
+ - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
+ - --exclude-lines
+ - 'case \.apiKeyEnv: "API key \(env var\)"'
+ - --exclude-lines
+ - 'case apikey = "apiKey"'
+ - --exclude-lines
+ - '"gateway\.remote\.password"'
+ - --exclude-lines
+ - '"gateway\.auth\.password"'
+ - --exclude-lines
+ - '"talk\.apiKey"'
+ - --exclude-lines
+ - '=== "string"'
+ - --exclude-lines
+ - 'typeof remote\?\.password === "string"'
 # Shell script linting
 - repo: https://github.com/koalaman/shellcheck-precommit
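Review bot: The added `pattern = (^|/)(dist|vendor)/` is not anchored to the repository root, so it takes every directory named `dist` or `vendor`, at any depth, out of secret scanning; the same alternation is repeated in the `--exclude-files` argument in `.pre-commit-config.yaml`. Build output is a common place for credentials to land once they are inlined at bundle time, so a leaked value in a committed `dist/` tree would no longer be reported. If only the top-level directories are meant, anchor the pattern, e.g. `pattern = ^(dist|vendor)/`. It would also help to add a comment saying what consumes this file, because the hook appears to receive its own copy of these patterns on the command line and the two lists can drift.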
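Review bot: Several of the added `--exclude-lines` patterns match a config key name or a generic fragment rather than one known false positive. `'"talk\.apiKey"'`, `'"gateway\.auth\.password"'` and `'"gateway\.remote\.password"'` skip any line that mentions the key, including one that carries a real value next to it in a fixture or sample config, and `'=== "string"'` skips every line containing that comparison in every scanned file. The broad `'=== "string"'` entry also makes the last pattern, `'typeof remote\?\.password === "string"'`, redundant. Prefer an inline `pragma: allowlist secret` comment on the specific lines, or a baseline entry, so each suppression stays tied to a file and line; where a regex has to stay, match the full expression and add a YAML comment naming the file it was written for.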
@@ -55,7 +75,7 @@ repos:
 # oxlint --type-aware src test
 - id: oxlint
 name: oxlint
- entry: npx oxlint --type-aware src test
+ entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
 language: system
 pass_filenames: false
 types_or: [javascript, jsx, ts, tsx]
@@ -63,7 +83,7 @@ repos:
 # oxfmt --check src test
 - id: oxfmt
 name: oxfmt
- entry: npx oxfmt --check src test
+ entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
 language: system
 pass_filenames: false
 types_or: [javascript, jsx, ts, tsx]
diff --git a/.secrets.baseline b/.secrets.baseline
index f02613353..dc29dbee1 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -2210,16 +2210,7 @@
 "is_verified": false,
 "line_number": 182
 }
- ],
- "vendor/a2ui/README.md": [
- {
- "type": "Secret Keyword",
- "filename": "vendor/a2ui/README.md",
- "hashed_secret": "2619a5397a5d054dab3fe24e6a8da1fbd76ec3a6",
- "is_verified": false,
- "line_number": 123
- }
 ]
 },
- "generated_at": "2026-01-25T06:57:20Z"
+ "generated_at": "2026-01-25T10:46:40Z"
 }
diff --git a/scripts/pre-commit/run-node-tool.sh b/scripts/pre-commit/run-node-tool.sh
new file mode 100755
index 000000000..341630755
--- /dev/null
+++ b/scripts/pre-commit/run-node-tool.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+if [[ $# -lt 1 ]]; then
+ echo "usage: run-node-tool.sh [args...]" >&2
+ exit 2
+fi
+
+tool="$1"
+shift
+
+if [[ -f "$ROOT_DIR/pnpm-lock.yaml" ]] && command -v pnpm >/dev/null 2>&1; then
+ exec pnpm exec "$tool" "$@"
+fi
+
+if { [[ -f "$ROOT_DIR/bun.lockb" ]] || [[ -f "$ROOT_DIR/bun.lock" ]]; } && command -v bun >/dev/null 2>&1; then
+ exec bunx --bun "$tool" "$@"
+fi
+
+if command -v npm >/dev/null 2>&1; then
+ exec npm exec -- "$tool" "$@"
+fi
+
+if command -v npx >/dev/null 2>&1; then
+ exec npx "$tool" "$@"
+fi
+
+echo "Missing package manager: pnpm, bun, or npm required." >&2
+exit 1
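Review bot: Only the `pnpm exec` branch is limited to binaries already installed in the project; `bunx --bun "$tool"`, `npm exec -- "$tool"` and `npx "$tool"` will, when the tool is missing from `node_modules`, resolve it from the registry and run it, and in a non-interactive hook npm is likely to do so without prompting. A contributor without pnpm can therefore end up executing an unpinned, freshly downloaded `oxlint` or `oxfmt` on every commit. Make the fallbacks fail instead of fetching, e.g. `exec npm exec --no -- "$tool" "$@"` and `exec npx --no-install "$tool" "$@"`, and give the bun branch the equivalent restriction. Separately, `ROOT_DIR` drives the lockfile checks while the tools still run in the caller's working directory; a `cd "$ROOT_DIR"` right after it is computed would keep the two consistent.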