-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.pre-commit-config.yaml
More file actions
33 lines (31 loc) · 1.73 KB
/
.pre-commit-config.yaml
File metadata and controls
33 lines (31 loc) · 1.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
fail_fast: false # Set to true if you want it to stop on the first failing hook
repos:
# Standard useful hooks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
hooks:
- id: check-yaml
- id: end-of-file-fixer
- id: trailing-whitespace
- id: check-added-large-files
- id: check-merge-conflict
# Hook to prevent committing the plaintext secrets file (e.g., your local ./docker/.env)
- repo: local
hooks:
- id: forbid-plaintext-docker-env
language: system
name: Forbid plaintext docker/.env
files: '^docker/\.env$' # This ensures the hook triggers if docker/.env is modified/staged
entry: | # Use the literal block scalar indicator here
bash -c 'if git diff --cached --name-only | grep -Fxq "docker/.env"; then echo "ERROR: Plaintext docker/.env is staged for commit! It should be encrypted in secrets.sops.env."; exit 1; fi'
# Optional (more advanced): A hook to check if *.sops.env files are actually encrypted and you can decrypt them.
# This requires your local SOPS/age setup to be able to decrypt.
- repo: local
hooks:
- id: check-sops-files-are-encrypted
name: Check SOPS files are encrypted and decryptable
entry: |
bash -c 'if [ -f "$1" ]; then SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys.txt" sops --decrypt "$1" > /dev/null || (echo "ERROR: File $1 failed SOPS decryption. Ensure your age key is in $HOME/.config/sops/age/keys.txt and the file is encrypted for your key." && exit 1); else echo "Skipping SOPS check for non-file/empty argument: $1"; fi' --
language: system
files: '\.sops\.env$' # Matches files like secrets.sops.env
pass_filenames: true # Good to be explicit