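# Pre-commit hooks for openclaw
# Install: prek install
# Run manually: prek run --all-files
#
# See https://pre-commit.com for more information
#
# NOTE(review): every remote `rev:` below is a version tag. Tags can be moved
# by the upstream repository, so the hook code that runs on a developer machine
# is only as stable as the tag. Pin `rev:` to a full commit SHA if immutable
# hook sources are required (pre-commit offers `autoupdate --freeze` for this).
#
# NOTE(review): `language: system` hooks run whatever binary is first on PATH;
# this file does not pin their versions, so local results can differ from CI.

repos:
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: end-of-file-fixer
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: check-added-large-files
        args: [--maxkb=500]
      - id: check-merge-conflict
      - id: detect-private-key
        # Files matching this pattern are never scanned by this hook, and the
        # last alternative skips every *.test.ts file in the repo. Keep the
        # list tight: a real key committed to an excluded path is not reported
        # by this hook.
        exclude: '(^|/)(\.secrets\.baseline$|\.detect-secrets\.cfg$|\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'

  # Secret detection (same as CI)
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        # Each --exclude-lines value is a regex applied to lines in every
        # scanned file, not to one known false positive in one file. A line
        # that matches any pattern is skipped entirely, so a real secret on
        # the same line goes unreported. Prefer the narrowest pattern that
        # works, or an inline `pragma: allowlist secret` on the specific line.
        args:
          - --baseline
          - .secrets.baseline
          - --exclude-files
          - '(^|/)pnpm-lock\.yaml$'
          - --exclude-lines
          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
          - --exclude-lines
          - 'case \.apiKeyEnv: "API key \(env var\)"'
          - --exclude-lines
          - 'case apikey = "apiKey"'
          - --exclude-lines
          - '"gateway\.remote\.password"'
          - --exclude-lines
          - '"gateway\.auth\.password"'
          - --exclude-lines
          - '"talk\.apiKey"'
          # NOTE(review): very broad. Any line containing `=== "string"` is
          # skipped, which also makes the more specific
          # `typeof remote?.password` pattern below redundant.
          - --exclude-lines
          - '=== "string"'
          - --exclude-lines
          - 'typeof remote\?\.password === "string"'
          # NOTE(review): matches any line that assigns this variable,
          # whatever the value is.
          - --exclude-lines
          - "OPENCLAW_DOCKER_GPG_FINGERPRINT="
          - --exclude-lines
          - '"secretShape": "(secret_input|sibling_ref)"'
          - --exclude-lines
          - 'API key rotation \(provider-specific\): set `\*_API_KEYS`'
          - --exclude-lines
          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`'
          - --exclude-lines
          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`'
          # Whole-file exclusion: nothing in this test file is scanned.
          - --exclude-files
          - '^src/gateway/client\.watchdog\.test\.ts$'
          # The single-character classes ([E], [O], [i], [I]) match the same
          # text as the plain letter; presumably they keep these pattern lines
          # from being flagged themselves (confirm with the baseline owner).
          - --exclude-lines
          - 'export CUSTOM_API_K[E]Y="your-key"'
          - --exclude-lines
          - 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF'''
          - --exclude-lines
          - 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},'
          - --exclude-lines
          - '"ap[i]Key": "xxxxx",'
          - --exclude-lines
          - 'ap[i]Key: "A[I]za\.\.\.",'

  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
    hooks:
      - id: shellcheck
        # Only fail on errors, not warnings/info. Quoting and word-splitting
        # findings are usually reported below error severity, so they do not
        # block a commit with this setting.
        args: [--severity=error]
        # Exclude vendor and scripts with embedded code or known issues
        exclude: "^(vendor/|scripts/e2e/)"

  # GitHub Actions linting
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.10
    hooks:
      - id: actionlint

  # GitHub Actions security audit
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.22.0
    hooks:
      - id: zizmor
        # Findings below medium severity or medium confidence are not
        # reported by this hook.
        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
        exclude: "^(vendor/|Swabble/)"

  # Python checks for skills scripts
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.14.1
    hooks:
      - id: ruff
        files: "^skills/.*\\.py$"
        args: [--config, pyproject.toml]

  - repo: local
    hooks:
      - id: skills-python-tests
        name: skills python tests
        entry: pytest -q skills
        language: python
        # The version range must be ONE quoted requirement string. Written
        # unquoted inside a flow sequence, the comma splits it into two items
        # ("pytest>=8" and "<9"); the second is not a valid requirement and
        # the upper bound is lost.
        additional_dependencies: ["pytest>=8,<9"]
        pass_filenames: false
        files: "^skills/.*\\.py$"

  # Project checks (same commands as CI)
  - repo: local
    hooks:
      # pnpm audit --prod --audit-level=high
      # Covers production dependencies only and reports advisories at high
      # severity or above; dev-only dependencies and lower-severity advisories
      # are not checked by this hook.
      - id: pnpm-audit-prod
        name: pnpm-audit-prod
        entry: pnpm audit --prod --audit-level=high
        language: system
        pass_filenames: false

      # oxlint --type-aware src test
      - id: oxlint
        name: oxlint
        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # oxfmt --check src test
      - id: oxfmt
        name: oxfmt
        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # swiftlint (same as CI)
      - id: swiftlint
        name: swiftlint
        entry: swiftlint --config .swiftlint.yml
        language: system
        pass_filenames: false
        types: [swift]

      # swiftformat --lint (same as CI)
      - id: swiftformat
        name: swiftformat
        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
        language: system
        pass_filenames: false
        types: [swift]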