mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-07 22:44:16 +00:00
* Tests: stabilize detect-secrets fixtures * Tests: fix rebased detect-secrets false positives * Docs: keep snippets valid under detect-secrets * Tests: finalize detect-secrets false-positive fixes * Tests: reduce detect-secrets false positives * Tests: keep detect-secrets pragmas inline * Tests: remediate next detect-secrets batch * Tests: tighten detect-secrets allowlists * Tests: stabilize detect-secrets formatter drift
# Pre-commit hooks for openclaw
# Install: prek install
# Run manually: prek run --all-files
#
# See https://pre-commit.com for more information
#
# Every remote `repo` below is fetched and executed on the developer's
# machine. The `rev` values are tags, which upstream can move; pinning each
# one to a full commit SHA (tag kept in a trailing comment) makes the fetched
# hook code immutable.

repos:
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: end-of-file-fixer
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: check-yaml
        args:
          - --allow-multiple-documents
      - id: check-added-large-files
        args:
          - --maxkb=500
      - id: check-merge-conflict
      # Paths matching `exclude` are not checked by this hook at all: the
      # secret-scanner baseline and config, this file, the iOS Fastfile, and
      # every *.test.ts. A private key pasted into one of those files is only
      # caught if the detect-secrets hook flags it.
      - id: detect-private-key
        exclude: '(^|/)(\.secrets\.baseline$|\.detect-secrets\.cfg$|\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'

# Secret detection (same as CI)
|
|
- repo: https://github.com/Yelp/detect-secrets
|
|
rev: v1.5.0
|
|
hooks:
|
|
- id: detect-secrets
|
|
args:
|
|
- --baseline
|
|
- .secrets.baseline
|
|
- --exclude-files
|
|
- '(^|/)pnpm-lock\.yaml$'
|
|
- --exclude-lines
|
|
- 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
|
|
- --exclude-lines
|
|
- 'case \.apiKeyEnv: "API key \(env var\)"'
|
|
- --exclude-lines
|
|
- 'case apikey = "apiKey"'
|
|
- --exclude-lines
|
|
- '"gateway\.remote\.password"'
|
|
- --exclude-lines
|
|
- '"gateway\.auth\.password"'
|
|
- --exclude-lines
|
|
- '"talk\.apiKey"'
|
|
- --exclude-lines
|
|
- '=== "string"'
|
|
- --exclude-lines
|
|
- 'typeof remote\?\.password === "string"'
|
|
- --exclude-lines
|
|
- "OPENCLAW_DOCKER_GPG_FINGERPRINT="
|
|
- --exclude-lines
|
|
- '"secretShape": "(secret_input|sibling_ref)"'
|
|
- --exclude-lines
|
|
- 'API key rotation \(provider-specific\): set `\*_API_KEYS`'
|
|
- --exclude-lines
|
|
- 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`'
|
|
- --exclude-lines
|
|
- 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`'
|
|
- --exclude-files
|
|
- '^src/gateway/client\.watchdog\.test\.ts$'
|
|
- --exclude-lines
|
|
- 'export CUSTOM_API_K[E]Y="your-key"'
|
|
- --exclude-lines
|
|
- 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF'''
|
|
- --exclude-lines
|
|
- 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},'
|
|
- --exclude-lines
|
|
- '"ap[i]Key": "xxxxx",'
|
|
- --exclude-lines
|
|
- 'ap[i]Key: "A[I]za\.\.\.",'
|
|
# Shell script linting
|
|
- repo: https://github.com/koalaman/shellcheck-precommit
|
|
rev: v0.11.0
|
|
hooks:
|
|
- id: shellcheck
|
|
args: [--severity=error] # Only fail on errors, not warnings/info
|
|
# Exclude vendor and scripts with embedded code or known issues
|
|
exclude: "^(vendor/|scripts/e2e/)"
|
|
|
|
# GitHub Actions linting
|
|
- repo: https://github.com/rhysd/actionlint
|
|
rev: v1.7.10
|
|
hooks:
|
|
- id: actionlint
|
|
|
|
# GitHub Actions security audit
|
|
- repo: https://github.com/zizmorcore/zizmor-pre-commit
|
|
rev: v1.22.0
|
|
hooks:
|
|
- id: zizmor
|
|
args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
|
|
exclude: "^(vendor/|Swabble/)"
|
|
|
|
# Python checks for skills scripts
|
|
- repo: https://github.com/astral-sh/ruff-pre-commit
|
|
rev: v0.14.1
|
|
hooks:
|
|
- id: ruff
|
|
files: "^skills/.*\\.py$"
|
|
args: [--config, pyproject.toml]
|
|
|
|
- repo: local
|
|
hooks:
|
|
- id: skills-python-tests
|
|
name: skills python tests
|
|
entry: pytest -q skills
|
|
language: python
|
|
additional_dependencies: [pytest>=8, <9]
|
|
pass_filenames: false
|
|
files: "^skills/.*\\.py$"
|
|
|
|
# Project checks (same commands as CI)
|
|
- repo: local
|
|
hooks:
|
|
# pnpm audit --prod --audit-level=high
|
|
- id: pnpm-audit-prod
|
|
name: pnpm-audit-prod
|
|
entry: pnpm audit --prod --audit-level=high
|
|
language: system
|
|
pass_filenames: false
|
|
|
|
# oxlint --type-aware src test
|
|
- id: oxlint
|
|
name: oxlint
|
|
entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
|
|
language: system
|
|
pass_filenames: false
|
|
types_or: [javascript, jsx, ts, tsx]
|
|
|
|
# oxfmt --check src test
|
|
- id: oxfmt
|
|
name: oxfmt
|
|
entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
|
|
language: system
|
|
pass_filenames: false
|
|
types_or: [javascript, jsx, ts, tsx]
|
|
|
|
# swiftlint (same as CI)
|
|
- id: swiftlint
|
|
name: swiftlint
|
|
entry: swiftlint --config .swiftlint.yml
|
|
language: system
|
|
pass_filenames: false
|
|
types: [swift]
|
|
|
|
# swiftformat --lint (same as CI)
|
|
- id: swiftformat
|
|
name: swiftformat
|
|
entry: swiftformat --lint apps/macos/Sources --config .swiftformat
|
|
language: system
|
|
pass_filenames: false
|
|
types: [swift]
|