From b82c24ad07a452fcd6fb101ed64926102b2bf362 Mon Sep 17 00:00:00 2001
From: Sabin Shrestha
Date: Mon, 21 Jul 2025 22:46:12 +0545
Subject: [PATCH] chore: add pre-commit
---
.github/workflows/pre-commit.yml | 33 ++++++++
.pre-commit-config.yaml | 130 +++++++++++++++++++++++++++
.secrets.baseline | 115 +++++++++++++++++++++++++++
3 files changed, 278 insertions(+)
create mode 100644 .github/workflows/pre-commit.yml
create mode 100644 .pre-commit-config.yaml
create mode 100644 .secrets.baseline
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 000000000..91ae6fdf4
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,33 @@
+name: pre-commit
+
+on:
+ push:
+ pull_request:
+ branches: [main]
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Required for detecting diffs
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.12'
+
+ - name: Install pre-commit
+ run: |
+ pip install pre-commit
+
+ - name: Run pre-commit on changed files
+ run: |
+ CHANGED_FILES=$(git diff --name-only origin/main...HEAD | tr '\n' ' ')
+ if [ -n "$CHANGED_FILES" ]; then
+ pre-commit run --files $CHANGED_FILES
+ else
+ echo "No changed files to check."
+ fi
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..4fd428d2f
--- /dev/null
+++ b/.pre-commit-config.yaml
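Review bot: The changed-file computation at `CHANGED_FILES=$(git diff --name-only origin/main...HEAD | tr '\n' ' ')` yields nothing on a push to main itself — after checkout of the pushed commit, `origin/main` and `HEAD` are the same commit — so the job prints "No changed files to check." and passes without running a single hook on the branch the `pull_request` trigger is meant to protect. Diff against the event's base instead (`github.event.pull_request.base.sha` for PRs, `github.event.before` for pushes) and fall back to `pre-commit run --all-files` when that SHA is unusable (first push of a branch, all-zero SHA), which also makes the initial rollout actually scan the existing tree with detect-secrets and bandit. In the same file `pip install pre-commit` is unpinned, so the tool that gates every merge is whatever PyPI serves that day — pin it (`pip install pre-commit==X.Y.Z`, ideally with `--require-hashes`) — and `actions/checkout@v4` / `actions/setup-python@v5` are mutable tags that should be SHA-pinned if compromised actions are in the threat model. Passing filenames NUL-separated (`-z` + `xargs -0`) also stops paths with spaces from being split into several arguments.
```yaml
      - name: Run pre-commit on changed files
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.before }}
        run: |
          # Full run when no usable base exists (first push of a branch, all-zero SHA).
          if [ -z "$BASE_SHA" ] || ! git cat-file -e "$BASE_SHA^{commit}" 2>/dev/null; then
            pre-commit run --all-files
          else
            git diff --name-only -z "$BASE_SHA" HEAD | xargs -0 -r pre-commit run --files
          fi
```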
@@ -0,0 +1,130 @@
+# Pre-commit configuration for SurfSense
+# See https://pre-commit.com for more information
+
+repos:
+ # General file quality hooks
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: trailing-whitespace
+ exclude: '\.md$'
+ - id: check-yaml
+ args: [--multi, --unsafe]
+ - id: check-json
+ exclude: '(tsconfig\.json|\.vscode/.*\.json)$'
+ - id: check-toml
+ - id: check-merge-conflict
+ - id: check-added-large-files
+ args: [--maxkb=10240] # 10MB limit
+ - id: debug-statements
+ - id: check-case-conflict
+
+ # Security - detect secrets across all file types
+ - repo: https://github.com/Yelp/detect-secrets
+ rev: v1.5.0
+ hooks:
+ - id: detect-secrets
+ args: ['--baseline', '.secrets.baseline']
+ exclude: |
+ (?x)^(
+ .*\.env\.example|
+ .*\.env\.template|
+ .*/tests/.*|
+ .*test.*\.py|
+ .github/workflows/.*\.yml|
+ .github/workflows/.*\.yaml|
+ .*pnpm-lock\.yaml|
+ .*alembic\.ini|
+ .*\.mdx$
+ )$
+
+ # Python Backend Hooks (surfsense_backend)
+ - repo: https://github.com/psf/black
+ rev: 25.1.0
+ hooks:
+ - id: black
+ files: ^surfsense_backend/
+ language_version: python3
+
+ - repo: https://github.com/pycqa/isort
+ rev: 6.0.1
+ hooks:
+ - id: isort
+ files: ^surfsense_backend/
+ args: ["--profile", "black", "--line-length", "88"]
+
+ - repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: v0.12.4
+ hooks:
+ - id: ruff
+ files: ^surfsense_backend/
+ args: [--fix, --exit-non-zero-on-fix]
+ - id: ruff-format
+ files: ^surfsense_backend/
+
+ - repo: https://github.com/pre-commit/mirrors-mypy
+ rev: v1.17.0
+ hooks:
+ - id: mypy
+ files: ^surfsense_backend/
+ additional_dependencies: []
+ args: [--ignore-missing-imports, --disallow-untyped-defs]
+
+ - repo: https://github.com/PyCQA/bandit
+ rev: 1.8.6
+ hooks:
+ - id: bandit
+ files: ^surfsense_backend/
+ args: ['-r', '.', '-f', 'json']
+ exclude: ^surfsense_backend/(tests/|alembic/)
+
+ # Frontend/Extension Hooks (TypeScript/JavaScript)
+ - repo: https://github.com/pre-commit/mirrors-prettier
+ rev: v4.0.0-alpha.8
+ hooks:
+ - id: prettier
+ files: ^(surfsense_web|surfsense_browser_extension)/
+ types_or: [javascript, jsx, ts, tsx, json, yaml, markdown]
+ exclude: '(package-lock\.json|\.next/|build/|dist/)'
+
+ - repo: https://github.com/pre-commit/mirrors-eslint
+ rev: v9.31.0
+ hooks:
+ - id: eslint
+ files: ^surfsense_web/
+ types: [file]
+ types_or: [javascript, jsx, ts, tsx]
+ additional_dependencies:
+ - 'eslint@^9'
+ - 'eslint-config-next@15.2.0'
+ - '@eslint/eslintrc@^3'
+ args: [--fix]
+ exclude: '(\.next/|build/|dist/)'
+
+ # TypeScript compilation check
+ - repo: local
+ hooks:
+ - id: typescript-check-web
+ name: TypeScript Check (Web)
+ entry: bash -c 'cd surfsense_web && (command -v pnpm >/dev/null 2>&1 && pnpm build --dry-run || npx next build --dry-run)'
+ language: system
+ files: ^surfsense_web/.*\.(ts|tsx)$
+ pass_filenames: false
+
+ - id: typescript-check-extension
+ name: TypeScript Check (Browser Extension)
+ entry: bash -c 'cd surfsense_browser_extension && npx tsc --noEmit'
+ language: system
+ files: ^surfsense_browser_extension/.*\.(ts|tsx)$
+ pass_filenames: false
+
+ # Commit message linting
+ - repo: https://github.com/commitizen-tools/commitizen
+ rev: v4.8.3
+ hooks:
+ - id: commitizen
+ stages: [commit-msg]
+
+# Global configuration
+default_stages: [pre-commit]
+fail_fast: false
\ No newline at end of file
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 000000000..254d9ded0
--- /dev/null
+++ b/.secrets.baseline
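Review bot: The detect-secrets `exclude` block near the top of the hunk skips `.github/workflows/*.yml`/`*.yaml` and anything matching `.*test.*\.py` or `.*/tests/.*`; workflow files are exactly where tokens get pasted into `env:` blocks, and `.*test.*\.py` is unanchored, so it also silences files such as `latest_config.py` or `contest.py`, not just test modules. Narrow the pattern to real test directories and `test_*.py` modules and drop the workflow exclusion; fixture credentials in tests can be marked with `# pragma: allowlist secret` or audited into the baseline rather than blanket-excluded, and the `.mdx` exclusion deserves the same treatment since docs are a common home for copy-pasted real keys. Separately, the bandit hook passes `-r .` on top of the filenames pre-commit supplies, which appears to make bandit walk the whole checkout from the repo root instead of only the `^surfsense_backend/` files, so `exclude: ^surfsense_backend/(tests/|alembic/)` never applies to what is actually scanned, and `-f json` turns a failing hook's output into a blob that is hard to read in a terminal — dropping both (`args: []`, or `-c pyproject.toml` for a checked-in config) lets the `files`/`exclude` filters do their job.
```yaml
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
        exclude: |
          (?x)^(
            .*\.env\.(example|template)|
            (.*/)?tests/.*|
            (.*/)?test_[^/]*\.py|
            .*pnpm-lock\.yaml|
            .*alembic\.ini
          )$
```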
@@ -0,0 +1,115 @@
+{
+ "version": "1.5.0",
+ "plugins_used": [
+ {
+ "name": "ArtifactoryDetector"
+ },
+ {
+ "name": "AWSKeyDetector"
+ },
+ {
+ "name": "AzureStorageKeyDetector"
+ },
+ {
+ "name": "Base64HighEntropyString",
+ "limit": 4.5
+ },
+ {
+ "name": "BasicAuthDetector"
+ },
+ {
+ "name": "CloudantDetector"
+ },
+ {
+ "name": "DiscordBotTokenDetector"
+ },
+ {
+ "name": "GitHubTokenDetector"
+ },
+ {
+ "name": "HexHighEntropyString",
+ "limit": 3.0
+ },
+ {
+ "name": "IbmCloudIamDetector"
+ },
+ {
+ "name": "IbmCosHmacDetector"
+ },
+ {
+ "name": "JwtTokenDetector"
+ },
+ {
+ "name": "KeywordDetector",
+ "keyword_exclude": ""
+ },
+ {
+ "name": "MailchimpDetector"
+ },
+ {
+ "name": "NpmDetector"
+ },
+ {
+ "name": "PrivateKeyDetector"
+ },
+ {
+ "name": "SendGridDetector"
+ },
+ {
+ "name": "SlackDetector"
+ },
+ {
+ "name": "SoftlayerDetector"
+ },
+ {
+ "name": "SquareOAuthDetector"
+ },
+ {
+ "name": "StripeDetector"
+ },
+ {
+ "name": "TwilioKeyDetector"
+ }
+ ],
+ "filters_used": [
+ {
+ "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file"
+ },
+ {
+ "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+ "min_level": 2
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_lock_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_sequential_string"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_swagger_file"
+ },
+ {
+ "path": "detect_secrets.filters.heuristic.is_templated_secret"
+ }
+ ],
+ "results": {},
+ "generated_at": "2025-01-20T12:00:00Z"
+}
\ No newline at end of file
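Review bot: `"results": {}` together with `"generated_at": "2025-01-20T12:00:00Z"` — a round timestamp six months before this commit's 21 Jul 2025 date — suggests the baseline was written by hand rather than produced by `detect-secrets scan`, so the existing tree has apparently never been scanned with this plugin set, and because the CI job in this patch only runs hooks on changed files, a secret already checked in will not surface until its file happens to change. Regenerate it with `detect-secrets scan > .secrets.baseline` and walk any findings with `detect-secrets audit .secrets.baseline` before merging; that also keeps `plugins_used`/`filters_used` aligned with the pinned v1.5.0 and records a real timestamp. Note that the file-level exclusions live only in the hook's `exclude:` regex, not in this baseline's `filters_used`, so a local `detect-secrets scan` will report files the hook silently skips — pass the same pattern via `--exclude-files` when regenerating if the two are meant to agree.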