g_it/site
g_it/site
1
0
Fork 0
Code Issues Releases 1 Wiki Activity Actions

Making the pre-push faster?

Browse source
This commit is contained in:
g_it 2026-02-11 18:21:26 +01:00
commit 118160c4b9
Signed by untrusted user who does not match committer: g_it
GPG key ID: A2B0A7C06A054627
1 changed files with 75 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

58
.checks/pre-push
View file

@ -15,12 +15,14 @@ CONTENT_DIR="$REPO_ROOT/content"
ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml" ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml"
SITE_DIR="$REPO_ROOT/deploy" SITE_DIR="$REPO_ROOT/deploy"
LOG_DIR="$REPO_ROOT/logs" LOG_DIR="$REPO_ROOT/logs"
mkdir -p "$LOG_DIR"
# Removing the old logs and recreating logs folder # Cleanup old logs
rm -rf "$LOG_DIR"; mkdir -p "$LOG_DIR" rm -f "$LOG_DIR/*"
SERVER_PID="" # Cleanup function
cleanup() { cleanup() {
trap - EXIT INT TERM
if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
kill "$SERVER_PID" >/dev/null 2>&1 || true kill "$SERVER_PID" >/dev/null 2>&1 || true
for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
@ -28,22 +30,30 @@ cleanup() {
} }
trap cleanup EXIT INT TERM trap cleanup EXIT INT TERM
# Trivy check for vulnerabilities in dependencies # Function to run commands and log output
run_command() {
local cmd="$1"
local logfile="$2"
echo -e "${GREEN}Running ${cmd}...${NC}"
$cmd >"$logfile" 2>&1 || { echo -e "${RED}${cmd} failed. See $logfile${NC}"; exit 1; }
}
# Running independent checks in parallel
{
# Trivy check for vulnerabilities
if command -v trivy &>/dev/null; then if command -v trivy &>/dev/null; then
echo -e "${GREEN}Running Trivy scan...${NC}" run_command "trivy fs . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln" "$LOG_DIR/trivy.log"
trivy fs . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \
>"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; }
else else
echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}" echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
fi fi
} &
{
# Trufflehog check for passwords and secrets # Trufflehog check for passwords and secrets
if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
echo -e "${GREEN}Running TruffleHog (verified only)...${NC}"
TMPF="$(mktemp)" TMPF="$(mktemp)"
trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')" if jq -e 'select(.verified==true)' "$TMPF" | grep -q .; then
if [[ "$VERIFIED" -gt 0 ]]; then
cp "$TMPF" "$LOG_DIR/trufflehog-findings.json" cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}" echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
rm -f "$TMPF"; exit 1 rm -f "$TMPF"; exit 1
@ -52,31 +62,30 @@ if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
else else
echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}" echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
fi fi
} &
{
# Dependabot dependency vulnerability check # Dependabot dependency vulnerability check
if command -v npm &>/dev/null && [[ -f package.json ]]; then if command -v npm &>/dev/null && [[ -f package.json ]]; then
echo -e "${GREEN}Running npm audit...${NC}" run_command "npm audit --audit-level=high" "$LOG_DIR/npm-audit.log"
npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || {
echo -e "${RED}npm audit found vulnerabilities. See $LOG_DIR/npm-audit.log${NC}"
exit 1
}
elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then
echo -e "${GREEN}Running pip dependency check...${NC}" run_command "pip list --outdated" "$LOG_DIR/pip-outdated.log"
pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true
if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}" echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
fi fi
else else
echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}" echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
fi fi
} &
# Lint all the markdown files using markdownlint-cli2 # Wait for all background jobs to finish
wait
# Lint markdown files using markdownlint-cli2
if command -v markdownlint-cli2 &>/dev/null; then if command -v markdownlint-cli2 &>/dev/null; then
echo -e "${GREEN}Running markdownlint...${NC}"
# Check committed Markdown files instead of staged ones
MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)" MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
if [[ -n "$MD_FILES" ]]; then if [[ -n "$MD_FILES" ]]; then
# shellcheck disable=SC2086 echo -e "${GREEN}Running markdownlint...${NC}"
echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || { echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; } echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; }
else else
@ -89,10 +98,8 @@ fi
# Lint language using Vale # Lint language using Vale
if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then
echo -e "${GREEN}Running Vale...${NC}" echo -e "${GREEN}Running Vale...${NC}"
# Check committed Markdown files instead of staged ones
VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)" VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
if [[ -n "$VALE_FILES" ]]; then if [[ -n "$VALE_FILES" ]]; then
# shellcheck disable=SC2086
echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || { echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; } echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; }
else else
@ -106,7 +113,4 @@ fi
if ! command -v zensical >/dev/null 2>&1; then if ! command -v zensical >/dev/null 2>&1; then
echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1 echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
fi fi
echo -e "${GREEN}Building documentation (strict)…${NC}" run_command "zensical build --clean" "$LOG_DIR/zensical-build.log"
zensical build --clean >"$LOG_DIR/zensical-build.log" 2>&1 || {
echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1;
}