g_it/site
g_it/site
1
0
Fork 0
Code Issues Releases 1 Wiki Activity Actions

Making the pre-push faster?

Browse source
This commit is contained in:
g_it 2026-02-11 18:21:26 +01:00
commit 118160c4b9
Signed by untrusted user who does not match committer: g_it
GPG key ID: A2B0A7C06A054627
1 changed files with 75 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

146
.checks/pre-push
View file

@ -15,98 +15,102 @@ CONTENT_DIR="$REPO_ROOT/content"
ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml" ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml"
SITE_DIR="$REPO_ROOT/deploy" SITE_DIR="$REPO_ROOT/deploy"
LOG_DIR="$REPO_ROOT/logs" LOG_DIR="$REPO_ROOT/logs"
mkdir -p "$LOG_DIR"
# Removing the old logs and recreating logs folder # Cleanup old logs
rm -rf "$LOG_DIR"; mkdir -p "$LOG_DIR" rm -f "$LOG_DIR/*"
SERVER_PID="" # Cleanup function
cleanup() { cleanup() {
trap - EXIT INT TERM
if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
kill "$SERVER_PID" >/dev/null 2>&1 || true kill "$SERVER_PID" >/dev/null 2>&1 || true
for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
fi fi
} }
trap cleanup EXIT INT TERM trap cleanup EXIT INT TERM
# Trivy check for vulnerabilities in dependencies # Function to run commands and log output
if command -v trivy &>/dev/null; then run_command() {
echo -e "${GREEN}Running Trivy scan...${NC}" local cmd="$1"
trivy fs . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \ local logfile="$2"
>"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; } echo -e "${GREEN}Running ${cmd}...${NC}"
else $cmd >"$logfile" 2>&1 || { echo -e "${RED}${cmd} failed. See $logfile${NC}"; exit 1; }
echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}" }
fi
# Trufflehog check for passwords and secrets # Running independent checks in parallel
if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then {
echo -e "${GREEN}Running TruffleHog (verified only)...${NC}" # Trivy check for vulnerabilities
TMPF="$(mktemp)" if command -v trivy &>/dev/null; then
trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true run_command "trivy fs . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln" "$LOG_DIR/trivy.log"
VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')" else
if [[ "$VERIFIED" -gt 0 ]]; then echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
cp "$TMPF" "$LOG_DIR/trufflehog-findings.json" fi
echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}" } &
rm -f "$TMPF"; exit 1
fi
rm -f "$TMPF"
else
echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
fi
# Dependabot dependency vulnerability check {
if command -v npm &>/dev/null && [[ -f package.json ]]; then # Trufflehog check for passwords and secrets
echo -e "${GREEN}Running npm audit...${NC}" if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || { TMPF="$(mktemp)"
echo -e "${RED}npm audit found vulnerabilities. See $LOG_DIR/npm-audit.log${NC}" trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
exit 1 if jq -e 'select(.verified==true)' "$TMPF" | grep -q .; then
} cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
echo -e "${GREEN}Running pip dependency check...${NC}" rm -f "$TMPF"; exit 1
pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true fi
if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then rm -f "$TMPF"
echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}" else
fi echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
else fi
echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}" } &
fi
# Lint all the markdown files using markdownlint-cli2 {
# Dependabot dependency vulnerability check
if command -v npm &>/dev/null && [[ -f package.json ]]; then
run_command "npm audit --audit-level=high" "$LOG_DIR/npm-audit.log"
elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then
run_command "pip list --outdated" "$LOG_DIR/pip-outdated.log"
if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
fi
else
echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
fi
} &
# Wait for all background jobs to finish
wait
# Lint markdown files using markdownlint-cli2
if command -v markdownlint-cli2 &>/dev/null; then if command -v markdownlint-cli2 &>/dev/null; then
echo -e "${GREEN}Running markdownlint...${NC}" MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
# Check committed Markdown files instead of staged ones if [[ -n "$MD_FILES" ]]; then
MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)" echo -e "${GREEN}Running markdownlint...${NC}"
if [[ -n "$MD_FILES" ]]; then echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
# shellcheck disable=SC2086 echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; }
echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || { else
echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; } echo -e "${YELLOW}No committed Markdown files found. Skipping markdown check.${NC}"
else fi
echo -e "${YELLOW}No committed Markdown files found. Skipping markdown check.${NC}"
fi
else else
echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}" echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}"
fi fi
# Lint language using Vale # Lint language using Vale
if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then
echo -e "${GREEN}Running Vale...${NC}" echo -e "${GREEN}Running Vale...${NC}"
# Check committed Markdown files instead of staged ones VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)" if [[ -n "$VALE_FILES" ]]; then
if [[ -n "$VALE_FILES" ]]; then echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
# shellcheck disable=SC2086 echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; }
echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || { else
echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; } echo -e "${YELLOW}No committed Markdown files found. Skipping Vale check.${NC}"
else fi
echo -e "${YELLOW}No committed Markdown files found. Skipping Vale check.${NC}"
fi
else else
echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}" echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}"
fi fi
# Build the site using Zensical to check for build errors # Build the site using Zensical to check for build errors
if ! command -v zensical >/dev/null 2>&1; then if ! command -v zensical >/dev/null 2>&1; then
echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1 echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
fi fi
echo -e "${GREEN}Building documentation (strict)…${NC}" run_command "zensical build --clean" "$LOG_DIR/zensical-build.log"
zensical build --clean >"$LOG_DIR/zensical-build.log" 2>&1 || {
echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1;
}