From 6a810475df1ca481b67f5ab8df91d4be20cd2a39 Mon Sep 17 00:00:00 2001
From: g_it
Date: Wed, 11 Feb 2026 00:24:24 +0100
Subject: [PATCH] Fix pre-push check to check commited files, not staged.
---
 .checks/pre-push | 116 +++++++++++++++++++++++++----------------------
 1 file changed, 63 insertions(+), 53 deletions(-)
diff --git a/.checks/pre-push b/.checks/pre-push
index fb68318..b08be97 100755
--- a/.checks/pre-push
+++ b/.checks/pre-push
@@ -1,102 +1,112 @@ #!/usr/bin/env bash +# PRE-PUSH +# Check the repo for dependency, language, vulnerability, and build issues + set -euo pipefail -# Colors +# Setting log colours RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m' echo -e "${GREEN}Running pre-push checks...${NC}" -# Paths +# Setting paths REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)" CONTENT_DIR="$REPO_ROOT/content" ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml" SITE_DIR="$REPO_ROOT/deploy" LOG_DIR="$REPO_ROOT/logs" -# Clean logs +# Removing the old logs and recreating logs folder rm -rf "$LOG_DIR"; mkdir -p "$LOG_DIR" SERVER_PID="" cleanup() { - if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then - kill "$SERVER_PID" >/dev/null 2>&1 || true - for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done - fi + if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then + kill "$SERVER_PID" >/dev/null 2>&1 || true + for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done + fi } trap cleanup EXIT INT TERM # Trivy check for vulnerabilities in dependencies if command -v trivy &>/dev/null; then - echo -e "${GREEN}Running Trivy scan...${NC}" - trivy fs --ignorefile .trivyignore . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \ - >"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; } + echo -e "${GREEN}Running Trivy scan...${NC}" + trivy fs --ignorefile .trivyignore . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \ + >"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; } else - echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}" + echo -e "${YELLOW}Trivy not installed. 
Skipping vulnerability scan.${NC}" fi # Trufflehog check for passwords and secrets if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then - echo -e "${GREEN}Running TruffleHog (verified only)...${NC}" - TMPF="$(mktemp)" - trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true - VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')" - if [[ "$VERIFIED" -gt 0 ]]; then - cp "$TMPF" "$LOG_DIR/trufflehog-findings.json" - echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}" - rm -f "$TMPF"; exit 1 - fi - rm -f "$TMPF" + echo -e "${GREEN}Running TruffleHog (verified only)...${NC}" + TMPF="$(mktemp)" + trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true + VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')" + if [[ "$VERIFIED" -gt 0 ]]; then + cp "$TMPF" "$LOG_DIR/trufflehog-findings.json" + echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}" + rm -f "$TMPF"; exit 1 + fi + rm -f "$TMPF" else - echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}" + echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}" fi -# Dependabot-like dependency vulnerability check +# Dependabot dependency vulnerability check if command -v npm &>/dev/null && [[ -f package.json ]]; then - echo -e "${GREEN}Running npm audit...${NC}" - npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || { - echo -e "${RED}npm audit found vulnerabilities. See $LOG_DIR/npm-audit.log${NC}" - exit 1 - } + echo -e "${GREEN}Running npm audit...${NC}" + npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || { + echo -e "${RED}npm audit found vulnerabilities. 
See $LOG_DIR/npm-audit.log${NC}" + exit 1 + } elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then - echo -e "${GREEN}Running pip dependency check...${NC}" - pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true - if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then - echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}" - fi + echo -e "${GREEN}Running pip dependency check...${NC}" + pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true + if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then + echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}" + fi else - echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}" + echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}" fi # Lint all the markdown files using markdownlint-cli2 if command -v markdownlint-cli2 &>/dev/null; then - echo -e "${GREEN}Running markdownlint...${NC}" - MD_FILES="$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.md$' || true)" - if [[ -n "$MD_FILES" ]]; then - # shellcheck disable=SC2086 - echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || { - echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; } - fi + echo -e "${GREEN}Running markdownlint...${NC}" + # Check committed Markdown files instead of staged ones + MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)" + if [[ -n "$MD_FILES" ]]; then + # shellcheck disable=SC2086 + echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || { + echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; } + else + echo -e "${YELLOW}No committed Markdown files found. Skipping markdown check.${NC}" + fi else - echo -e "${YELLOW}markdownlint-cli2 not installed. 
Skipping markdown check.${NC}" + echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}" fi # Lint language using Vale if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then - echo -e "${GREEN}Running Vale...${NC}" - VALE_FILES="$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.md$' || true)" - if [[ -n "$VALE_FILES" ]]; then - # shellcheck disable=SC2086 - echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || { - echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; } - fi + echo -e "${GREEN}Running Vale...${NC}" + # Check committed Markdown files instead of staged ones + VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)" + if [[ -n "$VALE_FILES" ]]; then + # shellcheck disable=SC2086 + echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || { + echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; } + else + echo -e "${YELLOW}No committed Markdown files found. Skipping Vale check.${NC}" + fi else - echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}" + echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}" fi # Build the site using Zensical to check for build errors if ! command -v zensical >/dev/null 2>&1; then - echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1 + echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1 fi echo -e "${GREEN}Building documentation (strict)…${NC}" -zensical build -f "$ZENSICAL_CFG_PATH" -d "$SITE_DIR" --strict >"$LOG_DIR/zensical-build.log" 2>&1 || { - echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1; } +zensical build --clean >"$LOG_DIR/zensical-build.log" 2>&1 || { + echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1; +}
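Review bot: The new `git diff HEAD~1 HEAD` in the MD_FILES and VALE_FILES lines covers only the most recent commit, so a push of several commits lints just the last one, and on a root commit `HEAD~1` does not resolve, the trailing `|| true` swallows the git error, and the hook prints "No committed Markdown files found" and skips the linter entirely. A git pre-push hook receives one `<local_ref> <local_sha> <remote_ref> <remote_sha>` line per pushed ref on stdin, so the file list should come from the `$remote_sha..$local_sha` range, with a git failure aborting the hook rather than emptying the list (only the grep no-match case should be tolerated, e.g. `| { grep -E '\.md$' || true; }`); the sketch below builds MD_FILES that way and VALE_FILES can reuse it. Separately, the new `zensical build --clean` line drops the `--strict`, `-f "$ZENSICAL_CFG_PATH"` and `-d "$SITE_DIR"` arguments while the echo just above still says "(strict)" and those two variables (plus CONTENT_DIR) are now unused, so either restore `--strict` or change the message to match what is built. The unquoted `echo $MD_FILES | xargs` is pre-existing but breaks on paths containing spaces; `git diff --name-only -z` with `xargs -0` would fix that and remove the need for the shellcheck disable.
```shell
# … unchanged: header, paths, cleanup, Trivy / TruffleHog / dependency sections …
# pre-push gets one "<local_ref> <local_sha> <remote_ref> <remote_sha>" line per pushed ref on stdin;
# collect the Markdown files touched by every commit being pushed, not only HEAD~1..HEAD
MD_FILES=""
while read -r _local_ref local_sha _remote_ref remote_sha; do
  [[ "$local_sha" =~ ^0+$ ]] && continue   # branch deletion: nothing to lint
  if [[ "$remote_sha" =~ ^0+$ ]]; then
    # new remote branch: no base on the remote, so take every Markdown file on the branch
    range_files="$(git ls-tree -r --name-only "$local_sha" | { grep -E '\.md$' || true; })"
  else
    range_files="$(git diff --name-only --diff-filter=ACM "$remote_sha" "$local_sha" | { grep -E '\.md$' || true; })"
  fi
  MD_FILES="${MD_FILES}${range_files}"$'\n'
done
MD_FILES="$(printf '%s' "$MD_FILES" | sort -u | sed '/^$/d')"
# … unchanged: markdownlint-cli2 invocation; VALE_FILES="$MD_FILES" replaces the second git diff …
```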