Fix pre-push check to check commited files, not staged.

2026-02-11 00:24:24 +01:00 · 2026-02-11 00:24:24 +01:00 · 6a810475df
commit 6a810475df
parent 7471b48794
1 changed files with 63 additions and 53 deletions
--- a/.checks/pre-push
+++ b/.checks/pre-push
@ -1,102 +1,112 @@
 #!/usr/bin/env bash
 # PRE-PUSH
 # Check the repo for dependency, language, vulnerability, and build issues
 set -euo pipefail
-# Colors
+# Setting log colours
 RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
 echo -e "${GREEN}Running pre-push checks...${NC}"
-# Paths
+# Setting paths
 REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
 CONTENT_DIR="$REPO_ROOT/content"
 ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml"
 SITE_DIR="$REPO_ROOT/deploy"
 LOG_DIR="$REPO_ROOT/logs"
-# Clean logs
+# Removing the old logs and recreating logs folder
 rm -rf "$LOG_DIR"; mkdir -p "$LOG_DIR"
 SERVER_PID=""
 cleanup() {
-  if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
+     if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
-    kill "$SERVER_PID" >/dev/null 2>&1 || true
+          kill "$SERVER_PID" >/dev/null 2>&1 || true
-    for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
+     for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
-  fi
+     fi
 }
 trap cleanup EXIT INT TERM
 # Trivy check for vulnerabilities in dependencies
 if command -v trivy &>/dev/null; then
-  echo -e "${GREEN}Running Trivy scan...${NC}"
+     echo -e "${GREEN}Running Trivy scan...${NC}"
-  trivy fs --ignorefile .trivyignore . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \
+     trivy fs --ignorefile .trivyignore . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \
-    >"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; }
+     >"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; }
 else
-  echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
+     echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
 fi
 # Trufflehog check for passwords and secrets
 if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
-  echo -e "${GREEN}Running TruffleHog (verified only)...${NC}"
+     echo -e "${GREEN}Running TruffleHog (verified only)...${NC}"
-  TMPF="$(mktemp)"
+     TMPF="$(mktemp)"
-  trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
+     trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
-  VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')"
+     VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')"
-  if [[ "$VERIFIED" -gt 0 ]]; then
+     if [[ "$VERIFIED" -gt 0 ]]; then
-    cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
+          cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
-    echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
+          echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
-    rm -f "$TMPF"; exit 1
+          rm -f "$TMPF"; exit 1
-  fi
+     fi
-  rm -f "$TMPF"
+     rm -f "$TMPF"
 else
-  echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
+     echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
 fi
-# Dependabot-like dependency vulnerability check
+# Dependabot dependency vulnerability check
 if command -v npm &>/dev/null && [[ -f package.json ]]; then
-  echo -e "${GREEN}Running npm audit...${NC}"
+     echo -e "${GREEN}Running npm audit...${NC}"
-  npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || {
+     npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || {
-    echo -e "${RED}npm audit found vulnerabilities. See $LOG_DIR/npm-audit.log${NC}"
+          echo -e "${RED}npm audit found vulnerabilities. See $LOG_DIR/npm-audit.log${NC}"
-    exit 1
+          exit 1
-  }
+     }
 elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then
-  echo -e "${GREEN}Running pip dependency check...${NC}"
+     echo -e "${GREEN}Running pip dependency check...${NC}"
-  pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true
+     pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true
-  if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
+     if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
-    echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
+          echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
-  fi
+     fi
 else
-  echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
+     echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
 fi
 # Lint all the markdown files using markdownlint-cli2
 if command -v markdownlint-cli2 &>/dev/null; then
-  echo -e "${GREEN}Running markdownlint...${NC}"
+     echo -e "${GREEN}Running markdownlint...${NC}"
-  MD_FILES="$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
+     # Check committed Markdown files instead of staged ones
-  if [[ -n "$MD_FILES" ]]; then
+     MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
-    # shellcheck disable=SC2086
+     if [[ -n "$MD_FILES" ]]; then
-    echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
+          # shellcheck disable=SC2086
-      echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; }
+          echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
-  fi
+          echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; }
     else
          echo -e "${YELLOW}No committed Markdown files found. Skipping markdown check.${NC}"
     fi
 else
-  echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}"
+     echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}"
 fi
 # Lint language using Vale
 if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then
-  echo -e "${GREEN}Running Vale...${NC}"
+     echo -e "${GREEN}Running Vale...${NC}"
-  VALE_FILES="$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
+     # Check committed Markdown files instead of staged ones
-  if [[ -n "$VALE_FILES" ]]; then
+     VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
-    # shellcheck disable=SC2086
+     if [[ -n "$VALE_FILES" ]]; then
-    echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
+          # shellcheck disable=SC2086
-      echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; }
+          echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
-  fi
+          echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; }
     else
          echo -e "${YELLOW}No committed Markdown files found. Skipping Vale check.${NC}"
     fi
 else
-  echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}"
+     echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}"
 fi
 # Build the site using Zensical to check for build errors
 if ! command -v zensical >/dev/null 2>&1; then
-  echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
+     echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
 fi
 echo -e "${GREEN}Building documentation (strict)…${NC}"
-zensical build -f "$ZENSICAL_CFG_PATH" -d "$SITE_DIR" --strict >"$LOG_DIR/zensical-build.log" 2>&1 || {
+zensical build --clean >"$LOG_DIR/zensical-build.log" 2>&1 || {
-  echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1; }
+     echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1;
 }