This commit is contained in:
g_it
parent
cdc47d5058
commit
a63608ace0
GPG key ID:
A2B0A7C06A054627
1 changed files with 126 additions and 126 deletions
220
.checks/pre-push
220
.checks/pre-push
|
|
@ -1,126 +1,126 @@
|
||||||
#!/usr/bin/env bash
|
# #!/usr/bin/env bash
|
||||||
# PRE-PUSH
|
# # PRE-PUSH
|
||||||
# Check the repo for dependency, language, vulnerability, and build issues
|
# # Check the repo for dependency, language, vulnerability, and build issues
|
||||||
|
|
||||||
set -euo pipefail
|
# set -euo pipefail
|
||||||
|
|
||||||
# Setting log colours
|
# # Setting log colours
|
||||||
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
|
# RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
|
||||||
|
|
||||||
echo -e "${GREEN}Running pre-push checks...${NC}"
|
# echo -e "${GREEN}Running pre-push checks...${NC}"
|
||||||
|
|
||||||
# Start time tracking
|
# # Start time tracking
|
||||||
START_TIME=$(date +%s)
|
# START_TIME=$(date +%s)
|
||||||
|
|
||||||
# Setting paths
|
# # Setting paths
|
||||||
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
|
# REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
|
||||||
CONTENT_DIR="$REPO_ROOT/content"
|
# CONTENT_DIR="$REPO_ROOT/content"
|
||||||
ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml"
|
# ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml"
|
||||||
SITE_DIR="$REPO_ROOT/deploy"
|
# SITE_DIR="$REPO_ROOT/deploy"
|
||||||
LOG_DIR="$REPO_ROOT/.checks/logs"
|
# LOG_DIR="$REPO_ROOT/.checks/logs"
|
||||||
mkdir -p "$LOG_DIR"
|
# mkdir -p "$LOG_DIR"
|
||||||
|
|
||||||
# Cleanup old logs
|
# # Cleanup old logs
|
||||||
rm -f "$LOG_DIR/*"
|
# rm -f "$LOG_DIR/*"
|
||||||
|
|
||||||
# Cleanup function
|
# # Cleanup function
|
||||||
cleanup() {
|
# cleanup() {
|
||||||
trap - EXIT INT TERM
|
# trap - EXIT INT TERM
|
||||||
if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
|
# if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
|
||||||
kill "$SERVER_PID" >/dev/null 2>&1 || true
|
# kill "$SERVER_PID" >/dev/null 2>&1 || true
|
||||||
for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
|
# for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
|
||||||
fi
|
# fi
|
||||||
}
|
# }
|
||||||
trap cleanup EXIT INT TERM
|
# trap cleanup EXIT INT TERM
|
||||||
|
|
||||||
# Function to run commands and log output
|
# # Function to run commands and log output
|
||||||
run_command() {
|
# run_command() {
|
||||||
local cmd="$1"
|
# local cmd="$1"
|
||||||
local logfile="$2"
|
# local logfile="$2"
|
||||||
echo -e "${GREEN}Running ${cmd}...${NC}"
|
# echo -e "${GREEN}Running ${cmd}...${NC}"
|
||||||
$cmd >"$logfile" 2>&1 || { echo -e "${RED}${cmd} failed. See $logfile${NC}"; exit 1; }
|
# $cmd >"$logfile" 2>&1 || { echo -e "${RED}${cmd} failed. See $logfile${NC}"; exit 1; }
|
||||||
}
|
# }
|
||||||
|
|
||||||
# Running independent checks in parallel
|
# # Running independent checks in parallel
|
||||||
{
|
# {
|
||||||
# Trivy check for vulnerabilities
|
# # Trivy check for vulnerabilities
|
||||||
if command -v trivy &>/dev/null; then
|
# if command -v trivy &>/dev/null; then
|
||||||
run_command "trivy fs . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln" "$LOG_DIR/trivy.log"
|
# run_command "trivy fs . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln" "$LOG_DIR/trivy.log"
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
|
# echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
|
||||||
fi
|
# fi
|
||||||
} &
|
# } &
|
||||||
|
|
||||||
{
|
# {
|
||||||
# Trufflehog check for passwords and secrets
|
# # Trufflehog check for passwords and secrets
|
||||||
if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
|
# if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
|
||||||
TMPF="$(mktemp)"
|
# TMPF="$(mktemp)"
|
||||||
trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
|
# trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
|
||||||
if jq -e 'select(.verified==true)' "$TMPF" | grep -q .; then
|
# if jq -e 'select(.verified==true)' "$TMPF" | grep -q .; then
|
||||||
cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
|
# cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
|
||||||
echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
|
# echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
|
||||||
rm -f "$TMPF"; exit 1
|
# rm -f "$TMPF"; exit 1
|
||||||
fi
|
# fi
|
||||||
rm -f "$TMPF"
|
# rm -f "$TMPF"
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
|
# echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
|
||||||
fi
|
# fi
|
||||||
} &
|
# } &
|
||||||
|
|
||||||
{
|
# {
|
||||||
# Dependabot dependency vulnerability check
|
# # Dependabot dependency vulnerability check
|
||||||
if command -v npm &>/dev/null && [[ -f package.json ]]; then
|
# if command -v npm &>/dev/null && [[ -f package.json ]]; then
|
||||||
run_command "npm audit --audit-level=high" "$LOG_DIR/npm-audit.log"
|
# run_command "npm audit --audit-level=high" "$LOG_DIR/npm-audit.log"
|
||||||
elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then
|
# elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then
|
||||||
run_command "pip list --outdated" "$LOG_DIR/pip-outdated.log"
|
# run_command "pip list --outdated" "$LOG_DIR/pip-outdated.log"
|
||||||
if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
|
# if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
|
||||||
echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
|
# echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
|
||||||
fi
|
# fi
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
|
# echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
|
||||||
fi
|
# fi
|
||||||
} &
|
# } &
|
||||||
|
|
||||||
# Wait for all background jobs to finish
|
# # Wait for all background jobs to finish
|
||||||
wait
|
# wait
|
||||||
|
|
||||||
# Lint markdown files using markdownlint-cli2
|
# # Lint markdown files using markdownlint-cli2
|
||||||
if command -v markdownlint-cli2 &>/dev/null; then
|
# if command -v markdownlint-cli2 &>/dev/null; then
|
||||||
MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
|
# MD_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
|
||||||
if [[ -n "$MD_FILES" ]]; then
|
# if [[ -n "$MD_FILES" ]]; then
|
||||||
echo -e "${GREEN}Running markdownlint...${NC}"
|
# echo -e "${GREEN}Running markdownlint...${NC}"
|
||||||
echo "$MD_FILES" | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
|
# echo "$MD_FILES" | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
|
||||||
echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1;
|
# echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1;
|
||||||
}
|
# }
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}No committed Markdown files found. Skipping markdown check.${NC}"
|
# echo -e "${YELLOW}No committed Markdown files found. Skipping markdown check.${NC}"
|
||||||
fi
|
# fi
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}"
|
# echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}"
|
||||||
fi
|
# fi
|
||||||
|
|
||||||
# Lint language using Vale
|
# # Lint language using Vale
|
||||||
if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then
|
# if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then
|
||||||
echo -e "${GREEN}Running Vale...${NC}"
|
# echo -e "${GREEN}Running Vale...${NC}"
|
||||||
VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
|
# VALE_FILES="$(git diff HEAD~1 HEAD --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
|
||||||
if [[ -n "$VALE_FILES" ]]; then
|
# if [[ -n "$VALE_FILES" ]]; then
|
||||||
echo "$VALE_FILES" | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
|
# echo "$VALE_FILES" | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
|
||||||
echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1;
|
# echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1;
|
||||||
}
|
# }
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}No committed Markdown files found. Skipping Vale check.${NC}"
|
# echo -e "${YELLOW}No committed Markdown files found. Skipping Vale check.${NC}"
|
||||||
fi
|
# fi
|
||||||
else
|
# else
|
||||||
echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}"
|
# echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}"
|
||||||
fi
|
# fi
|
||||||
|
|
||||||
# Build the site using Zensical to check for build errors
|
# # Build the site using Zensical to check for build errors
|
||||||
if ! command -v zensical >/dev/null 2>&1; then
|
# if ! command -v zensical >/dev/null 2>&1; then
|
||||||
echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
|
# echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
|
||||||
fi
|
# fi
|
||||||
run_command "zensical build --clean" "$LOG_DIR/zensical-build.log"
|
# run_command "zensical build --clean" "$LOG_DIR/zensical-build.log"
|
||||||
|
|
||||||
# End time tracking and calculate duration
|
# # End time tracking and calculate duration
|
||||||
END_TIME=$(date +%s)
|
# END_TIME=$(date +%s)
|
||||||
DURATION=$((END_TIME - START_TIME))
|
# DURATION=$((END_TIME - START_TIME))
|
||||||
echo -e "${GREEN}Push checks completed in $DURATION seconds.${NC}"
|
# echo -e "${GREEN}Push checks completed in $DURATION seconds.${NC}"
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue