g_it/site
g_it/site
1
0
Fork 0
Code Issues Releases 1 Wiki Activity Actions
site/.checks/pre-push
g_it 7471b48794
 .
2026-02-10 23:51:28 +01:00

102 lines
4 KiB
Bash
Executable file
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# Colors
RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; NC='\033[0m'
echo -e "${GREEN}Running pre-push checks...${NC}"
# Paths
REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
CONTENT_DIR="$REPO_ROOT/content"
ZENSICAL_CFG_PATH="$REPO_ROOT/zensical.toml"
SITE_DIR="$REPO_ROOT/deploy"
LOG_DIR="$REPO_ROOT/logs"
# Clean logs
rm -rf "$LOG_DIR"; mkdir -p "$LOG_DIR"
SERVER_PID=""
cleanup() {
if [[ -n "${SERVER_PID:-}" ]] && ps -p "$SERVER_PID" >/dev/null 2>&1; then
kill "$SERVER_PID" >/dev/null 2>&1 || true
for _ in {1..30}; do ps -p "$SERVER_PID" >/dev/null 2>&1 || break; sleep 0.1; done
fi
}
trap cleanup EXIT INT TERM
# Trivy check for vulnerabilities in dependencies
if command -v trivy &>/dev/null; then
echo -e "${GREEN}Running Trivy scan...${NC}"
trivy fs --ignorefile .trivyignore . --exit-code 1 --severity CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN --no-progress --scanners vuln \
>"$LOG_DIR/trivy.log" 2>&1 || { echo -e "${RED}Trivy failed. See $LOG_DIR/trivy.log${NC}"; exit 1; }
else
echo -e "${YELLOW}Trivy not installed. Skipping vulnerability scan.${NC}"
fi
# Trufflehog check for passwords and secrets
if command -v trufflehog &>/dev/null && command -v jq &>/dev/null; then
echo -e "${GREEN}Running TruffleHog (verified only)...${NC}"
TMPF="$(mktemp)"
trufflehog filesystem . --json >"$TMPF" 2>"$LOG_DIR/trufflehog.log" || true
VERIFIED="$(jq 'select(.verified==true)' "$TMPF" | wc -l | tr -d ' ')"
if [[ "$VERIFIED" -gt 0 ]]; then
cp "$TMPF" "$LOG_DIR/trufflehog-findings.json"
echo -e "${RED}Verified secrets found. See $LOG_DIR/trufflehog-findings.json${NC}"
rm -f "$TMPF"; exit 1
fi
rm -f "$TMPF"
else
echo -e "${YELLOW}TruffleHog or jq not installed. Skipping secrets scan.${NC}"
fi
# Dependabot-like dependency vulnerability check
if command -v npm &>/dev/null && [[ -f package.json ]]; then
echo -e "${GREEN}Running npm audit...${NC}"
npm audit --audit-level=high >"$LOG_DIR/npm-audit.log" 2>&1 || {
echo -e "${RED}npm audit found vulnerabilities. See $LOG_DIR/npm-audit.log${NC}"
exit 1
}
elif command -v pip &>/dev/null && [[ -f requirements.txt ]]; then
echo -e "${GREEN}Running pip dependency check...${NC}"
pip list --outdated >"$LOG_DIR/pip-outdated.log" 2>&1 || true
if grep -q "upgradable" "$LOG_DIR/pip-outdated.log"; then
echo -e "${YELLOW}Outdated Python dependencies found. See $LOG_DIR/pip-outdated.log${NC}"
fi
else
echo -e "${YELLOW}No dependency management files found. Skipping dependency checks.${NC}"
fi
# Lint all the markdown files using markdownlint-cli2
if command -v markdownlint-cli2 &>/dev/null; then
echo -e "${GREEN}Running markdownlint...${NC}"
MD_FILES="$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
if [[ -n "$MD_FILES" ]]; then
# shellcheck disable=SC2086
echo $MD_FILES | xargs markdownlint-cli2 >"$LOG_DIR/markdownlint.log" 2>&1 || {
echo -e "${RED}markdownlint-cli2 failed. See $LOG_DIR/markdownlint.log${NC}"; exit 1; }
fi
else
echo -e "${YELLOW}markdownlint-cli2 not installed. Skipping markdown check.${NC}"
fi
# Lint language using Vale
if command -v vale &>/dev/null && [[ -f "$REPO_ROOT/.vale.ini" ]]; then
echo -e "${GREEN}Running Vale...${NC}"
VALE_FILES="$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.md$' || true)"
if [[ -n "$VALE_FILES" ]]; then
# shellcheck disable=SC2086
echo $VALE_FILES | xargs vale >"$LOG_DIR/vale.log" 2>&1 || {
echo -e "${RED}Vale issues. See $LOG_DIR/vale.log${NC}"; exit 1; }
fi
else
echo -e "${YELLOW}Vale not installed or .vale.ini missing. Skipping Vale.${NC}"
fi
# Build the site using Zensical to check for build errors
if ! command -v zensical >/dev/null 2>&1; then
echo -e "${RED}Zensical not installed; cannot build docs.${NC}"; exit 1
fi
echo -e "${GREEN}Building documentation (strict)…${NC}"
zensical build -f "$ZENSICAL_CFG_PATH" -d "$SITE_DIR" --strict >"$LOG_DIR/zensical-build.log" 2>&1 || {
echo -e "${RED}Zensical build failed. See $LOG_DIR/zensical-build.log${NC}"; exit 1; }
Reference in a new issue View git blame Copy permalink