.pre-commit-config.yaml
repos:
# Hook repositories listed here are cloned and executed on every developer
# machine. `rev` below is a Git tag, which upstream can move; a full commit
# SHA (e.g. written by `pre-commit autoupdate --freeze`) is an immutable
# reference. TODO(review): decide whether to freeze these revisions.
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v5.0.0
  hooks:
  - id: trailing-whitespace
  - id: end-of-file-fixer
  - id: check-yaml
    # --unsafe makes the hook parse files for syntax only instead of loading
    # them, so custom tags and other constructs a safe load would reject are
    # accepted. A pass therefore means "well-formed", not "safe to load".
    args:
    - --unsafe
  - id: check-toml
# The check-yaml hook only validates YAML syntax and knows nothing about
# GitHub Actions. actionlint covers workflow semantics: invalid context names
# (e.g. bare `secrets.X` in `if:` expressions), unknown action inputs, wrong
# event names, etc.
# `rev` is a tag reference; a full commit SHA would be immutable.
- repo: https://github.com/rhysd/actionlint
  rev: v1.7.4
  hooks:
  - id: actionlint
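- repo: local
  hooks:
  # Every hook in this repo entry uses `language: system`: pre-commit builds no
  # isolated environment for it, so the command runs with whatever bash, cargo,
  # rustup, cross, docker and wasm-pack are on the developer's PATH.
  # `pass_filenames: false` means the `files`/`types` filters only decide
  # whether a hook is triggered; the command itself chooses what to inspect.

  # ── Fast gates (commit) ──────────────────────────────────────────────
  # These run on every `git commit`. They should take < 3 seconds incrementally.
  - id: check-workflow-secrets
    name: "Workflow secret leak check (no ${{ secrets.* }} in body: blocks)"
    entry: bash scripts/check_workflow_secrets.sh
    language: system
    # GitHub Actions loads both *.yml and *.yaml workflows, so the trigger
    # matches both; with `\.yml$` alone a change to a *.yaml workflow would
    # never start this check.
    # NOTE(review): the script is not visible here — confirm it also scans
    # *.yaml files.
    files: \.github/workflows/.*\.ya?ml$
    pass_filenames: false
  - id: check-sdk-boundary
    name: SDK boundary check (CLI must not import core/id/storage)
    entry: bash scripts/check_sdk_boundary.sh
    language: system
    files: crates/auths-cli/src/.*\.rs$
    pass_filenames: false
  # No --check flag: cargo fmt rewrites files in place rather than only
  # reporting differences.
  - id: cargo-fmt
    name: cargo fmt
    entry: cargo fmt --all
    language: system
    types: [rust]
    pass_filenames: false
  # Same formatter for each package that has its own Cargo.toml; directories
  # without a manifest are skipped.
  - id: cargo-fmt-packages
    name: cargo fmt (packages/)
    entry: bash -c 'for d in packages/auths-node packages/auths-python packages/auths-verifier-swift; do [ -f "$d/Cargo.toml" ] && cargo fmt --manifest-path "$d/Cargo.toml" --all; done'
    language: system
    types: [rust]
    pass_filenames: false
  # Warnings are errors (-D warnings), so any clippy finding blocks the commit.
  - id: cargo-clippy
    name: cargo clippy
    entry: cargo clippy --all-targets --all-features --keep-going -- -D warnings
    language: system
    types: [rust]
    pass_filenames: false
  # Lints every package and remembers any failure, so one failing package does
  # not hide the results of the others.
  # NOTE(review): Cargo resolves a relative CARGO_TARGET_DIR against the
  # current working directory, and pre-commit runs hooks from the repository
  # root, so `../../target` appears to point two levels above the repo rather
  # than at the workspace `target/` — confirm this is intended.
  - id: cargo-clippy-packages
    name: cargo clippy (packages/)
    entry: bash -c 'failed=0; for d in packages/auths-node packages/auths-python packages/auths-verifier-swift; do [ -f "$d/Cargo.toml" ] || continue; CARGO_TARGET_DIR=../../target cargo clippy --manifest-path "$d/Cargo.toml" --all-targets --keep-going -- -D warnings || failed=1; done; exit $failed'
    language: system
    types: [rust]
    pass_filenames: false
  # - id: gen-docs
  #   name: cargo xtask gen-docs (auto-fix)
  #   entry: bash -c 'cargo run --package xtask -- gen-docs && git add docs/cli/commands/'
  #   language: system
  #   files: (crates/auths-cli/src/|crates/xtask/src/gen_docs|docs/cli/commands/)
  #   pass_filenames: false
  - id: check-clippy-sync
    name: cargo xtask check-clippy-sync
    entry: cargo run --package xtask -- check-clippy-sync
    language: system
    files: clippy\.toml$
    pass_filenames: false
  # Dependency policy gate. The report is kept in .cargo/cargo-deny.log and is
  # printed when the check fails, so a blocked commit shows the offending
  # crate; the exit status is still cargo-deny's own. `mkdir -p` keeps the
  # redirect from failing on a checkout that has no .cargo/ directory yet.
  # NOTE(review): `cargo deny check` with no check name is expected to run
  # every configured check, not only licenses and bans — confirm against
  # deny.toml. Also confirm the log file is git-ignored.
  - id: cargo-deny
    name: cargo deny (licenses + bans)
    entry: bash -c 'mkdir -p .cargo; cargo deny check > .cargo/cargo-deny.log 2>&1 || { rc=$?; cat .cargo/cargo-deny.log; exit "$rc"; }'
    language: system
    files: (Cargo\.(toml|lock)|deny\.toml)$
    pass_filenames: false
  # - id: capsec-audit
  #   name: capsec audit (I/O boundaries)
  #   entry: bash -c 'command -v cargo-capsec >/dev/null 2>&1 || { echo "Skipping capsec audit — not installed."; exit 0; }; cargo capsec audit --only auths-crypto,auths-verifier,auths-policy,auths-keri --fail-on low --quiet && cargo capsec audit --only auths-core,auths-id --diff --fail-on high --quiet'
  #   language: system
  #   files: \.(rs|toml)$|Cargo\.lock$
  #   pass_filenames: false

  # ── Slow gates (push only) ──────────────────────────────────────────
  # These run on `git push`. They require linking binaries, compiling
  # alternative targets, or cross-compilation.
  # They only take effect where the pre-push hook type is installed
  # (`pre-commit install --hook-type pre-push`); no
  # `default_install_hook_types` setting is visible in this file, so a plain
  # `pre-commit install` would leave them inactive.
  - id: cargo-test
    name: cargo test
    entry: cargo nextest run --workspace --profile pre-commit --no-fail-fast
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]
  - id: cargo-check-python-bindings
    name: cargo check (python bindings)
    # OPTIMIZATION: We pass CARGO_TARGET_DIR so the python workspace shares
    # the main workspace's compiled dependencies, preventing a duplicate build.
    # NOTE(review): a relative CARGO_TARGET_DIR is taken from the working
    # directory, not the manifest directory — confirm `../../target` resolves
    # to the main workspace target when run from the repository root.
    entry: bash -c 'CARGO_TARGET_DIR=../../target cargo check --manifest-path packages/auths-python/Cargo.toml'
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]
  # Blocking gate. `rustup target add` changes the local toolchain as a side
  # effect and its stderr is discarded; the command's exit status is that of
  # the cargo check that follows.
  - id: cargo-check-wasm
    name: cargo check (wasm32)
    entry: bash -c 'rustup target add wasm32-unknown-unknown 2>/dev/null; cd crates/auths-verifier && cargo check --target wasm32-unknown-unknown --no-default-features --features wasm'
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]
  # Skipped with exit 0 when wasm-pack is not installed, so this gate is only
  # enforced on machines that have the tool.
  - id: wasm-pack-build
    name: wasm-pack build (auths-verifier)
    entry: bash -c 'command -v wasm-pack >/dev/null 2>&1 || { echo "Skipping wasm-pack build — not installed."; exit 0; }; cd crates/auths-verifier && wasm-pack build --target bundler -- --no-default-features --features wasm'
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]
  # Advisory only: the command always ends in `exit 0`, so a failed or skipped
  # check prints a message but never blocks the push. Enforcement of this
  # target is left to CI.
  - id: cross-check-aarch64
    name: cross check (aarch64-linux)
    entry: bash -c 'command -v cross >/dev/null 2>&1 || { echo "Skipping aarch64 check — cross not installed."; exit 0; }; docker info >/dev/null 2>&1 || { echo "Skipping aarch64 check — Docker not running"; exit 0; }; cross check --package auths-cli --target aarch64-unknown-linux-gnu 2>&1 && echo "aarch64 OK" || echo "aarch64 check failed - CI will verify"; exit 0'
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]
  # Advisory only (always `exit 0`); clippy failures for this target are
  # reported but do not block the push.
  - id: cargo-check-linux
    name: cargo check (linux)
    entry: bash -c 'rustup target add x86_64-unknown-linux-gnu 2>/dev/null; cargo clippy --target x86_64-unknown-linux-gnu -- -D warnings 2>&1 && echo "Linux OK" || echo "Linux check failed - CI will verify"; exit 0'
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]
  # Advisory only (always `exit 0`); clippy failures for this target are
  # reported but do not block the push.
  - id: cargo-check-windows
    name: cargo check (windows)
    entry: bash -c 'rustup target add x86_64-pc-windows-msvc 2>/dev/null; cargo clippy --target x86_64-pc-windows-msvc --features keychain-windows -- -D warnings 2>&1 && echo "Windows OK" || echo "Windows check failed - CI will verify"; exit 0'
    language: system
    types: [rust]
    pass_filenames: false
    stages: [pre-push]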