boma/.pre-commit-config.yaml

---
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-merge-conflict
      - id: check-yaml
        args: [--unsafe]  # allow custom YAML tags used by Ansible

  - repo: https://github.com/adrienverge/yamllint
    rev: v1.35.1
    hooks:
      - id: yamllint
        args: [-c, .yamllint]

  - repo: https://github.com/ansible/ansible-lint
    rev: v24.12.2  # keep in sync with requirements.txt
    hooks:
      - id: ansible-lint
        # Only run on Ansible content. ansible-lint loads the play context, which
        # auto-decrypts inventories/*/group_vars/all/vault.yml via the wired
        # vault_password_file (→ rbw) — so it needs `rbw unlock`. The upstream hook is
        # always_run+pass_filenames:false (lints the whole project, every commit); we
        # override always_run:false and add a files filter so docs-/config-only commits
        # skip it (no vault needed). pass_filenames stays false → still a project lint
        # when any Ansible file is staged.
        always_run: false
        files: ^(roles|playbooks|inventories)/.*\.ya?ml$
        additional_dependencies:
          - ansible-core==2.17.*  # pin (not >=) — keep in sync with requirements.txt

  # Secret scanning — catches plaintext credentials before they are committed.
  # Bump `rev` as new gitleaks releases land.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks

  # Local guard: any file named vault.yml must be ansible-vault encrypted
  # (or contain only comments — a documented placeholder). See scripts/.
  - repo: local
    hooks:
      - id: vault-encrypted
        name: vault.yml must be ansible-vault encrypted
        entry: scripts/check-vault-encrypted.sh
        language: script
        files: (^|/)vault\.yml$
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`---`
			`repos:`
			`- repo: https://github.com/pre-commit/pre-commit-hooks`
			`rev: v4.6.0`
			`hooks:`
			`- id: trailing-whitespace`
			`- id: end-of-file-fixer`
			`- id: check-merge-conflict`
			`- id: check-yaml`
			`args: [--unsafe] # allow custom YAML tags used by Ansible`

			`- repo: https://github.com/adrienverge/yamllint`
			`rev: v1.35.1`
			`hooks:`
			`- id: yamllint`
			`args: [-c, .yamllint]`

			`- repo: https://github.com/ansible/ansible-lint`
Harden lint setup and clean inventory placeholders - Pin pre-commit ansible-lint hook to ansible-core==2.17.* (was floating, crashed) - Add pre-commit to requirements.txt - Align .yamllint with ansible-lint (comments-indentation off, octal rules on) - Rewrite inventory placeholders to lint-clean empty-group form Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:56:16 +02:00			`rev: v24.12.2 # keep in sync with requirements.txt`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`hooks:`
			`- id: ansible-lint`
chore(tooling): scope ansible-lint to ansible content; venv PATH in make test Kaizen 2026-06-10 fixes: - ansible-lint pre-commit hook now `always_run: false` + a files filter for roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the group_vars vault, not the syntax-check). - `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated agent runs find ansible-config/ansible-playbook. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-10 12:51:30 +02:00			`# Only run on Ansible content. ansible-lint loads the play context, which`
			`# auto-decrypts inventories/*/group_vars/all/vault.yml via the wired`
			# vault_password_file (→ rbw) — so it needs `rbw unlock`. The upstream hook is
			`# always_run+pass_filenames:false (lints the whole project, every commit); we`
			`# override always_run:false and add a files filter so docs-/config-only commits`
			`# skip it (no vault needed). pass_filenames stays false → still a project lint`
			`# when any Ansible file is staged.`
			`always_run: false`
			`files: ^(roles\|playbooks\|inventories)/.*\.ya?ml$`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00			`additional_dependencies:`
Harden lint setup and clean inventory placeholders - Pin pre-commit ansible-lint hook to ansible-core==2.17.* (was floating, crashed) - Add pre-commit to requirements.txt - Align .yamllint with ansible-lint (comments-indentation off, octal rules on) - Rewrite inventory placeholders to lint-clean empty-group form Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:56:16 +02:00			`- ansible-core==2.17.* # pin (not >=) — keep in sync with requirements.txt`
Add core Ansible scaffold, tooling, and pre-commit guards Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-30 14:10:01 +02:00
			`# Secret scanning — catches plaintext credentials before they are committed.`
			# Bump `rev` as new gitleaks releases land.
			`- repo: https://github.com/gitleaks/gitleaks`
			`rev: v8.18.4`
			`hooks:`
			`- id: gitleaks`

			`# Local guard: any file named vault.yml must be ansible-vault encrypted`
			`# (or contain only comments — a documented placeholder). See scripts/.`
			`- repo: local`
			`hooks:`
			`- id: vault-encrypted`
			`name: vault.yml must be ansible-vault encrypted`
			`entry: scripts/check-vault-encrypted.sh`
			`language: script`
			`files: (^\|/)vault\.yml$`