---
# pre-commit configuration: formatting/lint hooks plus two secret-hygiene guards
# (gitleaks secret scanning and a local "vault.yml must be encrypted" check).
# Hooks run in the order listed; by default pre-commit runs every hook and
# reports all failures rather than stopping at the first one.
#
# NOTE(review): every `rev` below is a git tag, which upstream can move or
# re-point. For a stronger supply-chain pin, pre-commit accepts a full commit
# SHA in `rev` (`pre-commit autoupdate --freeze` rewrites each rev to one and
# records the tag name in a trailing comment).
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-merge-conflict
      - id: check-yaml
        # --unsafe switches check-yaml to a syntax-only parse instead of a
        # full load; that is what admits Ansible's custom tags (e.g. !vault).
        # It does not enable a code-executing YAML loader, so this is safe to
        # keep — but it also means only syntax, not structure, is validated.
        args: [--unsafe]
      # NOTE(review): pre-commit-hooks also ships `detect-private-key`; cheap
      # to add here as a second net alongside gitleaks if wanted.

  - repo: https://github.com/adrienverge/yamllint
    rev: v1.35.1
    hooks:
      - id: yamllint
        # Rule set lives in the repo-level .yamllint file.
        args: [-c, .yamllint]

  - repo: https://github.com/ansible/ansible-lint
    rev: v24.12.2  # keep in sync with requirements.txt
    hooks:
      - id: ansible-lint
        # Only run on Ansible content. ansible-lint loads the play context,
        # which auto-decrypts inventories/*/group_vars/all/vault.yml via the
        # wired vault_password_file (backed by rbw) — so it needs
        # `rbw unlock` to have been run first.
        #
        # The upstream hook definition is always_run:true + pass_filenames:false
        # (lints the whole project on every commit). We override always_run to
        # false and add a `files` filter so docs-/config-only commits skip it
        # (no vault needed). pass_filenames is inherited from upstream and stays
        # false, so it is still a whole-project lint whenever any matching
        # Ansible file is staged.
        # NOTE(review): changes to files outside roles/, playbooks/ and
        # inventories/ (e.g. ansible.cfg, requirements.yml, .ansible-lint) will
        # not trigger the lint on their own; widen the regex if that matters.
        always_run: false
        files: ^(roles|playbooks|inventories)/.*\.ya?ml$
        additional_dependencies:
          # Exact minor pin (not >=) — keep in sync with requirements.txt so the
          # hook lints with the same ansible-core the project actually runs.
          - ansible-core==2.17.*

  # Secret scanning — catches plaintext credentials before they are committed.
  # Bump `rev` as new gitleaks releases land.
  # NOTE(review): the gitleaks pre-commit hook inspects the staged changes of
  # the current commit only; it does not scan existing history, and like any
  # client-side hook it is skipped by `git commit --no-verify`. Keep a
  # server-side/CI scan as the backstop. No repo-level .gitleaks.toml is
  # referenced here, so (as far as this file shows) the built-in rules apply.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks

  # Local guard: any file named vault.yml must be ansible-vault encrypted
  # (or contain only comments — a documented placeholder). See scripts/.
  # NOTE(review): the `files` regex matches a basename of exactly vault.yml;
  # other vault spellings (vault_*.yml, *.vault.yml, vault.yaml) would not be
  # checked — extend the pattern if the repo uses any of them.
  - repo: local
    hooks:
      - id: vault-encrypted
        name: vault.yml must be ansible-vault encrypted
        entry: scripts/check-vault-encrypted.sh
        language: script
        files: (^|/)vault\.yml$