---
# pre-commit configuration: whitespace/merge hygiene, YAML and Ansible
# linting, and two secret-handling guards (gitleaks plus a local
# ansible-vault check).
#
# Supply-chain note: every remote `rev` below is a tag, and a tag can be
# moved by whoever controls the upstream repository. Pinning to full commit
# SHAs (`pre-commit autoupdate --freeze`) ties each hook to reviewed code.
#
# These hooks run on the contributor's machine and are skipped by
# `git commit --no-verify`, so the same checks should also run in CI.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-merge-conflict
      - id: check-yaml
        # Allow custom YAML tags used by Ansible. --unsafe makes this a
        # syntax-only parse, so it gives no guarantee about how another
        # loader will interpret the file.
        args:
          - '--unsafe'

  - repo: https://github.com/adrienverge/yamllint
    rev: v1.35.1
    hooks:
      - id: yamllint
        args:
          - '-c'
          - '.yamllint'

  - repo: https://github.com/ansible/ansible-lint
    rev: v24.12.2  # keep in sync with requirements.txt
    hooks:
      - id: ansible-lint
        additional_dependencies:
          # pin (not >=) — keep in sync with requirements.txt
          - 'ansible-core==2.17.*'

  # Secret scanning — catches plaintext credentials before they are
  # committed. Bump `rev` as new gitleaks releases land.
  # A commit-time scan only sees new changes; a credential that is already
  # in history needs a separate scan and must be rotated.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks

  # Local guard: any file named vault.yml must be ansible-vault encrypted
  # (or contain only comments — a documented placeholder). See scripts/.
  # NOTE(review): the pattern matches the exact name vault.yml only, so
  # vault.yaml or a differently named secrets file is not checked here.
  # Confirm the naming convention is enforced elsewhere.
  - repo: local
    hooks:
      - id: vault-encrypted
        name: 'vault.yml must be ansible-vault encrypted'
        entry: scripts/check-vault-encrypted.sh
        language: script
        files: '(^|/)vault\.yml$'