sjat/boma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
boma/.pre-commit-config.yaml
sjat 2dbcac11a0 chore(tooling): scope ansible-lint to ansible content; venv PATH in make test 
Kaizen 2026-06-10 fixes:
- ansible-lint pre-commit hook now `always_run: false` + a files filter for
  roles/playbooks/inventories YAML, so docs-/config-only commits skip it and no
  longer need `rbw unlock` (root cause was ansible-lint auto-decrypting the
  group_vars vault, not the syntax-check).
- `make test`/`test-all` prepend $(CURDIR)/.venv/bin to PATH so non-activated
  agent runs find ansible-config/ansible-playbook.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 12:51:30 +02:00

49 lines
1.9 KiB
YAML
Raw Blame History

---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-merge-conflict
- id: check-yaml
args: [--unsafe] # allow custom YAML tags used by Ansible
- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
- id: yamllint
args: [-c, .yamllint]
- repo: https://github.com/ansible/ansible-lint
rev: v24.12.2 # keep in sync with requirements.txt
hooks:
- id: ansible-lint
# Only run on Ansible content. ansible-lint loads the play context, which
# auto-decrypts inventories/*/group_vars/all/vault.yml via the wired
# vault_password_file (→ rbw) — so it needs `rbw unlock`. The upstream hook is
# always_run+pass_filenames:false (lints the whole project, every commit); we
# override always_run:false and add a files filter so docs-/config-only commits
# skip it (no vault needed). pass_filenames stays false → still a project lint
# when any Ansible file is staged.
always_run: false
files: ^(roles|playbooks|inventories)/.*\.ya?ml$
additional_dependencies:
- ansible-core==2.17.* # pin (not >=) — keep in sync with requirements.txt
# Secret scanning — catches plaintext credentials before they are committed.
# Bump `rev` as new gitleaks releases land.
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
# Local guard: any file named vault.yml must be ansible-vault encrypted
# (or contain only comments — a documented placeholder). See scripts/.
- repo: local
hooks:
- id: vault-encrypted
name: vault.yml must be ansible-vault encrypted
entry: scripts/check-vault-encrypted.sh
language: script
files: (^|/)vault\.yml$
Reference in a new issue View git blame Copy permalink