just: Introduce pre-commit and pre-push installer
Adrian Duke committed 1 month ago
commit 5723bd95797c3c528f0014b811eb330e4bf269a6
parent 53fd00dec66d06810bf9a73ef8619c4de2cc1e99
2 files changed +67 -0
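--- a/justfile
+++ b/justfile
@@ -1,6 +1,20 @@
 default:
     @just --list
 
+# SECURITY: We COPY the hook template instead of symlinking it. This ensures that
+# checking out an untrusted patch won't overwrite your local git hooks. The copied
+# script also checks if sensitive files (like build.rs or justfile) were modified
+# in the patch and prompts for confirmation, preventing arbitrary code execution.
+#
+# Install git hooks
+[group('hooks')]
+install-hooks:
+    @cp scripts/git-hook-template.sh .git/hooks/pre-commit
+    @chmod +x .git/hooks/pre-commit
+    @cp scripts/git-hook-template.sh .git/hooks/pre-push
+    @chmod +x .git/hooks/pre-push
+    @echo "✅ pre-commit and pre-push hooks installed."
+
 # Run pre-commit checks
 [group('hooks')]
 pre-commit: format-rust check-rust check-docs check-typos check-spelling check-scripts check-keywords format-nix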
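Review bot: The `install-hooks` recipe hard-codes `.git/hooks/`, which does not exist in a linked worktree (there `.git` is a file) and is bypassed when `core.hooksPath` is set, so the copy either fails or installs hooks that git never runs. Use the location git itself reports, e.g. `@cp scripts/git-hook-template.sh "$(git rev-parse --git-path hooks)/pre-commit"` and the same for `pre-push`, which also honours `core.hooksPath`. The recipe also overwrites whatever `pre-commit`/`pre-push` hook the developer already has without asking, which sits oddly next to the SECURITY comment's goal of protecting local hooks; a `test ! -e` guard, or moving an existing hook aside before copying, would keep that promise.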
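--- /dev/null
+++ b/scripts/git-hook-template.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -e
+
+HOOK_NAME=$(basename "$0")
+SENSITIVE_FILES=("justfile" "build.rs" "rust-toolchain.toml")
+CHANGED_FILES=()
+BASE_BRANCH="master"
+
+for file in "${SENSITIVE_FILES[@]}"; do
+    # Check if the file differs between the base branch and the current working tree
+    if git diff --name-only "$BASE_BRANCH" 2>/dev/null | grep -q "^${file}$"; then
+        CHANGED_FILES+=("$file")
+    fi
+done
+
+if [ ${#CHANGED_FILES[@]} -gt 0 ]; then
+    echo "⚠️  WARNING: Sensitive files have been modified relative to $BASE_BRANCH."
+    echo "Executing these hooks may run arbitrary code from the modified files."
+    echo ""
+
+    for file in "${CHANGED_FILES[@]}"; do
+        echo "--- Diff for $file ---"
+        git --no-pager diff "$BASE_BRANCH" -- "$file"
+        echo "------------------------"
+    done
+    echo ""
+
+    # Read from /dev/tty because stdin is not attached to the terminal in git hooks.
+    exec < /dev/tty
+
+    read -r -p "Do you want to continue executing the ${HOOK_NAME} hooks? [y/N] " response
+    case "$response" in
+        [yY][eE][sS]|[yY])
+            echo "Continuing with ${HOOK_NAME} hooks..."
+            ;;
+        *)
+            echo "Skipping ${HOOK_NAME} hooks."
+            exit 0
+            ;;
+    esac
+fi
+
+# Execute the appropriate just recipe based on the hook name
+if [ "$HOOK_NAME" = "pre-commit" ]; then
+    echo "Running pre-commit checks..."
+    just pre-commit
+elif [ "$HOOK_NAME" = "pre-push" ]; then
+    echo "Running pre-push checks..."
+    just pre-push
+else
+    echo "Unknown hook: $HOOK_NAME"
+    exit 1
+fi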
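Review bot: The sensitive-file check fails open: `BASE_BRANCH` is hard-coded to `master`, and if that ref is missing locally (or `git diff` fails for any other reason) the error is dropped by `2>/dev/null`, the pipeline's status is `grep`'s, `CHANGED_FILES` stays empty and the hook runs `just` without ever showing the prompt. Verify the ref before the loop, e.g. `git rev-parse --verify -q "$BASE_BRANCH" >/dev/null || { echo "Base ref $BASE_BRANCH not found; refusing to run ${HOOK_NAME} hooks" >&2; exit 1; }`, and put `set -o pipefail` next to `set -e` so a failing `git diff` is not masked. The `grep -q "^${file}$"` test treats the name as a regex (the `.` in `build.rs` matches any character); `grep -qxF -- "$file"` compares it literally. Since `just pre-commit` invokes recipes such as `check-scripts`, anything those recipes execute, and Cargo's own `.cargo/config.toml`, can carry code too, so `SENSITIVE_FILES` should be documented as "every file the hook path can execute" and extended accordingly.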