esp-idf/.pre-commit-config.yaml
Frantisek Hrbata 01fed1a52e fix: do sbom manifest validation in post-commit
Following commit c3afbebf2316 ("fix: bump esp-idf-sbom to v0.13.0 in pre-commit"),
the validation of submodule hash now relies solely on the information recorded
in the git-tree. Previously, the hash verification used submodule's
working tree hash if available. Since the new submodule hash is recorded
in git-tree only after the commit is created, we need to move the check
into post-commit, otherwise the hash validation checks the old value.

For example:

1. in .gitmodules

	[submodule "components/json/cJSON"]
	   sbom-hash = cb8693b058ba302f4829ec6d03f609ac6f848546

2. update the cJSON

	$ git -C components/json/cJSON checkout b45f48e600671feade0b6bd65d1c69de7899f2be

3. update cJSON hash in .gitmodules

	[submodule "components/json/cJSON"]
	   sbom-hash = b45f48e600671feade0b6bd65d1c69de7899f2be

4. commit the changes

	$ git commit -a -s

Step 4. will fail, because the validation is currently started in pre-commit stage,
where the hash for cJSON recorded in git-tree is still
cb8693b058ba302f4829ec6d03f609ac6f848546. The new hash b45f48e600671feade0b6bd65d1c69de7899f2be
will be stored in git-tree after the new commit is created.

Note that this means we cannot prevent the commit creation, but only
notify user about the hash inconsistency. If he/she still decides to
push it, it will fail in pre-commit checks in CI.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-12-18 08:48:57 +01:00

227 lines
8.4 KiB
YAML

# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
minimum_pre_commit_version: 3.3.0
default_install_hook_types: [pre-commit, post-commit, commit-msg]
default_stages: [pre-commit]
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- id: trailing-whitespace
# note: whitespace exclusions use multiline regex, see https://pre-commit.com/#regular-expressions
# items are:
# 1 - some file extensions
# 2 - any file matching *test*/*expected* (for host tests, if possible use this naming pattern always)
# 3 - any directory named 'testdata'
# 4 - protobuf auto-generated files
exclude: &whitespace_excludes |
(?x)^(
.+\.(md|rst|map|bin)|
.+test.*\/.*expected.*|
.+\/testdata\/.+|
.*_pb2.py|
.*.pb-c.h|
.*.pb-c.c|
.*.yuv
)$
- id: end-of-file-fixer
exclude: *whitespace_excludes
- id: check-executables-have-shebangs
- id: mixed-line-ending
args: ['-f=lf']
- id: double-quote-string-fixer
- id: no-commit-to-branch
name: Do not use more than one slash in the branch name
args: ['--pattern', '^[^/]*/[^/]*/']
- id: no-commit-to-branch
name: Do not use uppercase letters in the branch name
args: ['--pattern', '^[^A-Z]*[A-Z]']
- repo: https://github.com/PyCQA/flake8
rev: 5.0.4
hooks:
- id: flake8
args: ['--config=.flake8', '--tee', '--benchmark']
- repo: https://github.com/pycqa/isort
rev: 5.12.0 # python 3.8 compatible
hooks:
- id: isort
name: isort (python)
exclude: >
(?x)^(
.*_pb2.py
)$
- repo: local
hooks:
- id: check-executables
name: Check File Permissions
entry: tools/ci/check_executables.py --action executables
language: python
types: [executable]
exclude: '\.pre-commit/.+'
- id: check-executable-list
name: Validate executable-list.txt
entry: tools/ci/check_executables.py --action list
language: python
pass_filenames: false
always_run: true
- id: check-kconfigs
name: Validate Kconfig files
entry: tools/ci/check_kconfigs.py
language: python
additional_dependencies:
- esp-idf-kconfig
files: '^Kconfig$|Kconfig.*$'
- id: check-deprecated-kconfigs-options
name: Check if any Kconfig Options Deprecated
entry: tools/ci/check_deprecated_kconfigs.py
language: python
files: 'sdkconfig\.ci$|sdkconfig\.rename$|sdkconfig.*$'
- id: cmake-lint
name: Check CMake Files Format
entry: cmakelint --linelength=120 --spaces=4 --filter=-whitespace/indent
language: python
additional_dependencies:
- cmakelint==1.4.1
files: 'CMakeLists.txt$|\.cmake$'
exclude: '\/third_party\/'
- id: check-codeowners
name: Validate Codeowner File
entry: tools/ci/check_codeowners.py ci-check
language: python
always_run: true
files: '\.gitlab/CODEOWNERS'
pass_filenames: false
- id: check-rules-yml
name: Check rules.yml all rules have at lease one job applied, all rules needed exist
entry: tools/ci/check_rules_yml.py
language: python
files: '\.gitlab/ci/.+\.yml|\.gitlab-ci.yml|\.gitmodules'
pass_filenames: false
additional_dependencies:
- PyYAML == 5.3.1
- id: check-generated-rules
name: Check rules are generated (based on .gitlab/ci/dependencies/dependencies.yml)
entry: tools/ci/generate_rules.py
language: python
files: '\.gitlab/ci/dependencies/.+|\.gitlab/ci/.*\.yml'
pass_filenames: false
additional_dependencies:
- PyYAML == 5.3.1
- id: mypy-check
name: Check type annotations in python files
entry: tools/ci/check_type_comments.py
additional_dependencies:
- 'mypy==0.940'
- 'mypy-extensions==0.4.3'
- 'types-setuptools==57.4.14'
- 'types-PyYAML==0.1.9'
exclude: >
(?x)^(
.*_pb2.py
)$
language: python
types: [python]
- id: check-requirement-files
name: Check requirement files
entry: tools/ci/check_requirement_files.py
additional_dependencies:
- 'jsonschema'
language: python
files: 'tools/requirements.+|tools/requirements/.+'
pass_filenames: false
- id: check-tools-files-patterns
name: Check tools dir files patterns
entry: tools/ci/check_tools_files_patterns.py
language: python
files: '^tools/.+'
additional_dependencies:
- PyYAML == 5.3.1
pass_filenames: false
- id: check-rules-components-patterns
name: check patterns-build_components in rules.yml
entry: tools/ci/check_rules_components_patterns.py
language: python
files: 'components/.+|.gitlab/ci/rules.yml'
additional_dependencies:
- PyYAML == 5.3.1
pass_filenames: false
- id: check-generated-soc-caps-kconfig
name: Check soc caps kconfig files are generated (based on components/soc/IDF_TARGET/include/soc/soc_caps.h)
entry: tools/gen_soc_caps_kconfig/gen_soc_caps_kconfig.py -d 'components/soc/*/include/soc/' 'components/esp_rom/*/' 'components/spi_flash/*/'
language: python
files: 'components/soc/.+/include/soc/.+_caps\.h|components/esp_rom/.+/.+_caps\.h|kconfig\.soc_caps.in|components/spi_flash/.+/.+_caps\.h'
pass_filenames: false
additional_dependencies:
- pyparsing
- id: check-all-apps-readmes
name: Check if all apps readme files match given .build-test-rules.yml files. Modify the supported target tables
entry: tools/ci/check_build_test_rules.py check-readmes
language: python
files: 'tools/test_apps/.+|examples/.+|components/.+|tools/idf_py_actions/constants.py|tools/ci/check_build_test_rules.py'
require_serial: true
additional_dependencies:
- PyYAML == 5.3.1
- idf_build_apps~=1.0
- id: sort-build-test-rules-ymls
name: sort .build-test-rules.yml files
entry: tools/ci/check_build_test_rules.py sort-yaml
language: python
files: '\.build-test-rules\.yml'
additional_dependencies:
- PyYAML == 5.3.1
- ruamel.yaml
- id: check-build-test-rules-path-exists
name: check path in .build-test-rules.yml exists
entry: tools/ci/check_build_test_rules.py check-exist
language: python
additional_dependencies:
- PyYAML == 5.3.1
always_run: true
pass_filenames: false
require_serial: true
- id: cleanup-ignore-lists
name: Remove non-existing patterns from ignore lists
entry: tools/ci/cleanup_ignore_lists.py
language: python
always_run: true
require_serial: true
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.0.1
hooks:
- id: file-contents-sorter
files: 'tools\/ci\/(executable-list\.txt|mypy_ignore_list\.txt|check_copyright_ignore\.txt)'
- repo: https://github.com/espressif/check-copyright/
rev: v1.0.3
hooks:
- id: check-copyright
args: ['--ignore', 'tools/ci/check_copyright_ignore.txt', '--config', 'tools/ci/check_copyright_config.yaml']
- repo: https://github.com/espressif/conventional-precommit-linter
rev: v1.4.1
hooks:
- id: conventional-precommit-linter
stages: [commit-msg]
- repo: https://github.com/espressif/astyle_py.git
rev: v1.0.5
hooks:
- id: astyle_py
# If you are modifying astyle version, update tools/format.sh as well
args: ['--astyle-version=3.4.7', '--rules=tools/ci/astyle-rules.yml']
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.9.0.5
hooks:
- id: shellcheck
name: shellcheck bash
args: ['--shell', 'bash', '-x']
files: 'install.sh|export.sh'
- id: shellcheck
name: shellcheck dash (export.sh)
args: ['--shell', 'dash', '-x']
files: 'export.sh'
- repo: https://github.com/espressif/esp-idf-sbom.git
rev: v0.13.0
hooks:
- id: validate-sbom-manifest
stages: [post-commit]