esp-idf/.pre-commit-config.yaml
Frantisek Hrbata 1ba5757fed fix: do sbom manifest validation in post-commit
Following commit c3afbebf23 ("fix: bump esp-idf-sbom to v0.13.0 in pre-commit"),
the validation of the submodule hash now relies solely on the information recorded
in the git-tree. Previously, the hash verification used the submodule's
working tree hash if available. Since the new submodule hash is recorded
in the git-tree only after the commit is created, we need to move the check
into post-commit, otherwise the hash validation checks the old value.

For example:

1. in .gitmodules

	[submodule "components/json/cJSON"]
	   sbom-hash = cb8693b058ba302f4829ec6d03f609ac6f848546

2. update the cJSON

	$ git -C components/json/cJSON checkout b45f48e600671feade0b6bd65d1c69de7899f2be

3. update cJSON hash in .gitmodules

	[submodule "components/json/cJSON"]
	   sbom-hash = b45f48e600671feade0b6bd65d1c69de7899f2be

4. commit the changes

	$ git commit -a -s

Step 4 will fail, because the validation is currently started in the pre-commit stage,
where the hash for cJSON recorded in the git-tree is still
cb8693b058ba302f4829ec6d03f609ac6f848546. The new hash b45f48e600671feade0b6bd65d1c69de7899f2be
will be stored in the git-tree only after the new commit is created.

Note that this means we cannot prevent the commit creation, but only
notify the user about the hash inconsistency. If he/she still decides to
push it, it will fail in the pre-commit checks in CI.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-12-19 12:34:36 +01:00
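
The four steps above, replayed in a throwaway repository as an added example (this is not esp-idf's or esp-idf-sbom's own code; the submodule name `sub`, the helper names `hash_in_tree`, `hash_in_index`, `sbom_hash`, `validate_against_tree` and the constructed commits A and B are this example's assumptions). It shows that at the moment a pre-commit hook runs for step 4 the HEAD tree still records the old submodule commit, while the index and the `sbom-hash` in .gitmodules already carry the new one, so a validator that reads only the tree fails until the commit exists and the same check passes once it runs post-commit.

```shell
#!/bin/sh
# Added example (not esp-idf's or esp-idf-sbom's code): build a throwaway
# superproject with one submodule, replay steps 2-4 of the commit message up
# to the point where pre-commit hooks run, and compare where the submodule
# hash is visible: the HEAD tree, the index, and sbom-hash in .gitmodules.
set -eu

# Fixed identity so commits work in a clean environment; keep user config out.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

# Commit recorded for submodule $2 in tree-ish $3 of superproject $1
# (what a validator that reads only the git tree sees).
hash_in_tree() { git -C "$1" ls-tree "$3" -- "$2" | awk '{ print $3 }'; }

# Commit staged for submodule $2 in the index of superproject $1
# (what `git commit -a` has staged before the pre-commit hooks run).
hash_in_index() { git -C "$1" ls-files -s -- "$2" | awk '{ print $2 }'; }

# sbom-hash declared for submodule $2 in .gitmodules of superproject $1.
sbom_hash() { git -C "$1" config -f .gitmodules "submodule.$2.sbom-hash"; }

# Tree-based validation: 0 if .gitmodules agrees with tree-ish $3, else 1.
validate_against_tree() {
    [ "$(hash_in_tree "$1" "$2" "$3")" = "$(sbom_hash "$1" "$2")" ]
}

# Constructed scenario under directory $1: submodule "sub" has commits A and B.
# The superproject commits sub at A with sbom-hash = A, then (steps 2 and 3)
# sub is checked out at B, .gitmodules is updated to B and both are staged,
# i.e. the state in which a pre-commit hook runs for step 4.
demo_repo() {
    super=$1
    mkdir -p "$super/sub"
    git -C "$super" init -q
    git -C "$super/sub" init -q
    echo v1 > "$super/sub/f"
    git -C "$super/sub" add f
    git -C "$super/sub" -c commit.gpgsign=false commit -q -m "A"
    a=$(git -C "$super/sub" rev-parse HEAD)
    echo v2 > "$super/sub/f"
    git -C "$super/sub" -c commit.gpgsign=false commit -q -am "B"
    b=$(git -C "$super/sub" rev-parse HEAD)
    git -C "$super/sub" checkout -q "$a"
    git -C "$super" config -f .gitmodules submodule.sub.path sub
    git -C "$super" config -f .gitmodules submodule.sub.url ./sub
    git -C "$super" config -f .gitmodules submodule.sub.sbom-hash "$a"
    # a nested repository is added as a gitlink; the "embedded repository"
    # warning on stderr is silenced
    git -C "$super" add .gitmodules sub 2>/dev/null
    git -C "$super" -c commit.gpgsign=false commit -q -m "sub at A"
    # steps 2 and 3 of the commit message, plus what `git commit -a` stages
    git -C "$super/sub" checkout -q "$b"
    git -C "$super" config -f .gitmodules submodule.sub.sbom-hash "$b"
    git -C "$super" add .gitmodules sub
}

# Print the three views before and after the commit, then clean up.
run_demo() {
    tmp=$(mktemp -d)
    demo_repo "$tmp/super"
    echo "pre-commit : tree=$(hash_in_tree "$tmp/super" sub HEAD)"
    echo "             index=$(hash_in_index "$tmp/super" sub)"
    echo "             .gitmodules=$(sbom_hash "$tmp/super" sub)"
    validate_against_tree "$tmp/super" sub HEAD && echo "tree check passes" \
        || echo "tree check FAILS before the commit exists"
    git -C "$tmp/super" -c commit.gpgsign=false commit -q -m "sub at B"
    echo "post-commit: tree=$(hash_in_tree "$tmp/super" sub HEAD)"
    validate_against_tree "$tmp/super" sub HEAD && echo "tree check passes after commit"
    rm -rf "$tmp"
}

run_demo
```

Run it with `sh` and git on PATH. Two practical points follow from what it prints: the staged value is already readable from the index (`git ls-files -s`) at pre-commit time, so a validator that consulted the index instead of HEAD's tree could still reject the commit before it is created; and a hook declared with `stages: [post-commit]` only fires when the post-commit git hook is installed, e.g. `pre-commit install --hook-type post-commit`.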

133 lines
4.4 KiB
YAML

# See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks
default_stages: [commit]
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.0.1
    hooks:
      - id: trailing-whitespace
        # note: whitespace exclusions use multiline regex, see https://pre-commit.com/#regular-expressions
        # items are:
        # 1 - some file extensions
        # 2 - any file matching *test*/*expected* (for host tests, if possible use this naming pattern always)
        # 3 - any directory named 'testdata'
        # 4 - IDF monitor test data
        # 5 - protobuf auto-generated files
        exclude: &whitespace_excludes |
          (?x)^(
            .+\.(md|rst|map|bin)|
            .+test.*\/.*expected.*|
            .+\/testdata\/.+|
            .+test_idf_monitor\/tests\/.+|
            .*_pb2.py|
            .*.pb-c.h|
            .*.pb-c.c
          )$
      - id: end-of-file-fixer
        exclude: *whitespace_excludes
      - id: check-executables-have-shebangs
      - id: mixed-line-ending
        args: ['-f=lf']
      - id: double-quote-string-fixer
  - repo: https://github.com/PyCQA/flake8
    rev: 3.9.2
    hooks:
      - id: flake8
        args: ['--config=.flake8', '--tee', '--benchmark']
  - repo: https://github.com/pycqa/isort
    rev: 5.11.5  # python 3.7 compatible
    hooks:
      - id: isort
        name: isort (python)
        exclude: >
          (?x)^(
            .*_pb2.py
          )$
  - repo: local
    hooks:
      - id: check-executables
        name: Check File Permissions
        entry: tools/ci/check_executables.py --action executables
        language: python
        types: [executable]
        exclude: '\.pre-commit/.+'
      - id: check-executable-list
        name: Validate executable-list.txt
        entry: tools/ci/check_executables.py --action list
        language: python
        pass_filenames: false
        always_run: true
      - id: check-kconfigs
        name: Validate Kconfig files
        entry: tools/ci/check_kconfigs.py
        language: python
        files: '^Kconfig$|Kconfig.*$'
      - id: check-deprecated-kconfigs-options
        name: Check if any Kconfig Options Deprecated
        entry: tools/ci/check_deprecated_kconfigs.py
        language: python
        files: 'sdkconfig\.ci$|sdkconfig\.rename$|sdkconfig.*$'
      - id: cmake-lint
        name: Check CMake Files Format
        entry: cmakelint --linelength=120 --spaces=4 --filter=-whitespace/indent
        language: python
        additional_dependencies:
          - cmakelint==1.4.1
        files: 'CMakeLists.txt$|\.cmake$'
        exclude: '\/third_party\/'
      - id: check-codeowners
        name: Validate Codeowner File
        entry: tools/ci/check_codeowners.py ci-check
        language: python
        files: '\.gitlab/CODEOWNERS'
        pass_filenames: false
      - id: check-rules-yml
        name: Check rules.yml all rules have at least one job applied, all rules needed exist
        entry: tools/ci/check_rules_yml.py
        language: python
        files: '\.gitlab/ci/.+\.yml|\.gitlab-ci.yml'
        pass_filenames: false
        additional_dependencies:
          - PyYAML == 5.3.1
      - id: check-generated-rules
        name: Check rules are generated (based on .gitlab/ci/dependencies/dependencies.yml)
        entry: .gitlab/ci/dependencies/generate_rules.py
        language: python
        files: '\.gitlab/ci/dependencies/.+|\.gitlab/ci/rules\.yml'
        pass_filenames: false
        additional_dependencies:
          - PyYAML == 5.3.1
      - id: mypy-check
        name: Check type annotations in python files
        entry: tools/ci/check_type_comments.py
        additional_dependencies:
          - 'mypy==1.0.1'
          - 'mypy-extensions==1.0.0'
        exclude: >
          (?x)^(
            .*_pb2.py
          )$
        language: python
        types: [python]
      - id: check-tools-files-patterns
        name: Check tools dir files patterns
        entry: tools/ci/check_tools_files_patterns.py
        language: python
        files: '^tools/.+'
        additional_dependencies:
          - PyYAML == 5.3.1
        pass_filenames: false
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.0.1
    hooks:
      - id: file-contents-sorter
        files: 'tools\/ci\/(executable-list\.txt|mypy_ignore_list\.txt)'
  - repo: https://github.com/espressif/esp-idf-sbom.git
    rev: v0.13.0
    hooks:
      - id: validate-sbom-manifest
        stages: [post-commit]