|
| 1 | +--- |
| 2 | +name: pre-commit |
| 3 | + |
| 4 | +concurrency: |
| 5 | + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }} |
| 6 | + cancel-in-progress: true |
| 7 | + |
| 8 | +permissions: |
| 9 | + id-token: write |
| 10 | + contents: write |
| 11 | + |
| 12 | +on: |
| 13 | + workflow_call: |
| 14 | + inputs: |
| 15 | + auto_commit: |
| 16 | + description: >- |
| 17 | + Enables auto-commit of eventual fixups |
| 18 | + (requires `permissions.contents: write` on the calling job) |
| 19 | + required: false |
| 20 | + type: boolean |
| 21 | + default: false |
| 22 | + gh_app_id: |
| 23 | + description: >- |
| 24 | + The ID of the GitHub App used to interact with GitHub (e.g., cloning, |
| 25 | + committing, pushing). |
| 26 | + required: false |
| 27 | + type: number |
| 28 | + default: 1817613 |
| 29 | + |
| 30 | +jobs: |
| 31 | + pre-commit: |
| 32 | + runs-on: ubuntu-latest |
| 33 | + container: |
| 34 | + image: devopsroastbot/mise:2025.8.20-alpine |
| 35 | + credentials: |
| 36 | + username: ${{ secrets.DOCKER_REGISTRY_USERNAME }} |
| 37 | + password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} |
| 38 | + steps: |
| 39 | + - name: generate token from github app |
| 40 | + id: github_app |
| 41 | + uses: getsentry/action-github-app-token@v3 |
| 42 | + with: |
| 43 | + app_id: ${{ inputs.gh_app_id }} |
| 44 | + private_key: ${{ secrets.DEVOPS_ROAST_BOT_GH_APP_PRIVATE_KEY }} |
| 45 | + - name: checkout |
| 46 | + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5 |
| 47 | + env: |
| 48 | + REF_TO_CHECKOUT: ${{ inputs.auto_commit == true && github.head_ref || '' }} |
| 49 | + with: |
| 50 | + ref: ${{ env.REF_TO_CHECKOUT }} |
| 51 | + token: ${{ steps.github_app.outputs.token }} |
| 52 | + fetch-depth: 0 |
| 53 | + - name: mark workspace directory as safe for git |
| 54 | + # In recent versions of Git, some steps may fail with a "detected |
| 55 | + # dubious ownership in repository" error. Marking the repository as a |
| 56 | + # "safe" directory for Git resolves the issue. For more details, refer to the |
| 57 | + # following discussion: |
| 58 | + # - https://github.com/orgs/community/discussions/48355 |
| 59 | + run: | |
| 60 | + git config --global --add safe.directory "$(pwd)" |
| 61 | + - name: add github.com to known hosts |
| 62 | + # As of version 0.8.x, the `webfactory/ssh-agent` action no longer |
| 63 | + # adds SSH key verification by default. However, SSH key verification |
| 64 | + # is still needed when cloning a private pre-commit-hooks repository. |
| 65 | + # For more details, see: |
| 66 | + # - https://github.com/webfactory/ssh-agent/issues/174#issuecomment-1486300082 |
| 67 | + run: | |
| 68 | + curl --silent -H "Authorization: Bearer ${{ steps.github_app.outputs.token }}" https://api.github.com/meta | \ |
| 69 | + jq --raw-output '"github.com " + .ssh_keys[]' >> /etc/ssh/ssh_known_hosts |
| 70 | + - name: setup ssh for private pre-commit hooks |
| 71 | + uses: webfactory/ssh-agent@v0.9.0 |
| 72 | + with: |
| 73 | + ssh-private-key: ${{ secrets.PRE_COMMIT_HOOKS_REPO_DEPLOY_KEY }} |
| 74 | + - name: cache mise dependencies |
| 75 | + uses: actions/cache@v4 |
| 76 | + with: |
| 77 | + path: ~/.local/share/mise |
| 78 | + key: mise-${{ runner.os }}-${{ hashFiles('mise.toml') }} |
| 79 | + - name: mise install |
| 80 | + run: | |
| 81 | + mise install --yes |
| 82 | + - name: cache pre-commit dependencies |
| 83 | + uses: actions/cache@v4 |
| 84 | + with: |
| 85 | + path: ~/.cache/pre-commit |
| 86 | + key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }} |
| 87 | + - name: run pre-commit on entire repository |
| 88 | + run: | |
| 89 | + commit_msg="$(git log --format=%B -n 1 ${{ github.event.after }})" |
| 90 | + if grep -Fq "[skip pre-commit]" <<< "${commit_msg}" |
| 91 | + then |
| 92 | + echo "exit early since it's an autofix commit" |
| 93 | + exit 0 |
| 94 | + else |
| 95 | + pre-commit run --show-diff-on-failure --color=always --all-files |
| 96 | + fi |
| 97 | + id: pre_commit |
| 98 | + shell: bash |
| 99 | + env: |
| 100 | + CONTINUE_ON_ERROR: ${{ inputs.auto_commit == true }} |
| 101 | + continue-on-error: ${{ fromJSON(env.CONTINUE_ON_ERROR) }} |
| 102 | + - name: auto fix changes reported by pre-commit |
| 103 | + uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0 |
| 104 | + id: auto_commit_action |
| 105 | + if: inputs.auto_commit |
| 106 | + with: |
| 107 | + commit_message: "chore: auto fix changes reported by pre-commit [skip pre-commit]" |
| 108 | + - name: re-throw potential pre-commit failure when no changes detected for auto fix |
| 109 | + if: | |
| 110 | + ( |
| 111 | + inputs.auto_commit && steps.pre_commit.outcome == 'failure' && |
| 112 | + steps.auto_commit_action.outputs.changes_detected == 'false' |
| 113 | + ) |
| 114 | + run: | |
| 115 | + echo "pre-commit failed and no changes detected to auto commit" && exit 1 |
| 116 | + shell: bash |
0 commit comments