ci(hooks): pre-commit security check (mirror of fai/platform)

Mirrors the hook + script from `fai/platform`@1ebf893 verbatim
so commits to fai_dart_sdk go through the same gate: secrets,
forbidden filenames, confidentiality references, marketing-
speak, DCO sign-off, Conventional Commits subject, no Claude
co-author trailer.

No `.security-allow` needed here — the SDK has no banned-words
gate or policy doc that mentions the filtered terms verbatim.
A full-history dry-run came back clean.

Activate once per clone with `bash tools/install-hooks.sh`.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
flemming-it 2026-05-09 13:32:44 +02:00
parent 5c96d74744
commit 99ef83ccf0
4 changed files with 275 additions and 0 deletions

5
.githooks/commit-msg Executable file
View file

@ -0,0 +1,5 @@
#!/usr/bin/env bash
# F∆I Platform — commit-msg hook.
# Validates the commit message: Conventional Commits subject, DCO
# sign-off, no Claude co-author trailer, no banned phrases.
exec "$(git rev-parse --show-toplevel)/tools/security/check-staged.sh" message "$1"

6
.githooks/pre-commit Executable file
View file

@ -0,0 +1,6 @@
#!/usr/bin/env bash
# F∆I Platform — pre-commit hook.
# Activated via `tools/install-hooks.sh` (sets core.hooksPath=.githooks).
# Scans staged files for secrets, banned phrases, forbidden filenames.
# Same script runs in Forgejo CI — see .forgejo/workflows/ci.yml.
exec "$(git rev-parse --show-toplevel)/tools/security/check-staged.sh" content