ci(hooks): pre-commit security check (mirror of fai/platform)
Mirrors the hook + script from `fai/platform`@1ebf893 verbatim so commits to fai_studio go through the same gate: secrets, forbidden filenames, confidentiality references, marketing- speak, DCO sign-off, Conventional Commits subject, no Claude co-author trailer. A `.security-allow` file at the repo root extends the script's universal excludes with three Studio-specific paths whose content legitimately includes the filtered terms — the Today-Hero proposal pipeline (LLM prompt + accept gate), its runtime loader equivalent, and its operator-facing policy doc. No CI mirror yet — Studio doesn't have a Forgejo workflow (Flutter-on-DinD is a chunk of work). The local hook is the gate for now; CI mirror follows when Flutter CI lands. Activate once with `bash tools/install-hooks.sh`. Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
This commit is contained in:
parent
c389876a2f
commit
01f3f773cf
5 changed files with 290 additions and 0 deletions
18
tools/install-hooks.sh
Executable file
18
tools/install-hooks.sh
Executable file
|
|
@ -0,0 +1,18 @@
|
|||
#!/usr/bin/env bash
|
||||
# F∆I Platform — one-time hook activation for this clone.
|
||||
# Points git at the versioned `.githooks/` directory so pre-commit and
|
||||
# commit-msg checks run on every commit (including amends and rebases).
|
||||
#
|
||||
# Run once after cloning:
|
||||
# bash tools/install-hooks.sh
|
||||
set -euo pipefail
|
||||
cd "$(git rev-parse --show-toplevel)"
|
||||
|
||||
git config core.hooksPath .githooks
|
||||
chmod +x .githooks/* tools/security/*.sh tools/install-hooks.sh
|
||||
|
||||
echo "✓ core.hooksPath = .githooks"
|
||||
echo " Active hooks:"
|
||||
ls -1 .githooks/ | sed 's/^/ /'
|
||||
echo ""
|
||||
echo "Next commit will be gated by tools/security/check-staged.sh."
|
||||
Loading…
Add table
Add a link
Reference in a new issue