chore: add lefthook git hooks (actionlint, merge-markers, pin-check)#466

Merged
zircote merged 1 commit into
mainfrom
chore/git-hooks-lefthook
Jun 17, 2026

Conversation

@zircote zircote (Owner) commented Jun 17, 2026

Summary

Provisioned project-tailored git hooks via lefthook (already on PATH; no Node/Python runtime). The hooks catch locally exactly what this repo's CI gates reject on push.

| Stage | Hook | What it catches | Tool |
|---|---|---|---|
| pre-commit | actionlint | malformed workflow YAML (on staged `.github/workflows/*.yml`) | installed actionlint |
| pre-commit | merge-conflicts | unresolved `<<<<<<<` / `>>>>>>>` markers | grep |
| pre-push | pin-check | unpinned `uses:` refs (mirror of the required CI gate) | scripts/check-pins.sh |

scripts/check-pins.sh mirrors .github/workflows/pin-check.yml exactly and scans the same dirs as pin-check-ci.yml (.github/workflows + actions) — so it does not false-positive on the illustrative uses: …@v6 lines in .github/skills/**/*.md.

Validated live (not just asserted)

  • This branch's commit fired merge-conflicts → passed (actionlint correctly skipped — no workflow files staged).
  • This branch's push fired pin-check → passed ("all action references SHA-pinned", ~2.5s).
  • pin-check unit-tested both ways: clean repo → exit 0; injected @v4 → exit 1 with an actionable message.

Deliberately NOT installed (with reasons)

  • creep (AI-authorship trailers) — git-creep is on PATH, but the global CLAUDE.md rule "No AI Attribution: Do NOT add Co-Authored-By or similar AI attribution lines" forbids the AI-Tool/AI-Model trailers it stamps.
  • gh-aw compile sync — gh aw is not installed, and this repo compiles to .lock.yml via scripts/compile-gh-aw.sh (not the generic gh aw compile → .yml). Worth adding once gh aw is installed.
  • gitleaks secrets — binary not installed locally (auto-mode only uses already-installed tools; gitleaks runs in CI via reusable-security.yml).

Team setup

After clone: lefthook install. Bypass in an emergency: git commit --no-verify / git push --no-verify.

Type of Change

  • Chore (tooling)

Test Plan

  • lefthook install wires pre-commit + pre-push shims
  • pin-check: clean→0, unpinned→1; same logic/scope as CI
  • merge-markers: clean→0, conflict→1
  • actionlint clean on workflows
  • commit + push of this branch exercised both hooks live
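As an added example of the two checks the PR description tables (the pre-push pin-check and the pre-commit merge-marker scan), here is a from-scratch POSIX shell implementation. It is not the project's scripts/check-pins.sh and not lefthook code; the pinned-ref regex, the decision to skip `./local` and `docker://` actions, the messages, and the `make_fixture` sample workflows (constructed input with placeholder SHAs, not real commits) are all this example's own assumptions. Scope is passed as directory arguments so the hook can be limited to `.github/workflows` and `actions`, which is what keeps illustrative `uses: …@v6` lines in documentation from false-positiving.

```shell
#!/bin/sh
# Added example, not the project's scripts/check-pins.sh: a pin-check for
# GitHub Actions `uses:` references plus a merge-conflict-marker check, both
# written to run as git hooks. Regex, skip rules and messages are assumptions.

# A `uses:` value passes when it is a local action (./path), a docker image
# reference, or owner/repo[/path]@<40-hex commit SHA>. Tags such as @v4 fail.
is_pinned_ref() {
  case "$1" in
    ./*|docker://*) return 0 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@[0-9a-f]{40}$'
}

# Print "file:line:ref" for every unpinned `uses:` in *.yml/*.yaml below the
# given directories. Scope is explicit so the hook can mirror the CI gate
# (.github/workflows + actions) and ignore documentation trees.
unpinned_refs() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' \) | while IFS= read -r f; do
      grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$f" | while IFS= read -r hit; do
        lineno=${hit%%:*}
        ref=${hit#*uses:}
        ref=${ref%%#*}   # drop a trailing "# vX.Y.Z" comment after the SHA
        ref=$(printf '%s' "$ref" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
        ref=${ref#\"}; ref=${ref%\"}; ref=${ref#\'}; ref=${ref%\'}   # unquote
        is_pinned_ref "$ref" || printf '%s:%s:%s\n' "$f" "$lineno" "$ref"
      done
    done
  done
}

# pre-push hook entry point: exit 1 blocks the push with an actionable message.
check_pins() {
  found=$(unpinned_refs "$@")
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    echo "pin-check: pin each action to a full commit SHA, e.g. uses: owner/repo@<40-hex-sha> # vX.Y.Z" >&2
    return 1
  fi
  echo "pin-check: all action references SHA-pinned"
}

# pre-commit hook entry point over the staged files: fail on a line that starts
# with an unresolved <<<<<<< or >>>>>>> marker (======= is skipped on purpose,
# since it is also a valid setext heading underline in Markdown).
check_merge_markers() {
  [ $# -gt 0 ] || return 0
  if grep -nHE '^(<{7}|>{7})( |$)' "$@"; then
    echo "merge-conflicts: unresolved conflict markers found" >&2
    return 1
  fi
  return 0
}

# Constructed fixture (assumption, not repo content): $root/clean holds only
# acceptable refs, $root/dirty holds an @v4 ref and a conflict. The SHAs are
# placeholders, not real commits.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/.github/workflows" "$root/clean/actions/setup" \
           "$root/dirty/.github/workflows"
  cat > "$root/clean/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: ./actions/setup
      - uses: "docker://alpine:3.20"
EOF
  cat > "$root/clean/actions/setup/action.yml" <<'EOF'
runs:
  using: composite
  steps:
    - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # v4.1.0
EOF
  cat > "$root/dirty/.github/workflows/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
<<<<<<< HEAD
      - run: make test
=======
      - run: make check
>>>>>>> feature
EOF
  printf '%s\n' "$root"
}

# `sh check-pins-example.sh --demo` runs both checks against the fixture;
# as a hook, call `check_pins .github/workflows actions` instead.
case "${1:-}" in
  --demo)
    d=$(make_fixture)
    check_pins "$d/clean/.github/workflows" "$d/clean/actions"
    check_pins "$d/dirty/.github/workflows"
    check_merge_markers "$d/dirty/.github/workflows/ci.yml"
    rm -rf "$d" ;;
esac
```

To wire this the way the PR describes, lefthook.yml would list `check_merge_markers`-style work under `pre-commit` with `run:` receiving `{staged_files}` (and a `glob:` of `.github/workflows/*.yml` for actionlint), and the pin check under `pre-push`. Two caveats a practitioner should keep in mind: hooks run in the committer's environment, so the CI pin-check remains the authoritative gate, and `--no-verify` bypasses both stages, which is exactly why the same logic must also exist server-side.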

Catch locally what the GitHub Actions CI gates reject on push:
- pre-commit: actionlint on staged workflow files; merge-conflict marker check
- pre-push: pin-check, a mirror of the required CI gate scoped to
  .github/workflows + actions (same scope as pin-check-ci.yml, so it does not
  false-positive on skill-markdown examples)

Managed by lefthook (already on PATH; no Node/Python runtime). After clone,
run: lefthook install

Deliberately NOT installed: creep (global no-AI-attribution policy forbids the
AI-Tool trailers it stamps), gh-aw compile sync (gh aw not installed and this
repo compiles to .lock.yml via scripts/compile-gh-aw.sh), gitleaks (binary not
installed locally).
@zircote zircote merged commit 8c7a1ef into main Jun 17, 2026
7 checks passed
@zircote zircote deleted the chore/git-hooks-lefthook branch June 17, 2026 17:59