Skip to content

chore(deps): Update pre-commit hook gitleaks/gitleaks to v8.21.4 #2181

chore(deps): Update pre-commit hook gitleaks/gitleaks to v8.21.4

chore(deps): Update pre-commit hook gitleaks/gitleaks to v8.21.4 #2181

Workflow file for this run

---
# Note: Scanning the pre-commit cache with gitleaks is impossible, as it contains all the secrets
# from the repositories included as hook. Building a list of secrets is not sustainable in
# the long run, as these will change regularly.
name: 'pre-commit'
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- 'main'
push:
branches:
- 'main'
workflow_dispatch:
inputs:
repoCache:
description: 'Reset or disable the cache?'
type: 'choice'
default: 'enabled'
options:
- 'enabled'
- 'disabled'
- 'reset'
# purge cache every Sunday at 0:00
schedule:
- cron: '0 0 * * 0'
permissions:
contents: 'read'
# Adding these as env variables makes it easy to re-use them in different steps and in bash.
env:
cache_archive: 'pre-commit_cache.tar.gz'
# This is the dir pre-commit provides
# If we set our own directory via cacheDir, we can run into permissions issues.
# It is also possible to cache a higher level of the directory, but it has minimal benefit. While pre-commit
# execution time gets faster, it also takes longer to upload the cache as it grows bigger.
cache_dir: '/tmp/.cache/pre-commit'
# This can be manually changed to bust the cache if neccessary.
cache_key: 'pre-commit-cache'
# File that contains the pre-commit hooks to skip
hook_skip_file: './.github/.pre-commit-skip-hooks'
jobs:
pre-commit:
permissions:
contents: 'write'
runs-on: 'ubuntu-24.04'
steps:
- name: 'Harden Runner'
uses: 'step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f' # v2.10.2
with:
egress-policy: 'audit'
- name: 'Checkout repository'
uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # v4.2.2
with:
persist-credentials: false
- name: 'Download cache of the previous workflow run'
uses: 'dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43' # v7
if: >-
github.event.inputs.repoCache != 'disabled' &&
github.event.inputs.repoCache != 'reset' &&
github.event_name != 'schedule'
id: 'artifact-download'
with:
name: '${{ env.cache_key }}'
path: 'cache-download'
if_no_artifact_found: 'ignore'
- name: 'Extract pre-commit cache to improve performance'
if: >-
github.event.inputs.repoCache != 'disabled' &&
github.event.inputs.repoCache != 'reset' &&
github.event_name != 'schedule' &&
steps.artifact-download.outputs.found_artifact == 'true'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
# Make sure the directory exists, and extract it there. Note that it's nested in the download directory.
mkdir -p "${{ env.cache_dir }}"
tar -xzf "cache-download/${{ env.cache_archive }}" -C "${{ env.cache_dir }}"
- name: 'Install Python'
uses: 'actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b' # v5.3.0
with:
# renovate dep: datasource=python-version versioning=python depName=python
python-version: '3.12.7'
- name: 'Install pre-commit'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
# renovate: datasource=pypi
pip3 install pre-commit==4.0.1
mkdir -pv "${{ env.cache_dir }}"
- name: 'Run pre-commit'
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
export PRE_COMMIT_HOME="${{ env.cache_dir }}"
if [[ -f "${{ env.hook_skip_file }}" ]]; then
export SKIP="$(tr '\n' ',' < "${{ env.hook_skip_file }}")"
fi
pre-commit run --verbose --all-files --show-diff-on-failure
- name: 'Compress pre-commit cache to improve performance'
if: "github.event.inputs.repoCache != 'disabled'"
shell: 'bash'
run: |
# fail if:
# - a variable is unbound
# - any command fails
# - a command in a pipe fails
# - a command in a sub-shell fails
set -Eeuo pipefail
# enable debug if runner runs in debug
[[ "${{ runner.debug }}" -ne 1 ]] || {
echo "INFO: Enabling bash trace";
set -x;
};
# The -C is important, as otherwise we end up extracting the files with
# their full path, ultimately leading to a nested directory situation.
tar -czf "${{ env.cache_archive }}" -C "${{ env.cache_dir }}" .
- name: 'Upload compressed cache'
uses: 'actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b' # v4.5.0
if: "github.event.inputs.repoCache != 'disabled'"
with:
name: '${{ env.cache_key }}'
path: '${{ env.cache_archive }}'
# Since this is updated and restored on every run, we don't need to keep it
# for long. Just make sure this value is large enough that multiple renovate
# runs can happen before older cache archives are deleted.
retention-days: 1
...