chore: git cache cleanup

This commit is contained in:
GitHub Actions
2026-03-04 18:34:39 +00:00
parent 7a8b0343e4
commit c32cce2a88
2001 changed files with 0 additions and 683185 deletions


@@ -1,14 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
staged=$(git diff --cached --name-only | tr '\r' '\n' || true)
if [ -n "${staged}" ]; then
# Exclude the pre-commit-hooks directory and this script itself
filtered=$(echo "$staged" | grep -v '^scripts/pre-commit-hooks/' | grep -v '^data/backups/' || true)
if echo "$filtered" | grep -q "codeql-db"; then
echo "Error: Attempting to commit CodeQL database artifacts (codeql-db)." >&2
echo "These should not be committed. Remove them or add to .gitignore and try again." >&2
echo "Tip: Use 'scripts/repo_health_check.sh' to validate repository health." >&2
exit 1
fi
fi
exit 0


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'
# Prevent committing any files under data/backups/ accidentally
staged_files=$(git diff --cached --name-only || true)
if [ -z "$staged_files" ]; then
exit 0
fi
for f in $staged_files; do
case "$f" in
data/backups/*)
echo "Error: Committing files under data/backups/ is blocked. Remove them from the commit and re-run." >&2
exit 1
;;
esac
done
exit 0


@@ -1,33 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# pre-commit hook: ensure large files added to git are tracked by Git LFS
MAX_BYTES=$((50 * 1024 * 1024))
FAILED=0
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
if [ -z "$STAGED_FILES" ]; then
exit 0
fi
while read -r f; do
[ -z "$f" ] && continue
if [ -f "$f" ]; then
size=$(stat -c%s "$f")
if [ "$size" -gt "$MAX_BYTES" ]; then
# check if tracked by LFS via git check-attr
filter_attr=$(git check-attr --stdin filter <<<"$f" | awk '{print $3}' || true)
if [ "$filter_attr" != "lfs" ]; then
echo "ERROR: Large file not tracked by Git LFS: $f ($size bytes)" >&2
FAILED=1
fi
fi
fi
done <<<"$STAGED_FILES"
if [ $FAILED -ne 0 ]; then
echo "You must track large files in Git LFS. Aborting commit." >&2
exit 1
fi
exit 0


@@ -1,136 +0,0 @@
#!/bin/bash
# Check CodeQL SARIF results for blocking findings (CI-aligned)
set -e
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
FAILED=0
check_sarif() {
local sarif_file=$1
local lang=$2
if [ ! -f "$sarif_file" ]; then
echo -e "${RED}❌ No SARIF file found: $sarif_file${NC}"
echo "Run CodeQL scan first: pre-commit run --hook-stage manual codeql-$lang-scan --all-files"
FAILED=1
return 1
fi
echo "🔍 Checking $lang findings..."
# Check for findings using jq (if available)
if command -v jq &> /dev/null; then
# Count blocking findings.
# CI behavior: block only effective level=error (high/critical equivalent);
# warnings are reported but non-blocking unless escalated by policy.
BLOCKING_COUNT=$(jq -r '[
.runs[] as $run
| $run.results[]
| . as $result
| ($run.tool.driver.rules // []) as $rules
| ((
$result.level
// (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
// ([
$rules[]?
| select((.id // "") == ($result.ruleId // ""))
| (.defaultConfiguration.level // empty)
][0] // empty)
// ""
) | ascii_downcase) as $effectiveLevel
| select($effectiveLevel == "error")
] | length' "$sarif_file" 2>/dev/null || echo 0)
WARNING_COUNT=$(jq -r '[
.runs[] as $run
| $run.results[]
| . as $result
| ($run.tool.driver.rules // []) as $rules
| ((
$result.level
// (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
// ([
$rules[]?
| select((.id // "") == ($result.ruleId // ""))
| (.defaultConfiguration.level // empty)
][0] // empty)
// ""
) | ascii_downcase) as $effectiveLevel
| select($effectiveLevel == "warning")
] | length' "$sarif_file" 2>/dev/null || echo 0)
if [ "$BLOCKING_COUNT" -gt 0 ]; then
echo -e "${RED}❌ Found $BLOCKING_COUNT blocking CodeQL issues in $lang code${NC}"
echo ""
echo "Blocking summary (error-level):"
jq -r '
.runs[] as $run
| $run.results[]
| . as $result
| ($run.tool.driver.rules // []) as $rules
| ((
$result.level
// (if (($result.ruleIndex | type) == "number") then ($rules[$result.ruleIndex].defaultConfiguration.level // empty) else empty end)
// ([
$rules[]?
| select((.id // "") == ($result.ruleId // ""))
| (.defaultConfiguration.level // empty)
][0] // empty)
// ""
) | ascii_downcase) as $effectiveLevel
| select($effectiveLevel == "error")
| "\($effectiveLevel): \($result.ruleId // "<unknown-rule>"): \($result.message.text) (\($result.locations[0].physicalLocation.artifactLocation.uri):\($result.locations[0].physicalLocation.region.startLine))"
' "$sarif_file" 2>/dev/null | head -10
echo ""
echo "View full results: code $sarif_file"
FAILED=1
else
echo -e "${GREEN}✅ No blocking CodeQL issues found in $lang code${NC}"
if [ "$WARNING_COUNT" -gt 0 ]; then
echo -e "${YELLOW}⚠️ Non-blocking warnings in $lang: $WARNING_COUNT (policy triage required)${NC}"
fi
fi
else
echo -e "${RED}❌ jq is required for semantic CodeQL severity evaluation (${lang})${NC}"
echo "Install jq and re-run: pre-commit run --hook-stage manual codeql-check-findings --all-files"
FAILED=1
fi
}
echo "🔒 Checking CodeQL findings..."
echo ""
if ! command -v jq &> /dev/null; then
echo -e "${RED}❌ jq is required for CodeQL finding checks${NC}"
echo "Install jq and re-run: pre-commit run --hook-stage manual codeql-check-findings --all-files"
exit 1
fi
check_sarif "codeql-results-go.sarif" "go"
# Support both JS artifact names, preferring the CI-aligned canonical file.
if [ -f "codeql-results-js.sarif" ]; then
check_sarif "codeql-results-js.sarif" "js"
elif [ -f "codeql-results-javascript.sarif" ]; then
echo -e "${YELLOW}⚠️ Using legacy JS SARIF artifact name: codeql-results-javascript.sarif${NC}"
check_sarif "codeql-results-javascript.sarif" "js"
else
check_sarif "codeql-results-js.sarif" "js"
fi
if [ $FAILED -eq 1 ]; then
echo ""
echo -e "${RED}❌ CodeQL scan found blocking findings (error-level). Please fix before committing.${NC}"
echo ""
echo "To view results:"
echo " - VS Code: Install SARIF Viewer extension"
echo " - Command line: jq . codeql-results-*.sarif"
exit 1
fi
echo ""
echo -e "${GREEN}✅ All CodeQL checks passed${NC}"


@@ -1,71 +0,0 @@
#!/usr/bin/env bash
# Pre-commit CodeQL Go scan - CI-aligned
set -euo pipefail
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
echo -e "${BLUE}🔍 Running CodeQL Go scan (CI-aligned)...${NC}"
echo ""
if ! command -v jq >/dev/null 2>&1; then
echo -e "${RED}❌ jq is required for CodeQL extraction metric validation${NC}"
exit 1
fi
# Clean previous database
rm -rf codeql-db-go
# Create database
echo "📦 Creating CodeQL database..."
codeql database create codeql-db-go \
--language=go \
--source-root=backend \
--codescanning-config=.github/codeql/codeql-config.yml \
--threads=0 \
--overwrite
echo ""
echo "📊 Analyzing with security-and-quality suite..."
ANALYZE_LOG=$(mktemp)
# Analyze with CI-aligned suite
codeql database analyze codeql-db-go \
codeql/go-queries:codeql-suites/go-security-and-quality.qls \
--format=sarif-latest \
--output=codeql-results-go.sarif \
--sarif-add-baseline-file-info \
--threads=0 2>&1 | tee "$ANALYZE_LOG"
echo ""
echo "🧮 Validating extraction metric against go list baseline..."
BASELINE_COUNT=$(cd backend && go list -json ./... | jq -s 'map((.GoFiles|length)+(.CgoFiles|length))|add')
SCAN_LINE=$(grep -Eo 'CodeQL scanned [0-9]+ out of [0-9]+ Go files' "$ANALYZE_LOG" | tail -1 || true)
if [ -z "$SCAN_LINE" ]; then
rm -f "$ANALYZE_LOG"
echo -e "${RED}❌ Could not parse CodeQL extraction metric from analyze output${NC}"
echo "Expected a line like: CodeQL scanned X out of Y Go files"
exit 1
fi
EXTRACTED_COUNT=$(echo "$SCAN_LINE" | awk '{print $3}')
RAW_COUNT=$(echo "$SCAN_LINE" | awk '{print $6}')
rm -f "$ANALYZE_LOG"
if [ "$EXTRACTED_COUNT" != "$BASELINE_COUNT" ]; then
echo -e "${RED}❌ CodeQL extraction drift detected${NC}"
echo " - go list compiled-file baseline: $BASELINE_COUNT"
echo " - CodeQL extracted compiled files: $EXTRACTED_COUNT"
echo " - CodeQL raw-repo denominator: $RAW_COUNT"
echo "Resolve suite/trigger/build-tag drift before merging."
exit 1
fi
echo -e "${GREEN}✅ Extraction parity OK${NC} (compiled baseline=$BASELINE_COUNT, extracted=$EXTRACTED_COUNT, raw=$RAW_COUNT)"
echo -e "${GREEN}✅ CodeQL Go scan complete${NC}"
echo "Results saved to: codeql-results-go.sarif"
echo ""
echo "Run 'pre-commit run codeql-check-findings' to validate findings"


@@ -1,41 +0,0 @@
#!/bin/bash
# Pre-commit CodeQL JavaScript/TypeScript scan - CI-aligned
set -e
GREEN='\033[0;32m'
BLUE='\033[0;34m'
NC='\033[0m'
echo -e "${BLUE}🔍 Running CodeQL JavaScript/TypeScript scan (CI-aligned)...${NC}"
echo ""
# Remove generated artifacts that can create noisy/false findings during CodeQL analysis
rm -rf frontend/coverage frontend/dist playwright-report test-results coverage
# Clean previous database
rm -rf codeql-db-js
# Create database
echo "📦 Creating CodeQL database..."
codeql database create codeql-db-js \
--language=javascript \
--build-mode=none \
--source-root=frontend \
--codescanning-config=.github/codeql/codeql-config.yml \
--threads=0 \
--overwrite
echo ""
echo "📊 Analyzing with security-and-quality suite..."
# Analyze with CI-aligned suite
codeql database analyze codeql-db-js \
codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls \
--format=sarif-latest \
--output=codeql-results-js.sarif \
--sarif-add-baseline-file-info \
--threads=0
echo -e "${GREEN}✅ CodeQL JavaScript/TypeScript scan complete${NC}"
echo "Results saved to: codeql-results-js.sarif"
echo ""
echo "Run 'pre-commit run codeql-check-findings' to validate findings"


@@ -1,56 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
readonly REPO_ROOT
readonly DEFAULT_REPORT_PATH="${REPO_ROOT}/test-results/security/gitleaks-tuned-precommit.json"
readonly REPORT_PATH="${GITLEAKS_REPORT_PATH:-${DEFAULT_REPORT_PATH}}"
if ! command -v rsync >/dev/null 2>&1; then
echo "Error: rsync is not installed or not in PATH" >&2
exit 127
fi
if ! command -v gitleaks >/dev/null 2>&1; then
echo "Error: gitleaks is not installed or not in PATH" >&2
echo "Install: https://github.com/gitleaks/gitleaks" >&2
exit 127
fi
TEMP_ROOT="$(mktemp -d -t gitleaks-tuned-XXXXXX)"
cleanup() {
rm -rf "${TEMP_ROOT}"
}
trap cleanup EXIT
readonly FILTERED_SOURCE="${TEMP_ROOT}/source-filtered"
mkdir -p "${FILTERED_SOURCE}"
mkdir -p "$(dirname "${REPORT_PATH}")"
cd "${REPO_ROOT}"
echo "Preparing filtered source tree for tuned gitleaks scan"
rsync -a --delete \
--exclude='.cache/' \
--exclude='node_modules/' \
--exclude='frontend/node_modules/' \
--exclude='backend/.venv/' \
--exclude='dist/' \
--exclude='build/' \
--exclude='coverage/' \
--exclude='test-results/' \
./ "${FILTERED_SOURCE}/"
echo "Running gitleaks tuned scan (no-git mode)"
gitleaks detect \
--source "${FILTERED_SOURCE}" \
--no-git \
--report-format json \
--report-path "${REPORT_PATH}" \
--exit-code 1 \
--no-banner
echo "Gitleaks report: ${REPORT_PATH}"


@@ -1,63 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Wrapper script for golangci-lint fast linters in pre-commit
# This ensures golangci-lint works in both terminal and VS Code pre-commit integration
preferred_bin="${GOBIN:-${GOPATH:-$HOME/go}/bin}/golangci-lint"
lint_major_version() {
local binary_path="$1"
"$binary_path" version 2>/dev/null | sed -nE 's/.*version[[:space:]]+([0-9]+)\..*/\1/p' | sed -n '1p'
}
install_v2_linter() {
echo "🔧 Installing golangci-lint v2 with current Go toolchain..."
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
}
resolve_v2_linter() {
local candidates=()
local path_linter=""
if path_linter=$(command -v golangci-lint 2>/dev/null); then
candidates+=("$path_linter")
fi
candidates+=(
"$preferred_bin"
"$HOME/go/bin/golangci-lint"
"/usr/local/bin/golangci-lint"
"/usr/bin/golangci-lint"
)
for candidate in "${candidates[@]}"; do
if [[ -x "$candidate" && "$(lint_major_version "$candidate")" == "2" ]]; then
printf '%s\n' "$candidate"
return 0
fi
done
install_v2_linter
if [[ -x "$preferred_bin" && "$(lint_major_version "$preferred_bin")" == "2" ]]; then
printf '%s\n' "$preferred_bin"
return 0
fi
return 1
}
if ! GOLANGCI_LINT="$(resolve_v2_linter)"; then
echo "ERROR: failed to resolve golangci-lint v2"
echo "PATH: $PATH"
echo "Expected v2 binary at: $preferred_bin"
exit 1
fi
echo "Using golangci-lint: $GOLANGCI_LINT"
echo "Version: $($GOLANGCI_LINT version)"
# Change to backend directory and run golangci-lint
cd "$(dirname "$0")/../../backend" || exit 1
exec "$GOLANGCI_LINT" run --config .golangci-fast.yml ./...


@@ -1,63 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# Wrapper script for golangci-lint full linters in pre-commit
# This ensures golangci-lint works in both terminal and VS Code pre-commit integration
preferred_bin="${GOBIN:-${GOPATH:-$HOME/go}/bin}/golangci-lint"
lint_major_version() {
local binary_path="$1"
"$binary_path" version 2>/dev/null | sed -nE 's/.*version[[:space:]]+([0-9]+)\..*/\1/p' | sed -n '1p'
}
install_v2_linter() {
echo "🔧 Installing golangci-lint v2 with current Go toolchain..."
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
}
resolve_v2_linter() {
local candidates=()
local path_linter=""
if path_linter=$(command -v golangci-lint 2>/dev/null); then
candidates+=("$path_linter")
fi
candidates+=(
"$preferred_bin"
"$HOME/go/bin/golangci-lint"
"/usr/local/bin/golangci-lint"
"/usr/bin/golangci-lint"
)
for candidate in "${candidates[@]}"; do
if [[ -x "$candidate" && "$(lint_major_version "$candidate")" == "2" ]]; then
printf '%s\n' "$candidate"
return 0
fi
done
install_v2_linter
if [[ -x "$preferred_bin" && "$(lint_major_version "$preferred_bin")" == "2" ]]; then
printf '%s\n' "$preferred_bin"
return 0
fi
return 1
}
if ! GOLANGCI_LINT="$(resolve_v2_linter)"; then
echo "ERROR: failed to resolve golangci-lint v2"
echo "PATH: $PATH"
echo "Expected v2 binary at: $preferred_bin"
exit 1
fi
echo "Using golangci-lint: $GOLANGCI_LINT"
echo "Version: $($GOLANGCI_LINT version)"
# Change to backend directory and run golangci-lint
cd "$(dirname "$0")/../../backend" || exit 1
exec "$GOLANGCI_LINT" run -v ./...


@@ -1,14 +0,0 @@
#!/usr/bin/env bash
# Pre-commit hook for GORM security scanning
# Wrapper for scripts/scan-gorm-security.sh
set -euo pipefail
# Navigate to repository root
cd "$(git rev-parse --show-toplevel)"
echo "🔒 Running GORM Security Scanner..."
echo ""
# Run scanner in check mode (exits 1 if issues found)
./scripts/scan-gorm-security.sh --check


@@ -1,24 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
readonly REPO_ROOT
if ! command -v semgrep >/dev/null 2>&1; then
echo "Error: semgrep is not installed or not in PATH" >&2
echo "Install: https://semgrep.dev/docs/getting-started/" >&2
exit 127
fi
cd "${REPO_ROOT}"
readonly SEMGREP_CONFIG_VALUE="${SEMGREP_CONFIG:-auto}"
echo "Running Semgrep with config: ${SEMGREP_CONFIG_VALUE}"
semgrep scan \
--config "${SEMGREP_CONFIG_VALUE}" \
--error \
backend frontend scripts .github/workflows