From df8bfc33fc7b34cf45f22b653d2f46769da28c81 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Tue, 9 Dec 2025 01:58:35 +0000
Subject: [PATCH] chore(ci): prevent committing CodeQL DB artifacts via pre-commit hook

---
.pre-commit-config.yaml | 7 +++++++
.../pre-commit-hooks/block-codeql-db-commits.sh | 14 ++++++++++++++
2 files changed, 21 insertions(+)
create mode 100644 scripts/pre-commit-hooks/block-codeql-db-commits.sh

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ee1bf991..2a28f4b4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -43,6 +43,13 @@ repos: pass_filenames: false verbose: true always_run: true + - id: block-codeql-db-commits name: Prevent committing CodeQL DB artifacts entry: bash scripts/pre-commit-hooks/block-codeql-db-commits.sh language: system pass_filenames: false verbose: true always_run: true # === MANUAL/CI-ONLY HOOKS === # These are slow and should only run on-demand or in CI
diff --git a/scripts/pre-commit-hooks/block-codeql-db-commits.sh b/scripts/pre-commit-hooks/block-codeql-db-commits.sh
new file mode 100644
index 00000000..aae6bae4
--- /dev/null
+++ b/scripts/pre-commit-hooks/block-codeql-db-commits.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+staged=$(git diff --cached --name-only | tr '\r' '\n' || true)
+if [ -n "${staged}" ]; then
+ # Exclude the pre-commit-hooks directory and this script itself
+ filtered=$(echo "$staged" | grep -v '^scripts/pre-commit-hooks/' | grep -v '^data/backups/' || true)
+ if echo "$filtered" | grep -q "codeql-db"; then
+ echo "Error: Attempting to commit CodeQL database artifacts (codeql-db)." >&2
+ echo "These should not be committed. Remove them or add to .gitignore and try again." >&2
+ echo "Tip: Use 'scripts/repo_health_check.sh' to validate repository health." >&2
+ exit 1
+ fi
+fi
+exit 0
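Review bot: A commit that removes an already-tracked codeql-db artifact is blocked by the new script, because `git diff --cached --name-only` on line 3 of block-codeql-db-commits.sh also lists deleted paths, so the remediation the error message asks for ("Remove them ... and try again") cannot itself be committed. Restricting the listing to non-deleted entries fixes it: `staged=$(git diff --cached --name-only --diff-filter=d | tr '\r' '\n')`. The trailing `|| true` on that same line turns a failing git invocation into an empty list and a passing hook; under `set -euo pipefail` letting the failure propagate fails closed instead. The `grep -q "codeql-db"` test is an unanchored substring match, so any staged path containing that text (a doc page about the database, say) trips it; if the artifact is always a path component, `grep -qE '(^|/)codeql-db'` narrows it, and `-F` is the safer default otherwise. The `grep -v '^data/backups/'` exclusion is not mentioned by the comment above it and exempts that whole tree from the check, so an artifact placed under it is not caught — presumably intentional, but it deserves a comment saying why.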