openclaw/.pre-commit-config.yaml at main · justinhuangcode/openclaw · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# Pre-commit hooks for openclaw
# Install: prek install
# Run manually: prek run --all-files
#
# See https://pre-commit.com for more information

repos:
  # Basic file hygiene
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: end-of-file-fixer
        exclude: '^(docs/|dist/|vendor/|.*\.snap$)'
      - id: check-yaml
        args: [--allow-multiple-documents]
      - id: check-added-large-files
        args: [--maxkb=500]
      - id: check-merge-conflict
      - id: detect-private-key
        exclude: '(^|/)(\.secrets\.baseline$|\.detect-secrets\.cfg$|\.pre-commit-config\.yaml$|apps/ios/fastlane/Fastfile$|.*\.test\.ts$)'

  # Secret detection (same as CI)
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args:
          - --baseline
          - .secrets.baseline
          - --exclude-files
          - '(^|/)pnpm-lock\.yaml$'
          - --exclude-lines
          - 'key_content\.include\?\("BEGIN PRIVATE KEY"\)'
          - --exclude-lines
          - 'case \.apiKeyEnv: "API key \(env var\)"'
          - --exclude-lines
          - 'case apikey = "apiKey"'
          - --exclude-lines
          - '"gateway\.remote\.password"'
          - --exclude-lines
          - '"gateway\.auth\.password"'
          - --exclude-lines
          - '"talk\.apiKey"'
          - --exclude-lines
          - '=== "string"'
          - --exclude-lines
          - 'typeof remote\?\.password === "string"'
          - --exclude-lines
          - "OPENCLAW_DOCKER_GPG_FINGERPRINT="
          - --exclude-lines
          - '"secretShape": "(secret_input|sibling_ref)"'
          - --exclude-lines
          - 'API key rotation \(provider-specific\): set `\*_API_KEYS`'
          - --exclude-lines
          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.auth\.password` -> `gateway\.remote\.password`'
          - --exclude-lines
          - 'password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway\.remote\.password` -> `gateway\.auth\.password`'
          - --exclude-files
          - '^src/gateway/client\.watchdog\.test\.ts$'
          - --exclude-lines
          - 'export CUSTOM_API_K[E]Y="your-key"'
          - --exclude-lines
          - 'grep -q ''N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache'' ~/.bashrc \|\| cat >> ~/.bashrc <<''EOF'''
          - --exclude-lines
          - 'env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},'
          - --exclude-lines
          - '"ap[i]Key": "xxxxx"(,)?'
          - --exclude-lines
          - 'ap[i]Key: "A[I]za\.\.\.",'
          - --exclude-lines
          - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
          - --exclude-lines
          - 'sparkle:edSignature="[A-Za-z0-9+/=]+"'
  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
    hooks:
      - id: shellcheck
        args: [--severity=error] # Only fail on errors, not warnings/info
        # Exclude vendor and scripts with embedded code or known issues
        exclude: "^(vendor/|scripts/e2e/)"

  # GitHub Actions linting
  - repo: https://github.com/rhysd/actionlint
    rev: v1.7.10
    hooks:
      - id: actionlint

  # GitHub Actions security audit
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.22.0
    hooks:
      - id: zizmor
        args: [--persona=regular, --min-severity=medium, --min-confidence=medium]
        exclude: "^(vendor/|Swabble/)"

  # Python checks for skills scripts
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.14.1
    hooks:
      - id: ruff
        files: "^skills/.*\\.py$"
        args: [--config, pyproject.toml]

  - repo: local
    hooks:
      - id: skills-python-tests
        name: skills python tests
        entry: pytest -q skills
        language: python
        additional_dependencies: [pytest>=8, <9]
        pass_filenames: false
        files: "^skills/.*\\.py$"

  # Project checks (same commands as CI)
  - repo: local
    hooks:
      # pnpm audit --prod --audit-level=high
      - id: pnpm-audit-prod
        name: pnpm-audit-prod
        entry: pnpm audit --prod --audit-level=high
        language: system
        pass_filenames: false

      # oxlint --type-aware src test
      - id: oxlint
        name: oxlint
        entry: scripts/pre-commit/run-node-tool.sh oxlint --type-aware src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # oxfmt --check src test
      - id: oxfmt
        name: oxfmt
        entry: scripts/pre-commit/run-node-tool.sh oxfmt --check src test
        language: system
        pass_filenames: false
        types_or: [javascript, jsx, ts, tsx]

      # swiftlint (same as CI)
      - id: swiftlint
        name: swiftlint
        entry: swiftlint --config .swiftlint.yml
        language: system
        pass_filenames: false
        types: [swift]

      # swiftformat --lint (same as CI)
      - id: swiftformat
        name: swiftformat
        entry: swiftformat --lint apps/macos/Sources --config .swiftformat
        language: system
        pass_filenames: false
        types: [swift]