devsecops-hooks/.github/workflows/hooks.yml at main · ministryofjustice/devsecops-hooks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Executes all pre-commit hooks on pull requests
# Includes security scanning, linting, spellcheck, and config validation
# Trigger: pull_request (all branches) | Permissions: contents:read, issues:read, pull-requests:read

name: Git hooks 🪝
run-name: Git hooks 🪝

on:
  pull_request:
    branches: ["**"]

permissions: {}

env:
  environment: base
  timezone: ${{ vars.TIMEZONE }}

jobs:
  # 1. Setup infrastructure
  setup:
    name: Infrastructure 🔧
    runs-on: ubuntu-latest
    outputs:
      environment: ${{ env.environment }}
      timezone: ${{ env.timezone }}
    steps:
      - name: Environment 🧪
        run: echo "Environment set to ${{ env.environment }}"

      - name: Timezone 🌐
        run: echo "Timezone set to ${{ env.timezone }}"

  # 2. Execute pre-commit hooks
  hooks:
    permissions:
      contents: read
      issues: read
      pull-requests: read

    name: Hooks 🪝
    needs: setup
    environment:
      name: ${{ needs.setup.outputs.environment }}
    runs-on: ubuntu-latest

    steps:
      - name: Repository
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # frozen: v6.0.1

      - name: Python
        uses: actions/setup-python@28f2168f4d98ee0445e3c6321f6e6616c83dd5ec # frozen: v6.1.0
        with:
          python-version-file: ./.python-version

      - name: Node
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # frozen: v6.1.0
        with:
          node-version: ${{ vars.NODE_VERSION }}

      - name: Install
        working-directory: ./
        run: |
          python -m pip install -r requirements.txt
          npm ci --ignore-scripts

      - name: Execute
        run: pre-commit run --all-files