feat: use mise exec to run most steps

...to remove the need to add the tools to the mise config and to be
able to specify tool versions in the shared hk configuration.

Author: stempler

Shared.pkl

@@ -5,25 +5,39 @@ actionlint = (Builtins.actionlint) {
   // extend to include actiion.yml/yaml files XXX turned out this is not supported by actionlint at the moment
   // glob = List(".github/workflows/*.yml", ".github/workflows/*.yaml", "action.yml", "action.yaml")
 
+  local prefix = "mise x actionlint -- "
+  check = prefix + Builtins.actionlint.check
+
   // exclude managed tf- files which are generated
   exclude = List(".github/workflows/tf-*")
 }
 
 prettier = (Builtins.prettier) {
+  local prefix = "mise x prettier -- "
+
+  check = prefix + Builtins.prettier.check_list_files
+  check_list_files = prefix + Builtins.prettier.check_list_files
+  fix = prefix + Builtins.prettier.fix
+
   // exclude files which are generated/managed
   exclude = List(".github/workflows/tf-*", "CHANGELOG.md")
 }
 
-pkl = Builtins.pkl
+local pkl_version = "0.30.0"
+local pkl_prefix = "mise x pkl@\(pkl_version) -- "
+
+pkl = (Builtins.pkl) {
+  check = pkl_prefix + Builtins.pkl.check
+}
 
 // Note: supported since pkl 0.30 - https://pkl-lang.org/main/current/release-notes/0.30.html
 // TODO use Builtins.pkl_format as soon as hk is released (>1.25.0)
 pklformat = new Config.Step {
   stage = "<JOB_FILES>"
   glob = "*.pkl"
-  check = "pkl format --silent {{files}}"
-  // exit code of pkl format is 1 if changes were made, so we first attempt to write changes with -w, and if that fails, we run again with --silent to ensure a zero exit code on success
-  fix = "pkl format -w {{files}} || pkl format --silent {{files}}"
+  check = "\(pkl_prefix) pkl format --silent {{files}}"
+  // exit code of pkl format is not zero if changes were made, so we first attempt to write changes with -w, and then run again with --silent to ensure a zero exit code on success
+  fix = "\(pkl_prefix) pkl format -w {{files}} || \(pkl_prefix) pkl format --silent {{files}}"
 }
 
 spotlessGradle = new Config.Step {
@@ -50,32 +64,33 @@ spotlessGradle = new Config.Step {
 // Secret detection tools
 
 // https://github.com/Yelp/detect-secrets
-// mise: pipx:detect-secrets
 detectsecrets = new Config.Step {
   // needs a baseline
   // create with `detect-secrets scan > .secrets.baseline`
   // check will fail if file does not exist
-  check = "detect-secrets-hook --baseline .secrets.baseline {{files}}"
+  check = "mise x pipx:detect-secrets -- detect-secrets-hook --baseline .secrets.baseline {{files}}"
 }
 
 // https://github.com/sirwart/ripsecrets
 ripsecrets = new Config.Step {
-  check = "ripsecrets {{files}}"
+  check = "mise x ripsecrets -- ripsecrets {{files}}"
 }
 
 // https://github.com/gitleaks/gitleaks
 gitleaks = new Config.Step {
+  // don't use latest as there may be breaking changes (even for minor version updates)
+  local gitleaks_version = "8.30.0"
   // XXX scans whole folder if there are multiple files (see https://github.com/gitleaks/gitleaks/issues/1727)
-  check = "gitleaks dir -v {{files}}"
+  check = "mise x gitleaks@\(gitleaks_version) -- gitleaks dir -v {{files}}"
 }
 
 // https://github.com/trufflesecurity/trufflehog
 trufflehog = new Config.Step {
-  check = "trufflehog filesystem {{files}} --fail"
+  check = "mise x trufflehog -- trufflehog filesystem {{files}} --fail"
 }
 
 // https://trivy.dev/docs/latest/scanner/secret/
 trivysecrets = new Config.Step {
   // Note: trivy fs can only take one file/path as argument, so we can only scan the current directory and not pass the files
-  check = "trivy fs --exit-code 1 --scanners secret ."
+  check = "mise x trivy -- trivy fs --exit-code 1 --scanners secret ."
 }

mise.toml

@@ -1,4 +1,4 @@
 [tools]
+# for git hooks
 hk = "latest"
 pkl = "latest"
-prettier = "3"