.pre-commit-config.yaml

---
default_language_version:
  # force all unspecified python hooks to run python3
  python: python3

repos:
  # Check the pre-commit configuration
  - repo: meta
    hooks:
      - id: check-useless-excludes

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: check-case-conflict
      - id: check-executables-have-shebangs
      - id: check-json
      - id: check-merge-conflict
      - id: check-shebang-scripts-are-executable
      - id: check-symlinks
      - id: check-toml
      - id: check-vcs-permalinks
      - id: check-xml
      - id: debug-statements
      - id: destroyed-symlinks
      - id: detect-aws-credentials
        args:
          - --allow-missing-credentials
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: mixed-line-ending
        args:
          - --fix=lf
      - id: pretty-format-json
        args:
          - --autofix
      - id: requirements-txt-fixer
      - id: trailing-whitespace

  # Text file hooks
  - repo: https://github.com/igorshubovych/markdownlint-cli
    rev: v0.42.0
    hooks:
      - id: markdownlint
        args:
          - --config=.mdl_config.yaml
  - repo: https://github.com/rbubley/mirrors-prettier
    rev: v3.3.3
    hooks:
      - id: prettier
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.35.1
    hooks:
      - id: yamllint
        args:
          - --strict

  # GitHub Actions hooks
  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.29.4
    hooks:
      - id: check-github-actions
      - id: check-github-workflows

  # pre-commit hooks
  - repo: https://github.com/pre-commit/pre-commit
    rev: v4.0.1
    hooks:
      - id: validate_manifest

  # Go hooks
  - repo: https://github.com/TekWizely/pre-commit-golang
    rev: v1.0.0-rc.1
    hooks:
      # Go Build
      - id: go-build-repo-mod
      # Style Checkers
      - id: go-critic
      # goimports
      - id: go-imports-repo
        args:
          # Write changes to files
          - -w
      # Go Mod Tidy
      - id: go-mod-tidy-repo
      # GoSec
      - id: go-sec-repo-mod
      # StaticCheck
      - id: go-staticcheck-repo-mod
      # Go Test
      - id: go-test-repo-mod
      # Go Vet
      - id: go-vet-repo-mod
  # Nix hooks
  - repo: https://github.com/nix-community/nixpkgs-fmt
    rev: v1.3.0
    hooks:
      - id: nixpkgs-fmt

  # Shell script hooks
  - repo: https://github.com/scop/pre-commit-shfmt
    rev: v3.10.0-1
    hooks:
      - id: shfmt
        args:
          # List files that will be formatted
          - --list
          # Write result to file instead of stdout
          - --write
          # Indent by two spaces
          - --indent
          - "2"
          # Binary operators may start a line
          - --binary-next-line
          # Switch cases are indented
          - --case-indent
          # Redirect operators are followed by a space
          - --space-redirects
  - repo: https://github.com/shellcheck-py/shellcheck-py
    rev: v0.10.0.1
    hooks:
      - id: shellcheck

  # Python hooks
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.10
    hooks:
      - id: bandit
        args:
          - --config=.bandit.yml
  - repo: https://github.com/psf/black-pre-commit-mirror
    rev: 24.10.0
    hooks:
      - id: black
  - repo: https://github.com/PyCQA/flake8
    rev: 7.1.1
    hooks:
      - id: flake8
        additional_dependencies:
          - flake8-docstrings==1.7.0
  - repo: https://github.com/PyCQA/isort
    rev: 5.13.2
    hooks:
      - id: isort
  - repo: https://github.com/pre-commit/mirrors-mypy
    rev: v1.13.0
    hooks:
      - id: mypy
  - repo: https://github.com/pypa/pip-audit
    rev: v2.7.3
    hooks:
      - id: pip-audit
        args:
          # Add any pip requirements files to scan
          - --requirement
          - requirements-dev.txt
          - --requirement
          - requirements-test.txt
          - --requirement
          - requirements.txt
  - repo: https://github.com/asottile/pyupgrade
    rev: v3.19.0
    hooks:
      - id: pyupgrade

  # Ansible hooks
  - repo: https://github.com/ansible/ansible-lint
    rev: v24.10.0
    hooks:
      - id: ansible-lint
        additional_dependencies:
          # On its own ansible-lint does not pull in ansible, only
          # ansible-core.  Therefore, if an Ansible module lives in
          # ansible instead of ansible-core, the linter will complain
          # that the module is unknown.  In these cases it is
          # necessary to add the ansible package itself as an
          # additional dependency, with the same pinning as is done in
          # requirements-test.txt of cisagov/skeleton-ansible-role.
          #
          # Version 10 is required because the pip-audit pre-commit
          # hook identifies a vulnerability in ansible-core 2.16.13,
          # but all versions of ansible 9 have a dependency on
          # ~=2.16.X.
          #
          # It is also a good idea to go ahead and upgrade to version
          # 10 since version 9 is going EOL at the end of November:
          # https://endoflife.date/ansible
          # - ansible>=10,<11
          # ansible-core 2.16.3 through 2.16.6 suffer from the bug
          # discussed in ansible/ansible#82702, which breaks any
          # symlinked files in vars, tasks, etc. for any Ansible role
          # installed via ansible-galaxy.  Hence we never want to
          # install those versions.
          #
          # Note that the pip-audit pre-commit hook identifies a
          # vulnerability in ansible-core 2.16.13.  The pin of
          # ansible-core to >=2.17 effectively also pins ansible to
          # >=10.
          #
          # It is also a good idea to go ahead and upgrade to
          # ansible-core 2.17 since security support for ansible-core
          # 2.16 ends this month:
          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
          #
          # Note that any changes made to this dependency must also be
          # made in requirements.txt in cisagov/skeleton-packer and
          # requirements-test.txt in cisagov/skeleton-ansible-role.
          - ansible-core>=2.17

  # Terraform hooks
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.96.1
    hooks:
      - id: terraform_fmt
      - id: terraform_validate

  # Docker hooks
  - repo: https://github.com/IamTheFij/docker-pre-commit
    rev: v3.0.1
    hooks:
      - id: docker-compose-check

  # Packer hooks
  - repo: https://github.com/cisagov/pre-commit-packer
    rev: v0.3.0
    hooks:
      - id: packer_fmt
      - id: packer_validate