forked from usegalaxy-no/infrastructure-playbook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpre-commit
executable file
·44 lines (38 loc) · 1.36 KB
/
pre-commit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env bash
#
# Called by "git commit" with no arguments. The hook should
# exit with non-zero status after issuing an appropriate message if
# it wants to stop the commit.
# Unset variables produce errors
set -u
if git rev-parse --verify HEAD >/dev/null 2>&1
then
against=HEAD
else
# Initial commit: diff against an empty tree object
against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi
# Redirect output to stderr.
exec 1>&2
EXIT_STATUS=0
# Check that all changed *.vault files are encrypted
# read: -r do not allow backslashes to escape characters; -d delimiter
while IFS= read -r -d $'\0' file; do
[[ "$file" != *.vault && "$file" != *.vault.yml ]] && continue
# cut gets symbols 1-2
file_status=$(git status --porcelain -- "$file" 2>&1 | cut -c1-2)
file_status_index=${file_status:0:1}
file_status_worktree=${file_status:1:1}
[[ "$file_status_worktree" != ' ' ]] && {
echo "ERROR: *.vault file is modified in worktree but not added to the index: $file"
echo "Can not check if it is properly encrypted. Use git add or git stash to fix this."
EXIT_STATUS=1
}
# check is neither required nor possible for deleted files
[[ "$file_status_index" = 'D' ]] && continue
head -1 "$file" | grep --quiet '^\$ANSIBLE_VAULT;' || {
echo "ERROR: non-encrypted *.vault file: $file"
EXIT_STATUS=1
}
done < <(git diff --cached --name-only -z "$against")
exit $EXIT_STATUS