joakimp/opencode-devbox
Public Access
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add gitleaks pre-commit hook and bump opencode to 1.4.2

Browse Source
This commit is contained in:
Joakim Persson
2026-04-09 19:12:27 +02:00
parent f40124296d
commit 084881b298
4 changed files with 101 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+44 -1
View File
@@ -17,6 +17,10 @@ cd opencode-devbox
cp .env.example .env
# Edit .env with your provider, API key, workspace path, git config
# Install git hooks (secret scanning)
brew install gitleaks # one-time
./setup-hooks.sh
# Build and run
docker compose run --rm devbox
```
@@ -105,12 +109,26 @@ volumes:
- ./my-opencode.json:/home/developer/.config/opencode/opencode.json:ro
```
### Rebuilding the Image
`docker compose run` and `docker compose up` use the existing image — they **do not rebuild** when you change the Dockerfile or build args (e.g. updating `OPENCODE_VERSION`). Rebuild explicitly:
```bash
# Rebuild then run
docker compose build
docker compose run --rm devbox
# Or rebuild and run in one step
docker compose run --rm --build devbox
```
### Build Args
Enable optional language runtimes:
Enable optional language runtimes or pin a specific opencode version:
```bash
docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true
docker compose build --build-arg OPENCODE_VERSION=1.5.0
```
| Arg | Default | Description |
@@ -137,6 +155,31 @@ The `--use-device-code` flag outputs a URL and short code instead of trying to o
SSO sessions typically last 812 hours before requiring re-authentication.
## Secret Scanning
A [gitleaks](https://github.com/gitleaks/gitleaks) pre-commit hook prevents accidentally committing API keys, passwords, or other secrets.
### Setup
```bash
brew install gitleaks # one-time install
./setup-hooks.sh # installs the pre-commit hook
```
The hook runs automatically on every `git commit`. If gitleaks isn't installed, the hook prints a warning and allows the commit (no hard dependency on collaborators).
### Bypass
For legitimate cases (test data, documentation with example keys):
```bash
git commit --no-verify -m "Add test fixtures"
```
### Configuration
Allowlisted paths and rules are in `.gitleaks.toml`. The defaults extend gitleaks' built-in rules and allow `.env.example` and documentation files.
## Architecture
```