Add gitleaks pre-commit hook and bump opencode to 1.4.2

2026-04-09 19:12:27 +02:00
parent f40124296d
commit 084881b298
4 changed files with 101 additions and 2 deletions
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Install git hooks for this project
+set -e
+
+HOOK_DIR="$(git rev-parse --show-toplevel)/.git/hooks"
+mkdir -p "$HOOK_DIR"
+
+# --- pre-commit hook: secret scanning with gitleaks ---
+cat > "$HOOK_DIR/pre-commit" << 'HOOK'
+#!/bin/bash
+# Pre-commit hook — scans staged files for secrets using gitleaks
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo ""
+  echo "⚠️  gitleaks is not installed — skipping secret scan"
+  echo "   Install: brew install gitleaks"
+  echo ""
+  exit 0
+fi
+
+echo "🔒 Scanning for secrets..."
+
+if gitleaks protect --staged --no-banner 2>/dev/null; then
+  echo "✅ No secrets detected"
+  exit 0
+else
+  echo ""
+  echo "❌ Secrets detected in staged changes — commit blocked"
+  echo ""
+  echo "   Details:  gitleaks protect --staged --verbose"
+  echo "   Bypass:   git commit --no-verify"
+  echo ""
+  exit 1
+fi
+HOOK
+
+chmod +x "$HOOK_DIR/pre-commit"
+echo "✅ Pre-commit hook installed (.git/hooks/pre-commit)"