diff --git a/.bingo/Variables.mk b/.bingo/Variables.mk
index d0e7c39..0b38b9b 100644
--- a/.bingo/Variables.mk
+++ b/.bingo/Variables.mk
@@ -58,4 +58,3 @@ $(OAPI_CODEGEN): $(BINGO_DIR)/oapi-codegen.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
 	@echo "(re)installing $(GOBIN)/oapi-codegen-v2.6.0"
 	@cd $(BINGO_DIR) && GOWORK=off GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) GOARM=$(GOHOSTARM) $(GO) build -mod=mod -modfile=oapi-codegen.mod -o=$(GOBIN)/oapi-codegen-v2.6.0 "github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen"
-
diff --git a/.bingo/variables.env b/.bingo/variables.env
index e30259c..a81a4ae 100644
--- a/.bingo/variables.env
+++ b/.bingo/variables.env
@@ -19,4 +19,3 @@ KUBECONFORM="${GOBIN}/kubeconform-v0.7.0"
 MOCKGEN="${GOBIN}/mockgen-v0.6.0"
 OAPI_CODEGEN="${GOBIN}/oapi-codegen-v2.6.0"
-
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0de416a..0ad1568 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,29 +1,26 @@
-# Pre-commit configuration for hyperfleet-api
-# Enforces Red Hat security compliance and AI-readiness best practices
-#
-# Setup:
-# 1. Run: pre-commit install
-# 2. Run: pre-commit install --hook-type pre-push
-# 3. Run: pre-commit run --all-files (to test)
-#
-# See: https://pre-commit.com/
+default_install_hook_types: [pre-commit, commit-msg]
 
 repos:
-  # Red Hat security and compliance hooks
-  # NOTE: This hook requires access to Red Hat's internal GitLab.
-  # External contributors: You can comment out this section or skip with:
-  # SKIP=rh-pre-commit git commit -m "your message"
-  # See README.md "Pre-commit Hooks" section for more details.
-  - repo: https://gitlab.cee.redhat.com/infosec-public/developer-workbench/tools
-    rev: rh-pre-commit-2.3.2 # Use specific tag
+  # Secret scanning (VPN-free, open-source alternative to rh-pre-commit)
+  - repo: https://github.com/leaktk/leaktk
+    rev: e62a495260dc1e396fa586e51bbe1355f6fc7d9d # v0.3.3
     hooks:
-      - id: rh-pre-commit
+      - id: leaktk.git.pre-commit
 
-  # AI-readiness hooks
-  - repo: https://github.com/openshift-hyperfleet/rh-hooks-ai
-    rev: v1.0.3 # Use latest release
+  # HyperFleet code quality hooks
+  - repo: https://github.com/openshift-hyperfleet/hyperfleet-hooks
+    rev: 7d5cd98ed6a1a98c39c04b9f4ab9b0ffb0d49155 # v0.1.1
     hooks:
-      - id: check-rh-precommit
-      - id: validate-agents-md # Runs on git push, requires AGENTS.md
-      - id: ai-attribution-reminder
-      # - id: check-version # Optional: Checks for updates once per 24h (non-blocking)
+      - id: hyperfleet-commitlint
+        stages: [commit-msg]
+      - id: hyperfleet-gofmt
+      - id: hyperfleet-golangci-lint
+      - id: hyperfleet-go-vet
+
+  # File hygiene
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-added-large-files
diff --git a/AGENTS.md b/AGENTS.md
index e4aa3e3..f48db81 100755
--- a/AGENTS.md
+++ b/AGENTS.md
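Review bot: The secret scan added here is a client-side hook that any contributor can bypass with `git commit --no-verify` or `SKIP=leaktk.git.pre-commit`, and nothing in this diff adds a server- or CI-side scan of pushed history, so `leaktk.git.pre-commit` should be treated as a convenience rather than the control that `rh-pre-commit` was meant to be. The file also lost its header: the removed comment documented how to set the hooks up, while the new config says nothing about installation; I would add `# Pre-commit hooks for hyperfleet-api — install with: make install-hooks (see docs/development.md)` above `default_install_hook_types`. Pinning all three repos to full commit SHAs with the tag in a trailing comment is the right supply-chain call and worth keeping on future bumps. One point I cannot verify from here: `hyperfleet-golangci-lint` runs on a checkout where generated code is not in git (the Makefile's `lint` target runs `generate-all` first), so the hook may fail or disagree with `make lint` unless it regenerates on its own.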
@@ -10,6 +10,7 @@ For Claude Code users: also see `CLAUDE.md` (auto-loaded) and `.claude/rules/` (
 ```
 make generate-all # REQUIRED FIRST — generated code not in git
 go mod download
+make install-hooks # Install pre-commit hooks (secret scanning, linting, etc.)
 make db/setup # Start local PostgreSQL container
 make build # Build binary (CGO_ENABLED=1 GOEXPERIMENT=boringcrypto)
 ./bin/hyperfleet-api migrate
@@ -143,12 +144,17 @@ Co-Authored-By: Claude
 ```
 
 ### Pre-commit Hooks
-Install: `pre-commit install && pre-commit install --hook-type pre-push`
+Install: `make install-hooks`
 
 Hooks:
-- `rh-pre-commit` — Red Hat security compliance (requires internal GitLab access; skip with `SKIP=rh-pre-commit`)
-- `validate-agents-md` — validates AGENTS.md exists (runs on push)
-- `ai-attribution-reminder` — reminds about AI co-author attribution
+- `leaktk.git.pre-commit` — secret scanning (open-source, no VPN required)
+- `hyperfleet-commitlint` — validates commit message format (commit-msg stage)
+- `hyperfleet-gofmt` — Go code formatting
+- `hyperfleet-golangci-lint` — linting
+- `hyperfleet-go-vet` — Go vet checks
+- `trailing-whitespace` — removes trailing whitespace
+- `end-of-file-fixer` — ensures files end with newline
+- `check-added-large-files` — prevents large files from being committed
 
 ### Branching
 Create feature branches from `main`. PRs target `main`.
diff --git a/Makefile b/Makefile
index 4a737cf..c625414 100755
--- a/Makefile
+++ b/Makefile
@@ -84,6 +84,10 @@ help: ## Display this help
 
 ##@ Code Quality
 
+.PHONY: install-hooks
+install-hooks: ## Install pre-commit hooks
+	pre-commit install
+
 .PHONY: verify
 verify: ## Verify source passes standard checks
 	${GO} vet \
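Review bot: `pre-commit install` with no `--hook-type` only installs the commit-msg hook on pre-commit versions that honour `default_install_hook_types` from the config; on an older pre-commit the `hyperfleet-commitlint` hook is silently never installed and commit-message validation does not run. I would make the recipe explicit so it does the same thing on every version: `pre-commit install --hook-type pre-commit --hook-type commit-msg`. Since the docs in this commit warn that the first run spends several minutes compiling LeakTK, consider adding `--install-hooks` so the hook environments are built here rather than on the developer's first commit.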
@@ -101,6 +105,16 @@ verify: ## Verify source passes standard checks
 		printf '\033[0m'; \
 	)
 
+.PHONY: gofmt
+gofmt: ## Format Go code
+	! gofmt -l cmd pkg test |\
+	sed 's/^/Unformatted file: /' |\
+	grep .
+
+.PHONY: go-vet
+go-vet: ## Run go vet
+	${GO} vet ./cmd/... ./pkg/...
+
 .PHONY: lint
 lint: generate-all $(GOLANGCI_LINT) ## Run golangci-lint
 	$(GOLANGCI_LINT) run ./cmd/... ./pkg/... ./test/...
diff --git a/charts/templates/_helpers.tpl b/charts/templates/_helpers.tpl
index 928f4f8..b765f4b 100644
--- a/charts/templates/_helpers.tpl
+++ b/charts/templates/_helpers.tpl
@@ -133,4 +133,3 @@ Database environment variables (using secretKeyRef - Kubernetes best practice)
       key: db.password
 {{- end }}
 {{- end }}
-
diff --git a/docs/config.md b/docs/config.md
index b4e8fa2..b695799 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -647,4 +647,3 @@ Before deploying to production, verify:
 - ✅ Configuration files (YAML snake_case)
 - ✅ Default values
 - ✅ OpenTelemetry tracing variables (HYPERFLEET_TRACING_ENABLED, OTEL_*) if tracing is enabled
-
diff --git a/docs/database.md b/docs/database.md
index e41170f..40fa4d7 100644
--- a/docs/database.md
+++ b/docs/database.md
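Review bot: The `gofmt` target's help text says "Format Go code" but `gofmt -l` only lists files, so `make gofmt` never rewrites anything, and the `!`-negated pipeline tests only `grep`'s exit status (the default `sh` has no pipefail), so a `gofmt` failure that prints to stderr and nothing to stdout makes the target succeed. I would rename the help text and check gofmt's own status: `gofmt: ## Check Go formatting (lists unformatted files, does not rewrite them)`, then `@unformatted=$$(gofmt -l cmd pkg test) || exit 1; \` and `[ -z "$$unformatted" ] || { printf 'Unformatted file: %s\n' $$unformatted; exit 1; }`. Separately, `go-vet` has no `generate-all` prerequisite while `lint` just below does, and the AGENTS.md hunk in this commit says generated code is not in git, so on a fresh clone `make go-vet` presumably fails on missing packages — worth adding the prerequisite if that inference holds.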
@@ -69,7 +69,7 @@ Generic resources (the `resources` table) use delete policies to control child b
 | `restrict` | Parent delete is rejected with `409 Conflict` if active children exist |
 | `cascade` | All children are soft-deleted (marked Finalizing) along with the parent |
 
-Policies are enforced recursively — a cascade on a parent triggers policy checks on children. For clusters and nodepools, the cascade is built-in: deleting a cluster cascades to all its nodepools — those with required adapters are soft-deleted (entering Finalizing), while those without are hard-deleted immediately.
+Policies are enforced recursively — a cascade on a parent triggers policy checks on children. For clusters and nodepools, the cascade is built-in: deleting a cluster cascades to all its nodepools — those with required adapters are soft-deleted (entering Finalizing), while those without are hard-deleted immediately. Resources without required adapters skip the Finalizing phase entirely — they are hard-deleted immediately on `DELETE`.
diff --git a/docs/deployment.md b/docs/deployment.md
index 81c87d9..2ed1211 100644
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -10,7 +10,7 @@ For running the binary directly on your machine (development, debugging), see th
 
 Before deploying, ensure you have:
 
-- **Kubernetes cluster** (1.25+) 
+- **Kubernetes cluster** (1.25+)
 - **Helm 3** CLI
 - **PostgreSQL database** — either:
   - An external managed instance (Cloud SQL, RDS, Azure Database) for production, or
diff --git a/docs/development.md b/docs/development.md
index 455477d..86f60c5 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -325,9 +325,9 @@ bingo list
 
 Tool versions are tracked in `.bingo/*.mod` files and loaded automatically via `include .bingo/Variables.mk` in the Makefile.
 
-### Pre-commit Hooks (Optional)
+### Pre-commit Hooks
 
-This project uses pre-commit hooks for code quality and security checks.
+This project uses pre-commit hooks for code quality and secret scanning.
 
 #### Setup
 
@@ -338,23 +338,13 @@ brew install pre-commit # macOS
 pip install pre-commit
 
 # Install hooks
-pre-commit install
-pre-commit install --hook-type pre-push
+make install-hooks
 
 # Test
 pre-commit run --all-files
 ```
 
-#### For External Contributors
-
-The `.pre-commit-config.yaml` includes `rh-pre-commit` which requires access to Red Hat's internal GitLab. External contributors can skip it:
-
-```bash
-# Skip internal hook when committing
-SKIP=rh-pre-commit git commit -m "your message"
-```
-
-Or comment out the internal hook in `.pre-commit-config.yaml`.
+The first run takes 3-5 minutes while LeakTK compiles (one-time), then it's instant.
 
 #### Update Hooks