.pre-commit-config.yaml

---
default_language_version:
  # force all unspecified python hooks to run python3
  python: python3

repos:
  # Check the pre-commit configuration
  - repo: meta
    hooks:
      - id: check-useless-excludes

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: check-case-conflict
      - id: check-executables-have-shebangs
      - id: check-json
      - id: check-merge-conflict
      - id: check-shebang-scripts-are-executable
      - id: check-symlinks
      - id: check-toml
      - id: check-vcs-permalinks
      - id: check-xml
      - id: debug-statements
      - id: destroyed-symlinks
      - id: detect-aws-credentials
        args:
          - --allow-missing-credentials
      - id: detect-private-key
      - id: end-of-file-fixer
      - id: mixed-line-ending
        args:
          - --fix=lf
      - id: pretty-format-json
        args:
          - --autofix
      - id: requirements-txt-fixer
      - id: trailing-whitespace

  # Text file hooks
  - repo: https://github.com/igorshubovych/markdownlint-cli
    rev: v0.42.0
    hooks:
      - id: markdownlint
        args:
          - --config=.mdl_config.yaml
  - repo: https://github.com/rbubley/mirrors-prettier
    rev: v3.3.3
    hooks:
      - id: prettier
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.35.1
    hooks:
      - id: yamllint
        args:
          - --strict

  # GitHub Actions hooks
  - repo: https://github.com/python-jsonschema/check-jsonschema
    rev: 0.29.4
    hooks:
      - id: check-github-actions
      - id: check-github-workflows

  # pre-commit hooks
  - repo: https://github.com/pre-commit/pre-commit
    # pre-commit v3+ dropped support for Python <3.8. Until this project and
    # the build.yml workflow can migrate to Python 3.8 or newer we must
    # continue to use an older version.
    rev: v2.21.0
    hooks:
      - id: validate_manifest

  # Go hooks
  - repo: https://github.com/TekWizely/pre-commit-golang
    rev: v1.0.0-rc.1
    hooks:
      # Go Build
      - id: go-build-repo-mod
      # Style Checkers
      - id: go-critic
      # goimports
      - id: go-imports-repo
        args:
          # Write changes to files
          - -w
      # Go Mod Tidy
      - id: go-mod-tidy-repo
      # GoSec
      - id: go-sec-repo-mod
      # StaticCheck
      - id: go-staticcheck-repo-mod
      # Go Test
      - id: go-test-repo-mod
      # Go Vet
      - id: go-vet-repo-mod
  # Nix hooks
  - repo: https://github.com/nix-community/nixpkgs-fmt
    rev: v1.3.0
    hooks:
      - id: nixpkgs-fmt

  # Shell script hooks
  - repo: https://github.com/scop/pre-commit-shfmt
    rev: v3.10.0-1
    hooks:
      - id: shfmt
        args:
          # List files that will be formatted
          - --list
          # Write result to file instead of stdout
          - --write
          # Indent by two spaces
          - --indent
          - "2"
          # Binary operators may start a line
          - --binary-next-line
          # Switch cases are indented
          - --case-indent
          # Redirect operators are followed by a space
          - --space-redirects
  - repo: https://github.com/shellcheck-py/shellcheck-py
    rev: v0.10.0.1
    hooks:
      - id: shellcheck

  # Python hooks
  # Run bandit on the "tests" tree with a configuration
  - repo: https://github.com/PyCQA/bandit
    # bandit 1.7.6 dropped support for Python <3.8. Until this project
    # and the build.yml workflow can migrate to Python 3.8 or newer we
    # must continue to use an older version.
    rev: 1.7.5
    hooks:
      - id: bandit
        name: bandit (tests tree)
        files: tests
        args:
          - --config=.bandit.yml
        additional_dependencies:
          - importlib-metadata<5
  # Run bandit on everything except the "tests" tree
  - repo: https://github.com/PyCQA/bandit
    # bandit 1.7.6 dropped support for Python <3.8. Until this project
    # and the build.yml workflow can migrate to Python 3.8 or newer we
    # must continue to use an older version.
    rev: 1.7.5
    hooks:
      - id: bandit
        name: bandit (everything else)
        exclude: tests
        additional_dependencies:
          - importlib-metadata<5
  - repo: https://github.com/psf/black-pre-commit-mirror
    rev: 24.10.0
    hooks:
      - id: black
  - repo: https://github.com/PyCQA/flake8
    # flake8 v6+ dropped support for Python <3.8. Until this project and
    # the build.yml workflow can migrate to Python 3.8 or newer we must
    # continue to use an older version.
    rev: 5.0.4
    hooks:
      - id: flake8
        additional_dependencies:
          - flake8-docstrings==1.7.0
  - repo: https://github.com/PyCQA/isort
    # isort 5.12.0 dropped support for Python <3.8. Until this project and
    # the build.yml workflow can migrate to Python 3.8 or newer we must
    # continue to use an older version.
    rev: 5.11.5
    hooks:
      - id: isort
  - repo: https://github.com/pre-commit/mirrors-mypy
    # mypy 1.5.0 dropped support for Python <3.8. Until this project
    # and the build.yml workflow can migrate to Python 3.8 or newer we
    # must continue to use an older version.
    rev: v1.4.1
    hooks:
      - id: mypy
        # IMPORTANT: Keep type hinting-related dependencies of the
        # mypy pre-commit hook additional_dependencies in sync with
        # the dev section of setup.py to avoid discrepancies in type
        # checking between environments.
        additional_dependencies:
          - pytest
          - pytablewriter
          - types-docopt
          - types-pyOpenSSL
          - types-requests
          - types-setuptools
          - types-urllib3
        # Override the default arguments to drop the --ignore-missing-imports
        # option to enforce a complete mypy configuration.
        args:
          - --scripts-are-modules
  # pip-audit turns up several vulnerabilities for cryptography, but
  # we cannot pull in a newer version of that library because we
  # can't currently support any version of Python later than 3.10.
  # - repo: https://github.com/pypa/pip-audit
  #   rev: v2.7.3
  #   hooks:
  #     - id: pip-audit
  #       args:
  #         # Add any pip requirements files to scan
  #         - --requirement
  #         - requirements-dev.txt
  #         - --requirement
  #         - requirements-test.txt
  #         - --requirement
  #         - requirements.txt
  - repo: https://github.com/asottile/pyupgrade
    # pyupgrade no longer supports Python 3.7 as of version 3.4.0, so
    # we cannot upgrade past the 3.3.2 release:
    # https://github.com/asottile/pyupgrade/blob/v3.4.0/setup.cfg#L23
    rev: v3.3.2
    hooks:
      - id: pyupgrade

  # Ansible hooks
  # - repo: https://github.com/ansible-community/ansible-lint
  #   # ansible-lint no longer supports Python 3.7 as of version 6.0, so
  #   # we cannot upgrade past the 5.4.0 release:
  #   # https://github.com/ansible/ansible-lint/releases/tag/v6.0.0
  #   #
  #   # But the 5.4.0 release causes a different failure because the
  #   # version of ansible isn't correctly pinned.  The best way forward
  #   # is to simply comment out this pre-commit hook until we can move
  #   # to Python >3.7.
  #   rev: v6.17.0
  #   hooks:
  #     - id: ansible-lint
  #         additional_dependencies:
  #         # On its own ansible-lint does not pull in ansible, only
  #         # ansible-core.  Therefore, if an Ansible module lives in
  #         # ansible instead of ansible-core, the linter will complain
  #         # that the module is unknown.  In these cases it is
  #         # necessary to add the ansible package itself as an
  #         # additional dependency, with the same pinning as is done in
  #         # requirements-test.txt of cisagov/skeleton-ansible-role.
  #         # - ansible>=9,<10
  #         # ansible-core 2.16.3 through 2.16.6 suffer from the bug
  #         # discussed in ansible/ansible#82702, which breaks any
  #         # symlinked files in vars, tasks, etc. for any Ansible role
  #         # installed via ansible-galaxy.  Hence we never want to
  #         # install those versions.
  #         #
  #         # Note that any changes made to this dependency must also be
  #         # made in requirements.txt in cisagov/skeleton-packer and
  #         # requirements-test.txt in cisagov/skeleton-ansible-role.
  #         - ansible-core>=2.16.7

  # Terraform hooks
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.96.1
    hooks:
      - id: terraform_fmt
      - id: terraform_validate

  # Docker hooks
  - repo: https://github.com/IamTheFij/docker-pre-commit
    rev: v3.0.1
    hooks:
      - id: docker-compose-check

  # Packer hooks
  - repo: https://github.com/cisagov/pre-commit-packer
    rev: v0.3.0
    hooks:
      - id: packer_fmt
      - id: packer_validate