Add pre-commit configuration

OCP-on-NERC · Feb 13, 2024 · 12388ec · 12388ec
1 parent b6f0b7e
commit 12388ec
Show file tree

Hide file tree

Showing 8 changed files with 92 additions and 23 deletions.
diff --git a/.github/workflows/precommit.yaml b/.github/workflows/precommit.yaml
@@ -0,0 +1,31 @@
+name: Run pre-commit checks
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  run-linters:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Configure caching
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pre-commit
+          key: precommit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Install pre-commit
+        run: |
+          pip install pre-commit
+
+      - name: Run linters
+        run: |
+          pre-commit run --all-files
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 /rendered
 /data/tokens
 /.env
+data/secrets/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,26 @@
+repos:
+  - repo: https://github.com/Lucas-C/pre-commit-hooks
+    rev: v1.5.4
+    hooks:
+      - id: remove-tabs
+        exclude: '^scripts/.*\.sh'
+
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: check-merge-conflict
+      - id: end-of-file-fixer
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-symlinks
+      - id: detect-private-key
+
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.32.0
+    hooks:
+      - id: yamllint
+        files: \.(yaml|yml)$
+        types: [file, yaml]
+        entry: yamllint --strict
diff --git a/.yamllint.yaml b/.yamllint.yaml
@@ -0,0 +1,11 @@
+---
+extends: default
+rules:
+  line-length: disable
+  document-start: disable
+  indentation:
+    indent-sequences: whatever
+  hyphens:
+    max-spaces-after: 4
+  truthy:
+    check-keys: false
diff --git a/config/backup-job.jsonnet b/config/backup-job.jsonnet
@@ -2,37 +2,37 @@
   resources: [
     // Enable "kubernetes/backup" as a kubernetes auth endpoint
     {
-      path: '/v1/sys/auth/kubernetes/backup',
-      'if-not-exists': true,
+      path: "/v1/sys/auth/kubernetes/backup",
+      "if-not-exists": true,
       payload: {
-        type: 'kubernetes',
+        type: "kubernetes",
       },
     },
 
     // https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#configure-method
     {
-      path: '/v1/auth/kubernetes/backup/config',
+      path: "/v1/auth/kubernetes/backup/config",
       payload: {
-        kubernetes_host: 'https://kubernetes.default.svc',
+        kubernetes_host: "https://kubernetes.default.svc",
       },
     },
 
     // https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#create-update-role
     {
-      path: '/v1/auth/kubernetes/backup/role/nerc-vault-backup',
+      path: "/v1/auth/kubernetes/backup/role/nerc-vault-backup",
       payload: {
-        bound_service_account_names: ['backup-job'],
-        bound_service_account_namespaces: ['vault'],
+        bound_service_account_names: ["backup-job"],
+        bound_service_account_namespaces: ["vault"],
         token_policies: [
-          'nerc-vault-backup',
+          "nerc-vault-backup",
         ],
       },
     },
 
     {
-      path: '/v1/sys/policy/nerc-vault-backup',
+      path: "/v1/sys/policy/nerc-vault-backup",
       payload: {
-        policy: importstr 'policies/nerc-vault-backup.hcl',
+        policy: importstr "policies/nerc-vault-backup.hcl",
       },
     },
   ],

diff --git a/config/global/oidc.jsonnet b/config/global/oidc.jsonnet
@@ -5,7 +5,7 @@
       "if-not-exists": true,
       payload: {
         type: "oidc",
-	description: "OIDC authentication via Dex on nerc-ocp-infra",
+        description: "OIDC authentication via Dex on nerc-ocp-infra",
         config: {
           listing_visibility: "unauth",
         },

diff --git a/config/global/policies.jsonnet b/config/global/policies.jsonnet
@@ -1,33 +1,33 @@
 {
   resources: [
     {
-      path: '/v1/sys/policy/admin',
+      path: "/v1/sys/policy/admin",
       payload: {
-        policy: importstr 'policies/admin.hcl',
+        policy: importstr "policies/admin.hcl",
       },
     },
     {
-      path: '/v1/sys/policy/default',
+      path: "/v1/sys/policy/default",
       payload: {
-        policy: importstr 'policies/default.hcl',
+        policy: importstr "policies/default.hcl",
       },
     },
     {
-      path: '/v1/sys/policy/nerc-common-reader',
+      path: "/v1/sys/policy/nerc-common-reader",
       payload: {
-        policy: importstr 'policies/nerc-common-reader.hcl',
+        policy: importstr "policies/nerc-common-reader.hcl",
       },
     },
     {
-      path: '/v1/sys/policy/nerc-all-reader',
+      path: "/v1/sys/policy/nerc-all-reader",
       payload: {
-        policy: importstr 'policies/nerc-all-reader.hcl',
+        policy: importstr "policies/nerc-all-reader.hcl",
       },
     },
     {
-      path: '/v1/sys/policy/nerc-all-writer',
+      path: "/v1/sys/policy/nerc-all-writer",
       payload: {
-        policy: importstr 'policies/nerc-all-writer.hcl',
+        policy: importstr "policies/nerc-all-writer.hcl",
       },
     },
   ],

diff --git a/lib/policies/default.hcl b/lib/policies/default.hcl
@@ -88,5 +88,5 @@ path "sys/control-group/request" {
 
 # Allow a token to make requests to the Authorization Endpoint for OIDC providers.
 path "identity/oidc/provider/+/authorize" {
-	capabilities = ["read", "update"]
+    capabilities = ["read", "update"]
 }