feat(precommit): shared layer for org-wide pre-commit (configs + templates)#12
Merged
Stand up dryvist/.github/precommit/ as the single canonical home for pre-commit configuration shared across the org. Two consumption paths share the same artifacts:

- Nix-flake repos: imports = [ inputs.nix-devenv.flakeModules.<profile> ]
- Non-Nix repos: copy templates/<profile>.yaml + the configs the hooks need

configs/ holds canonical lint configs for tools that demand a file on disk - ansible-lint.yml, tflint.hcl, yamllint.yml. Each merge picks the most-common variant from the workspace inventory (terraform-proxmox for tflint, ansible-proxmox for ansible-lint and yamllint) rather than the strictest superset, to keep Phase 2 consumer migrations from becoming massive cleanups. Repos add stricter rules locally until critical mass agrees to lift them into the canonical.

templates/ holds static .pre-commit-config.yaml fragments for non-Nix consumers - base, terraform, ansible, python. Hook versions pinned at v6.0.0 (pre-commit-hooks), v1.92.0 (pre-commit-terraform), v26.4.0 (ansible-lint), v1.38.0 (yamllint), v0.22.1 (markdownlint-cli2), v1.25.2 (zizmor). Renovate sync for these rev: pins is tracked separately.

Markdownlint canonical (.markdownlint-cli2.yaml) stays at the .github root for backwards compatibility with the existing markdownlint workflow - precommit/templates/*.yaml fetch it from there.

terraform_docs and terraform_validate (with init -backend=false) are in the terraform template per the terraform-checks-placement policy. terragrunt-validate / terragrunt-plan are NOT - they are CI-only via OIDC. AWS/GCP/Azure tflint plugins stay opt-in per repo because their rulesets are noisy on repos that do not target that cloud.

precommit/README.md documents both consumption paths and the rationale behind canonical-config choices. Root README.md adds the precommit/ row to the Inheritance mechanism and API tables.

Refs: shared pre-commit architecture rollout, Phase 1b.

Assisted-by: Claude <noreply@anthropic.com>
This was referenced May 31, 2026
Summary
Stand up precommit/ as the single canonical home for pre-commit configuration shared across every dryvist repo. Two consumption paths share the same artifacts:

- imports = [ inputs.nix-devenv.flakeModules.<profile> ] (terraform / ansible / python / base). Pinned via flake.lock. The profile modules ship in dryvist/nix-devenv PR #34.
- templates/<profile>.yaml at scaffold + materialize the canonical lint configs from configs/. Renovate keeps rev: pins fresh going forward.

README.md row added to the inheritance-mechanism + API tables. Full architecture doc at precommit/README.md.

What's in this PR

precommit/configs/ — canonical lint configs for tools that demand a file on disk:
- tflint.hcl
- ansible-lint.yml: yaml[line-length], exclude SOPS-encrypted + cache dirs.
- yamllint.yml

precommit/templates/ — static .pre-commit-config.yaml fragments for non-Nix consumers:
- base.yaml
- terraform.yaml
- ansible.yaml
- python.yaml

Hook versions pinned: pre-commit-hooks v6.0.0, pre-commit-terraform v1.92.0, ansible-lint v26.4.0, yamllint v1.38.0, markdownlint-cli2 v0.22.1, zizmor v1.25.2. Renovate sync for these tracked separately.

Canonical-config strategy

- .markdownlint-cli2.yaml stays at the .github root for backwards compat with the existing markdownlint workflow — precommit/templates/*.yaml fetch it from there.
- terragrunt-validate / terragrunt-plan are NOT included anywhere per the terraform-checks-placement policy (CI-only via OIDC). terraform_docs IS in the template per the same policy.
- checkov (terraform) / bandit / detect-secrets are opt-in per repo — they have high false-positive rates or dominate the hook cycle and didn't earn a seat in the canonical based on inventory.

Test plan

- precommit/configs/tflint.hcl against terraform-proxmox / terraform-github source to confirm canonical merge (no rules lost)
- precommit/configs/ansible-lint.yml against ansible-proxmox source to confirm canonical merge
- precommit/configs/yamllint.yml against ansible-proxmox source to confirm canonical merge
- dryvist/nix-devenv wires lib/fetch-shared-configs.nix so the Nix profile modules materialize these configs into each repo via shellHook
- flakeModules.terraform + delete .pre-commit-config.yaml in terraform-runs-on

Architecture context

Phase 1b of the shared pre-commit rollout. Pairs with dryvist/nix-devenv PR #34 (Phase 1a — profile modules). Phase 2 migrates ~16 Nix-flake consumer repos to the single-import pattern. Phase 3 locks the convention in agentsmd/rules/pre-commit.md + a CI guard reusable workflow.

Refs: dryvist/nix-devenv#34

Assisted-by: Claude noreply@anthropic.com
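The PR relies on every hook `rev:` in the templates being a pinned tag, with Renovate keeping those pins fresh. A consumer repo that hand-edits a template, or a template fragment that never got a pin, silently turns a supply-chain pin into a floating ref. The following script is an added example, not code from this PR or from dryvist/nix-devenv: it reads the `repos:` list of a `.pre-commit-config.yaml` and reports entries whose `rev` is missing or a branch-style ref. The sample config is constructed here in the shape of a template fragment; the three upstream repos (pre-commit/pre-commit-hooks, antonbabenko/pre-commit-terraform, adrienverge/yamllint) are the real upstream locations and their tags match the versions the PR lists, while `example-org/some-hook` and its hook id are hypothetical placeholders used only to show a bad entry. The hand-rolled reader is a deliberate assumption to keep the example dependency-free; in a real CI guard you would parse the file with a YAML library instead.

```python
import re

# Constructed sample in the shape of a templates/<profile>.yaml fragment.
# The three upstream repos and their tag pins match versions listed in the PR;
# the last entry (example-org/some-hook, rev: main) is a hypothetical
# placeholder added to show what a floating ref looks like.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: end-of-file-fixer
      - id: trailing-whitespace
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.92.0
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.38.0
    hooks:
      - id: yamllint
  - repo: https://github.com/example-org/some-hook  # hypothetical placeholder
    rev: main
    hooks:
      - id: some-check
"""

REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV_RE = re.compile(r"^\s*rev:\s*(\S+)")
TAG_RE = re.compile(r"^v?\d+(\.\d+)+$")   # version tag, e.g. v6.0.0 or 1.92.0
SHA_RE = re.compile(r"^[0-9a-f]{40}$")    # full lowercase git commit id


def parse_repo_pins(config_text):
    """Return [(repo, rev), ...] in file order.

    Minimal line-oriented reader for the 'repos:' list (an assumption made to
    avoid a YAML dependency): it tracks only the 'repo:' and 'rev:' keys that
    pre-commit uses and drops trailing '#' comments.
    """
    pins = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = REPO_RE.match(line)
        if m:
            pins.append([m.group(1), None])
            continue
        m = REV_RE.match(line)
        if m and pins:
            pins[-1][1] = m.group(1).strip("'\"")
    return [tuple(p) for p in pins]


def classify_rev(rev):
    """Return 'sha', 'tag', 'floating' or 'missing'.

    Only a commit sha is immutable; an upstream maintainer can move a tag,
    so a sha pin is the stronger choice where the extra Renovate churn is
    acceptable. Anything else (main, master, HEAD, ...) floats.
    """
    if rev is None:
        return "missing"
    if SHA_RE.match(rev):
        return "sha"
    if TAG_RE.match(rev):
        return "tag"
    return "floating"


def find_unpinned(config_text):
    """Repos whose rev is absent or floating. 'local' repos run in-tree
    hooks and carry no rev, so they are skipped."""
    return [
        (repo, rev)
        for repo, rev in parse_repo_pins(config_text)
        if repo != "local" and classify_rev(rev) in ("missing", "floating")
    ]


if __name__ == "__main__":
    for repo, rev in parse_repo_pins(SAMPLE_CONFIG):
        print(f"{classify_rev(rev):9} {str(rev):12} {repo}")
    print("unpinned:", find_unpinned(SAMPLE_CONFIG))
```

Run against the sample it reports the placeholder entry pinned to `main` and nothing else. A check like this fits the Phase 3 CI guard the PR mentions: Renovate bumps pins that already exist, but it does not create a pin where a consumer removed one, so the guard is what catches drift back to a branch ref.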