
add pre-commit hook example #600

Closed. Mobe91 wants to merge 1 commit.

Conversation

Mobe91 (Author) commented Jul 18, 2020

Add pre-commit hook example as discussed in #92 (comment)

sobolevn (Owner) left a comment

Thanks a lot!

Tenzer (Contributor) commented Aug 7, 2020

Will this not be a really bad suggestion for anybody using git-secret to share secrets among team members? It means all the secret files will be re-encrypted on every commit, overwriting any changes that might have been made by other people to the repository, since it doesn't decrypt the secret files when changes are pulled in.

sobolevn (Owner) commented Aug 7, 2020

@Tenzer I have never used pre-commit (as a tool), so I might be wrong here.
Can you please share your ideas on how this can be configured the right way?

sobolevn (Owner) commented Aug 7, 2020

Maybe @asottile can help us 🙂

Tenzer (Contributor) commented Aug 7, 2020

It's worth noting there are two different things with the name "pre-commit" that might cause some confusion:

  1. Git itself has a notion of a "pre-commit" hook; that's what this PR references. It's a way for the user to run some program before each commit is made.
  2. https://pre-commit.com/ is a tool that makes use of this hook to run a suite of checks across the files that are changed in the commit, and adds a bunch of tooling around this to make it easier to run linters and such on only the files that are changed, in order to make it quicker to run and also to make sure you remember to run them.

In order to avoid the problem I described above, you would probably need to add a post-checkout or post-merge hook (my understanding of when to run them is not total) which would decrypt any secret files in the repository, but then you may run into problems where any local changes you've made may be overwritten automatically if you pull changes from the repository.

I'm not sure I have a glorified solution for how to accomplish this, but I would urge giving it a bit more thought before recommending that people add a hook like this to their Git repositories.
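
The overwrite hazard Tenzer describes can be made concrete with a guard. The script below is an added illustration for this thread, not the hook from the PR and not git-secret's own code. It assumes git-secret's default layout (plaintext `X` next to ciphertext `X.secret`) and treats "the ciphertext is newer than the plaintext" as a stand-in for "a pull updated the ciphertext after my last `git secret reveal`"; that mtime heuristic, the `HIDE_CMD` override and the `demo_stale_check` self-test are assumptions of this example, not features of git-secret.

```shell
#!/bin/sh
# Added illustration, not the PR's hook and not git-secret code.
# Assumptions: git-secret's default layout (plaintext X, ciphertext X.secret),
# and that "ciphertext newer than plaintext" approximates "pulled but not revealed".

# Print every plaintext whose ciphertext is newer than it, one per line.
# Such a file would be clobbered by a blind `git secret hide`.
find_stale_plaintexts() {
    for plain in "$@"; do
        cipher="$plain.secret"
        [ -f "$cipher" ] || continue   # never hidden: nothing to overwrite
        [ -f "$plain" ]  || continue   # not revealed locally: hide has nothing to read
        if [ "$cipher" -nt "$plain" ]; then
            printf '%s\n' "$plain"
        fi
    done
}

# Hook body: abort the commit when any plaintext is stale, otherwise re-encrypt.
# HIDE_CMD defaults to `git secret hide`; it is overridable (an assumption of this
# example) so the guard can be exercised on a machine without git-secret installed.
guarded_hide() {
    stale=$(find_stale_plaintexts "$@")
    if [ -n "$stale" ]; then
        printf 'pre-commit: refusing to re-encrypt; ciphertext is newer than plaintext for:\n%s\nRun `git secret reveal` first.\n' "$stale" >&2
        return 1
    fi
    ${HIDE_CMD:-git secret hide}
}

# Self-check on constructed files: one fresh pair, one stale pair.
# Returns the names the guard would flag (expected: stale.env only).
demo_stale_check() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        touch -t 202001010000 fresh.env.secret   # hidden long ago ...
        touch fresh.env                          # ... then edited locally: safe to re-hide
        touch -t 202001010000 stale.env          # revealed long ago ...
        touch stale.env.secret                   # ... ciphertext updated since (e.g. by a pull)
        find_stale_plaintexts fresh.env stale.env
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

To use it as a hook, save the file as `.git/hooks/pre-commit`, make it executable, and end it with a call such as `guarded_hide config/prod.env`; the commit is refused (non-zero exit) whenever the guard finds a stale plaintext, which is exactly the situation in which an unconditional hide would silently discard a teammate's change.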

asottile commented Aug 7, 2020

IIRC, usually these types of tools are used as smudge filters and not as pre-commit hooks (such that the contents on disk are unencrypted but encrypted in git).
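
The clean/smudge mechanism asottile refers to is built into Git itself; the script below is an added example for this thread showing the round trip end to end, not git-crypt's or git-secret's code. It uses rot13 via `tr` as a placeholder for a real cipher (it provides no confidentiality, it only makes the transformation visible), and the filter name `toyenc`, the `config/*.env` pattern, the sample `API_TOKEN=hunter2` line and the `demo_filter_repo` function are all constructed for the example.

```shell
#!/bin/sh
# Added illustration of the clean/smudge filter mechanism that git-crypt builds on.
# Not git-crypt's or git-secret's code. rot13 via tr stands in for a real cipher
# purely so the round trip is visible; it provides no confidentiality.
ROT13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"

# Build a throwaway repo whose config/*.env files pass through the filter,
# commit a constructed secret, re-check it out, and print
# "<content stored in git>|<content on disk>" for comparison.
demo_filter_repo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q
        git config user.email demo@example.invalid
        git config user.name demo
        # clean runs on `git add` (worktree -> index), smudge on checkout (index -> worktree)
        git config filter.toyenc.clean "$ROT13"
        git config filter.toyenc.smudge "$ROT13"
        git config filter.toyenc.required true   # fail loudly rather than store plaintext
        printf 'config/*.env filter=toyenc\n' > .gitattributes
        mkdir config
        printf 'API_TOKEN=hunter2\n' > config/prod.env   # constructed sample secret
        git add .gitattributes config/prod.env
        git commit -q -m 'add secret through clean filter'
        rm config/prod.env
        git checkout -q -- config/prod.env               # smudge restores the plaintext
        printf '%s|%s\n' "$(git show HEAD:config/prod.env)" "$(cat config/prod.env)"
    )
    rc=$?
    rm -rf "$repo"
    return $rc
}
```

Running `demo_filter_repo` prints the rot13 form first (that is what every clone and every `git log -p` sees) and the plaintext second (what sits in the working tree), which is the inverse of the pre-commit-hook approach, where the working tree holds plaintext that is only re-encrypted when someone remembers to run the hook. With a real cipher (and a key distribution story, which is the part git-crypt and git-secret actually differ on) this is the design that avoids the re-encrypt-on-every-commit problem raised above.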

Tenzer (Contributor) commented Aug 8, 2020

Ah, right. That's what git-crypt does: https://www.agwa.name/projects/git-crypt/.

Mobe91 (Author) commented Aug 11, 2020

I don't really get the difference between git-crypt and git-secret.

@Tenzer Good point. I also don't think that auto-decryption is a good idea for the reasons you mentioned.

I am going to close this PR since I don't think it is a good recommendation in general.

Mobe91 closed this Aug 11, 2020

joshrabinowitz (Collaborator) commented

Looking at the docs, it seems the big difference between git-secret and git-crypt is that with git-secret, you manually encrypt and decrypt the secrets you want to put in the repo, but with git-crypt, encryption happens for you transparently when you commit and check out files.

Also git-secret is written in bash and was last released in Sept 2019, whereas git-crypt is written in C++ and was last released in Nov 2017.
