specklesystems · iainsproat · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/workflows/close-issue.yml b/.github/workflows/close-issue.yml
diff --git a/.github/workflows/open-issue.yml b/.github/workflows/open-issue.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,37 @@
+name: Release pipeline
+
+on:
+  push:
+    branches:
+      - '**' # all branches
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+permissions: {} # purposefully empty by default at workflow level, explicitly overridden for specific jobs below
+
+jobs:
+  pre-commit:
+    name: Precommit check
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    permissions:
+      contents: read
+      packages: read # to be able to pull the pre-commit-runner image from ghcr.io
+    container:
+      image: ghcr.io/specklesystems/pre-commit-runner:latest # zizmor: ignore[unpinned-images] Speckle own this image repository
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - run: git config --global --add safe.directory $PWD
+      - name: Set precommit
+        run: pre-commit install-hooks --config ./.pre-commit-config.yaml
+      - name: Run precommit
+        run: pre-commit run --all-files --config ./.pre-commit-config.yaml
+      - name: Diff on failure
+        if: failure()
+        run: git --no-pager diff
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,14 +1,9 @@
 default_stages:
-  - 'commit'
+  - 'pre-commit'
 
 repos:
-  - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: 'v2.7.1'
-    hooks:
-      - id: prettier
-
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: 'v4.3.0'
+    rev: 'v6.0.0'
     hooks:
       - id: check-yaml
       - id: check-merge-conflict
@@ -20,12 +15,12 @@ repos:
       - id: end-of-file-fixer
 
   - repo: https://github.com/syntaqx/git-hooks
-    rev: 'v0.0.17'
+    rev: 'v0.0.18'
     hooks:
       - id: forbid-binary
 
   - repo: https://github.com/pre-commit/pre-commit
-    rev: 'v2.20.0'
+    rev: 'v4.5.1'
     hooks:
       - id: validate_manifest
 

diff --git a/.pre-commit-hooks.yaml b/.pre-commit-hooks.yaml
@@ -1,6 +1,6 @@
 - id: ggshield-not-ci
   name: GitGuardian Shield (pre-commit)
   description: Runs ggshield in non-CI environments to detect hardcoded secrets, security vulnerabilities and policy breaks.
-  stages: [commit]
+  stages: [pre-commit]
   entry: hooks/ggshield-not-ci.sh
   language: script
diff --git a/.prettierignore b/.prettierignore
@@ -0,0 +1 @@
+.github/
diff --git a/hooks/ggshield-not-ci.sh b/hooks/ggshield-not-ci.sh
@@ -4,5 +4,5 @@ set -eo pipefail
 if [[ -z "${CI}" ]]; then
   ggshield secret scan pre-commit
 else
-  echo "In a CI environment, so skipping GitGuardian ggshield"
+  echo "Detected that this script is running in a CI environment, so skipping GitGuardian ggshield"
 fi