
ci: add commitlint and Husky pre-commit hooks#2416

Merged
la14-1 merged 2 commits into main from fix/issue-2406 on Mar 10, 2026

Conversation


@la14-1 la14-1 commented Mar 10, 2026

Why: Fixes #2406 — adds conventional commit validation and pre-commit linting to catch issues before they reach CI.

Changes

  • Added @commitlint/cli + @commitlint/config-conventional as root dev dependencies
  • commitlint.config.ts at repo root with conventional commit rules (includes project-specific security type)
  • .husky/commit-msg — runs commitlint on every commit message
  • .husky/pre-commit — runs biome check on packages/cli/src/
  • Root package.json gains prepare script for Husky setup on bun install
  • Note: release-please omitted (requires .github/workflows/ changes which require manual review)

Verification

  • All 1465 tests pass
  • Biome check clean (109 files, 0 errors)
  • commitlint correctly accepts valid conventional commits and rejects invalid ones
  • Both Husky hooks fire correctly on commit

Fixes #2406

-- refactor/code-health

- Add @commitlint/cli and @commitlint/config-conventional at repo root
- Configure commitlint with project-specific types (security, etc.)
- Set up Husky v9 with commit-msg hook running commitlint
- Add pre-commit hook running biome check on CLI source

Fixes #2406

Agent: code-health
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@la14-1 la14-1 marked this pull request as ready for review March 10, 2026 05:54

@louisgv louisgv left a comment


Security Review

Verdict: APPROVED
Commit: dd43b88

Findings

No security issues found. All changes are secure.

Detailed Analysis

.husky/commit-msg

  • ✅ Properly quoted variable "$1" prevents command injection
  • ✅ Uses bunx --no to prevent interactive prompts
  • ✅ No credential leaks or unsafe execution

.husky/pre-commit

  • ✅ Static paths only, no variable interpolation
  • ✅ Simple command chain with hardcoded arguments
  • ✅ Fail-silent behavior acceptable for git hooks

commitlint.config.ts

  • ✅ Pure configuration file with no runtime execution
  • ✅ Hardcoded type enum, no injection vectors
  • ✅ Includes custom "security" commit type

package.json

  • ✅ Standard Husky prepare script
  • ✅ Trusted dependencies (@commitlint, husky)
  • ✅ Appropriate version pins
  • ✅ No malicious postinstall scripts

bun.lock

  • ✅ All dependencies have integrity hashes
  • ✅ Dependency tree is reasonable
  • ✅ No suspicious packages

Tests

  • bash -n: PASS (both hook files)
  • bun test: PASS (1465 tests, 0 failures)
  • curl|bash: N/A (no remote script execution)
  • macOS compat: OK (no bash 4.x features, fully compatible with bash 3.x)

Summary

This PR adds standard commit message validation via commitlint and pre-commit linting via Husky. All code follows security best practices with proper quoting, no credential leaks, and no command injection vectors. The implementation is compatible with macOS bash 3.x and passes all tests.


-- security/pr-reviewer
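The validation the PR description and the review both refer to (commitlint accepting valid conventional commits and rejecting invalid ones, with a project-specific `security` type) can be sketched as a small validator. This is an added example, not the PR's commitlint.config.ts or the project's code; the type list, the 100-character header limit and the sample messages are assumptions modelled on @commitlint/config-conventional defaults.

```typescript
// Added example: a minimal conventional-commit header check mirroring the
// rules a commitlint.config.ts extending config-conventional would enforce,
// plus the project-specific "security" type the PR mentions. Not the PR's code.

const ALLOWED_TYPES: readonly string[] = [
  "build", "chore", "ci", "docs", "feat", "fix", "perf",
  "refactor", "revert", "style", "test",
  "security", // project-specific type (assumed, as described in the PR)
];

const HEADER_MAX_LENGTH = 100; // config-conventional default (assumed)

// type(scope)!: subject  -- scope and "!" (breaking marker) are optional
const HEADER_RE = /^(\w+)(?:\(([^()\s]+)\))?(!)?: (.+)$/;

interface CommitCheck {
  valid: boolean;
  errors: string[];
  type?: string;
  scope?: string;
  breaking?: boolean;
}

// In a commit-msg hook the message arrives as the file named by "$1";
// here the message text is passed in directly so the check runs offline.
function checkCommitMessage(message: string): CommitCheck {
  const errors: string[] = [];
  const header = message.split(/\r?\n/)[0] ?? ""; // only the header is validated
  const m = HEADER_RE.exec(header);
  if (!m) {
    return { valid: false, errors: ["header must match 'type(scope)!: subject'"] };
  }
  const type = m[1] ?? "";
  const scope = m[2];
  const breaking = m[3] === "!";
  const subject = m[4] ?? "";
  if (!ALLOWED_TYPES.includes(type)) errors.push(`type-enum: '${type}' is not allowed`);
  if (type !== type.toLowerCase()) errors.push("type-case: type must be lower-case");
  if (subject.trim().length === 0) errors.push("subject-empty: subject may not be empty");
  if (subject.endsWith(".")) errors.push("subject-full-stop: subject may not end with '.'");
  if (header.length > HEADER_MAX_LENGTH) errors.push(`header-max-length: ${header.length} > ${HEADER_MAX_LENGTH}`);
  return { valid: errors.length === 0, errors, type, scope, breaking };
}

// Constructed sample messages (not real commits from the repository).
const SAMPLE_MESSAGES = [
  "security: pin commitlint and husky versions",
  "fix(cli)!: reject hook arguments that are not quoted\n\nBREAKING CHANGE: example body",
  "Added husky hooks",
  "feat: add hook.",
];
```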

@la14-1 la14-1 merged commit b1afa46 into main Mar 10, 2026
5 checks passed
@la14-1 la14-1 deleted the fix/issue-2406 branch March 10, 2026 06:46

Development

Successfully merging this pull request may close these issues.

ci: add commitlint, Husky, and release-please (rebased from #2339)
