| ▲ | ufo 7 hours ago |
| I have always had this problem with hooks and new contributors: since hooks don't run by default if you just clone the repository, my open source projects get many PRs from new contributors that did not run the linting and commit hooks. I understand there's a security reason for this but what workflows have worked best for you to get everyone to run the hooks? And do you think the new config-based hooks can help new contributors? |
|
| ▲ | WorldMaker an hour ago | parent | next [-] |
| Many projects have used "hook managers" like Husky for this to install hooks to run based on repository-stored metadata. These new config-based hooks are definitely a step down the road towards obsoleting the third-party hook managers. One of the things they are for is for managing scripts to support multiple hooks for the same event. The new config format supports multiple hooks for the same event natively. (Which also helps in stacking personal ones versus repository ones.) The only thing missing is that the repository's .git/config isn't itself source controlled in that repository, so for now there would still be an "install step", but it's now a lot simpler of an "install step" with the install being "append .example-gitconfig into your .git/config" rather than "set X files to X different contents in .git/hooks/*" where X is the number of event hooks to be concerned about. It does open the door further to if there should be a ".gitconfig" in the Repository working tree that can also contribute repository-wide shared config, what config it can or cannot contribute, and how you secure that as a reviewable opt-in (especially change notifications). But a smartly built secure UX there would be a massive improvement over, say, shell scripts in npm postinstall operations touching .git/hooks "for you" (which is how many of the current hook managers auto-install, as side effects in dependency installs). (ETA: Though most "install scripts" now just use the very scriptable `git config` command and so just be `git config set --local hook.$name.$field $value` sequences, which is also a simpler improvement over previous ways to install and/or merge hooks files by hooks managers.) |
|
| ▲ | sethops1 7 hours ago | parent | prev | next [-] |
| > what workflows have worked best for you to get everyone to run the hooks By running the linters and any other checks on CI instead. |
| |
| ▲ | jayd16 5 hours ago | parent | next [-] | | Why waste a round trip, build time, loss of flow and CI machine queue wait time when you can catch things early? CI should also run all the checks but CI checks are not a replacement for local hooks. LFS and things like it can't be implemented as remote CI checks. Why are we acting like a James Bond villain, slowly lowering the changes into the vat of sharks after we've left the room? I want the hooks. Can we talk about making that easy, assuming some people want them? | | |
| ▲ | n_e 3 hours ago | parent | next [-] | | > Why waste a round trip, build time, loss of flow and CI machine queue wait time when you can catch things early? Because we want to be sure that the checks have passed, and that they have passed in a clean environment. Contributors can, in addition, use git hooks, or run tests in watch mode, or use their IDE. Also it's annoying to have slow git hooks if you commit often. | |
| ▲ | crote 3 hours ago | parent | prev | next [-] | | You're looking for a technological solution for a human problem. Automatically running arbitrary code from random repositories is a Really Bad Idea, so Git will almost certainly never auto-install pre-commit hooks. Just mention it in the README and run a checker in CI to confirm they are using it, it really isn't that difficult. People wasting 2 minutes of their own time once during their first contribution because they didn't read the README is not that big of a deal. What's next, you want a script to automatically sign a project's legally-binding CLA on checkout? | | |
| ▲ | jayd16 3 hours ago | parent [-] | | You're talking out of both sides of your face here. It's dangerous and also it's super easy and you should do it first thing without having to think because it's so easy. You shouldn't run this code but also the build machine automatically runs it. We already know we're definitely going to run some of these. We know we want to maintain changes to these hooks. Can we stop pretending like we're not doing that? We get it. Some of these will be untrusted so let's design a system to handle that instead of not designing a system and deciding to be just short of as unsafe as possible. Automation an uniformity increases safety. Human intervention increases human error. Its just a matter of actually finding a good solution to know what is trusted but instead we get "just set it up manually because its safer." |
| |
| ▲ | krzyk 2 hours ago | parent | prev [-] | | Local hooks are just a convenience.
CI checks are assurances, you have to have them. If one hates the round-trip he/she will adopt hooks quickly. | | |
| ▲ | 2 hours ago | parent | next [-] | | [deleted] | |
| ▲ | jayd16 2 hours ago | parent | prev [-] | | LFS hooks are not just a convenience, for example. CI, despite being a useful thing in its own right, is not a replacement. |
|
| |
| ▲ | baq 7 hours ago | parent | prev | next [-] | | autoformatter and autofix linter results can be committed and pushed by CI into the PR branch itself. this is a pain sometimes, but as a repo owner it should protect your sanity. | | |
| ▲ | sgarland 6 hours ago | parent | next [-] | | Yep. Nothing I hate more than some trivial formatting error that could easily fix itself halting CI. I am all for consistent formatting and linting, I just think it should be silently handled without fuss. | |
| ▲ | skydhash 7 hours ago | parent | prev [-] | | I just add a check workflow that test that the files are well formatted and linted. If it passes, one of the key things I check are changes to the configuration. Some tools allows for bypass comments, so I keep an eye out for those too. |
| |
| ▲ | ufo 7 hours ago | parent | prev | next [-] | | We do run the linter on CI as well, but I think our comitters would get faster feedback if they ran those checks locally. | | |
| ▲ | lou1306 6 hours ago | parent | next [-] | | Well you can tell them to please enable hooks in the PR guidelines, but you cannot really police what they do or don't run on their own machines. | | |
| ▲ | jayd16 4 hours ago | parent [-] | | This is very much not a serious solution. Look at the case of LFS. LFS needs an install step and it needed to be brought into git itself to cut through all of the problems. Manually managing hooks is not sufficient. No amount of "please don't fuck it up" in the readme is going to save you. Even CI checks for what should and shouldn't look like an lfs stub is non-trivial. I don't think such a thing even exists today. | | |
| ▲ | lou1306 4 hours ago | parent [-] | | The alternative is have hooks _forcibly_ run on people's machines, which is fantastic as an attack vector and CVE generator but probably not a good choice in other respects. | | |
| ▲ | jayd16 4 hours ago | parent [-] | | No there are a million miles in-between no support/Don't use it and arbitrary code execution. Signed git plugins and manifest or a canonical way to define hooks in repo that most tools can interface with and allow the user to automatically set up but asks to do so or really so much more. I don't know why people get fixated on this as if 99.999% of what git pulls down isn't code you expect to run and there are systems in place to protect that. |
|
|
| |
| ▲ | esafak 6 hours ago | parent | prev [-] | | You can issue installation instructions on linter failure in CI. |
| |
| ▲ | IshKebab 7 hours ago | parent | prev | next [-] | | As well, not instead. Just add `pre-commit run -a` to your CI. Job done. It's still annoying for new contributors though because they might not know how to set up pre-commit (which was quite a pain until recently because it's written in Python). | | |
| ▲ | Flimm 7 hours ago | parent [-] | | To clear up any confusion, Git runs pre-commit hooks, and they can be written in any programming language. There's a completely separate and independent project that gave itself the confusing "pre-commit" name, and it is written in Python. This project aims to make it easier to configure pre-commit hooks. An alternative to it is "prek", written in Rust. | | |
| ▲ | sgarland 6 hours ago | parent [-] | | Yes, and I hate it so, so much, and frankly don’t get the appeal. You want one-click installation of hooks? Bundle a shell script called run_first.sh that symlinks the hooks into .git. | | |
| ▲ | jayd16 2 hours ago | parent | next [-] | | That doesn't automate the maintenance of the hooks, doesn't handle cross branch differences, opens you up to all kinds of security holes because now it'll just do whatever the hook points to which is likely to be in the repo and not in some special higher scrutiny flow... All the push back to making this system good just ensures its as terrible as the nay-sayers fear. | |
| ▲ | IshKebab 5 hours ago | parent | prev [-] | | The pre-commit tool does way more than that. For example the clang-format hook will download and run a specific version of clang-format. |
|
|
| |
| ▲ | locknitpicker 3 hours ago | parent | prev [-] | | > By running the linters and any other checks on CI instead. Running linters on CI is an antipattern if there was ever one. That and configuring pipeline runs to fail for linting issues. Sometimes some people just want to create their own problems. Configuring the editor solves most of the problems, and hooks add a failsafe. Once the code is committed, it should be immutable. |
|
|
| ▲ | NekkoDroid 3 hours ago | parent | prev | next [-] |
| I wish that git would auto check for a `.githooks` directory in the repo root and prompt on first clone if the `core.hooksPath` should be changed for this repositry and when pulling any tracked file in hooksPath causes a warning (though this still leaves out the case that some hook just invokes a script in the repo outside the dir). |
|
| ▲ | jbverschoor 6 hours ago | parent | prev | next [-] |
| I don't want you to run arbitrary hooks on my machine. As with CI/CD... your hooks should simply point to a script instead |
| |
| ▲ | jayd16 5 hours ago | parent [-] | | Ok well what about when I pay you and give you a local machine to work on? Can I pay you to run hooks on the work machine I own because it saves a lot of work on the share build machines? Can we talk about making that situation less error prone? | | |
| ▲ | numbsafari 4 hours ago | parent | next [-] | | Tools growing unexpected code execution is how we keep having problems with secrets and other important things being stolen. If you add this feature to git, generally, then anybody cloning a git repo is going to have to deal with the fact that `git clone` might run arbitrary code. `git clone` is like `cp`. Do you want `cp` to unexpectedly run code? It should never do that. Why force git to be a build tool? Just document how to execute the scripts/checks that will be used by ci. Provide a simple script in the repo that folks can intentionally execute. | | |
| ▲ | jayd16 3 hours ago | parent [-] | | Git is already a build tool and LFS is a great example of something git should be able to do and is also an example of how bolted on these things feel because of pointless push back in talking about a real solution. You don't need to bring up bad ideas as if it precludes the existence of good ideas. Let's talk about good ways to solve these problems and improve the tool. |
| |
| ▲ | jbverschoor 3 hours ago | parent | prev [-] | | Yes that’s perfectly fine of course. But these days that’s not so common |
|
|
|
| ▲ | Sol- 5 hours ago | parent | prev | next [-] |
| I always considered hooks a nice to have feature for devs to already validate that their PRs will probably satisfy certain CI checks. If they don't install or run them for whatever reason, it's on them to do another iteration and update the code to make it mergeable if CI complains. So I usually considered it fine that they are only opt-in, since the merge will be gated by a CI outside of the dev's control anyway. |
|
| ▲ | jayd16 4 hours ago | parent | prev | next [-] |
| Adding configuration to the config makes things feel far less exotic. I think these changes certainly improve things, but there's still plenty of room to go further. I think there should probably be a way to specify canonical git configuration for things like hooks and LFS and all of that. It would be nice if when you clone, git prompts you to trust the remote config or to ask you to accept each new change as they come or fully reject them. Having to scrape through the readme of every repo and then run arbitrary scripts doesn't seem like the most secure solution. When there's a canonical flow gitlab GitHub and all the tooling can support it and have proper permissions around it. It's really disappointing how much lack of empathy there is when talking about new git features. Forget empathy. There's outright disdain for discussing alternative workflows. |
|
| ▲ | purerandomness 6 hours ago | parent | prev | next [-] |
| In PHP, an established tool is adding GrumPHP [0] to your dependencies. It will then handle git hooks on each commit via composer script by default (but can be omitted per commit). [0] https://github.com/phpro/grumphp |
|
| ▲ | scq 7 hours ago | parent | prev | next [-] |
| The approach some JS projects have taken is to use Husky, which automatically sets up the git hooks when you install the project's dependencies during development. |
|
| ▲ | sestep 6 hours ago | parent | prev | next [-] |
| I agree with the other replies saying to just run the checks in CI and have the CI error message mention how to install the pre-commit hook. I'm glad cloning a repo doesn't automatically install hooks since I strongly dislike them: I often use Git commands in the terminal but sometimes I use the VS Code UI to commit, and it's extremely frustrating when simply creating a commit runs for several seconds because of some pre-commit hook. |
| |
|
| ▲ | XorNot 6 hours ago | parent | prev | next [-] |
| I add an autogen.sh script to all my repositories that does things like this as it's first action. |
| |
| ▲ | misnome 6 hours ago | parent [-] | | You can also set up a central git template repository, so hooks get automatically added into every repository you clone |
|
|
| ▲ | 1718627440 6 hours ago | parent | prev [-] |
| My project needs other things on setup as well, so I just have a setup script in my repo. `mv hooks/foo .git/hooks` is then just yet another step. |
