feat(terraform_validate): Add support for running hook in git worktree #993

Merged: MaxymVlasov merged 9 commits into antonbabenko:master from yuriipolishchuk:fix/scrub-git-env on Jun 18, 2026

yuriipolishchuk commented Jun 10, 2026 (Contributor)
  • This PR introduces breaking change.
  • This PR fixes a bug.
  • This PR adds new functionality.
  • This PR enhances existing functionality.

Description of your changes

Fixes #992.

What

This section was generated by AI.

  • New common::scrub_git_env helper in hooks/_common.sh: unsets 4 GIT_* vars that leak the parent repo location into child Git processes
  • hooks/terraform_validate.sh: one-line call in main() after env setup, before common::per_dir_hook
  • Zero behavior change for non-worktree users — unset is a no-op when the var is absent

Why

This section was generated by AI.

Hooks that invoke tofu init / terraform init (terraform_validate) end up running git clone <module> for each registry/git-source module. When git commit runs from a linked worktree, the parent git sets GIT_INDEX_FILE (pointing at .git/worktrees/<name>/index) in the hook subprocess env. The child git clone inherits this and writes cloned module blob OIDs into the parent worktree's index. The next commit fails at tree-build:

error: invalid object 100644 <oid> for '<path>'
error: Error building trees

pre-commit framework deliberately does NOT scrub GIT_* from user hook subprocesses (only its own internal git calls) per the maintainer in pre-commit/pre-commit#1849:

they need the same code as in our [no_git_env] helper if they are dealing with doing git writes

asottile reaffirmed this in pre-commit/pre-commit#3492 — framework-level scrubbing breaks valid use cases (e.g., gitleaks-docker wants GIT_INDEX_FILE passed through). Per-hook-author opt-in is the design intent. This patch applies that recommendation.

This is a targeted denylist (4 vars), NOT a mirror of pre-commit's allowlist-based no_git_env helper. Only the vars that leak the parent repository's location into child Git processes are unset; SSH/TLS/config-related GIT_* vars are preserved.

How can we test changes

This section was generated by AI.

Same .pre-commit-config.yaml shape, same staged .tf change, same git commit invocation. Switch repo: between antonbabenko/pre-commit-terraform@v1.106.0 and yuriipolishchuk/pre-commit-terraform@fix/scrub-git-env:

| Run | Config | Result |
|---|---|---|
| Unpatched | rev: v1.106.0 | ❌ Commit fails after 27.4s with Error building trees. 5 phantom blobs in worktree index. git fsck reports invalid sha1 in cache-tree. |
| Patched | rev: fix/scrub-git-env | ✅ Commit succeeds in 4.7s. 0 phantom blobs. git fsck clean. Terraform validate: Passed. |

Full reproduction script

    mkdir /tmp/repro && cd /tmp/repro
    git init && git commit --allow-empty -m init
    mkdir stack
    cat > stack/main.tf <<'TF'
    module "test" {
      source  = "terraform-aws-modules/iam/aws"
      version = "5.x"
    }
    TF
    cat > .pre-commit-config.yaml <<'YAML'
    repos:
      - repo: https://github.com/antonbabenko/pre-commit-terraform
        rev: v1.106.0
        hooks:
          - id: terraform_validate
            args:
              - --hook-config=--retry-once-with-cleanup=true
              - --tf-init-args=-backend=false
    YAML
    git add -A && git commit -m baseline
    git worktree add ../wt && cd ../wt
    pre-commit install
    echo "" >> stack/main.tf
    git add stack/main.tf
    git commit -m test           # → Error building trees on v1.106.0
                                 # → Passes when rev is fix/scrub-git-env
    git fsck --no-progress       # invalid sha1 pointer pre-fix; clean post-fix

  • Reproduce bug on master (v1.106.0) from a worktree with a module-using stack → commit fails with Error building trees, index has phantom blobs
  • Apply this patch via fork rev → same scenario passes, commit succeeds, index clean
  • Confirm non-worktree (main checkout) behavior unchanged — unset is a no-op when env var absent
  • Confirm SSH-source modules still authenticate — GIT_SSH, GIT_ASKPASS, GIT_SSL_* etc. are NOT touched
  • shellcheck clean (no new warnings)

Other notes

This section was generated by AI.

  • Considered the allowlist mirror of no_git_env (~15 lines case block in bash) but went with the minimal denylist since only GIT_INDEX_FILE actually causes the observed failure; the others are included as documented defensive offenders. Happy to expand to allowlist if preferred.
  • The unset only takes effect for the duration of the hook and its child processes. The parent git commit env is unaffected.
  • Hooks that don't shell to git (terraform_fmt, terraform_trivy, terraform_checkov, etc.) are not touched.

References

Assisted-by

Per AI_POLICY.md: the patch, docstring, and PR text were drafted with LLM assistance (Claude Code). The bug was hit, root-caused, and reproduced in my real infrastructure repo; every revision here was A/B-tested by me against a worktree reproduction before pushing (unpatched fails at tree-build, patched commits cleanly), including re-verification after scoping down to terraform_validate in 63ab2bc.

Hooks that invoke `tofu init` / `terraform init` (terraform_validate,
terraform_tflint, terraform_docs) end up running `git clone <module>`
under the hood for each registry/git-source module. When the
operator's `git commit` runs from a linked worktree, the parent git
sets GIT_INDEX_FILE (pointing at `.git/worktrees/<name>/index`) in the
hook subprocess env. The child `git clone` inherits this and writes the
cloned module's blob OIDs into the parent worktree's index. The next
`git commit` then fails at tree-build:

    error: invalid object 100644 <oid> for '<path>'
    error: Error building trees

Reproduction:

    git init && git commit --allow-empty -m init
    mkdir stack
    cat > stack/main.tf <<'TF'
    module "test" {
      source  = "terraform-aws-modules/iam/aws"
      version = "5.x"
    }
    TF
    cat > .pre-commit-config.yaml <<'YAML'
    repos:
      - repo: https://github.com/antonbabenko/pre-commit-terraform
        rev: v1.106.0
        hooks:
          - id: terraform_validate
            args:
              - --hook-config=--retry-once-with-cleanup=true
              - --tf-init-args=-backend=false
    YAML
    git add -A && git commit -m baseline
    git worktree add ../wt && cd ../wt
    pre-commit install
    echo "" >> stack/main.tf
    git add stack/main.tf
    git commit -m test       # fails with 'Error building trees'
    git fsck --no-progress   # invalid sha1 pointer in cache-tree

Other GIT_* vars (GIT_DIR, GIT_WORK_TREE, GIT_OBJECT_DIRECTORY) are
overridden by `git clone`'s own target-dir setup; only GIT_INDEX_FILE
slips through. Scrubbing all four matches the four documented offenders
in pre-commit framework's own `no_git_env` helper
(`pre_commit/git.py:20-38`), which explicitly states:

    # GIT_DIR: Causes git clone to clone wrong thing
    # GIT_INDEX_FILE: Causes 'error invalid object ...' during commit

pre-commit framework deliberately does NOT scrub GIT_* from user hook
subprocesses (only its own internal git calls) per the maintainer in
pre-commit/pre-commit#1849: "they need the same code as in our
no_git_env helper if they are dealing with doing git writes". This
patch applies that recommendation in pre-commit-terraform's hooks
that perform git writes via `tofu init` / `terraform init`.

Verified by reproducing the failure on v1.106.0 from a worktree with
a module-using stack, then confirming the fix removes both the index
pollution and the tree-build error. SSH/TLS/config-related GIT_* env
vars are preserved (only the four documented "dangerous" ones are
unset) so SSH-source modules authenticate normally.

Net change: one new helper `common::scrub_git_env` in _common.sh,
called once from `main()` of each affected hook. Zero behavior change
for non-worktree users — their GIT_INDEX_FILE is empty for these hooks
so the unset is a no-op.

Refs: antonbabenko#992

coderabbitai Bot commented Jun 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds a common::scrub_git_env helper function to unset inherited Git environment variables that can cause child git clone processes spawned by tofu init or terraform init to corrupt the parent worktree's index. Integrates the helper into terraform_validate to scrub these variables before hook execution.

Changes

Git environment scrubbing across hooks

| Layer / File(s) | Summary |
|---|---|
| Git environment scrubbing helper (hooks/_common.sh) | Inline documentation block explains the failure mode where child git clone operations inherit GIT_INDEX_FILE, GIT_DIR, GIT_WORK_TREE, and GIT_OBJECT_DIRECTORY from the parent hook environment, causing blob writes to the parent worktree's index. Implementation of common::scrub_git_env unsets these four problematic variables. |
| Hook integration of environment scrubbing (hooks/terraform_validate.sh) | terraform_validate calls common::scrub_git_env in main after parsing environment variables and before running the per-directory hook logic. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

feature

Suggested reviewers

  • MaxymVlasov

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: adding support for running the terraform_validate hook in git worktrees by addressing GIT_INDEX_FILE leakage. |
| Description check | ✅ Passed | The PR description is comprehensive and directly related to the changeset, explaining the bug, root cause, fix implementation, testing approach, and design rationale. |
| Linked Issues check | ✅ Passed | The code changes fully implement the objectives from issue #992: a new common::scrub_git_env helper unsets GIT_INDEX_FILE, GIT_DIR, GIT_WORK_TREE, and GIT_OBJECT_DIRECTORY to prevent worktree index corruption when terraform_validate invokes git clone for modules. |
| Out of Scope Changes check | ✅ Passed | All changes are narrowly scoped to fixing issue #992: only additions to hooks/_common.sh (new helper) and hooks/terraform_validate.sh (single call); no unrelated modifications or file alterations. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hooks/_common.sh`:
- Around line 119-149: The comment above function common::scrub_git_env is
misleading because the function only unsets a targeted subset of GIT_* vars
(GIT_INDEX_FILE, GIT_DIR, GIT_WORK_TREE, GIT_OBJECT_DIRECTORY) rather than
reproducing pre-commit's no_git_env behavior; update the docblock to explicitly
state that this function intentionally clears only those specific offending
variables (and why each is included) and clarify that pre-commit's no_git_env
removes all GIT_* except a specific allowlist (e.g., GIT_CONFIG_KEY_*,
GIT_CONFIG_VALUE_*, GIT_EXEC_PATH, GIT_SSH, GIT_SSH_COMMAND, GIT_SSL_CAINFO,
GIT_SSL_NO_VERIFY, GIT_CONFIG_COUNT, GIT_HTTP_PROXY_AUTHMETHOD,
GIT_ALLOW_PROTOCOL, GIT_ASKPASS), so the comment does not claim parity with
no_git_env and instead documents the targeted subset behavior of
common::scrub_git_env.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ee9f744b-e72b-42de-9342-5072872f64a8

📥 Commits

Reviewing files that changed from the base of the PR and between d61ded2 and a96a283.

📒 Files selected for processing (4)
  • hooks/_common.sh
  • hooks/terraform_docs.sh
  • hooks/terraform_tflint.sh
  • hooks/terraform_validate.sh

Comment thread hooks/_common.sh
Address CodeRabbit feedback on PR antonbabenko#993: the previous docstring read as
though common::scrub_git_env mirrored pre-commit's no_git_env helper.
It does not.

no_git_env is allowlist-based: it scrubs all GIT_* except a whitelist
of ~11 known-safe vars (GIT_EXEC_PATH, GIT_SSH, GIT_SSH_COMMAND,
GIT_ASKPASS, GIT_SSL_*, GIT_CONFIG_KEY_*, GIT_CONFIG_VALUE_*,
GIT_CONFIG_COUNT, GIT_HTTP_PROXY_AUTHMETHOD, GIT_ALLOW_PROTOCOL) and
runs only on pre-commit's internal git calls.

common::scrub_git_env is denylist-based: it unsets only four specific
vars that pre_commit/git.py:20-38 documents as dangerous when leaked
into child git (GIT_INDEX_FILE, GIT_DIR, GIT_WORK_TREE,
GIT_OBJECT_DIRECTORY), and runs in user hook subprocesses.

New docstring spells this out, explains why each of the four is
included, and notes why we chose a denylist over an allowlist mirror
(bash portability, observed bug fix scope, lower blast radius for
hook authors with custom registry/proxy env vars).
yuriipolishchuk changed the title from "fix: scrub GIT_* env vars in hooks that shell to git clone" to "fix: Scrub GIT_* env vars in hooks that shell to git clone" Jun 10, 2026
Comment thread hooks/terraform_tflint.sh Outdated
common::parse_cmdline "$@"
common::export_provided_env_vars "${ENV_VARS[@]}"
common::parse_and_export_env_vars
common::scrub_git_env
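
Review bot: common::scrub_git_env runs after common::export_provided_env_vars and common::parse_and_export_env_vars, so if those two calls export variables the user passed to the hook, as their names indicate, a GIT_DIR or GIT_WORK_TREE supplied on purpose is unset along with the inherited one. Either state in the helper's docblock that the scrub overrides user-provided values, or move the call ahead of the two export calls so that explicit user settings win.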

Collaborator

I can't reproduce the worktree bug in this hook.

Suggested change
common::scrub_git_env

Comment thread hooks/terraform_docs.sh Outdated
common::parse_cmdline "$@"
common::export_provided_env_vars "${ENV_VARS[@]}"
common::parse_and_export_env_vars
common::scrub_git_env

Collaborator

I can't reproduce the worktree bug in this hook.

Suggested change
common::scrub_git_env

Collaborator

There is another thing that shows, both for the terraform_docs and terraform_fmt hooks.

But it's not an issue at all.

18:57 repro-hoo git:(repro-hoo +) 
➜ gc       
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
Terraform fmt............................................................Failed
- hook id: terraform_fmt
- files were modified by this hook

main.tf


18:57 repro-hoo git:(repro-hoo !+) 
✘1 ➜ gc
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
Terraform fmt............................................................Passed
Terraform docs.......................................(no files to check)Skipped
Terraform validate with tflint.......................(no files to check)Skipped
Terraform fmt........................................(no files to check)Skipped
[repro-hoo 44cd287] fmt
 2 files changed, 2 insertions(+), 6 deletions(-)

18:58 repro-hoo git:(repro-hoo) took 9s 
➜ git fsck --no-progress | head
dangling tree bba236455e65937967031c5d25b02e11f5c252f5

18:58 repro-hoo git:(repro-hoo) 
➜ git fsck --no-progress | head
dangling tree bba236455e65937967031c5d25b02e11f5c252f5

18:58 repro-hoo git:(repro-hoo) 
➜ gc                           
Terraform docs...........................................................Failed
- hook id: terraform_docs
- files were modified by this hook
Terraform validate with tflint...........................................Passed
Terraform fmt............................................................Passed

18:58 repro-hoo git:(repro-hoo !+) 
✘1 ➜ gc
Terraform docs...........................................................Passed
Terraform validate with tflint...........................................Passed
Terraform fmt............................................................Passed
Terraform docs.......................................(no files to check)Skipped
Terraform validate with tflint.......................(no files to check)Skipped
Terraform fmt........................................(no files to check)Skipped
[repro-hoo c115ce4] docs
 2 files changed, 2 insertions(+), 2 deletions(-)

18:58 repro-hoo git:(repro-hoo) took 6s 
➜ git fsck --no-progress | head
dangling tree a13f3782d35b8ce91a9d45f5b57acd390ea671a2
dangling tree bba236455e65937967031c5d25b02e11f5c252f5

Per review on PR antonbabenko#993:

- MaxymVlasov could not reproduce the worktree bug in terraform_tflint
  or terraform_docs (terraform-docs does not run init), so the
  common::scrub_git_env calls are removed from both. The confirmed
  reproduction path is terraform_validate -> tofu/terraform init ->
  git clone, which keeps its call.
- Docstring reworded per yermulnik: drop 'dangerous' (the vars are
  incompatible with pre-commit's hook env, not dangerous), drop the
  var count, capitalize Git as a proper name, use full clickable URLs
  instead of repo-relative paths and issue shorthand, drop line-range
  references that rot as upstream moves.
- GIT_OBJECT_DIRECTORY provenance corrected: it is not named in
  pre-commit's no_git_env docstring; it comes from Git's own
  repository-location environment variables (man 1 git). The docstring
  now cites that source for all four vars.
- unset arguments alphabetized.
@yuriipolishchuk (Contributor, Author)

Thanks both for the thorough review - pushed 63ab2bc addressing it.

Scope (@MaxymVlasov)

Accepted both suggestions: common::scrub_git_env calls removed from terraform_tflint.sh and terraform_docs.sh. The helper is now called only from terraform_validate.sh - the confirmed reproduction path (validate -> tofu/terraform init -> git clone). I also re-verified on my side that the validate-only scrub fully fixes the original worktree failure (fresh module clone during commit, index stays clean, git fsck clean, follow-up commits healthy).

The dangling trees you observed with terraform_docs/terraform_fmt make sense as a separate, harmless artifact: pre-commit's own stash/restore cycle writes tree objects that end up unreferenced when the first commit attempt is rejected with "files were modified". No index corruption involved.

Wording / references (@yermulnik)

All applied in 63ab2bc:

  • Function summary now uses your suggested line verbatim.
  • "dangerous" dropped; reworded around the parent-repository-location leak.
  • Var count removed from the docstring (won't go stale if the list changes).
  • Full clickable URLs instead of repo-relative paths and issue shorthand; line-range references dropped.
  • "Git" capitalized as a proper name (kept lowercase only in literal commands).
  • unset arguments alphabetized.
  • GIT_OBJECT_DIRECTORY provenance corrected - you're right that pre-commit's no_git_env docstring names only three vars. It comes from Git's own repository-location environment variables (https://git-scm.com/docs/git#_environment_variables); the docstring now cites that source for all four. Happy to drop it down to the three if you'd rather keep the list minimal.

Open design questions - deferring to you two

  1. Scrub in common::initialize for all hooks vs per-hook opt-in - I see the appeal of central placement (no per-hook bookkeeping), but it would also apply the unset to hooks that demonstrably don't need it, and Maxym's reproduction results argue for the narrow version. Either shape is a small diff; I'll implement whichever you align on.
  2. Worktree-detection gating - the unset is a no-op when the vars aren't set (non-worktree git commit doesn't export them into hooks in a way that breaks anything we've seen), so the gate would add code without changing behavior. But if you prefer the explicit guard for the "don't touch user env unless necessary" principle, I can add your rev-parse --show-cdup check.
  3. PCT_LOG=debug notice when scrubbing - happy to add if you want it; suggest doing it together with whatever logging convention you settle on for (2).
  4. readonly unset failure - a var marked readonly outside the hook would make unset error under set -e. I can add 2> /dev/null || true, though a readonly GIT_INDEX_FILE in a pre-commit env would already be broken in stranger ways. Your call.
  5. terraform_providers_lock - it runs init-adjacent provider fetches but not module git clone to my knowledge; I didn't have a failing reproduction there, so I left it out per the same evidence standard Maxym applied to tflint/docs.

@yuriipolishchuk (Contributor, Author)

@MaxymVlasov @yermulnik gentle nudge - whenever you have a moment for a re-review.

Recap of what changed since the review round, all in 63ab2bc:

  • Scope narrowed to terraform_validate only - removed the common::scrub_git_env calls from terraform_tflint and terraform_docs per @MaxymVlasov (you couldn't reproduce there, and I confirmed validate-only fully fixes the original worktree failure).
  • Docstring reworded per @yermulnik - dropped "dangerous" and the var count, capitalized Git, full clickable URLs instead of repo-relative paths / issue shorthand, no line-range references, corrected GIT_OBJECT_DIRECTORY provenance (Git's own env-var docs, not no_git_env), alphabetized the unset args.
  • Branch updated to current master; all CI green.

I also left replies on the open design questions (central common::initialize placement, worktree-detection gating, PCT_LOG notice, readonly-unset handling, terraform_providers_lock) - happy to implement whichever direction you two prefer on those. No rush; just flagging it's ready when you are.

yermulnik previously approved these changes Jun 16, 2026

@yermulnik yermulnik left a comment

Collaborator

@yuriipolishchuk Thanks for the nudge. The code looks good to me. However I'd defer the final review/approval to @MaxymVlasov as the main dev.

UPD: since the PR targets Git worktrees only, I'd prefer the worktree gating there so that the code changes user env only where the problem exists rather than everywhere. @MaxymVlasov What's your view on this in particular and the PR overall?

Failure scenario, root-cause deep-dive, and no_git_env allowlist
enumeration belong in git history, not in source. Keep only:
- what the function does and why each var is included
- the pre-commit framework design constraint + issue link
- the denylist-vs-allowlist note

Assisted-by: Sisyphus:claude-sonnet-4-6 opencode
Assisted-by: Sisyphus:claude-sonnet-4-6 opencode
MaxymVlasov changed the title from "fix: Scrub GIT_* env vars in hooks that shell to git clone" to "feat(terraform_validate): Add support for running hooks in git worktree" Jun 18, 2026
MaxymVlasov changed the title from "feat(terraform_validate): Add support for running hooks in git worktree" to "feat(terraform_validate): Add support for running hook in git worktree" Jun 18, 2026
MaxymVlasov previously approved these changes Jun 18, 2026
@MaxymVlasov MaxymVlasov requested a review from yermulnik June 18, 2026 15:09
yermulnik previously approved these changes Jun 18, 2026

@yermulnik yermulnik left a comment

Collaborator

@MaxymVlasov Code LGTM.
There are two points I'm concerned about, though I might be over-engineering these. @MaxymVlasov WDYT?

  • Handle unset failure? E.g. if for any reason the var was declared readonly outside of the hook? 🤔 The unset … || true should be sufficient (not suppressing error output, to let the user know what's going wrong)
  • I'd also suggest unsetting Git vars only when the hook is run from inside the Git worktree so that we don't mess up non-worktree envs.
    • Here's how I identify this locally:

          local _git_repo_git_file="$(git rev-parse --show-cdup).git"
          [[ -f $_git_repo_git_file ]] && grep -qE '^gitdir:' "$_git_repo_git_file" && local _is_git_worktree="true"
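
The worktree gate and failure-tolerant unset proposed in this review, sketched as an added example (not code from this PR or from pre-commit-terraform). The function names, the `/worktrees/` path test and the sample paths are assumptions made for the illustration; it is written in POSIX sh and runs the scrub in a subshell so the effect on child processes can be checked.

```shell
#!/bin/sh
# Added illustration, not the project's common::scrub_git_env.
# The four repository-location variables the PR unsets, alphabetized.
SCRUB_VARS='GIT_DIR GIT_INDEX_FILE GIT_OBJECT_DIRECTORY GIT_WORK_TREE'

# is_linked_worktree TOPLEVEL
# True when TOPLEVEL/.git is a file whose first line points into a
# "worktrees/" directory. Assumption: a linked worktree records
# "gitdir: <main>/.git/worktrees/<name>"; a submodule's .git file also
# starts with "gitdir:" but points under "modules/", so it is rejected.
is_linked_worktree() {
  [ -f "$1/.git" ] || return 1
  case "$(head -n 1 "$1/.git")" in
    'gitdir: '*/worktrees/*) return 0 ;;
  esac
  return 1
}

# leaked_git_vars: print each scrub-listed variable that a child process
# would inherit from the current environment, one name per line.
leaked_git_vars() {
  for name in $SCRUB_VARS; do
    if env | grep -q "^${name}="; then
      printf '%s\n' "$name"
    fi
  done
}

# run_scrubbed TOPLEVEL CMD [ARGS...]
# Run CMD in a subshell; when TOPLEVEL is a linked worktree, drop the
# scrub-listed variables first. The subshell leaves the caller's own
# environment intact. "|| true" keeps going when unset reports a failure
# (in bash, the readonly case raised in the review).
run_scrubbed() {
  toplevel=$1
  shift
  (
    if is_linked_worktree "$toplevel"; then
      # shellcheck disable=SC2086  # word splitting is intended here
      unset $SCRUB_VARS || true
    fi
    "$@"
  )
}

# Constructed demo: a fake worktree directory and a fake leaked index path.
demo() (
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wt"
  printf 'gitdir: %s/main/.git/worktrees/wt\n' "$tmp" > "$tmp/wt/.git"
  export GIT_INDEX_FILE="$tmp/main/.git/worktrees/wt/index"
  export GIT_SSH_COMMAND='ssh -o BatchMode=yes'
  echo "before scrub: $(leaked_git_vars)"
  echo "after scrub:  $(run_scrubbed "$tmp/wt" leaked_git_vars)"
  echo "GIT_SSH_COMMAND kept: $(run_scrubbed "$tmp/wt" sh -c 'printf %s "$GIT_SSH_COMMAND"')"
  rm -rf "$tmp"
)
demo
```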

@MaxymVlasov MaxymVlasov dismissed stale reviews from yermulnik and themself via 6aa3c54 June 18, 2026 15:20
MaxymVlasov previously approved these changes Jun 18, 2026
…vars

Assisted-by: Sisyphus:claude-sonnet-4-6 opencode
@MaxymVlasov MaxymVlasov requested a review from yermulnik June 18, 2026 15:27
Comment thread hooks/_common.sh Outdated
# GIT_WORK_TREE pairs with GIT_DIR
#######################################################################
function common::scrub_git_env {
local -r git_env_vars=(

Collaborator

Why readonly? And why not also -a to explicitly declare array type?

Collaborator

As I don't expect that this array will be changed

Comment thread hooks/_common.sh Outdated
…ience

Assisted-by: Sisyphus:claude-sonnet-4-6 opencode
Assisted-by: Sisyphus:claude-sonnet-4-6 opencode
@MaxymVlasov MaxymVlasov requested a review from yermulnik June 18, 2026 15:41
@MaxymVlasov MaxymVlasov merged commit 3fba9d7 into antonbabenko:master Jun 18, 2026
45 checks passed
antonbabenko pushed a commit that referenced this pull request Jun 18, 2026
# [1.107.0](v1.106.0...v1.107.0) (2026-06-18)

### Features

* **`terraform_validate`:** Add support for running hook in `git worktree` ([#993](#993)) ([3fba9d7](3fba9d7))
@antonbabenko (Owner)

This PR is included in version 1.107.0 🎉


Successfully merging this pull request may close these issues.

terraform_validate corrupts worktree index when tofu init clones modules (GIT_INDEX_FILE leakage)
