feat(terraform_validate): Add support for running hook in git worktree

hooks/_common.sh

@@ -116,6 +116,52 @@ function common::parse_cmdline {
   done
 }
 
+#######################################################################
+# Scrub four dangerous GIT_* env vars before child git operations.
+#
+# Without this, `git commit` from a linked git worktree fails at
+# tree-build when a hook runs `tofu init` / `terraform init` (which
+# spawns `git clone` for each module source):
+#
+#   error: invalid object 100644 <oid> for '<path>'
+#   error: Error building trees
+#
+# Root cause: the child `git clone` inherits GIT_INDEX_FILE from the
+# parent `git commit` env (pointing at the worktree's index), then
+# writes the cloned module's blob OIDs into the parent worktree's
+# index. The subsequent commit cannot resolve those OIDs.
+#
+# Targeted denylist, NOT a mirror of pre-commit's `no_git_env`:
+# `no_git_env` (pre_commit/git.py) uses an ALLOWLIST that scrubs all
+# GIT_* except ~11 known-safe vars (GIT_EXEC_PATH, GIT_SSH,
+# GIT_SSH_COMMAND, GIT_ASKPASS, GIT_SSL_CAINFO, GIT_SSL_NO_VERIFY,
+# GIT_CONFIG_KEY_*, GIT_CONFIG_VALUE_*, GIT_CONFIG_COUNT,
+# GIT_HTTP_PROXY_AUTHMETHOD, GIT_ALLOW_PROTOCOL). It runs only on
+# pre-commit's INTERNAL git calls, not on user hook subprocesses
+# (per pre-commit/pre-commit#1849).
+#
+# We unset only the four vars that pre-commit's own docstring (git.py
+# lines 20-38) names as dangerous when leaked into child git:
+#
+#   GIT_INDEX_FILE        proximate cause; "Causes 'error invalid
+#                         object ...' during commit" in git.py.
+#   GIT_DIR               "Causes git clone to clone wrong thing".
+#   GIT_WORK_TREE         defensive; paired with GIT_DIR.
+#   GIT_OBJECT_DIRECTORY  defensive; prevents child writes into the
+#                         parent object DB via non-clone git calls.
+#
+# Denylist over allowlist mirror because:
+#   1. Bash equivalent of the Python whitelist scan is ~15-20 lines
+#      versus a one-line `unset`.
+#   2. The observed bug is fully fixed by scrubbing GIT_INDEX_FILE
+#      alone; the other three are belt-and-braces.
+#   3. Narrower scrub minimizes risk of breaking hook authors who
+#      rely on inheritance of vars an aggressive allowlist might drop.
+#######################################################################
+function common::scrub_git_env {
+  unset GIT_INDEX_FILE GIT_DIR GIT_WORK_TREE GIT_OBJECT_DIRECTORY
+}
+
 #######################################################################
 # Expand environment variables definition into their values in '--args'.
 # Support expansion only for ${ENV_VAR} vars, not $ENV_VAR.

hooks/terraform_docs.sh

@@ -20,6 +20,7 @@ function main {
   common::parse_cmdline "$@"
   common::export_provided_env_vars "${ENV_VARS[@]}"
   common::parse_and_export_env_vars
+  common::scrub_git_env
   # Support for setting relative PATH to .terraform-docs.yml config.
   for i in "${!ARGS[@]}"; do
     ARGS[i]=${ARGS[i]/--config=/--config=$(pwd)\/}

hooks/terraform_tflint.sh

@@ -13,6 +13,7 @@ function main {
   common::parse_cmdline "$@"
   common::export_provided_env_vars "${ENV_VARS[@]}"
   common::parse_and_export_env_vars
+  common::scrub_git_env
 
   # JFYI: tflint color already suppressed via PRE_COMMIT_COLOR=never
 

hooks/terraform_validate.sh

@@ -15,6 +15,7 @@ function main {
   common::parse_cmdline "$@"
   common::export_provided_env_vars "${ENV_VARS[@]}"
   common::parse_and_export_env_vars
+  common::scrub_git_env
 
   # Suppress terraform validate color
   if [ "$PRE_COMMIT_COLOR" = "never" ]; then