Skip to content

feat(terraform_validate): Add support for running hook in git worktree #993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MaxymVlasov merged 9 commits into from
Jun 18, 2026
+30 −0
Merged

feat(terraform_validate): Add support for running hook in git worktree #993

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a96a283
fix: scrub GIT_* env vars in hooks that shell to git clone
yuriipolishchuk Jun 10, 2026
211d9cc
docs(scrub_git_env): clarify targeted-subset vs no_git_env allowlist
yuriipolishchuk Jun 10, 2026
63ab2bc
fix: Scope scrub to terraform_validate only; address review wording
yuriipolishchuk Jun 11, 2026
a063ed2
Merge remote-tracking branch 'upstream/master' into fix/scrub-git-env
yuriipolishchuk Jun 12, 2026
9c438a2
docs(scrub_git_env): trim docstring; move bug narrative to commit
MaxymVlasov Jun 18, 2026
6aa3c54
docs(scrub_git_env): mention linked worktree as the trigger
MaxymVlasov Jun 18, 2026
a8a98ab
refactor(scrub_git_env): loop over readonly array; tolerate readonly …
MaxymVlasov Jun 18, 2026
8d02f62
refactor(scrub_git_env): simplify to unset -v; keep || true for resil…
MaxymVlasov Jun 18, 2026
993f492
refactor(scrub_git_env): use readonly array with unset -v
MaxymVlasov Jun 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions hooks/_common.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,35 @@ function common::parse_cmdline {
done
}

#######################################################################
# Scrub GIT_* vars inherited from a linked Git worktree that would
# leak the parent repo location into child Git processes
# (see https://git-scm.com/docs/git#_environment_variables).
#
# pre-commit scrubs GIT_* only for its own internal Git calls, not for
# hook subprocesses - hook authors must handle it themselves:
# https://github.com/pre-commit/pre-commit/issues/1849
#
# This is a targeted denylist, NOT a mirror of pre-commit's
# allowlist-based no_git_env helper. We unset only the vars that leak
# the parent repository's location into child Git processes:
#
# GIT_DIR makes child Git operate on the parent repo
# GIT_INDEX_FILE proximate cause of the failure above
# GIT_OBJECT_DIRECTORY redirects child object writes into the
# parent object database
# GIT_WORK_TREE pairs with GIT_DIR
#######################################################################
function common::scrub_git_env {
local -ra git_env_vars=(
GIT_DIR
GIT_INDEX_FILE
GIT_OBJECT_DIRECTORY
GIT_WORK_TREE
)
unset -v "${git_env_vars[@]}" || true
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.

#######################################################################
# Expand environment variables definition into their values in '--args'.
# Support expansion only for ${ENV_VAR} vars, not $ENV_VAR.
Expand Down
1 change: 1 addition & 0 deletions hooks/terraform_validate.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ function main {
common::parse_cmdline "$@"
common::export_provided_env_vars "${ENV_VARS[@]}"
common::parse_and_export_env_vars
common::scrub_git_env

# Suppress terraform validate color
if [ "$PRE_COMMIT_COLOR" = "never" ]; then
Expand Down
Loading