Skip to content

feat(terraform_validate): Add support for running hook in git worktree #993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MaxymVlasov merged 9 commits into from
Jun 18, 2026
+30 −0
Merged

feat(terraform_validate): Add support for running hook in git worktree #993

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a96a283
fix: scrub GIT_* env vars in hooks that shell to git clone
yuriipolishchuk Jun 10, 2026
211d9cc
docs(scrub_git_env): clarify targeted-subset vs no_git_env allowlist
yuriipolishchuk Jun 10, 2026
63ab2bc
fix: Scope scrub to terraform_validate only; address review wording
yuriipolishchuk Jun 11, 2026
a063ed2
Merge remote-tracking branch 'upstream/master' into fix/scrub-git-env
yuriipolishchuk Jun 12, 2026
9c438a2
docs(scrub_git_env): trim docstring; move bug narrative to commit
MaxymVlasov Jun 18, 2026
6aa3c54
docs(scrub_git_env): mention linked worktree as the trigger
MaxymVlasov Jun 18, 2026
a8a98ab
refactor(scrub_git_env): loop over readonly array; tolerate readonly …
MaxymVlasov Jun 18, 2026
8d02f62
refactor(scrub_git_env): simplify to unset -v; keep || true for resil…
MaxymVlasov Jun 18, 2026
993f492
refactor(scrub_git_env): use readonly array with unset -v
MaxymVlasov Jun 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions hooks/_common.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,44 @@ function common::parse_cmdline {
done
}

#######################################################################
# Scrub some GIT_* env vars before child Git operations.
#
# Without this, `git commit` from a linked Git worktree fails at
# tree-build when a hook runs `tofu init` / `terraform init` (which
# spawns `git clone` for each Git-sourced module):
#
# error: invalid object 100644 <oid> for '<path>'
# error: Error building trees
#
# Root cause: the child `git clone` inherits GIT_INDEX_FILE from the
# parent `git commit` env (pointing at the worktree's index), then
# writes the cloned module's blob OIDs into the parent worktree's
# index. The subsequent commit cannot resolve those OIDs.
#
# pre-commit scrubs GIT_* only for its own internal Git calls, not
# for hook subprocesses - hook authors are expected to handle it
# themselves: https://github.com/pre-commit/pre-commit/issues/1849
#
# This is a targeted denylist, NOT a mirror of pre-commit's
# allowlist-based `no_git_env` helper
# (https://github.com/pre-commit/pre-commit/blob/main/pre_commit/git.py),
# which drops all GIT_* except known-safe vars (GIT_ASKPASS,
# GIT_CONFIG_*, GIT_SSH, GIT_SSH_COMMAND, GIT_SSL_*, etc.). We unset
# only the vars that leak the parent repository's location into child
# Git processes (see "Environment Variables" in `man 1 git`,
# https://git-scm.com/docs/git#_environment_variables):
#
# GIT_DIR makes child Git operate on the parent repo
# GIT_INDEX_FILE proximate cause of the failure above
# GIT_OBJECT_DIRECTORY redirects child object writes into the
# parent object database
# GIT_WORK_TREE pairs with GIT_DIR
#######################################################################
function common::scrub_git_env {
unset GIT_DIR GIT_INDEX_FILE GIT_OBJECT_DIRECTORY GIT_WORK_TREE
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.

#######################################################################
# Expand environment variables definition into their values in '--args'.
# Support expansion only for ${ENV_VAR} vars, not $ENV_VAR.
Expand Down
1 change: 1 addition & 0 deletions hooks/terraform_validate.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ function main {
common::parse_cmdline "$@"
common::export_provided_env_vars "${ENV_VARS[@]}"
common::parse_and_export_env_vars
common::scrub_git_env

# Suppress terraform validate color
if [ "$PRE_COMMIT_COLOR" = "never" ]; then
Expand Down