From 01fed1a52efefd5388b8a3d91f29c85d97dac5f7 Mon Sep 17 00:00:00 2001
From: Frantisek Hrbata
Date: Mon, 18 Dec 2023 08:08:13 +0100
Subject: [PATCH] fix: do sbom manifest validation in post-commit

Following commit c3afbebf2316 ("fix: bump esp-idf-sbom to v0.13.0 in pre-commit"), the validation of submodule hash now relies solely on the information recorded in the git-tree. Previously, the hash verification used submodule's working tree hash if available. Since the new submodule hash is recorded in git-tree only after the commit is created, we need to move the check into post-commit, otherwise the hash validation checks the old value.

For example:
1. in .gitmodules
[submodule "components/json/cJSON"]
sbom-hash = cb8693b058ba302f4829ec6d03f609ac6f848546
2. update the cJSON
$ git -C components/json/cJSON checkout b45f48e600671feade0b6bd65d1c69de7899f2be
3. update cJSON hash in .gitmodules
[submodule "components/json/cJSON"]
sbom-hash = b45f48e600671feade0b6bd65d1c69de7899f2be
4. commit the changes
$ git commit -a -s

Step 4. will fail, because the validation is currently started in pre-commit stage, where the hash for cJSON recorded in git-tree is still cb8693b058ba302f4829ec6d03f609ac6f848546. The new hash b45f48e600671feade0b6bd65d1c69de7899f2be will be stored in git-tree after the new commit is created.

Note that this means we cannot prevent the commit creation, but only notify user about the hash inconsistency. If he/she still decides to push it, it will fail in pre-commit checks in CI.

Signed-off-by: Frantisek Hrbata
---
 .pre-commit-config.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e5377a467e..0e2ac147c4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 minimum_pre_commit_version: 3.3.0
-default_install_hook_types: [pre-commit, commit-msg]
+default_install_hook_types: [pre-commit, post-commit, commit-msg]
 default_stages: [pre-commit]
 repos:
@@ -223,3 +223,4 @@ repos:
 rev: v0.13.0
 hooks:
 - id: validate-sbom-manifest
+ stages: [post-commit]
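Review bot: Restricting validate-sbom-manifest to `stages: [post-commit]` on the last added line means a plain `pre-commit run --all-files` (which, as far as I know, only runs hooks of the `pre-commit` stage) no longer executes it, so the CI safety net the description relies on exists only if the CI job passes `--hook-stage post-commit` or names the hook explicitly; please confirm that, or widen the list to `stages: [post-commit, manual]` and run `pre-commit run --hook-stage manual --all-files validate-sbom-manifest` in CI. Because a post-commit hook cannot reject the commit, this turns a blocking integrity check on the recorded submodule `sbom-hash` into an advisory one, so a stale or tampered hash can now land in local history with only that CI run standing between it and the integration branch. Existing clones keep only the hook types installed at their last `pre-commit install`, so the new `post-commit` entry in `default_install_hook_types` takes effect only after developers re-run `pre-commit install`; a note to that effect in the commit message or contributor docs would avoid the check silently disappearing locally. The enclosing `- repo:` entry for this hook starts outside the hunk.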