#!/bin/sh## Pre-commit hook that verifies if all files containing 'productio

1. #!/bin/sh
2. #
3. # Pre-commit hook that verifies if all files containing 'production' in the name
4. # are encrypted.
5. # If not, commit will fail with an error message
6. #
7. # File should be .git/hooks/pre-commit and executable
8. FILES_PATTERN='.*production.*\.yml$'
9. REQUIRED='ANSIBLE_VAULT'
10.  
11. EXIT_STATUS=0
12. wipe="\033[1m\033[0m"
13. yellow='\033[1;33m'
14. # carriage return hack. Leave it on 2 lines.
15. cr='
16. '
17. for f in $(git diff --cached --name-only | grep -E $FILES_PATTERN)
18. do
19.   # test for the presence of the required bit.
20.   MATCH=`head -n1 $f | grep --no-messages $REQUIRED`
21.   if [ ! $MATCH ] ; then
22.     # Build the list of unencrypted files if any
23.     UNENCRYPTED_FILES="$f$cr$UNENCRYPTED_FILES"
24.     EXIT_STATUS=1
25.   fi
26. done
27. if [ ! $EXIT_STATUS = 0 ] ; then
28.   echo '# COMMIT REJECTED'
29.   echo '# Looks like unencrypted ansible-vault files are part of the commit:'
30.   echo '#'
31.   while read -r line; do
32.     if [ -n "$line" ]; then
33.       echo "#\t${yellow}unencrypted:   $line${wipe}"
34.     fi
35.   done <<< "$UNENCRYPTED_FILES"
36.   echo '#'
37.   echo "# Please encrypt them with 'ansible-vault encrypt <file>'"
38.   echo "#   (or force the commit with '--no-verify')."
39.   exit $EXIT_STATUS
40. fi
41. exit $EXIT_STATUS