phpro / grumphp

A PHP code-quality tool
MIT License
4.11k stars 430 forks

Task for "git secret hide" on pre-commit-hook #1002

Closed ghost closed 2 years ago

ghost commented 2 years ago
| Q | A |
| --- | --- |
| Bug? | no |
| New feature? | yes |
| Question? | yes |
| Documentation? | yes |

I would like to have a new task type for git-secret. A tool to encrypt files before committing them.

Use case

I'm implementing the git-secret tool into my repository. And I should run the git secret hide command on the pre-commit hook. After this is done, it should also stage any changed, added or removed *.secret and .gitsecret/* files. Since git-secret adds the actual files to the .gitignore, this task should always run, as it has no way of detecting a changed file until after the git secret hide command has been run.

Requirements

Question

@veewee are you interested in this task addition?

veewee commented 2 years ago

Hello,

This doesn't seem like a regular task, since it does not validate anything. It is more like a regular pre-commit action to run without expecting any specific results.

For this purpose, an event listener or task runner middleware might be a better solution. Maybe we could start off by defining a way to specify actions to run during a specific git hook that are not tasks?

I don't know git secret myself, but the workflow you mention seems a bit off at first sight. I'd expect the secrets to be encrypted and the regular files to be git ignored. If you change a secret and want to hide it, that would be a manual action you run before even committing? We've always been quite against auto-adding things to your commit, since that might not be an intentional action from the user. Care to elaborate?

Maybe this feature would be a good use-case for a grumphp extension instead of going in the core?

ghost commented 2 years ago

Yes. After implementing it, I see that this is more of a compiling task than a validation task. And you are right, the regular files are git ignored. I was just thinking of automating the encryption of the regular file into the secret file with grumphp because I use this for my pre-commit hook.

You are right, auto-adding things to a commit may not be a very good thing to do. It's probably better to move this type of task into a file watcher. That way a user will still have to manually add the files to git when they are changed. The drawback is that usually you have to start a watcher.

Since I'm using git-secret to encrypt files containing some API keys that won't change very often, I will simply manually encrypt them when I update a value in the file. Closing this issue. Thanks for your feedback, Toon.