mirror of https://github.com/espressif/esp-idf
fix: do sbom manifest validation in post-commit
Following commit c3afbebf23
("fix: bump esp-idf-sbom to v0.13.0 in pre-commit"),
the validation of submodule hash now relies solely on the information recorded
in the git-tree. Previously, the hash verification used the submodule's
working tree hash if available. Since the new submodule hash is recorded
in git-tree only after the commit is created, we need to move the check
into post-commit, otherwise the hash validation checks the old value.
For example:
1. in .gitmodules
[submodule "components/json/cJSON"]
sbom-hash = cb8693b058ba302f4829ec6d03f609ac6f848546
2. update the cJSON
$ git -C components/json/cJSON checkout b45f48e600671feade0b6bd65d1c69de7899f2be
3. update cJSON hash in .gitmodules
[submodule "components/json/cJSON"]
sbom-hash = b45f48e600671feade0b6bd65d1c69de7899f2be
4. commit the changes
$ git commit -a -s
Step 4. will fail, because the validation is currently started in pre-commit stage,
where the hash for cJSON recorded in git-tree is still
cb8693b058ba302f4829ec6d03f609ac6f848546. The new hash b45f48e600671feade0b6bd65d1c69de7899f2be
will be stored in git-tree after the new commit is created.
Note that this means we cannot prevent the commit creation, but only
notify the user about the hash inconsistency. If he/she still decides to
push it, it will fail in pre-commit checks in CI.
Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
pull/12863/head
parent
31ede5b09d
commit
01fed1a52e
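Added example, not part of the commit or of esp-idf-sbom: a throwaway repository that reproduces the timing described in the commit message, using the cJSON path and the two hashes quoted there. The check() function is a stand-in that assumes the validator compares the sbom-hash in .gitmodules with the gitlink recorded in HEAD's tree; the gitlink is written straight into the index, so no real cJSON checkout is needed.

```shell
#!/bin/sh
# Constructed demo: the submodule hash in HEAD's tree stays at the old value
# until the commit exists, so a tree-based check differs before and after.
SUB=components/json/cJSON
OLD=cb8693b058ba302f4829ec6d03f609ac6f848546
NEW=b45f48e600671feade0b6bd65d1c69de7899f2be

# Hash recorded for the submodule in the HEAD tree of repo $1.
tree_hash() { git -C "$1" ls-tree HEAD -- "$SUB" | awk '{print $3}'; }

# sbom-hash declared for the submodule in .gitmodules of repo $1.
manifest_hash() {
    git -C "$1" config -f .gitmodules --get "submodule.$SUB.sbom-hash"
}

# Stand-in for the validation (assumption): compare manifest with HEAD tree.
check() {
    if [ "$(tree_hash "$1")" = "$(manifest_hash "$1")" ]; then echo match; else echo mismatch; fi
}

# Record OLD in a first commit, stage the bump to NEW, and report what the
# check returns at the pre-commit point and at the post-commit point.
demo() {
    repo=$(mktemp -d) || return 1
    g() { git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    g init -q
    g config -f .gitmodules "submodule.$SUB.sbom-hash" "$OLD"
    g update-index --add --cacheinfo "160000,$OLD,$SUB"
    g add .gitmodules
    g commit -q -m "record old cJSON hash"
    # Steps 2-3 of the commit message: move the gitlink and the manifest to NEW.
    g update-index --add --cacheinfo "160000,$NEW,$SUB"
    g config -f .gitmodules "submodule.$SUB.sbom-hash" "$NEW"
    g add .gitmodules
    before=$(check "$repo")   # what a pre-commit hook would see
    g commit -q -m "bump cJSON"
    after=$(check "$repo")    # what a post-commit hook would see
    rm -rf "$repo"
    echo "pre-commit=$before post-commit=$after"
}

demo
```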
|
@ -2,7 +2,7 @@
|
|||
# See https://pre-commit.com/hooks.html for more hooks
|
||||
|
||||
minimum_pre_commit_version: 3.3.0
|
||||
default_install_hook_types: [pre-commit, commit-msg]
|
||||
default_install_hook_types: [pre-commit, post-commit, commit-msg]
|
||||
default_stages: [pre-commit]
|
||||
|
||||
repos:
|
||||
|
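Review bot: adding post-commit to default_install_hook_types only takes effect the next time a developer runs `pre-commit install`, so clones that installed their hooks before this change keep running without the post-commit hook and never see the SBOM hash warning. Please note in the commit message or the contributor docs that hooks have to be reinstalled after pulling this change.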
@ -223,3 +223,4 @@ repos:
|
|||
rev: v0.13.0
|
||||
hooks:
|
||||
- id: validate-sbom-manifest
|
||||
stages: [post-commit]
|
||||
|
|
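Review bot: with `stages: [post-commit]` on validate-sbom-manifest the hook no longer runs in the default pre-commit stage, yet the commit message relies on the pre-commit checks in CI to reject a mismatched hash. Please confirm that the CI job runs this hook with `--hook-stage post-commit` (or runs the validation some other way); if CI only runs the default stage, a stale sbom-hash is reported as a local warning and then passes CI.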