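---
# Security-focused pre-commit configuration with autoupdate settings.
#
# Every `rev` below is a tag or version string, which upstream can re-point.
# `pre-commit autoupdate --freeze` rewrites them to full commit SHAs if
# immutable pins are wanted. The weekly autoupdate changes hook code that
# runs on developer machines, so review those update commits like any other
# dependency bump.

default_install_hook_types: [pre-commit, pre-push]
default_stages: [pre-commit, pre-merge-commit]
minimum_pre_commit_version: '3.5.0'

ci:
  autofix_commit_msg: 'chore(pre-commit): auto fixes from pre-commit hooks'
  autoupdate_commit_msg: 'chore(pre-commit): update pre-commit hook versions'
  autoupdate_schedule: weekly
  submodules: true
  # NOTE(review): the local `language: system` hook at the bottom needs its
  # binary on the runner; if the hosted CI does not provide Lua, list
  # `check-lua-syntax` here -- confirm against the CI service.
  skip: []

repos:
  # Generic hygiene checks; detect-private-key blocks committed key material.
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v5.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-json
      - id: check-added-large-files
        args: ['--maxkb=500']
      - id: check-merge-conflict
      - id: detect-private-key
      - id: mixed-line-ending
        args: ['--fix=lf']
      - id: check-executables-have-shebangs
      - id: check-shebang-scripts-are-executable

  # Lua linting and formatting.
  - repo: https://github.com/Calinou/pre-commit-luacheck
    rev: v1.0.0
    hooks:
      - id: luacheck
        args: ['--config', '.luacheckrc']

  - repo: https://github.com/JohnnyMorganz/StyLua
    rev: v2.0.2
    hooks:
      - id: stylua
        args: ['--config-path', 'stylua.toml']

  # Secret scanning on staged changes.
  # NOTE(review): the project now lives under github.com/gitleaks/gitleaks and
  # this URL relies on a redirect from the old owner path; consider pinning the
  # canonical location.
  - repo: https://github.com/zricethezav/gitleaks
    rev: v8.23.3
    hooks:
      - id: gitleaks
        name: GitLeaks - Detect Secrets
        description: Scan for hardcoded secrets and credentials
        # --redact keeps matched secrets out of terminal and CI logs.
        # NOTE(review): --staged inspects only the index, so the pre-push run
        # most likely scans nothing (the index is normally clean at push
        # time); confirm whether a commit-range scan is wanted for that stage.
        # NOTE(review): newer gitleaks releases document
        # `gitleaks git --pre-commit --staged` as the successor to `protect`;
        # verify against the pinned release before switching.
        entry: gitleaks protect --verbose --redact --staged
        stages: [pre-commit, pre-push]

  # Python static security analysis; settings are read from pyproject.toml.
  - repo: https://github.com/PyCQA/bandit
    rev: '1.8.2'
    hooks:
      - id: bandit
        args: ['-c', 'pyproject.toml']
        additional_dependencies: ['.[toml]']
        stages: [pre-commit]

  - repo: https://github.com/renovatebot/pre-commit-hooks
    rev: '39.160.1'
    hooks:
      - id: renovate-config-validator
        name: Validate Renovate Config
        files: 'renovate\.json|\.renovaterc|\.renovaterc\.(json|yaml|yml)'

  - repo: https://github.com/Lucas-C/pre-commit-hooks-nodejs
    rev: v1.1.2
    hooks:
      - id: dockerfile_lint
      - id: markdown-toc

  - repo: https://github.com/streetsidesoftware/cspell-cli
    rev: v8.17.2
    hooks:
      - id: cspell
        name: Spell Check
        args: ['--config', '.cspell.json']
        stages: [pre-commit]

  # Second secret scanner, compared against a reviewed baseline file.
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
        # Unanchored regex: skips every path that contains this name.
        exclude: 'package-lock.json'

  - repo: local
    hooks:
      - id: check-lua-syntax
        name: Check Lua Syntax
        # Parse-only check. The previous entry,
        #   lua -e 'for f in pairs(arg) do assert(loadfile(f)) end'
        # received the staged filenames after the -e chunk, so the standalone
        # interpreter treated the first filename as a script and executed it,
        # and pairs(arg) yields indices rather than filenames. `luac -p`
        # compiles each file without running or writing anything; `--` stops
        # option parsing so a filename beginning with `-` stays a filename.
        # NOTE(review): assumes `luac` is installed next to `lua` -- confirm
        # for the Lua distribution in use.
        entry: luac -p --
        language: system
        files: '\.(lua|rockspec)$'
        stages: [pre-commit]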