How is #precommit even a thing?
There's apparently _no_ security whatsoever. It just downloads random code from the internet and runs it on your machine.
And everyone with write access to the repo can just tell it to download _more_ code.
Compare this to direnv (direnv.net), which will ask you for permission every time someone changes its config.
scy, in reply to scy

Philip Gillißen, in reply to scy

Hey Gus, in reply to scy
how about getting mad at GitHub actions too.
You can just use private repos, or use public repos. There’s nothing implicitly dangerous or even remotely sketchy about it.

scy, in reply to Hey Gus

Hey Gus, in reply to scy
but not plenty of people execute random code from GitHub actions. There's even pre-commit actions.
I think you’re saying wtf because the code right? The hooks? How is that different?

chrysn, in reply to scy

fh0, in reply to scy
I don't even get why somebody wants to run these things as pre-commit. This means that every developer has to configure the same pre-commit hooks locally and nothing is enforced.
What is the advantage over having a shell script or Makefile that has a check (and fix) target, that is part of the repository, runs in CI to enforce it and can be run locally?
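The two points raised in this thread, scy's (a `.pre-commit-config.yaml` is a list of remote repositories whose code gets fetched and run, and anyone who can push to the repo can add another one) and fh0's (keep the check in the repository itself, e.g. a `make check` target), can be made concrete with a small audit script. The following is an added example written for this page; it is not pre-commit's own code and not from any participant in the thread. It reads a constructed sample config (the repo URLs and hook ids are invented), lists every remote repository the config would download, flags revisions that are mutable git refs such as tags rather than full commit SHAs, and reports which remote repositories a proposed config change would add, which is what a reviewer of that change should be looking at. The `local` repo entry with `language: system` shows how a `make check` target can be invoked without fetching anything. The parser handles only the common `repo` / `rev` / `hooks` / `id` shape, so it does not need a YAML library.

```python
import re

# Constructed sample .pre-commit-config.yaml for this example (not a real project's file).
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/example-org/some-hooks
    rev: v1.2.0
    hooks:
      - id: check-yaml
      - id: trailing-whitespace
  - repo: https://github.com/example-org/other-hooks
    rev: 0123456789abcdef0123456789abcdef01234567
    hooks:
      - id: lint
  - repo: local
    hooks:
      - id: make-check
        name: make check
        entry: make check
        language: system
"""

# Constructed "previous" version of the same file, before the second remote repo was added.
OLD_CONFIG = """\
repos:
  - repo: https://github.com/example-org/some-hooks
    rev: v1.2.0
    hooks:
      - id: check-yaml
      - id: trailing-whitespace
  - repo: local
    hooks:
      - id: make-check
        entry: make check
        language: system
"""

# A full 40-hex-digit commit SHA is the only revision git cannot silently repoint.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# These two repo values are handled by pre-commit itself and fetch nothing.
NO_DOWNLOAD = {"local", "meta"}


def parse_repos(text):
    """Minimal line-based parser for the `repos:` list of a pre-commit config.

    Recognises only `- repo:`, `rev:` and `- id:` lines, which is enough for the
    common config shape; it is deliberately not a general YAML parser.
    """
    repos = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- repo:"):
            current = {"repo": line.split(":", 1)[1].strip(), "rev": None, "hooks": []}
            repos.append(current)
        elif current is not None and line.startswith("rev:"):
            current["rev"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("- id:"):
            current["hooks"].append(line.split(":", 1)[1].strip())
    return repos


def audit(text):
    """Return (repo, risk label, hook ids) for every repo entry in the config.

    Remote repos are the code that gets downloaded and executed on each
    developer's machine; a mutable ref (tag or branch name) means the code
    behind that entry can change without the config file changing.
    """
    findings = []
    for r in parse_repos(text):
        if r["repo"] in NO_DOWNLOAD:
            findings.append((r["repo"], "no download", r["hooks"]))
        elif r["rev"] and SHA_RE.match(r["rev"]):
            findings.append((r["repo"], "remote, pinned to commit", r["hooks"]))
        else:
            findings.append((r["repo"], "remote, mutable ref", r["hooks"]))
    return findings


def added_remotes(old_text, new_text):
    """Remote repos present in new_text but absent from old_text.

    This is the diff a reviewer should insist on seeing: every new entry is a
    new source of code that will run on every contributor's machine.
    """
    old = {r["repo"] for r in parse_repos(old_text)}
    return [r["repo"] for r in parse_repos(new_text)
            if r["repo"] not in old and r["repo"] not in NO_DOWNLOAD]


if __name__ == "__main__":
    for repo, risk, hooks in audit(SAMPLE_CONFIG):
        print(f"{risk:26s} {repo}  hooks={hooks}")
    print("newly added remote repos:", added_remotes(OLD_CONFIG, SAMPLE_CONFIG))
```

Run against a real config by reading the file into `audit()` and comparing the committed version with the working copy in `added_remotes()`; the `rev` check is the cheap part, the point is that every "remote" line in the output is code the repository's contributors are trusting a third party with.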