Skip to content

Compliance: verification improvements and task-tracker initialization #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
metyatech wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Compliance: verification improvements and task-tracker initialization #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 9 additions & 11 deletions .githooks/pre-commit
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
#!/bin/sh

# Run verification (markdownlint for markdown-only repos)
if command -v markdownlint > /dev/null 2>&1; then
markdownlint **/*.md --ignore node_modules --ignore AGENTS.md || exit 1
fi

# Update AGENTS.md (non-blocking)
if command -v compose-agentsmd > /dev/null 2>&1; then
compose-agentsmd --compose || true
git add AGENTS.md || true
#!/bin/sh
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Normalize pre-commit shebang to LF line endings

The updated hook is committed with CRLF line endings, so on POSIX environments the shebang becomes #!/bin/sh\r and Git cannot execute the hook (cannot execute: required file not found). This blocks all commits for contributors running the repo from Linux/macOS (including WSL/containers), so the hook change effectively breaks the commit workflow outside Git for Windows.

Useful? React with 👍 / 👎.


# Run full verification suite
powershell.exe -NoProfile -ExecutionPolicy Bypass -File scripts/verify.ps1 || exit 1
Copy link

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pre-commit hook invokes powershell.exe with -ExecutionPolicy Bypass, which disables PowerShell's execution policy and can circumvent enterprise script restrictions, allowing unsigned or tampered scripts/verify.ps1 to run even where such scripts would normally be blocked. An attacker who can modify this repository or the scripts/verify.ps1 file could abuse this hook to bypass host security controls and execute arbitrary code on developers' machines. Remove the -ExecutionPolicy Bypass flag (or adopt a stricter policy with script signing) so that PowerShell's configured execution policy continues to provide its intended protection.

Suggested change
powershell.exe -NoProfile -ExecutionPolicy Bypass -File scripts/verify.ps1 || exit 1
powershell.exe -NoProfile -File scripts/verify.ps1 || exit 1

Copilot uses AI. Check for mistakes.

Comment on lines +4 to +5
Copy link

Copilot AI Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The hook hard-codes powershell.exe, but CI runs the verification script under pwsh. To avoid failures on environments where Windows PowerShell isn’t available (or to keep consistent behavior), consider invoking pwsh when available and falling back to powershell.exe otherwise.

Suggested change
powershell.exe -NoProfile -ExecutionPolicy Bypass -File scripts/verify.ps1 || exit 1
if command -v pwsh > /dev/null 2>&1; then
POWERSHELL_CMD="pwsh"
elif command -v powershell > /dev/null 2>&1; then
POWERSHELL_CMD="powershell"
elif command -v powershell.exe > /dev/null 2>&1; then
POWERSHELL_CMD="powershell.exe"
else
echo "Error: Neither 'pwsh' nor 'powershell'/'powershell.exe' found in PATH." >&2
exit 1
fi
"$POWERSHELL_CMD" -NoProfile -ExecutionPolicy Bypass -File scripts/verify.ps1 || exit 1

Copilot uses AI. Check for mistakes.
# Update AGENTS.md (non-blocking)
if command -v compose-agentsmd > /dev/null 2>&1; then
compose-agentsmd --compose || true
git add AGENTS.md || true
fi
3 changes: 3 additions & 0 deletions .tasks.jsonl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{"id":"atyNml2D","description":"chore: update pre-commit hook to run full verification suite","stage":"done","createdAt":"2026-03-06T02:52:06.435Z","updatedAt":"2026-03-06T03:03:29.514Z"}
{"id":"7SSvuCYY","description":"chore: fill in missing email in CODE_OF_CONDUCT.md","stage":"done","createdAt":"2026-03-06T02:52:06.537Z","updatedAt":"2026-03-06T03:03:29.617Z"}
{"id":"zra1b1kZ","description":"test: add mocked unit tests for UnityEditorLibrary","stage":"done","createdAt":"2026-03-06T02:52:06.641Z","updatedAt":"2026-03-06T03:03:29.725Z"}
Loading