zlacker

[parent] [thread] 5 comments
1. accelb+(OP)[view] [source] 2026-02-03 20:08:08
I wouldn't want hooks modifying the code. They should be only approve/reject. Ideally landlock rules would give them only ro access to repo dir
replies(3): >>sgarla+EG >>jdxcod+qy2 >>timhh+Nd4
2. sgarla+EG[view] [source] 2026-02-03 23:51:34
>>accelb+(OP)
It depends. I wrote a pre-commit hook (in shell, not pre-commit the tool) at a previous job that ran terraform fmt on any staged files (and added the changes to the commit) because I was really tired of having people push commits that would then fail for trivial things. It was overrideable with an env var.

IMO if there’s a formatting issue, and the tool knows how it should look, it should fix it for you.

replies(1): >>pxc+1h2
3. pxc+1h2[view] [source] [discussion] 2026-02-04 12:57:49
>>sgarla+EG
The standard way for this with current tools is to have the formatter/linter make the changes but exit with a non-zero status, failing the hook. Then the person reviews the changes, stages, and commits. (That's what our setup currently has `tofu fmt` do.)

But if you don't want to have hooks modify code, in a case like this you can also just use `tofu validate`. Our setup does `tflint` and `tofu validate` for this purpose, neither of which modifies the code.

This is also, of course, a reasonable place to have people use `tofu plan`. If you want bad code to fail as quickly as possible, you can do:

tflint -> tfsec -> tofu validate -> tofu plan

That'll catch everything Terraform will let you catch before deploy time— most of it very quickly— without modifying any code.

replies(1): >>sgarla+JH6
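The two hook styles discussed above (format and re-stage versus format and fail so the author reviews), followed by the non-modifying check chain, as one plain-shell pre-commit hook. This is an added example, not code from the thread or from any project mentioned in it. It assumes a git work tree with the script installed as `.git/hooks/pre-commit`, `tofu` on PATH, and treats `tflint` and `tfsec` as optional. The environment variable names `HOOK_AUTOFIX` and `TOFU` are my own choice for this example; `tofu plan` is deliberately left out because it needs provider credentials.

```shell
#!/bin/sh
# Added example pre-commit hook (not from the thread). Formats staged
# OpenTofu/Terraform files; by default it then fails so the author reviews the
# reformatted files, or, when HOOK_AUTOFIX=1 (an example-specific override),
# re-stages them. Afterwards it runs a chain of non-modifying checks in order.
# Assumes: run as .git/hooks/pre-commit inside a git work tree; `tofu` on PATH
# (override with TOFU=terraform); tflint/tfsec are skipped if not installed.
set -eu

TOFU="${TOFU:-tofu}"

# stdin: newline-separated paths; stdout: only .tf / .tfvars paths.
select_tf_files() {
    grep -E '\.(tf|tfvars)$' || true
}

# stdin: paths to format in place. Prints the paths whose content changed.
# Returns 1 if any file changed, 0 if none did, 2 if the formatter itself failed
# (for example on a syntax error). Change detection compares a checksum before
# and after, so it does not depend on the formatter's own output.
fmt_and_report() {
    status=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        before=$(cksum < "$f")
        "$TOFU" fmt "$f" >/dev/null || return 2
        after=$(cksum < "$f")
        if [ "$before" != "$after" ]; then
            printf '%s\n' "$f"
            status=1
        fi
    done
    return $status
}

# Run each command string in order; stop at the first failure.
# A command whose tool is not installed is skipped with a notice.
run_checks_in_order() {
    for cmd in "$@"; do
        tool=${cmd%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "pre-commit: $tool not installed, skipping" >&2
            continue
        fi
        if ! sh -c "$cmd"; then
            echo "pre-commit: '$cmd' failed" >&2
            return 1
        fi
    done
    return 0
}

main() {
    staged=$(git diff --cached --name-only --diff-filter=ACMR | select_tf_files)
    [ -n "$staged" ] || exit 0

    changed=$(printf '%s\n' "$staged" | fmt_and_report) && rc=0 || rc=$?
    case $rc in
        0) ;;
        1)
            if [ "${HOOK_AUTOFIX:-0}" = "1" ]; then
                # Caveat: git add stages the whole file, including edits the
                # author deliberately left unstaged.
                printf '%s\n' "$changed" | while IFS= read -r f; do git add -- "$f"; done
                echo "pre-commit: reformatted and re-staged:" >&2
                printf '%s\n' "$changed" >&2
            else
                echo "pre-commit: formatting changed these files; review, stage and commit again:" >&2
                printf '%s\n' "$changed" >&2
                exit 1
            fi ;;
        *) echo "pre-commit: $TOFU fmt failed" >&2; exit "$rc" ;;
    esac

    # Cheap, non-modifying checks first; plan belongs in CI where credentials live.
    run_checks_in_order "tflint" "tfsec ." "$TOFU validate"
}

# Only run the hook body when installed under that name, so the functions can be
# sourced and exercised without touching a repository.
case "${0##*/}" in pre-commit) main ;; esac
```

Install it with `cp hook.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`. Running the check chain after formatting means a commit that only needed reformatting still gets linted and validated before it is accepted.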
4. jdxcod+qy2[view] [source] 2026-02-04 14:40:32
>>accelb+(OP)
ok but I was replying to a comment about a tool which advertises precisely that feature
5. timhh+Nd4[view] [source] 2026-02-04 22:28:26
>>accelb+(OP)
It's going to be optional - the hooks will always fix the code if they can, but then you can supply a `--no-fix` flag (or config) if you want to tell it to not actually apply those changes to the real filesystem.

It doesn't need Landlock because WASI already provides a VFS.

6. sgarla+JH6[view] [source] [discussion] 2026-02-05 17:46:10
>>pxc+1h2
> make the changes but exit with a non-zero status

That's reasonable. My personal (and that of my team at the time) take was that I was willing to let formatting - and only formatting - be auto-merged into the commit, since that isn't going to impact logic. For anything else, though, I would definitely want to let the submitter review the changes.
