Add pre-commit guard against ETHERPAD_DOMAIN leaks#655
Merged
Conversation
Fails the commit if ETHERPAD_DOMAIN is unset (and not in .env), or if its value appears in any file in the staged index. Backstop against re-leaking the pad host into public history. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Build Performance⚡ +0.08s (+1.3%) average build time
|
Table column padding shifted after recent content edits. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a pre-commit guard that refuses to commit if the production Etherpad domain (read from the ETHERPAD_DOMAIN env var, falling back to a parsed .env) appears anywhere in the staged index. Wires the new script into the existing Husky pre-commit hook after lint-staged.
Changes:
- New
scripts/check-no-etherpad-domain.shthat resolvesETHERPAD_DOMAIN(env →.env), aborts if unset, and usesgit grep --cached -Fto block commits containing the literal value (excluding.env*and the script itself). - Updates
.husky/pre-committo invoke the new script afterlint-staged.
Reviewed changes
Copilot reviewed 2 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/check-no-etherpad-domain.sh | New bash guard: parses ETHERPAD_DOMAIN from env/.env, then git grep --cached -F against staged content to block commits leaking the value. |
| .husky/pre-commit | Adds invocation of the new guard script after pnpm exec lint-staged. |
Comments suppressed due to low confidence (1)
scripts/check-no-etherpad-domain.sh:22
- If
ETHERPAD_DOMAINis set to a very short or common string (in.envor the environment),git grep -Fwill produce many false-positive matches and block all commits. There is no minimum-length sanity check on the value. Consider validating that the value is plausibly a domain (e.g. contains a dot and is at least a few characters) before running the search.
if [ -z "${ETHERPAD_DOMAIN:-}" ]; then
echo "pre-commit: ETHERPAD_DOMAIN is unset and not found in .env." >&2
echo "Set it (e.g. in .env) so this hook can verify no staged file contains the value." >&2
exit 1
fi
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Strip whitespace and # comments when extracting ETHERPAD_DOMAIN from .env so the guard doesn't silently match a value that includes a trailing comment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces the hand-rolled bash .env parser with `dotenv/config`, which already handles comments, quoting, and escapes correctly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Lets knip discover it and gives the hook a friendlier invocation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Render was relying on a cached node_modules; the recent history rewrite invalidated the cache and there's no auto-install step, so \`pnpm run build\` errored with \`astro: not found\`. Make install explicit so the build is reproducible from a clean checkout. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Render's render.yaml buildCommand is snapshotted at service creation and not re-read on push, so changes there don't take effect without a manual Blueprint sync. Moving the install fallback into a pnpm prebuild hook keeps \`pnpm run build\` self-contained: locally it's a no-op (astro already in node_modules/.bin), on a clean checkout it installs first. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirror the expost approval — pixelteer is also a git-hosted dep that runs prepare scripts during install, which Render rejects under the tightened onlyBuiltDependencies allowlist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Builds don't reach any devDependency (pixelteer is used only in the manual puppeteer scripts; vitest/diffable-html only in snapshot specs), so installing dev deps just added install time and forced us to whitelist git-hosted dev deps in onlyBuiltDependencies. Switch the prebuild to \`--prod\` and drop the pixelteer entry. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Accessibility IssuesSummaryNo baseline issues found.
Issue Breakdown
|
Previous file-existence check failed silently inside pnpm's script shell. \$RENDER is set by Render and only by Render, so this scopes the install to where it's needed and stays a no-op locally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
\`pnpm install --prod\` skips devDependencies inside git-hosted deps too — and expost's own prepare script needs tsc (a devDep) to build itself from source. So the install has to include dev deps, which means pixelteer (also git-hosted with build scripts) needs to stay in the allowlist. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dreeves
temporarily deployed
to
feat/etherpad-domain-precommit-guard - beeblog PR #655
Render
Destroyed
This was referenced May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
scripts/check-no-etherpad-domain.shfails the commit ifETHERPAD_DOMAINis unset (and absent from.env), or if its literal value appears anywhere in the staged index..husky/pre-commitafterlint-staged.Test plan
.env→ commit blocked with explanatory message.envand present in tree → commit blocked🤖 Generated with Claude Code