From 2d1b15ecbc5d2dad695f702d0284133bfa445a8a Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Wed, 29 Apr 2026 10:12:22 -0700
Subject: [PATCH] fix(pre-commit): add go build ./... gate for staged Go changes (#1770)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Catches the bot-generated-structurally-invalid-Go class that took staging Platform(Go) red for hours on 2026-04-22 (PR #1769 commit 66ea0b64 nested a function declaration inside another function's body). The patch tool applied it; the Go parser rejected it; every Go PR targeting staging during the window failed CI through no fault of its own.

Hook now runs `cd workspace-server && go build ./...` when any .go file in workspace-server/ is staged. If the build fails, commit is rejected with the first 20 lines of build output. Skip-with-warning when go isn't installed (CI runners + bots without go bypass cleanly).

Cost: ~5-10s per commit that touches Go on a warm cache. Acceptable for the class of bug it catches — the alternative (catch at PR-time via CI) is too late, the malformed commit is already shared.

This is one of the three guards proposed in #1770. The other two (branch-protection on `Platform (Go)` as required check; SHARED_RULES clarification on bot-PR overrides) are admin / process changes that need your action.

Closes the pre-commit half of #1770. Branch-protection + SHARED_RULES work tracks separately.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .githooks/pre-commit | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/.githooks/pre-commit b/.githooks/pre-commit
index 6c53dc73..ecbacd6d 100755
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -95,7 +95,39 @@ if [ -n "$STAGED_GO" ]; then fi # ────────────────────────────────────────────────────────── -# 5. Secrets: No tokens/keys in staged files +# 5. Go: build check — catches bot-generated structurally-invalid Go (#1770) +# ────────────────────────────────────────────────────────── +# +# Background: bot agents have produced syntactically-broken Go that the +# patch tool happily applied (e.g. PR #1769 commit 66ea0b64 — function +# declaration nested inside another function's body). Compilation failed, +# staging Platform(Go) was red for hours. CI catches this AT PR-time but +# by then the malformed commit is already shared. +# +# Pre-commit guard: when ANY .go file in workspace-server/ is staged, run +# `go build ./...` from workspace-server. If it fails, reject the commit. +# Cost: ~5-10s on a warm cache; acceptable for the class of bug it +# catches. Skip when go isn't available (CI runners that need to bypass). + +if [ -n "$STAGED_GO" ]; then + if command -v go >/dev/null 2>&1; then + if ! (cd workspace-server && go build ./... >/tmp/precommit-go-build.log 2>&1); then + echo "❌ GO BUILD FAILED — staged Go changes don't compile (workspace-server/)." + echo " Output:" + sed 's/^/ /' /tmp/precommit-go-build.log | head -20 + echo " Fix the build error before committing. See #1770 for context." + ERRORS=$((ERRORS + 1)) + fi + else + # Bots and CI runners may bypass when go isn't installed — surface a + # warning so the absence is visible, but don't block. Humans hit this + # only if they didn't run setup.sh. + echo "⚠️ go not installed — skipping go-build pre-commit check (#1770)" + fi +fi + +# ────────────────────────────────────────────────────────── +# 6. Secrets: No tokens/keys in staged files # ────────────────────────────────────────────────────────── ALL_STAGED=$(git diff --cached --name-only --diff-filter=ACM || true)
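Review bot: The `go build ./...` call in the new section 5 compiles the files on disk in workspace-server/, not the staged snapshot, so with a partial stage (`git add -p`, or a fix left unstaged) the hook can pass a commit whose staged content does not compile, or reject one that does, while the failure message says "staged Go changes don't compile". Consider building from an export of the index (for example `git checkout-index --prefix=<tmpdir>/ -a` and running the build there) or stating the limitation in the comment block. Smaller points in the same block: the log is written to the fixed path `/tmp/precommit-go-build.log`, which is predictable in a shared /tmp and gets overwritten by concurrent commits from other worktrees, so a `mktemp` file removed on exit would be safer. The `else` branch lets any committer without `go` through with only a warning, which by the comment's own account includes the bots this guard is aimed at, so for them the required CI check remains the only enforcement. `go build` also skips `_test.go` files, so the same structural breakage in a test file would not be caught here; `go vet ./...` compiles those as well.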