Pre-Commit Hooks for Mac Admins

This repository contains hooks for pre-commit that may be useful to Mac admins, client engineers, and other Apple-focused IT professionals.

Requirements

To use these hooks, you first need to install pre-commit using the instructions here: https://pre-commit.com/#install

Adding hooks to your pre-commit config

For any hook in this repo you wish to use, add the following to your pre-commit config:

-   repo: https://github.com/homebysix/pre-commit-macadmin
    rev: v1.15.0
    hooks:
    -   id: check-plists
    # -   id: ...

After adding a hook to your pre-commit config, it's not a bad idea to run pre-commit autoupdate to ensure you have the latest version of the hooks.

Hooks available

General

• check-git-config-email

  This hook checks to ensure the Git config email matches one of the specified domains: args: ['--domains', 'pretendco.com', 'contoso.com', '--']

• check-plists

  This hook checks XML property list (plist) files for basic syntax errors.

• check-munkipkg-buildinfo

  This hook checks MunkiPkg build-info files to ensure they are valid.

• check-outset-scripts

  This hook checks Outset scripts to ensure they're executable.

AutoPkg

• check-autopkg-recipe-list

  This hook checks AutoPkg recipe lists (in txt, plist, yaml, or json format) for common issues.

• check-autopkg-recipes

  This hook checks AutoPkg recipes to ensure they meet various requirements and conventions.

  • Optionally specify your preferred AutoPkg recipe and/or override prefix, if you wish to enforce them: args: ['--override-prefix=com.yourcompany.autopkg.']
    (default: local.)
    args: ['--recipe-prefix=com.github.yourusername.']
    (default: com.github.)

  • Optionally specify the version of AutoPkg for which you want to ignore MinimumVersion mismatches with processors. args: ['--ignore-min-vers-before=0.5.0']
    (default: 1.0.0)
    Specifying 0.1.0 will not ignore any MinimumVersion mismatches.

  • If you're a purist, you can also enable strict mode. This enforces recipe type conventions, all processor/MinimumVersion mismatches, forbids <!-- --> style comments, and ensures all processor input variables (arguments) are valid.
    args: ['--strict']
    (default: False)

• forbid-autopkg-overrides

  This hook prevents AutoPkg overrides from being added to the repo.

• forbid-autopkg-trust-info

  This hook prevents AutoPkg recipes with trust info from being added to the repo.

Jamf

• check-jamf-extension-attributes

  This hook checks Jamf extension attributes for common issues. (Looks for EAs in a path containing jamf/extension_attributes or jss/extension_attributes.)

• check-jamf-scripts

  This hook checks Jamf scripts for common issues. (Looks for scripts in a path containing jamf/scripts or jss/scripts.)

• check-jamf-profiles

  This hook checks Jamf profiles for common issues. (Looks for profiles in a path containing jamf/profiles or jss/profiles.)

Munki

• check-munki-pkgsinfo

  This hook checks Munki pkginfo files to ensure they are valid.

  • Specify your preferred list of pkginfo catalogs, if you wish to enforce it, followed by -- to signal the end of the list: args: ['--catalogs', 'testing', 'stable', '--']

  • Specify your preferred list of pkginfo categories, if you wish to enforce it, followed by --: args: ['--categories', 'Productivity', 'Design', 'Utilities', 'Web Browsers', '--']

  • Specify required pkginfo keys, followed by --: args: ['--required-keys', 'category', 'description', 'developer', 'name', 'version', '--'] (default: description, name)

  • Specify an alternate munki repo location by passing the argument: args: ['--munki-repo', './my_repo_location'] (default: ".")

  • Choose to just warn on missing icons with a flag, note if no other issues exist this will allow pre-commit to pass without seeing the warnings: args: ['--warn-on-missing-icons]

  • Add additional shebangs that are valid for your environment: args: ['--valid-shebangs', '#!/bin/macadmin/python37', '#!/bin/macadmin/python42', '--']

• check-munkiadmin-scripts

  This hook ensures MunkiAdmin scripts are executable.

• munki-makecatalogs

  This hook runs the "makecatalogs" command to ensure all referenced packages are present and catalogs are up to date.

  • Specify an alternate munki repo location by passing the argument: args: ['--munki-repo', './my_repo_location'] (default: ".")

Note about combining arguments

When combining arguments that take lists (for example: --required-keys, --catalogs, and --categories), only the last list needs to have a trailing --. For example, if you use the check-munki-pkgsinfo hook with only the --catalogs argument, your yaml config would look like this:

-   repo: https://github.com/homebysix/pre-commit-macadmin
    rev: v1.15.0
    hooks:
    -   id: check-munki-pkgsinfo
        args: ['--catalogs', 'testing', 'stable', '--']

But if you also use the --categories argument, you would move the trailing -- to the end, after all the lists, like this:

-   repo: https://github.com/homebysix/pre-commit-macadmin
    rev: v1.15.0
    hooks:
    -   id: check-munki-pkgsinfo
        args: ['--catalogs', 'testing', 'stable', '--categories', 'Design', 'Engineering', 'Web Browsers', '--']

The -- only serves as a signal to the hook that the list of arguments is complete, and is only needed for "list" type arguments.

If it looks better to your eye, feel free to use a multi-line list for long arguments:

-   repo: https://github.com/homebysix/pre-commit-macadmin
    rev: v1.15.0
    hooks:
    -   id: check-munki-pkgsinfo
        args: [
            '--required-keys', 'description', 'name', 'developer', 'category', 'version',
            '--catalogs', 'testing', 'stable',
            '--categories', 'Communication', 'Design', 'Engineering', 'macOS', 'Printers',
                'Productivity', 'Security',  'Utilities', 'Web Browsers',
            '--']

Recommendations

If you find my hooks useful, you may also want to use one or more of the Python, Markdown, and Git-related hooks listed here: https://pre-commit.com/hooks.html

Specifically, here are a few I use for Mac admin work:

• check-added-large-files
• check-executables-have-shebangs
• check-merge-conflict
• check-yaml
• detect-aws-credentials
• detect-private-key
• mixed-line-ending
• no-commit-to-branch
• trailing-whitespace