Pre-Commit Hooks for Mac Admins
This repository contains hooks for pre-commit that may be useful to Mac admins, client engineers, and other Apple-focused IT professionals.
Requirements
To use these hooks, you first need to install pre-commit using the instructions here: https://pre-commit.com/#install
Adding hooks to your pre-commit config
For any hook in this repo you wish to use, add the following to your pre-commit config:
- repo: https://github.com/homebysix/pre-commit-macadmin
  rev: v1.12.2
  hooks:
    - id: check-plists
    # - id: ...
After adding a hook to your pre-commit config, it's not a bad idea to run pre-commit autoupdate to ensure you have the latest version of the hooks.
Hooks available
General
- check-git-config-email
  This hook checks to ensure the Git config email matches one of the specified domains:
  args: ['--domains', 'pretendco.com', 'contoso.com', '--']
- check-plists
  This hook checks XML property list (plist) files for basic syntax errors.
- check-munkipkg-buildinfo
  This hook checks MunkiPkg build-info files to ensure they are valid.
- check-outset-scripts
  This hook checks Outset scripts to ensure they're executable.
AutoPkg
- check-autopkg-recipe-list
  This hook checks AutoPkg recipe lists (in txt, plist, yaml, or json format) for common issues.
- check-autopkg-recipes
  This hook checks AutoPkg recipes to ensure they meet various requirements and conventions.
  - Optionally specify your preferred AutoPkg recipe and/or override prefix, if you wish to enforce them:
    args: ['--override-prefix=com.yourcompany.autopkg.'] (default: local.)
    args: ['--recipe-prefix=com.github.yourusername.'] (default: com.github.)
  - Optionally specify the version of AutoPkg for which you want to ignore MinimumVersion mismatches with processors.
    args: ['--ignore-min-vers-before=0.5.0'] (default: 1.0.0)
    Specifying 0.1.0 will not ignore any MinimumVersion mismatches.
  - If you're a purist, you can also enable strict mode. This enforces recipe type conventions, all processor/MinimumVersion mismatches, forbids <!-- --> style comments, and ensures all processor input variables (arguments) are valid.
    args: ['--strict'] (default: False)
- forbid-autopkg-overrides
  This hook prevents AutoPkg overrides from being added to the repo.
- forbid-autopkg-trust-info
  This hook prevents AutoPkg recipes with trust info from being added to the repo.
Jamf
- check-jamf-extension-attributes
  This hook checks Jamf extension attributes for common issues. (Looks for EAs in a path containing jamf/extension_attributes or jss/extension_attributes.)
- check-jamf-scripts
  This hook checks Jamf scripts for common issues. (Looks for scripts in a path containing jamf/scripts or jss/scripts.)
- check-jamf-profiles
  This hook checks Jamf profiles for common issues. (Looks for profiles in a path containing jamf/profiles or jss/profiles.)
Munki
- check-munki-pkgsinfo
  This hook checks Munki pkginfo files to ensure they are valid.
  - Specify your preferred list of pkginfo catalogs, if you wish to enforce it, followed by -- to signal the end of the list:
    args: ['--catalogs', 'testing', 'stable', '--']
  - Specify your preferred list of pkginfo categories, if you wish to enforce it, followed by --:
    args: ['--categories', 'Productivity', 'Design', 'Utilities', 'Web Browsers', '--']
  - Specify required pkginfo keys, followed by --:
    args: ['--required-keys', 'category', 'description', 'developer', 'name', 'version', '--']
    (default: description, name)
- check-munkiadmin-scripts
  This hook ensures MunkiAdmin scripts are executable.
- munki-makecatalogs
  This hook runs the "makecatalogs" command to ensure all referenced packages are present and catalogs are up to date.
Note about combining arguments
When combining arguments that take lists (for example: --required-keys, --catalogs, and --categories), only the last list needs to have a trailing --. For example, if you use the check-munki-pkgsinfo hook with only the --catalogs argument, your yaml config would look like this:
- repo: https://github.com/homebysix/pre-commit-macadmin
  rev: v1.12.2
  hooks:
    - id: check-munki-pkgsinfo
      args: ['--catalogs', 'testing', 'stable', '--']
But if you also use the --categories argument, you would move the trailing -- to the end, after all the lists, like this:
- repo: https://github.com/homebysix/pre-commit-macadmin
  rev: v1.12.2
  hooks:
    - id: check-munki-pkgsinfo
      args: ['--catalogs', 'testing', 'stable', '--categories', 'Design', 'Engineering', 'Web Browsers', '--']
The -- only serves as a signal to the hook that the list of arguments is complete, and is only needed for "list" type arguments.
If it looks better to your eye, feel free to use a multi-line list for long arguments:
- repo: https://github.com/homebysix/pre-commit-macadmin
  rev: v1.12.2
  hooks:
    - id: check-munki-pkgsinfo
      args: [
        '--required-keys', 'description', 'name', 'developer', 'category', 'version',
        '--catalogs', 'testing', 'stable',
        '--categories', 'Communication', 'Design', 'Engineering', 'macOS', 'Printers',
        'Productivity', 'Security', 'Utilities', 'Web Browsers',
        '--']
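Why the trailing -- matters, shown as an added example (not code from this repository): pre-commit appends the staged file paths after the configured args, so an unterminated list option absorbs them. The parser shape (argparse with list options followed by filenames) is an assumption, and build_parser, parse_as_hook and unterminated_list are hypothetical names.

```python
import argparse

# Options the README describes as taking lists. Only the last list before
# the filenames needs a closing "--".
LIST_OPTS = ("--catalogs", "--categories", "--required-keys")


def build_parser():
    """Stand-in parser (assumed shape): list options, then staged filenames."""
    parser = argparse.ArgumentParser()
    for opt in LIST_OPTS:
        parser.add_argument(opt, nargs="+", default=[])
    parser.add_argument("filenames", nargs="*")
    return parser


def parse_as_hook(configured_args, staged_files):
    """pre-commit runs a hook as: <entry> <args...> <staged filenames...>."""
    return build_parser().parse_args(list(configured_args) + list(staged_files))


def unterminated_list(configured_args):
    """True if the last list option in the configured args has no closing "--"."""
    list_open = False
    for token in configured_args:
        if token in LIST_OPTS:
            list_open = True
        elif token.startswith("--"):  # "--" itself, or any non-list option
            list_open = False
    return list_open


# Constructed sample input: two staged pkginfo paths.
STAGED = ["pkgsinfo/apps/Firefox-1.0.plist", "pkgsinfo/apps/Zoom-2.0.plist"]

if __name__ == "__main__":
    good = parse_as_hook(["--catalogs", "testing", "stable", "--"], STAGED)
    bad = parse_as_hook(["--catalogs", "testing", "stable"], STAGED)
    print("with --   :", good.catalogs, good.filenames)
    print("without --:", bad.catalogs, bad.filenames)
    print("config lint:", unterminated_list(["--catalogs", "testing", "stable"]))
```

Under this assumed parser, omitting the terminator turns the file paths into catalog names and leaves the hook with no files to check, so the check can pass without validating anything. Running unterminated_list over the args in a pre-commit config catches that before it reaches a commit.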
Recommendations
If you find my hooks useful, you may also want to use one or more of the Python, Markdown, and Git-related hooks listed here: https://pre-commit.com/hooks.html
Specifically, here are a few I use for Mac admin work:
check-added-large-files
check-executables-have-shebangs
check-merge-conflict
check-yaml
detect-aws-credentials
detect-private-key
mixed-line-ending
no-commit-to-branch
trailing-whitespace