Add pre-commit hooks and gitleaks pipeline

.envrc

@@ -1 +1 @@
-dotenv_if_exists .test.env
+dotenv_if_exists .test.env

.github/dependabot.yml

@@ -13,7 +13,7 @@ updates:
       # Used to get an immediate test
       time: "05:10"
       timezone: "Etc/UTC"
-      
+
   - package-ecosystem: "github-actions" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:

.github/workflows/build-all-targets.yml

@@ -13,6 +13,8 @@ concurrency:
 jobs:
   build-tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

.github/workflows/build-and-push-upgrade-hawk.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-  
+
   release:
     types:
       - 'published'

.github/workflows/build-and-push.yaml

@@ -94,4 +94,3 @@ jobs:
             --private-key $WEB_PRIVATE_KEY \
             --rpc-url https://worldchain-sepolia.g.alchemy.com/public \
             "addAllowedHash(bytes32)" ${DIGEST:7}
-

.github/workflows/check-licenses.yaml

@@ -8,6 +8,8 @@ on:
 jobs:
   cargo-deny:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0
       - uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad

.github/workflows/check-secrets.yml

@@ -0,0 +1,21 @@
+name: Check secret leaks
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  check-secret-leaks:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - name: Run Gitleaks v8.28.0 on full history
+        run: |
+          docker run --rm -v $(pwd):/repo ghcr.io/gitleaks/gitleaks@sha256:cdbb7c955abce02001a9f6c9f602fb195b7fadc1e812065883f695d1eeaba854 \
+            detect --source /repo --verbose --no-git

.github/workflows/cpu-genesis-e2e-tests.yaml

@@ -15,6 +15,8 @@ jobs:
     timeout-minutes: 20
     runs-on:
       labels: ubuntu-22.04-16core
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 

.github/workflows/cpu-integration-tests.yaml

@@ -15,6 +15,8 @@ jobs:
     timeout-minutes: 20
     runs-on:
       labels: ubuntu-22.04-16core
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 

.github/workflows/doc.yml

@@ -13,6 +13,8 @@ concurrency:
 jobs:
   doc:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

.github/workflows/lint-rustfmt.yaml

@@ -10,6 +10,8 @@ concurrency:
 jobs:
   fmt:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

.github/workflows/prod-deploy-approvals.yml

@@ -20,17 +20,17 @@ jobs:
           script: |
             // Configuration - modify these values as needed
             const protectedPath = 'deploy/prod';
-            
+
             // Define approval groups - each group must have at least one approval
             approversGroupA = [
-              'philsippl', 
-              'eaypek-tfh', 
-              'carlomazzaferro', 
-              'wojciechsromek', 
-              'leonanos8', 
+              'philsippl',
+              'eaypek-tfh',
+              'carlomazzaferro',
+              'wojciechsromek',
+              'leonanos8',
               'danielle-tfh'
             ];
-            
+
             approversGroupB = [
               'camelop',      // UC Berkeley
               'stneng',       // UC Berkeley
@@ -43,16 +43,16 @@ jobs:
               'SyrineSlim',   // FAU
               'sebhlr'        // FAU
             ];
-            
+
             const approvalGroups = new Map([
               ['Group A', approversGroupA],
               ['Group B', approversGroupB]
             ]);
-            
+
             const pull_number = context.payload.pull_request.number;
             const { owner, repo } = context.repo;
             core.info(`Checking PR #${pull_number} in ${owner}/${repo}`);
-            
+
             const files = await github.paginate(github.rest.pulls.listFiles, {
               owner,
               repo,
@@ -61,12 +61,12 @@ jobs:
             core.info(`Found ${files.length} changed files`);
             const fileNames = files.map(f => f.filename).join(', ');
             core.info(`Changed files: ${fileNames}`);
-            
+
             const touchesProdDeploy = files.some((file) =>
               file.filename === protectedPath || file.filename.startsWith(`${protectedPath}/`)
             );
             core.info(`Touches ${protectedPath}: ${touchesProdDeploy}`);
-            
+
             if (!touchesProdDeploy) {
               core.info(`No changes in ${protectedPath} detected. Skipping approval requirements.`);
               return;
@@ -110,14 +110,14 @@ jobs:
             // Check approvals for each group
             const groupApprovalStatus = new Map();
             const groupApprovers = new Map();
-            
+
             for (const [groupName, members] of approvalGroups) {
               const approvers = approvedLogins.filter((login) => members.includes(login));
               const hasApproval = approvers.length > 0;
-              
+
               groupApprovers.set(groupName, approvers);
               groupApprovalStatus.set(groupName, hasApproval);
-              
+
               core.info(`${groupName} approvers: [${approvers.join(', ')}] - Has approval: ${hasApproval}`);
             }
 

.github/workflows/run-unit-tests.yaml

@@ -16,6 +16,8 @@ jobs:
     timeout-minutes: 20
     runs-on:
       labels: ubuntu-22.04-16core
+    permissions:
+      contents: read
 
     services:
       postgres:

.github/workflows/temp-branch-build-and-push-upgrade-hawk.yaml

@@ -1,4 +1,4 @@
-name: Branch - Hawk Upgrade Build and push docker image 
+name: Branch - Hawk Upgrade Build and push docker image
 
 on:
   push:
@@ -47,4 +47,3 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           file: Dockerfile.genesis.hawk
-

.github/workflows/test-gpu.yaml

@@ -13,6 +13,8 @@ jobs:
   gpu-e2e:
     runs-on: arc-gpu-amd64-runner
     timeout-minutes: 25
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
@@ -59,7 +61,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev protobuf-compiler
 
       - name: Install CUDA and NCCL dependencies
-        if: steps.changed-files-yaml.outputs.src_any_changed == 'true' && 
+        if: steps.changed-files-yaml.outputs.src_any_changed == 'true' &&
             steps.cache-cuda-nccl.outputs.cache-hit != 'true'
         env:
           DEBIAN_FRONTEND: noninteractive

.pre-commit-config.yaml

@@ -0,0 +1,65 @@
+# Pre-commit hooks configuration
+# See https://pre-commit.com for more information
+
+repos:
+  # General pre-commit hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: 2c9f875913ee60ca25ce70243dc24d5b6415598c  # v4.6.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: ^(.*\.md|.*\.sage)$
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args: ['--unsafe']  # Allow custom tags in k8s yaml files
+      - id: check-toml
+      - id: check-added-large-files
+        args: ['--maxkb=1000']
+      - id: check-merge-conflict
+      - id: check-case-conflict
+      - id: mixed-line-ending
+        args: ['--fix=lf']
+      - id: detect-private-key
+
+  # Gitleaks - Secret detection
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: 4fb43823ef3d152d239e92d7d5cb04783b548062  # v8.28.0
+    hooks:
+      - id: gitleaks
+
+  # Rust formatting
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        description: Format Rust code with rustfmt
+        entry: cargo fmt
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-clippy
+        name: cargo clippy
+        description: Lint Rust code with clippy
+        entry: cargo clippy
+        args: ['--all-targets', '--all-features', '--', '-D', 'warnings']
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-check
+        name: cargo check
+        description: Check Rust code compiles
+        entry: cargo check
+        args: ['--all-targets', '--all-features']
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-doc
+        name: cargo doc
+        description: Check Rust documentation
+        entry: cargo doc
+        args: ['--no-deps', '--document-private-items']
+        language: system
+        types: [rust]
+        pass_filenames: false

Dockerfile.genesis.dev.hawk

@@ -56,4 +56,4 @@ COPY scripts/run-server-docker.sh .
 
 USER 65534
 
-ENTRYPOINT ["./run-server-docker.sh", "genesis"] 
+ENTRYPOINT ["./run-server-docker.sh", "genesis"]

README.md

@@ -29,6 +29,13 @@ We welcome contributions to this project! Please follow these guidelines when co
 - Include appropriate tests for new functionality
 - Update documentation as needed
 
+### Pre-commit hooks
+We use pre-commit hooks to ensure our changes adhere to the project's standards. Please set up pre-commit hooks by running:
+```bash
+./scripts/setup-pre-commit.sh
+pre-commit run --all-files
+```
+
 ## How to release
 
 New releases are created automagically by [Release Drafter GH action](https://github.com/worldcoin//gpu-iris-mpc/actions/workflows/release.yaml).

SECURITY.md

@@ -30,4 +30,4 @@ Please report security bugs in third-party software to the original maintainers.
 
 ### Responsible Disclosure
 
-We believe that responsible disclosure is a net benefit for the community and subsequently encourage researchers to publish their findings after the issues have been remediated. We do ask, however, that you allow sufficient time for patches to be deployed globally, so please coordinate with Worldcoin PSIRT prior to publishing, either through the bug bounty program or over email. For more information on responsible disclosure, please see Google Project Zero’s [Vulnerability Disclosure policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html) as an example.
+We believe that responsible disclosure is a net benefit for the community and subsequently encourage researchers to publish their findings after the issues have been remediated. We do ask, however, that you allow sufficient time for patches to be deployed globally, so please coordinate with Worldcoin PSIRT prior to publishing, either through the bug bounty program or over email. For more information on responsible disclosure, please see Google Project Zero’s [Vulnerability Disclosure policy](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html) as an example.

deploy/README.md

@@ -79,4 +79,3 @@ After updating the image URL in all necessary files, commit the changes and crea
 6. Once the PR is approved, merge it into the main branch.
 
 7. After merging the PR, ArgoCD will automatically detect the configuration updates within 5 minutes, pull the updated configuration, and start the upgrade process. 
-

deploy/dev/README.md

@@ -146,4 +146,4 @@ cargo run --release --bin client -- \
    --response-queue-url https://sqs.eu-central-1.amazonaws.com/238407200320/hnsw-smpc-results.fifo \
    --n-batches 1 \
    --batch-size 5
-```
+```

deploy/dev/ampc-hnsw-0-dev/values-ampc-hnsw.yaml

@@ -187,7 +187,7 @@ env:
 
   - name: SMPC__TLS__CLIENT_ONLY_TLS
     value: "false"
-    
+
 initContainer:
   enabled: true
   image: "amazon/aws-cli:2.17.62"

deploy/e2e/iris-mpc-0.yaml.tpl

@@ -263,7 +263,7 @@ iris-mpc-0:
 
     - name : SMPC__ENABLE_DEBUG_TIMING
       value: "true"
-    
+
     - name : SMPC__FULL_SCAN_SIDE_SWITCHING_ENABLED
       value: "false"
 

deploy/e2e/iris-mpc-1.yaml.tpl

@@ -245,7 +245,7 @@ iris-mpc-1:
 
     - name: SMPC__FIXED_SHARED_SECRETS
       value: "true"
-      
+
     - name: SMPC__NODE_HOSTNAMES
       value: '["iris-mpc-0.$ENV.svc.cluster.local","iris-mpc-1.$ENV.svc.cluster.local","iris-mpc-2.$ENV.svc.cluster.local"]'
 

deploy/prod/common-values-ampc-hnsw.yaml

@@ -122,7 +122,7 @@ nginxSidecar:
       # Run nginx as non-root user - use /tmp for PID file
       pid /tmp/nginx.pid;
       worker_processes  auto;
-  
+
       # Send error logs to stderr
       error_log /dev/stderr info;