fix: Add missing :

.github/workflows/pre-commit.yaml

@@ -0,0 +1,24 @@
+name: pre-commit
+
+on:
+  pull_request: {}
+  push:
+    branches: main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone Repository
+        uses: actions/checkout@v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Install pre-commit
+        shell: bash
+        run: uv tool install pre-commit --with pre-commit-uv
+      - run: pre-commit run --show-diff-on-failure --color=always --all-files
+        shell: bash

.pre-commit-config.yaml

@@ -5,8 +5,6 @@
 # Available pre-commit hooks
 #   https://pre-commit.com/hooks.html
 
-default_language_version:
-    python: python3.7
 fail_fast: true
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -22,12 +20,13 @@ repos:
   hooks:
   - id: check-useless-excludes
 - repo: https://github.com/Yelp/detect-secrets
-  rev: v0.13.0
+  rev: v1.5.0
   hooks:
   - id: detect-secrets
     args: ['--baseline', '.secrets.baseline']
-- repo: https://github.com/mozilla-it/jsonschema-on-yaml
-  rev: main
+- repo: https://github.com/python-jsonschema/check-jsonschema
+  rev: 0.35.0
   hooks:
-  - id: jsonschema-on-yaml
-    args: ['refractr/refractr.yml', 'refractr/schema.yml']
+    - id: check-jsonschema
+      files: 'refractr\.yml$'
+      args: ['--schemafile', 'refractr/schema.json']

.secrets.baseline

@@ -1,54 +1,137 @@
 {
-  "exclude": {
-    "files": null,
-    "lines": null
-  },
-  "generated_at": "2020-04-03T02:39:25Z",
+  "version": "1.5.0",
   "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
     {
       "name": "AWSKeyDetector"
     },
     {
-      "name": "ArtifactoryDetector"
+      "name": "AzureStorageKeyDetector"
     },
     {
-      "base64_limit": 4.5,
-      "name": "Base64HighEntropyString"
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
     },
     {
       "name": "BasicAuthDetector"
     },
     {
-      "hex_limit": 3,
-      "name": "HexHighEntropyString"
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
     },
     {
       "name": "JwtTokenDetector"
     },
     {
-      "keyword_exclude": null,
-      "name": "KeywordDetector"
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
     },
     {
       "name": "MailchimpDetector"
     },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
     {
       "name": "PrivateKeyDetector"
     },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
     {
       "name": "SlackDetector"
     },
     {
       "name": "SoftlayerDetector"
     },
+    {
+      "name": "SquareOAuthDetector"
+    },
     {
       "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
     }
   ],
-  "results": {},
-  "version": "0.13.0",
-  "word_list": {
-    "file": null,
-    "hash": null
-  }
+  "results": {
+    "docs/SRE_INFO.md": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "docs/SRE_INFO.md",
+        "hashed_secret": "19f5128f9b42e46e7ec93f4fc2882c9906c63fc2",
+        "is_verified": false,
+        "line_number": 73
+      }
+    ]
+  },
+  "generated_at": "2025-11-23T20:47:13Z"
 }

docs/refractr-architecture.md

@@ -29,7 +29,7 @@ The refractr.yml spec allows for specifying tests in the form of given-source to
 ### minimal changes
 Due to the nature of redirects and rewrites it is common to add new domains or subtract old ones. This means that the nginx config needs to be told which are the valid list of domains and update them when deploying a new refractr Docker image to GKE. When a new version of the refractr image is pushed to prod, redirects are already live.
 
-In a second step, certificates must be created and linked to refractr's Loadbalancer -- this step currently requires a second PR to be opened after deployment. All certificates are managed with GCP's certificate manager api and attached to the Loadbalancer by a certmap, we manage all of those resources via terraform in refractr's infrastructure project. 
+In a second step, certificates must be created and linked to refractr's Loadbalancer -- this step currently requires a second PR to be opened after deployment. All certificates are managed with GCP's certificate manager api and attached to the Loadbalancer by a certmap, we manage all of those resources via terraform in refractr's infrastructure project.
 
 ## refractr traffic flow
 Traffic flow to refractr starts with DNS. A domain that should be handled by the system must be pointed to it's Loadbalancer, usually by a CNAME, in some cases, by A / AAAA records. Once a request reaches the Loadbalancer, we force HTTPS, then forward to the actual application pods, which then handle individual redirects as configured.

examples/complex-redirect.yml

@@ -59,4 +59,3 @@ validate:
         - 301 http://lockwise.firefox.com/ -> https://www.mozilla.org/firefox/lockwise/ MATCHED
         test-result: MATCHED
     validate-result: SUCCESS
-

examples/complex-rewrite-with-if-and-redirect.yml

@@ -68,4 +68,3 @@ validate:
         hops:
         - 301 http://en-uk.start.mozilla.com/ -> https://start.mozilla.org/en-uk/ MATCHED
         test-result: MATCHED
-

examples/simple-multiple-sources.yml

@@ -41,4 +41,3 @@ validate:
         - 301 http://labs.mozilla.com -> https://labs.mozilla.org/ MATCHED
         test-result: MATCHED
     validate-result: SUCCESS
-

examples/simple-single-source.yml

@@ -31,4 +31,3 @@ validate:
         - 301 http://wiki.mozilla.com -> https://wiki.mozilla.org/ MATCHED
         test-result: MATCHED
     validate-result: SUCCESS
-

prod-refractr.yml

@@ -1228,17 +1228,17 @@ refracts:
   - www.browseagainstthemachine.com
 
 # SREIN-636
-- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=downloadfirefox-us
+- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=downloadfirefox-us:
   - downloadfirefox.us
   - www.downloadfirefox.us
 
 # SREIN-636
-- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us
+- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=fire-fox-us:
   - fire-fox.us
   - www.fire-fox.us
 
 # SREIN-636
-- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=mozillafirefox-us
+- www.mozilla.org/firefox/new/?utm_medium=referral&utm_source=mozillafirefox-us:
   - mozillafirefox.us
   - www.mozillafirefox.us
 
@@ -1265,6 +1265,6 @@ refracts:
   - www.mozillastore.com
 
 # SREIN-636
-- viewsourceconf.org/
+- viewsourceconf.org/:
   - viewsourceconf.com
   - www.viewsourceconf.com

refractr/image/refractr.sh

@@ -44,4 +44,3 @@ case "$ACTION" in
         exit 1
         ;;
 esac
-