fix(husky): make LTS pre-commit hook work in git worktrees #35800

Open: mbiuki wants to merge 1 commit into release-25.07.10_lts from security/fix-husky-hook-worktree-25.07.10_lts

mbiuki (Member) commented May 21, 2026

Summary

Closes #35799 for the 25.07.10 LTS line.

The core-web/.husky/pre-commit hook fails on non-core-web commits when authored from a git worktree (rather than a fresh clone). The hook cds into core-web/ mid-execution and then runs git on absolute paths to files outside that subtree. In a normal clone this works because git rediscovers the repo root from cwd. In a worktree, the calling git commit sets GIT_DIR to an absolute path; the hook inherits it, and subsequent git calls from core-web/ infer GIT_WORK_TREE=core-web from cwd — they then reject absolute paths to files outside core-web/ with:

fatal: .../parent/pom.xml: '.../parent/pom.xml' is outside repository at '.../core-web'

This blocked worktree-based dev for LTS branches and forced PRs #35797 and #35798 to be authored from fresh shallow clones rather than worktrees.

Fix

Replace every git add "${root_dir}/<path>" or git restore "${root_dir}/<path>" with git -C "${root_dir}" add -- "<path>" / git -C "${root_dir}" restore -- "<path>". The -C flag tells git to operate as if it were invoked from root_dir, which is unambiguous regardless of cwd or any inherited GIT_DIR. Seven sites updated:

| Line | Function | Operation |
|------|----------|-----------|
| 83 | check_sdk_client_affected | add dot-uve.js |
| 127 | perform_frontend_fixes | add yarn.lock |
| 146 | perform_frontend_fixes | add ${file} |
| 160 | perform_frontend_fixes | restore ${file} |
| 306 | OpenAPI block | add openapi.yaml |
| 387 | backup loop | restore ${file} (the one that surfaced the bug) |
| 396 | backup loop tail | restore ${file} |

No behavior change in normal-clone workflows; git -C and the previous absolute-path form are equivalent there.

Test plan

  • Commit a non-core-web change from a normal clone — hook completes (regression check)
  • Commit a non-core-web change from a git worktree add worktree — hook completes (this was the failing scenario)
  • Commit a core-web change from either — lint/format steps still run as before

Companion work

  • Mirror this fix to release-24.12.27_lts in a sibling PR
  • main is not affected (different hook).
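
Added example, not part of the PR or the dotCMS hook: a throwaway repository and linked worktree that reproduce the failure described above by exporting an absolute GIT_DIR (the condition the description says the hook inherits), then apply the `git -C` form. The function names and temp layout are constructed for the demo; only `core-web/` and `parent/pom.xml` come from the page.

```sh
#!/bin/sh
# Constructed demo; layout mirrors the page (core-web/, parent/pom.xml).

# Create a throwaway repo plus a linked worktree; prints the temp base dir.
demo_setup() {
  base=$(mktemp -d) || return 1
  {
    git init -q "$base/main" &&
    git -C "$base/main" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m init &&
    git -C "$base/main" worktree add --detach "$base/wt" &&
    mkdir -p "$base/wt/core-web" "$base/wt/parent" &&
    echo '<project/>' > "$base/wt/parent/pom.xml"
  } >/dev/null 2>&1 || return 1
  echo "$base"
}

# Assumption taken from the PR text: in a worktree the hook inherits an
# absolute GIT_DIR. Here it is computed and exported by hand.
hook_env() { git -C "$1" rev-parse --absolute-git-dir; }

# Pre-fix shape: cd into core-web, then git add with an absolute path.
# With GIT_DIR set and no GIT_WORK_TREE, git treats cwd as the work tree.
old_form() {
  ( GIT_DIR=$(hook_env "$1") || exit 1; export GIT_DIR
    cd "$1/core-web" && git add "$1/parent/pom.xml" ) 2>&1
}

# Post-fix shape: same cwd and GIT_DIR, but git -C pins the root explicitly.
new_form() {
  ( GIT_DIR=$(hook_env "$1") || exit 1; export GIT_DIR
    cd "$1/core-web" && git -C "$1" add -- parent/pom.xml ) 2>&1
}

# Paths currently staged in the worktree's index.
staged() { git -C "$1" diff --cached --name-only; }

main() {
  base=$(demo_setup) || { echo "setup failed" >&2; return 1; }
  echo "old form:"; old_form "$base/wt"; echo "exit=$?"
  echo "new form:"; new_form "$base/wt"; echo "exit=$?"
  echo "staged: $(staged "$base/wt")"
  rm -rf "$base"
}
main
```
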

The hook cd's into core-web/ mid-execution (for yarn/nx scoping) and
then invokes git on absolute paths to files outside core-web. In a
normal clone that worked because git rediscovers the repo root from
cwd. In a git worktree the calling commit sets GIT_DIR to an absolute
path that the hook inherits, which makes git infer GIT_WORK_TREE from
cwd (core-web) and reject absolute paths to non-core-web files:

  fatal: .../parent/pom.xml: '.../parent/pom.xml' is outside repository
  at '.../core-web'

This broke worktree-based development for non-core-web changes on the
LTS branches and forced #35797 and #35798 to be authored from fresh
shallow clones rather than worktrees.

Wraps each git invocation that takes an absolute path with
`git -C "${root_dir}"`, which is unambiguous regardless of cwd or
inherited GIT_DIR. No behavior change in normal-clone workflows.

Refs #35799

@semgrep-code-dotcms-test (Contributor)

Legal Risk

The following dependencies were released under a license that
has been flagged by your organization for consideration.

Recommendation

While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.

EPL-2.0

GPL-2.0

MPL-2.0

mbiuki (Member, Author) commented May 21, 2026

Test verification ✅

Reproduced the original failure scenario in a fresh git worktree and confirmed the fix.

Setup

cd ~/Documents/dotCMS/core
git fetch origin security/fix-husky-hook-worktree-25.07.10_lts
git worktree add /tmp/hook-test-25 origin/security/fix-husky-hook-worktree-25.07.10_lts
cd /tmp/hook-test-25
mkdir -p core-web/.husky/_ && <install husky.sh helper>

Test

Made a valid non-core-web change (modified <tomcat.version> in parent/pom.xml) and ran git commit.

Result

Pre-fix (on base branch release-25.07.10_lts), the hook died at:

💾 Backing up parent/pom.xml
fatal: /private/tmp/hook-test-25/parent/pom.xml: '/private/tmp/hook-test-25/parent/pom.xml' is outside repository at '/private/tmp/hook-test-25/core-web'
husky - pre-commit hook exited with code 128 (error)

After this PR's changes, the hook progresses past the backup step and the commit lands:

✅ Completed Maven validation
📋 Using Node.js version specified in .nvmrc
📋 Using Yarn version: 1.22.19
📁 Created temporary directory /var/folders/.../tmp.Tmueoh2smG
💾 Backing up parent/pom.xml
✅ Backed up workspace to /var/folders/.../tmp.Tmueoh2smG
🔄 Restoring untracked files...
🎉 Commit checks completed successfully.
[detached HEAD 1808217033] test: hook fix verification (will be reset)
 1 file changed, 1 insertion(+), 1 deletion(-)

The key line ✅ Backed up workspace to ... is what the original bug prevented — this used to die immediately after the 💾 Backing up parent/pom.xml line. With the git -C "${root_dir}" change, the backup completes cleanly and the rest of the hook runs.

Test plan checklist

  • Commit a non-core-web change from a git worktree — hook completes ✅ (this was the failing scenario)
  • Commit a non-core-web change from a normal clone — regression check (CI will exercise this)
  • Commit a core-web change from either — lint/format steps still run (CI will exercise this)

@mbiuki mbiuki requested a review from KevinDavilaDotCMS May 21, 2026 21:39
@mbiuki mbiuki moved this to In Progress in dotCMS - Product Planning May 21, 2026
@mbiuki mbiuki requested a review from wezell May 21, 2026 21:40
@mbiuki mbiuki self-assigned this May 21, 2026