
fix(husky): make LTS pre-commit hook work in git worktrees #35801

Open: mbiuki wants to merge 1 commit into release-24.12.27_lts from security/fix-husky-hook-worktree-24.12.27_lts

@mbiuki
Member

@mbiuki mbiuki commented May 21, 2026

Summary

Closes #35799 for the 24.12.27 LTS line. Companion to #35800 (same fix on 25.07.10 LTS).

The core-web/.husky/pre-commit hook fails on non-core-web commits when authored from a git worktree (rather than a fresh clone). The hook cds into core-web/ mid-execution and then runs git on absolute paths to files outside that subtree. In a normal clone this works because git rediscovers the repo root from cwd. In a worktree, the calling git commit sets GIT_DIR to an absolute path; the hook inherits it, and subsequent git calls from core-web/ infer GIT_WORK_TREE=core-web from cwd — they then reject absolute paths to files outside core-web/:

fatal: .../parent/pom.xml: '.../parent/pom.xml' is outside repository at '.../core-web'

This blocked worktree-based dev for LTS branches and forced PR #35798 to be authored from a fresh shallow clone rather than a worktree.

Fix

Replace every git add "${root_dir}/<path>" or git restore "${root_dir}/<path>" with git -C "${root_dir}" add -- "<path>" / git -C "${root_dir}" restore -- "<path>". The -C flag tells git to operate as if it were invoked from root_dir, which is unambiguous regardless of cwd or any inherited GIT_DIR. Six sites updated in core-web/.husky/pre-commit:

| Line | Function | Operation |
|------|----------|-----------|
| 91 | check_sdk_client_affected | add sdk-editor.js |
| 135 | perform_frontend_fixes | add yarn.lock |
| 154 | perform_frontend_fixes | add ${file} |
| 168 | perform_frontend_fixes | restore ${file} |
| 285 | backup loop | restore ${file} (the one that surfaced the bug) |
| 294 | backup loop tail | restore ${file} |

(25.07.10 LTS has a 7th site for the OpenAPI add that doesn't exist on 24.12.27 LTS.)

No behavior change in normal-clone workflows; git -C and the previous absolute-path form are equivalent there.

Test plan

  • Commit a non-core-web change from a normal clone — hook completes (regression check)
  • Commit a non-core-web change from a git worktree add worktree — hook completes (this was the failing scenario)
  • Commit a core-web change from either — lint/format steps still run as before

Same fix as #35800 applied to the 24.12.27 LTS branch.

The hook cd's into core-web/ mid-execution and then invokes git on
absolute paths to files outside core-web. In a normal clone that
worked because git rediscovers the repo root from cwd. In a git
worktree the calling commit sets GIT_DIR to an absolute path that the
hook inherits, which makes git infer GIT_WORK_TREE from cwd
(core-web) and reject absolute paths to non-core-web files.

Wraps each absolute-path git invocation with `git -C "${root_dir}"`,
which is unambiguous regardless of cwd or inherited GIT_DIR. No
behavior change in normal-clone workflows.

Refs #35799
@semgrep-code-dotcms-test
Contributor

Legal Risk

The following dependencies were released under a license that
has been flagged by your organization for consideration.

Recommendation

While merging is not directly blocked, it's best to pause and consider what it means to use this license before continuing. If you are unsure, reach out to your security team or Semgrep admin to address this issue.

EPL-2.0

GPL-2.0

MPL-2.0

@mbiuki
Member Author

mbiuki commented May 21, 2026

Test verification ✅

Reproduced the original failure scenario in a fresh git worktree and confirmed the fix.

Setup

cd ~/Documents/dotCMS/core
git fetch origin security/fix-husky-hook-worktree-24.12.27_lts
git worktree add /tmp/hook-test-24 origin/security/fix-husky-hook-worktree-24.12.27_lts
cd /tmp/hook-test-24
mkdir -p core-web/.husky/_ && <install husky.sh helper>

Test

Made a valid non-core-web change (modified <tomcat.version> in parent/pom.xml) and ran git commit.

Result

Pre-fix (on base branch release-24.12.27_lts), the hook died at the backup step with fatal: ... outside repository at .../core-web.

After this PR's changes, the commit lands cleanly:

[detached HEAD c964b2980e] test: hook fix verification (will be reset)
 1 file changed, 1 insertion(+), 1 deletion(-)

Hook output on 24.12.27 LTS is more concise than 25.07.10 (less scaffolding), but the critical failure mode is gone: the file-backup step no longer aborts on the absolute-path git restore.

Confirmed 6 git -C "${root_dir}" sites in the patched hook (one less than 25.07.10 LTS — that's the OpenAPI add that doesn't exist on this branch).

Test plan checklist

  • Commit a non-core-web change from a git worktree — hook completes ✅ (this was the failing scenario)
  • Commit a non-core-web change from a normal clone — regression check (CI will exercise this)
  • Commit a core-web change from either — lint/format steps still run (CI will exercise this)
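
A minimal reproduction of the failure mode and the `git -C` form discussed in this PR, added here as an example; it is not code from the PR or from the dotCMS hook. It builds a constructed throwaway repository with a linked worktree and exports `GIT_DIR` by hand to stand in for the environment the PR says `git commit` hands to the hook; the function names (`make_worktree`, `hook_step`, `staged_files`, `demo`) are hypothetical.

```shell
#!/bin/sh
# Constructed throwaway repo; paths mirror the PR (core-web/, parent/pom.xml).

# Create a main clone with one commit plus a linked worktree; print its root.
make_worktree() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/main/core-web" "$base/main/parent"
  echo '<project/>' > "$base/main/parent/pom.xml"
  echo '{}' > "$base/main/core-web/package.json"
  git init -q "$base/main" || return 1
  git -C "$base/main" add -A || return 1
  git -C "$base/main" -c user.name=demo -c user.email=demo@example.invalid \
    -c commit.gpgsign=false commit -q -m init || return 1
  git -C "$base/main" worktree add --detach "$base/wt" >/dev/null 2>&1 || return 1
  echo "$base/wt"
}

# Run one staging step the way the hook would: GIT_DIR inherited, cwd=core-web/.
# $1 = worktree root, $2 = old (absolute path) | new (git -C + relative path)
hook_step() {
  root_dir=$1
  (
    GIT_DIR=$(git -C "$root_dir" rev-parse --absolute-git-dir) || exit 1
    export GIT_DIR            # assumption: stands in for git commit's export
    cd "$root_dir/core-web" || exit 1
    case $2 in
      old) git add "${root_dir}/parent/pom.xml" ;;
      new) git -C "${root_dir}" add -- "parent/pom.xml" ;;
      *)   exit 2 ;;
    esac
  ) 2>/dev/null
}

# List staged paths as seen from the worktree root (no inherited GIT_DIR).
staged_files() { git -C "$1" diff --cached --name-only; }

demo() {
  wt=$(make_worktree) || { echo "git not available" >&2; return 1; }
  echo '<project><!-- edited --></project>' > "$wt/parent/pom.xml"
  rc=0; hook_step "$wt" old || rc=$?
  echo "absolute-path form exit status: $rc"
  rc=0; hook_step "$wt" new || rc=$?
  echo "git -C form exit status: $rc"
  echo "staged: $(staged_files "$wt")"
  rm -rf "$(dirname "$wt")"
}
demo
```

Dropping the `2>/dev/null` in `hook_step` shows git's own error for the absolute-path form, which is useful when checking other hooks for the same pattern.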

@mbiuki mbiuki requested a review from KevinDavilaDotCMS May 21, 2026 21:41
@mbiuki mbiuki self-assigned this May 21, 2026
@mbiuki mbiuki moved this to In Progress in dotCMS - Product Planning May 21, 2026
@mbiuki mbiuki requested a review from wezell May 21, 2026 21:41