
HYPERFLEET-1101 - chore: add pre-commit hooks with LeakTK secret scanning#195

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift-hyperfleet:mainfrom
rafabene:HYPERFLEET-1101-leaktk-migration
Jun 18, 2026

Conversation

@rafabene

Contributor

Summary

Creates the standard HyperFleet pre-commit configuration from scratch:

  • LeakTK v0.3.3 for secret scanning — open-source, no VPN required
  • hyperfleet-hooks v0.1.1 for commit message validation, Go formatting, linting, and vet
  • pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, end-of-file-fixer, check-added-large-files)

Changes

  • .pre-commit-config.yaml — created with standard config
  • Makefile — added install-hooks, gofmt (alias for fmt), go-vet (alias for vet) targets
  • AGENTS.md — expanded pre-commit hooks section with complete hook list

After merging

Team members should run make install-hooks to install the new hooks. First commit after installation takes 3-5 minutes while LeakTK compiles (one-time).

Ref: https://redhat.atlassian.net/browse/HYPERFLEET-1101

@coderabbitai

coderabbitai Bot commented Jun 16, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 378339e7-0b1a-4c9f-92fd-b6465562e9e4

📥 Commits

Reviewing files that changed from the base of the PR and between 1373038 and 120861b.

📒 Files selected for processing (3)
  • .pre-commit-config.yaml
  • AGENTS.md
  • Makefile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (1)
  • AGENTS.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • .pre-commit-config.yaml
  • Makefile

📝 Walkthrough

Summary by CodeRabbit

  • Chores

    • Added automated pre-commit hooks covering secret scanning, commit message linting, Go formatting/linting/vet, and basic file hygiene checks.
  • Documentation

    • Expanded the setup and verification guidance with a fresh-clone snippet and a dedicated “Pre-commit Hooks” checklist, including the relevant hook/install instructions.
  • Chores

    • Introduced Makefile convenience targets to install hooks and provide shorthand commands for Go formatting and vetting.

Walkthrough

Introduces .pre-commit-config.yaml configuring three external hook repositories: leaktk (v0.3.3) for secret scanning, openshift-hyperfleet/hyperfleet-hooks (v0.2.1) for commit-message linting and Go tooling, and pre-commit/pre-commit-hooks (v6.0.0) for whitespace/EOF/large-file hygiene. The Makefile gains install-hooks, gofmt, and go-vet targets. AGENTS.md documents these hooks and the installation command.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


Supply chain surface — flag before merging.

.pre-commit-config.yaml — three external repositories now execute code in developer and CI environments.

  • leaktk/leaktk @ v0.3.3 — tag-pinned, not commit-pinned. Tags are mutable; CWE-829 (inclusion of functionality from untrusted control sphere). Pin to full commit SHA.
  • openshift-hyperfleet/hyperfleet-hooks @ v0.2.1 — same tag-mutability risk. Org-internal source does not mitigate mutable tag injection.
  • pre-commit/pre-commit-hooks @ v6.0.0 — same issue.

Recommended fix:

pre-commit autoupdate --freeze

Freeze all rev: values to full commit SHAs (40-character hex, not tags or short SHAs).


Makefile: install-hooks target.

install-hooks:
	pre-commit install

Installs hooks into .git/hooks/ globally for all developers. Confirm pre-commit is declared as a development dependency; an absent binary causes silent hook-installation failure (CWE-391).

No issues with gofmt/go-vet alias targets — they delegate to existing fmt/vet with no added logic.


AGENTS.md — documentation only; no supply chain surface.

🚥 Pre-merge checks | ✅ 5 | ❌ 6

❌ Failed checks (6 inconclusive)

Check name | Status | Explanation | Resolution
Sec-02: Secrets In Log Output | Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No Hardcoded Secrets | Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No Weak Cryptography | Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No Injection Vectors | Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No Privileged Containers | Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No Pii Or Sensitive Data In Logs | Inconclusive | Repository clone failed, so this custom check could not run with code access. | Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | Passed | Title accurately describes the main change: adding pre-commit hooks with LeakTK secret scanning. It is concise, specific, and clearly conveys the primary objective.
Description check | Passed | Description is directly related to the changeset, detailing the three tools integrated (LeakTK, hyperfleet-hooks, pre-commit-hooks), the files modified, and post-merge instructions.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.


Comment @coderabbitai help to get the list of available commands and usage tips.
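The two review points above (tag-pinned `rev:` values and an `install-hooks` target that can fail without a useful message) are the kind of thing a team usually guards with a small script rather than by eye. The shell example below is added here and is not code from this PR or from the HyperFleet project. It checks that every `rev:` in a pre-commit config is a full 40-character commit SHA, the form `pre-commit autoupdate --freeze` writes (it appends a `# frozen: <tag>` trailer, which the check tolerates), and wraps `pre-commit install` so a missing binary fails loudly. The sample configs are constructed inline; the 40-hex values in the frozen one are placeholders, not real commits of those repositories, and the `id: leaktk` hook id is assumed. Installing the `commit-msg` stage is my own addition, based on the fact that a commit-message hook only fires when that hook type is installed; whether hyperfleet-hooks already handles this via `default_install_hook_types` is not visible in the PR.

```shell
#!/bin/sh
# Added example, not HyperFleet code: two checks that a team could wire into
# `make install-hooks` after adopting a pre-commit config like the one in this PR.

# check_pinned_revs FILE
# Returns 0 only if every `rev:` in the config is a full 40-hex commit SHA.
# Tags and short SHAs are reported on stderr together with their repo.
check_pinned_revs() {
  cfg="$1"
  repo="?"
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *"- repo:"*)
        repo=$(printf '%s' "${line#*repo:}" | tr -d ' ') ;;
      *"rev:"*)
        rev=${line#*rev:}
        rev=${rev%%#*}                             # drop "# frozen: vX.Y.Z" trailer
        rev=$(printf '%s' "$rev" | tr -d ' "'"'")  # strip spaces and quotes
        if ! printf '%s' "$rev" | grep -Eq '^[0-9a-f]{40}$'; then
          printf 'unpinned rev for %s: %s\n' "$repo" "$rev" >&2
          bad=1
        fi ;;
    esac
  done < "$cfg"
  return "$bad"
}

# install_hooks
# Refuses to proceed when pre-commit is absent or the config is not frozen,
# and installs the commit-msg stage as well, since a commit-message hook
# never runs under a bare `pre-commit install` (pre-commit stage only).
install_hooks() {
  if ! command -v pre-commit >/dev/null 2>&1; then
    echo "pre-commit not found: install it (for example: pip install pre-commit)" >&2
    return 1
  fi
  check_pinned_revs .pre-commit-config.yaml || return 1
  pre-commit install --hook-type pre-commit --hook-type commit-msg
}

# Constructed sample configs. The SHAs below are placeholders, not the real
# commits behind v0.3.3 or v6.0.0; the leaktk hook id is assumed.
WORK=$(mktemp -d)
TAGGED_CFG="$WORK/tagged.yaml"
FROZEN_CFG="$WORK/frozen.yaml"
cat > "$TAGGED_CFG" <<'EOF'
repos:
  - repo: https://github.com/leaktk/leaktk
    rev: v0.3.3
    hooks:
      - id: leaktk
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
EOF
cat > "$FROZEN_CFG" <<'EOF'
repos:
  - repo: https://github.com/leaktk/leaktk
    rev: 1111111111111111111111111111111111111111  # frozen: v0.3.3
    hooks:
      - id: leaktk
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: "2222222222222222222222222222222222222222"  # frozen: v6.0.0
    hooks:
      - id: trailing-whitespace
EOF

check_pinned_revs "$TAGGED_CFG" || echo "tag-pinned config rejected, as intended"
check_pinned_revs "$FROZEN_CFG" && echo "frozen config accepted"
```

Run `pre-commit autoupdate --freeze` to produce the frozen form, then re-run `check_pinned_revs` on `.pre-commit-config.yaml` in CI so a later edit that reintroduces a tag is caught before it reaches developer machines. The freeze only removes the mutable-tag problem; the code at each SHA is still third-party, so the first freeze of each repo is the moment to read what the hook actually runs.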

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Line 17: The text on line 17 in AGENTS.md incorrectly states that `make
test-all` runs all of the above commands, but it actually only runs lint, test,
test-integration, and test-helm while excluding fmt and build. Update the line
17 text to accurately describe which commands `make test-all` actually executes
by either listing the specific commands it runs (lint, test, test-integration,
and test-helm) or clarifying that it does not run all the commands listed above
(specifically excluding fmt and build).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dbf16215-112c-4be5-9051-1526587135fd

📥 Commits

Reviewing files that changed from the base of the PR and between 34ceb40 and 48af3a7.

📒 Files selected for processing (3)
  • .pre-commit-config.yaml
  • AGENTS.md
  • Makefile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch 2 times, most recently from 1c73f31 to 1373038 on June 16, 2026 17:07
@openshift-ci openshift-ci Bot requested review from Mischulee and sherine-k June 16, 2026 17:08
@hyperfleet-ci-bot

hyperfleet-ci-bot Bot commented Jun 16, 2026


Risk Score: 0 — risk/low

Signal Detail Points
PR size 58 lines +0
Sensitive paths none +0

Computed by hyperfleet-risk-scorer

@rafabene

Contributor Author

/retest

@rafabene rafabene closed this Jun 17, 2026
@rafabene rafabene reopened this Jun 17, 2026
…ning

Create standard HyperFleet pre-commit configuration from scratch:

- LeakTK v0.3.3 for secret scanning (open-source, no VPN required)
- hyperfleet-hooks v0.2.1 for commit message validation, gofmt, lint, vet
- pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, EOF, large files)

Also adds Makefile targets: install-hooks, gofmt (alias for fmt), go-vet (alias for vet).
@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from 1373038 to 120861b on June 18, 2026 14:35
@kuudori

kuudori commented Jun 18, 2026

Contributor

/lgtm

@openshift-ci

openshift-ci Bot commented Jun 18, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kuudori

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 0b64088 into openshift-hyperfleet:main Jun 18, 2026
9 checks passed