
HYPERFLEET-1101 - chore: add pre-commit hooks with LeakTK secret scanning #195

Open

rafabene wants to merge 1 commit into openshift-hyperfleet:main from rafabene:HYPERFLEET-1101-leaktk-migration

Conversation

@rafabene

Contributor

Summary

Creates the standard HyperFleet pre-commit configuration from scratch:

  • LeakTK v0.3.3 for secret scanning — open-source, no VPN required
  • hyperfleet-hooks v0.1.1 for commit message validation, Go formatting, linting, and vet
  • pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, end-of-file-fixer, check-added-large-files)

Changes

  • .pre-commit-config.yaml — created with standard config
  • Makefile — added install-hooks, gofmt (alias for fmt), go-vet (alias for vet) targets
  • AGENTS.md — expanded pre-commit hooks section with complete hook list

After merging

Team members should run make install-hooks to install the new hooks. First commit after installation takes 3-5 minutes while LeakTK compiles (one-time).

Ref: https://redhat.atlassian.net/browse/HYPERFLEET-1101

coderabbitai Bot commented Jun 16, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 08acbb30-ceb0-4308-bca9-df506add0b5c

📥 Commits

Reviewing files that changed from the base of the PR and between 48af3a7 and 1373038.

📒 Files selected for processing (3)
  • .pre-commit-config.yaml
  • AGENTS.md
  • Makefile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
🚧 Files skipped from review as they are similar to previous changes (3)
  • AGENTS.md
  • Makefile
  • .pre-commit-config.yaml

📝 Walkthrough

Summary by CodeRabbit

  • Chores

    • Integrated automated pre-commit hooks for code quality validation, including secret scanning, commit message linting, Go code formatting and analysis, and file hygiene.
  • Documentation

    • Enhanced development setup and verification documentation with pre-commit hook installation and configuration details.

Walkthrough

Introduces .pre-commit-config.yaml configuring three pinned external hook repositories: leaktk/leaktk (v0.3.3) for secret scanning, openshift-hyperfleet/hyperfleet-hooks (v0.1.1) for commit-message linting and Go tooling (gofmt, golangci-lint, go-vet), and pre-commit/pre-commit-hooks (v6.0.0) for whitespace/EOF/large-file hygiene. The Makefile gains install-hooks, gofmt, and go-vet targets. AGENTS.md is expanded to document these hooks and the installation command.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Supply chain surface — flag before merging.

.pre-commit-config.yaml — three external repos now execute code in CI and developer environments.

  • leaktk/leaktk @ v0.3.3 — no SHA pin. A tag is mutable; CWE-829 (inclusion of functionality from untrusted control sphere). Pin each repo to a full commit SHA.
  • openshift-hyperfleet/hyperfleet-hooks @ v0.1.1 — same issue. This repo is org-internal, but tag mutability still applies.
  • pre-commit/pre-commit-hooks @ v6.0.0 — same issue.

Recommended fix for all three:

rev: v0.3.3  # replace with full commit SHA, e.g. abc123def456...

Use pre-commit autoupdate --freeze to freeze all revs to SHAs.


Makefile — install-hooks target.

install-hooks:
	pre-commit install

This installs hooks into .git/hooks/ globally for all developers cloning the repo. Confirm pre-commit is a declared dev dependency; an absent binary causes silent failure or a misleading error (CWE-391).

No issues with the gofmt/go-vet alias targets — they delegate to existing fmt/vet with no added logic.


AGENTS.md — documentation only; no security surface.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name | Status | Explanation
Title check | ✅ Passed | Title clearly identifies the main change: adding pre-commit hooks with LeakTK secret scanning. Directly related to the primary changeset focus.
Description check | ✅ Passed | Description comprehensively covers all changes: LeakTK secret scanning setup, hyperfleet-hooks integration, file hygiene hooks, and post-merge setup instructions.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output | ✅ Passed | No log statements found in modified files (.pre-commit-config.yaml, AGENTS.md, Makefile). These are configuration and documentation files, not code containing slog/log/logr/zap/fmt.Print calls.
No Hardcoded Secrets | ✅ Passed | No hardcoded secrets found. Examined .pre-commit-config.yaml, AGENTS.md, Makefile additions. Git commit hashes are public repository references, not secrets. All URLs point to public open-source pr...
No Weak Cryptography | ✅ Passed | PR introduces zero cryptographic code—only configuration (pre-commit hooks) and documentation. Existing codebase uses only strong primitives: crypto/tls, crypto/x509, crypto/rand. No MD5, DES, RC4,...
No Injection Vectors | ✅ Passed | No injection vectors detected. PR modifies only configuration (.pre-commit-config.yaml), Makefile aliases, and documentation—no Go code with SQL/command/template/YAML injection patterns introduced.
No Privileged Containers | ✅ Passed | PR introduces no Kubernetes/OpenShift manifests, Helm templates, or Dockerfiles. Changes are limited to .pre-commit-config.yaml (tooling config), Makefile (build targets), and AGENTS.md (documentat...
No Pii Or Sensitive Data In Logs | ✅ Passed | PR introduces configuration files (.pre-commit-config.yaml), Makefile targets, and documentation (AGENTS.md) with no logging statements or code that could expose PII/sensitive data.

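Added example, not code from this PR or from any openshift-hyperfleet repository: a POSIX shell check that applies the pin review above to a .pre-commit-config.yaml, failing whenever a `rev:` is a tag (mutable) rather than a full 40-hex commit SHA. The two sample configs are constructed here from the three hook repositories the PR description names; the hook ids for leaktk and hyperfleet-hooks are assumptions (only the pre-commit-hooks ids are standard), and the SHAs in the frozen variant are placeholders, not real commits in those repositories. The `# frozen: <tag>` trailer is the form `pre-commit autoupdate --freeze` writes.

```shell
#!/bin/sh
# Added example (not part of the PR): fail when a pre-commit config pins a hook
# repository to a mutable tag instead of a full commit SHA.

# check_revs FILE
# Extracts the value of every `rev:` line (optional quotes and trailing
# comments stripped) and requires each to be exactly 40 lowercase hex digits.
# Returns 0 when every rev is a full SHA, 1 otherwise; offenders go to stderr.
check_revs() {
  status=0
  for rev in $(sed -nE "s/^[[:space:]]*rev:[[:space:]]*[\"']?([^\"'[:space:]#]+).*/\1/p" "$1"); do
    if printf '%s\n' "$rev" | grep -qE '^[0-9a-f]{40}$'; then
      continue
    fi
    echo "unpinned rev: $rev (use a full commit SHA)" >&2
    status=1
  done
  return "$status"
}

# Constructed sample: the shape of the PR's config, pinned by tag (what the
# review flags). Hook ids for leaktk and hyperfleet-hooks are assumed here.
TAGGED_CFG=$(mktemp)
cat > "$TAGGED_CFG" <<'EOF'
repos:
  - repo: https://github.com/leaktk/leaktk
    rev: v0.3.3
    hooks:
      - id: leaktk            # id assumed; check the repo's .pre-commit-hooks.yaml
  - repo: https://github.com/openshift-hyperfleet/hyperfleet-hooks
    rev: "v0.1.1"
    hooks:
      - id: gofmt             # id assumed
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-added-large-files
EOF

# Constructed sample: the same config after `pre-commit autoupdate --freeze`.
# The SHAs are placeholders (repeated 8-hex groups), not real commits.
FROZEN_CFG=$(mktemp)
cat > "$FROZEN_CFG" <<'EOF'
repos:
  - repo: https://github.com/leaktk/leaktk
    rev: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef  # frozen: v0.3.3
    hooks:
      - id: leaktk
  - repo: https://github.com/openshift-hyperfleet/hyperfleet-hooks
    rev: cafef00dcafef00dcafef00dcafef00dcafef00d  # frozen: v0.1.1
    hooks:
      - id: gofmt
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 0badf00d0badf00d0badf00d0badf00d0badf00d  # frozen: v6.0.0
    hooks:
      - id: trailing-whitespace
EOF

# Run both. In CI you would run `check_revs .pre-commit-config.yaml` and let a
# non-zero status fail the job.
if check_revs "$TAGGED_CFG"; then
  echo "unexpected: tagged config passed"
else
  echo "tagged config rejected, as intended"
fi
check_revs "$FROZEN_CFG" && echo "frozen config accepted"
```

`pre-commit autoupdate --freeze` rewrites each rev to the commit the tag currently points at and leaves the `# frozen: <tag>` comment so the human-readable version survives; the check above does not depend on that tool and can run as its own CI step, or as a local hook, so that a later `pre-commit autoupdate` without `--freeze` cannot silently reintroduce tag pins.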

@coderabbitai coderabbitai Bot left a comment



Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Line 17: The text on line 17 in AGENTS.md incorrectly states that `make
test-all` runs all of the above commands, but it actually only runs lint, test,
test-integration, and test-helm while excluding fmt and build. Update the line
17 text to accurately describe which commands `make test-all` actually executes
by either listing the specific commands it runs (lint, test, test-integration,
and test-helm) or clarifying that it does not run all the commands listed above
(specifically excluding fmt and build).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dbf16215-112c-4be5-9051-1526587135fd

📥 Commits

Reviewing files that changed from the base of the PR and between 34ceb40 and 48af3a7.

📒 Files selected for processing (3)
  • .pre-commit-config.yaml
  • AGENTS.md
  • Makefile
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread AGENTS.md Outdated
@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from 48af3a7 to 1c73f31 Compare June 16, 2026 17:00
openshift-ci Bot commented Jun 16, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

…ning

Create standard HyperFleet pre-commit configuration from scratch:

- LeakTK v0.3.3 for secret scanning (open-source, no VPN required)
- hyperfleet-hooks v0.1.1 for commit message validation, gofmt, lint, vet
- pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, EOF, large files)

Also adds Makefile targets: install-hooks, gofmt (alias for fmt), go-vet (alias for vet).
@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from 1c73f31 to 1373038 Compare June 16, 2026 17:07
@openshift-ci openshift-ci Bot requested review from Mischulee and sherine-k June 16, 2026 17:08
@hyperfleet-ci-bot


Risk Score: 0 — risk/low

Signal | Detail | Points
PR size | 58 lines | +0
Sensitive paths | none | +0

Computed by hyperfleet-risk-scorer

@rafabene

Contributor Author

/retest
