
HYPERFLEET-1101 - chore: migrate secret scanning from rh-pre-commit to LeakTK #223

Open

rafabene wants to merge 1 commit into openshift-hyperfleet:main from rafabene:HYPERFLEET-1101-leaktk-migration

Conversation

@rafabene (Contributor)

Summary

Migrates hyperfleet-api from the VPN-dependent rh-pre-commit and rh-hooks-ai hooks to the standard HyperFleet pre-commit configuration:

  • LeakTK v0.3.3 for secret scanning — open-source, no VPN required, same Gitleaks engine
  • hyperfleet-hooks v0.1.1 for commit message validation (hyperfleet-commitlint), Go formatting, linting, and vet
  • pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, end-of-file-fixer, check-added-large-files)

Changes

  • .pre-commit-config.yaml — replaced rh-pre-commit + rh-hooks-ai with standard config
  • Makefile — added install-hooks, gofmt, go-vet targets
  • AGENTS.md — updated pre-commit hooks section with new hook list
  • docs/development.md — removed "For External Contributors" section (no longer needed since LeakTK has no VPN dependency), updated setup instructions to use make install-hooks
  • Several existing files fixed by trailing-whitespace and end-of-file-fixer hooks on first run

After merging

Team members should run make install-hooks to install the new hooks. First commit after installation takes 3-5 minutes while LeakTK compiles (one-time).

Ref: https://redhat.atlassian.net/browse/HYPERFLEET-1101
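A `.pre-commit-config.yaml` that matches the three hook sources, versions and hook types the description and walkthrough list, written here as an added illustration rather than the file from this PR; the LeakTK repository URL and the LeakTK, gofmt, golangci-lint and go-vet hook ids are assumptions, so check each repository's `.pre-commit-hooks.yaml` before copying.

```yaml
# Added illustration, not the file from this PR. Hook ids for leaktk and
# hyperfleet-hooks are assumptions; the pre-commit-hooks ids are real.

# Install both the pre-commit and commit-msg hooks on `pre-commit install`,
# so hyperfleet-commitlint can see the commit message.
default_install_hook_types: [pre-commit, commit-msg]

repos:
  # Secret scanning. Pin to the released tag rather than a branch so the
  # scanner cannot change underneath the team.
  - repo: https://github.com/leaktk/leaktk   # assumed URL
    rev: v0.3.3
    hooks:
      - id: leaktk                             # assumed hook id

  # Commit message validation plus Go formatting, linting and vet.
  - repo: https://github.com/openshift-hyperfleet/hyperfleet-hooks
    rev: v0.1.1
    hooks:
      - id: hyperfleet-commitlint
        stages: [commit-msg]
      - id: gofmt              # assumed hook id
      - id: golangci-lint      # assumed hook id
      - id: go-vet             # assumed hook id

  # File hygiene.
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-added-large-files
```

With this file, `pre-commit install` installs both hook types listed in `default_install_hook_types`; the PR's `make install-hooks` target is assumed to wrap that call.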

@openshift-ci openshift-ci Bot requested review from ma-hill and rh-amarin June 16, 2026 16:52
@openshift-ci

openshift-ci Bot commented Jun 16, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mischulee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 16, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ada59de2-04bb-4a75-bf49-b08275c5131b

📥 Commits

Reviewing files that changed from the base of the PR and between dd7f85d and 603fce6.

📒 Files selected for processing (10)
  • .bingo/Variables.mk
  • .bingo/variables.env
  • .pre-commit-config.yaml
  • AGENTS.md
  • Makefile
  • charts/templates/_helpers.tpl
  • docs/config.md
  • docs/database.md
  • docs/deployment.md
  • docs/development.md
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
💤 Files with no reviewable changes (4)
  • .bingo/variables.env
  • docs/config.md
  • charts/templates/_helpers.tpl
  • .bingo/Variables.mk
✅ Files skipped from review due to trivial changes (3)
  • docs/deployment.md
  • docs/database.md
  • AGENTS.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • .pre-commit-config.yaml
  • docs/development.md
  • Makefile

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Added developer tooling targets for installing pre-commit hooks and running gofmt and go vet checks.
  • Bug Fixes
    • Improved Helm-generated database environment variable output for password secret references to ensure clean YAML rendering.
  • Chores
    • Updated pre-commit hook configuration to use public hook sources and expanded checks for secret scanning, commit message validation, and file hygiene.
  • Documentation
    • Refreshed development setup instructions to use the new hook installation workflow and cleaned up minor formatting.

Walkthrough

PR replaces internal rh-pre-commit hook infrastructure with three public external sources: leaktk for secret scanning (CWE-798), openshift-hyperfleet/hyperfleet-hooks for commitlint and Go quality checks (gofmt, golangci-lint, go-vet), and pre-commit/pre-commit-hooks for file hygiene. Sets default_install_hook_types to [pre-commit, commit-msg]. Adds Makefile targets install-hooks, gofmt, go-vet to expose code quality checks as developer tasks. Updates AGENTS.md and docs/development.md to document make install-hooks workflow. Adjusts .bingo/Variables.mk oapi-codegen recipe to use GOHOST* platform variables and -modfile=oapi-codegen.mod. Fixes Helm template closing block in databaseEnvVars helper. Removes trailing whitespace from documentation files.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
  • Title check (Passed): Title directly and specifically describes the migration from rh-pre-commit to LeakTK for secret scanning, matching the core objective of the changeset.
  • Description check (Passed): Description comprehensively covers the migration rationale, lists specific tool versions, enumerates affected files, and provides post-merge guidance aligned with the changeset.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Sec-02: Secrets In Log Output (Passed): PR contains no log statements exposing tokens, passwords, credentials, or secrets. Modified files are config/docs only; no new logging code added. Existing codebase properly redacts secrets via red...
  • No Hardcoded Secrets (Passed): No hardcoded secrets detected in PR. Git commit hashes are legitimate version refs; password examples are documentation placeholders; Kubernetes secrets use proper secretKeyRef pattern.
  • No Weak Cryptography (Passed): No weak cryptography primitives (MD5, DES, RC4, SHA1 for security), ECB mode, custom crypto implementations, or non-constant-time secret comparisons detected. PR modifies only build configuration,...
  • No Injection Vectors (Passed): PR adds 303 files (initial repository setup) with no code logic changes to existing files. No injection vectors found: no exec.Command/SQL string concat with untrusted input, no template.HTML(), no...
  • No Privileged Containers (Passed): PR contains no privileged container configurations. Dockerfile properly restricts runtime to non-root (USER 65532:65532), Helm templates enforce non-root contexts with allowPrivilegeEscalation disa...
  • No Pii Or Sensitive Data In Logs (Passed): No logging statements expose PII or sensitive data. The codebase implements comprehensive masking via MaskingMiddleware that redacts sensitive headers, JSON fields, emails, credit cards, and tokens...


Comment @coderabbitai help to get the list of available commands and usage tips.

@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from 61a5851 to dd7f85d on June 16, 2026 16:55
…o LeakTK

Replace rh-pre-commit (VPN-dependent) and rh-hooks-ai with the standard
HyperFleet pre-commit configuration:

- LeakTK v0.3.3 for secret scanning (open-source, no VPN required)
- hyperfleet-hooks v0.1.1 for commit message validation, gofmt, lint, vet
- pre-commit-hooks v6.0.0 for file hygiene (trailing whitespace, EOF, large files)

Also adds Makefile targets: install-hooks, gofmt, go-vet.
@rafabene rafabene force-pushed the HYPERFLEET-1101-leaktk-migration branch from dd7f85d to 603fce6 on June 16, 2026 17:06
@hyperfleet-ci-bot


Risk Score: 0 — risk/low

Signal           Detail     Points
PR size          99 lines   +0
Sensitive paths  none       +0

Computed by hyperfleet-risk-scorer
