feat: add pre-commit with hadolint, shellcheck, and commitlint hooks

Install pre-commit in the container image and add
.pre-commit-config.yaml with hooks for trailing whitespace,
YAML validation, hadolint, shellcheck, and commitlint.

https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W

Author: claude

.containerignore

@@ -9,4 +9,5 @@ LICENSE
 .releaserc.yaml
 .commitlintrc.yaml
 .containerignore
+.pre-commit-config.yaml
 scripts/

.pre-commit-config.yaml

@@ -0,0 +1,30 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: detect-private-key
+
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+      - id: hadolint-docker
+        entry: hadolint/hadolint hadolint
+        args: ["--config", ".hadolint.yaml"]
+
+  - repo: https://github.com/shellcheck-py/shellcheck-py
+    rev: v0.10.0.1
+    hooks:
+      - id: shellcheck
+        args: ["-e", "SC1091"]
+
+  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+    rev: v9.21.0
+    hooks:
+      - id: commitlint
+        stages: [commit-msg]
+        additional_dependencies: ["@commitlint/config-conventional"]

Containerfile

@@ -98,6 +98,10 @@ RUN curl -sSL -o /tmp/pack.tgz \
     && tar -xzf /tmp/pack.tgz -C /usr/local/bin/ \
     && rm /tmp/pack.tgz
 
+# Install pre-commit
+# hadolint ignore=DL3013
+RUN pip install --no-cache-dir pre-commit
+
 # Install Poetry latest version and add it to PATH
 # hadolint ignore=DL4006
 RUN curl -sSL https://install.python-poetry.org | python3 -

README.md

@@ -36,6 +36,7 @@ These tools allow the image to run its own build pipeline as a self-hosted runne
 | [trivy](https://github.com/aquasecurity/trivy) | Vulnerability scanner |
 | [hadolint](https://github.com/hadolint/hadolint) | Dockerfile/Containerfile linter |
 | [yq](https://github.com/mikefarah/yq) | YAML processor |
+| [pre-commit](https://pre-commit.com/) | Git hooks framework |
 
 ## CI/CD
 
@@ -127,9 +128,37 @@ Run the full build pipeline (lint, build, scan, push):
 ./scripts/builder.sh
 ```
 
+### Pre-commit hooks
+
+Install the git hooks locally:
+
+```bash
+pre-commit install --hook-type pre-commit --hook-type commit-msg
+```
+
+Hooks run automatically on every commit:
+
+| Hook | Stage | Description |
+|------|-------|-------------|
+| trailing-whitespace | pre-commit | Remove trailing whitespace |
+| end-of-file-fixer | pre-commit | Ensure files end with a newline |
+| check-yaml | pre-commit | Validate YAML syntax |
+| check-added-large-files | pre-commit | Prevent large files from being committed |
+| check-merge-conflict | pre-commit | Detect merge conflict markers |
+| detect-private-key | pre-commit | Prevent private keys from being committed |
+| hadolint | pre-commit | Lint Containerfile |
+| shellcheck | pre-commit | Lint shell scripts |
+| commitlint | commit-msg | Validate conventional commit messages |
+
+Run all hooks manually against all files:
+
+```bash
+pre-commit run --all-files
+```
+
 ### Contributing
 
-This project uses [Conventional Commits](https://www.conventionalcommits.org/). Commit messages are validated by commitlint on pull requests.
+This project uses [Conventional Commits](https://www.conventionalcommits.org/). Commit messages are validated by commitlint on pull requests and locally via pre-commit hooks.
 
 ```bash
 # Good
@@ -151,6 +180,7 @@ git commit -m "WIP"
 ├── .releaserc.yaml                      # Semantic release configuration
 ├── .hadolint.yaml                       # Hadolint configuration
 ├── .commitlintrc.yaml                   # Commitlint configuration
+├── .pre-commit-config.yaml              # Pre-commit hooks configuration
 ├── .containerignore                     # Build context exclusions
 ├── .dive-ci                             # Dive efficiency thresholds
 ├── .github/