ci: enforce pre-commit formatting hooks in CI (#99)

* ci: enforce pre-commit formatting hooks in CI

check-yaml, check-json, end-of-file-fixer, and trailing-whitespace
only ran locally via pre-commit. Contributors who skip pre-commit
can introduce formatting drift (see #97). Add a CI job using
pre-commit/action to enforce these four hooks on every PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: consolidate lint jobs into single pre-commit pass

Run all pre-commit hooks (ruff, shellcheck, shfmt, check-yaml,
check-json, end-of-file-fixer, trailing-whitespace) in one job
instead of separate CI jobs per tool. Fixes the extra_args error
where pre-commit run only accepts one hook ID positionally.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: fix trailing whitespace and EOF in semgrep-rule-creator

Pre-commit hooks caught two files missed by the earlier formatting
PR: trailing blank line in quick-reference.md and trailing
whitespace plus missing final newline in workflow.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: dguido

.github/workflows/lint.yml

@@ -14,43 +14,17 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  ruff:
-    name: Python (ruff)
+  pre-commit:
+    name: Pre-commit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           persist-credentials: false
-      - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6  # v3.6.1
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
         with:
-          args: check --output-format=github
-      - uses: astral-sh/ruff-action@4919ec5cf1f49eff0871dbcea0da843445b837e6  # v3.6.1
-        with:
-          args: format --check
-
-  shellcheck:
-    name: Shell (shellcheck)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Run shellcheck
-        run: find plugins -name "*.sh" -type f -exec shellcheck --severity=warning -x {} +
-
-  shfmt:
-    name: Shell (shfmt)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Install shfmt
-        run: |
-          curl -sS https://webinstall.dev/shfmt | bash
-          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
-      - name: Run shfmt
-        run: find plugins -name "*.sh" -type f -exec shfmt -i 2 -ci -d {} +
+          python-version: "3.13"
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
 
   bats:
     name: Shell (bats)

plugins/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md

@@ -200,4 +200,3 @@ semgrep -f <rule-id>.yaml <rule-id>.<ext>
 2. Add sanitizers for validation functions
 3. Use `pattern-inside` to limit scope
 4. Use `metavariable-regex` to filter
-

plugins/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md

@@ -235,6 +235,6 @@ Run the Semgrep rule you created using: `semgrep --config <rule-id>.yaml <rule-i
 
 Ensure that message:
  1. Contains a short and concise explanation of the matched pattern
- 2. Has no uninterpolated metavariables (e.g., $OP, $VAR). All metavariables referenced in the message must be captured by the pattern so they interpolate to actual code. 
+ 2. Has no uninterpolated metavariables (e.g., $OP, $VAR). All metavariables referenced in the message must be captured by the pattern so they interpolate to actual code.
 
-Fix any message issues and re-run that Semgrep rule after each fix.
+Fix any message issues and re-run that Semgrep rule after each fix.