Conversation

@yxtay (Owner) commented Oct 7, 2025

No description provided.

@gemini-code-assist

Summary of Changes

Hello @yxtay, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates pre-commit into the project's Renovate configuration. By enabling pre-commit within Renovate, the system will now automatically manage and update pre-commit hooks, ensuring that code quality and consistency checks are always up-to-date without manual intervention. This change streamlines maintenance for development dependencies related to code quality.

Highlights

  • Renovate Configuration Update: The Renovate configuration file (renovate.json) has been updated to include and enable pre-commit support.
  • Pre-commit Enabled: A new pre-commit block has been added to the Renovate configuration, with enabled set to true, allowing Renovate to manage pre-commit hook updates.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page; here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature | Command | Description
Code Review | /gemini review | Performs a code review for the current pull request in its current state.
Pull Request Summary | /gemini summary | Provides a summary of the current pull request in its current state.
Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help | /gemini help | Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly enables Renovate's pre-commit manager. My review includes a suggestion to also enable automerge for pre-commit updates. This would align with the repository's existing automerge strategy for other dependency types, improving automation and consistency.

Comment on lines +21 to +23
"pre-commit": {
"enabled": true
},
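Review bot: the block is fine as written, but the automerge suggestion in this review should be weighed against the Configuration Summary in the Renovate reconfigure comment below: patch and minor upgrades already automerge when tests pass, and the one pending hook update (markdownlint/markdownlint to v0.13.0) is routed to the renovate/all-minor-patch branch, so adding "automerge": true at the manager level would mainly extend automerge to major hook bumps. That summary lists digest pinning for Docker and github-actions only, with nothing equivalent for .pre-commit-config.yaml, so if hook automerge is wanted, scope it to minor and patch with a packageRules entry matching the pre-commit manager and keep majors as reviewed PRs.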

medium

To maintain consistency with other configurations in this file (like vulnerabilityAlerts) and to streamline the update process, consider enabling automerge for pre-commit hook updates. These updates are generally safe to merge automatically.

  "pre-commit": {
    "enabled": true,
    "automerge": true
  },

@renovate renovate bot (Contributor) commented Oct 7, 2025

Reconfigure PR Results

This is a reconfigure PR comment to help you understand and re-configure your renovate bot settings. If this Reconfigure PR were to be merged, we'd expect to see the following outcome:


Detected Package Files

  • compose.yaml (docker-compose)
  • Dockerfile (dockerfile)
  • .github/workflows/automerge.yml (github-actions)
  • .github/workflows/ci.yml (github-actions)
  • .github/workflows/ossf.yml (github-actions)
  • .github/workflows/pr.yml (github-actions)
  • .github/workflows/scans.yml (github-actions)
  • pyproject.toml (pep621)
  • .pre-commit-config.yaml (pre-commit)
  • .python-version (pyenv)

Configuration Summary

Based on the default config's presets, Renovate will:

  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Pin Docker digests.
  • Pin github-action digests.
  • Enable Renovate configuration migration PRs when needed.
  • Pin dependency versions for development dependencies.
  • Automerge digest upgrades if they pass tests.
  • Automerge patch and minor upgrades if they pass tests.
  • Raise PR when vulnerability alerts are detected.
  • Run lock file maintenance (updates) early Monday mornings.
  • Separate each major version of dependencies into individual branches/PRs.
  • Group all minor and patch updates together.
  • Group all digest updates together.
  • Show OpenSSF badge on pull requests.

What to Expect

With your current configuration, Renovate will create 2 Pull Requests:

chore(deps): update pre-commit hook markdownlint/markdownlint to v0.13.0
  • Schedule: ["at any time"]
  • Branch name: renovate/all-minor-patch
  • Merge into: main
  • Upgrade markdownlint/markdownlint to v0.13.0
chore(deps): lock file maintenance
  • Schedule: ["* 0-3 * * 1"]
  • Branch name: renovate/lock-file-maintenance
  • Merge into: main
  • Regenerate lock files to use latest dependency versions

Warning

Please correct - or verify that you can safely ignore - these dependency lookup failures before you merge this PR.

  • Could not determine new digest for update (github-tags package ossf/scorecard-action)
  • Could not determine new digest for update (github-tags package checkmarx/dustilock)
  • Could not determine new digest for update (github-tags package microsoft/security-devops-action)
  • Could not determine new digest for update (github-tags package google/osv-scanner-action)
  • Could not determine new digest for update (github-tags package aquasecurity/trivy-action)
  • Could not determine new digest for update (github-tags package trufflesecurity/trufflehog)
  • Could not determine new digest for update (github-tags package checkmarx/vorpal-reviewdog-github-action)

Files affected: .github/workflows/ossf.yml, .github/workflows/scans.yml
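The Renovate warning above lists actions in ossf.yml and scans.yml for which no new digest could be determined; those are github-tags lookups, so the practitioner check is to see what each `uses:` reference in those workflows currently pins to. The script below is an added example, not code from the page or from the repository. It parses `uses:` lines from a constructed workflow snippet (the action names echo the warning, the refs after `@` are illustrative, and the text is not the repo's ossf.yml or scans.yml) and classifies each reference as digest-pinned (40-hex commit SHA), tag-pinned, or floating (branch or unversioned), which is the distinction that decides whether a "Pin github-action digests" update can apply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed workflow snippet for illustration. It is NOT the repository's
# ossf.yml or scans.yml: the action names echo the Renovate warning, the
# refs after '@' are illustrative values chosen to cover each pin style.
SAMPLE_WORKFLOW = """\
name: scans
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: ossf/scorecard-action@v2.4.0
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# Matches `uses:` whether or not it is the first key of a step item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FLOATING_REFS = {"main", "master", "HEAD"}


@dataclass(frozen=True)
class UsesRef:
    line_no: int
    action: str
    ref: Optional[str]
    kind: str  # digest | tag | floating | local | docker


def classify(action: str, ref: Optional[str]) -> str:
    """Label one `uses:` target by how strongly it is pinned."""
    if action.startswith("./"):
        return "local"        # same-repo action, pinned by the checkout itself
    if action.startswith("docker://"):
        return "docker"       # image refs are a separate pinning problem
    if ref is None or ref in FLOATING_REFS:
        return "floating"     # moves whenever upstream pushes
    if SHA_RE.match(ref):
        return "digest"       # immutable commit, the state Renovate aims for
    return "tag"              # mutable: the tag can be re-pointed upstream


def parse_uses(workflow_text: str) -> List[UsesRef]:
    refs: List[UsesRef] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("docker://") or "@" not in target:
            action, ref = target, None
        else:
            action, ref = target.rsplit("@", 1)
        refs.append(UsesRef(n, action, ref, classify(action, ref)))
    return refs


def unpinned(workflow_text: str) -> List[UsesRef]:
    """Third-party actions that a tag move or branch push could change."""
    return [u for u in parse_uses(workflow_text) if u.kind in ("tag", "floating")]


if __name__ == "__main__":
    for u in parse_uses(SAMPLE_WORKFLOW):
        print(f"line {u.line_no}: {u.action}@{u.ref or ''} -> {u.kind}")
```

Anything the script reports as `tag` or `floating` is a reference where Renovate's digest pinning has not yet taken effect, and a lookup failure like the ones listed above leaves it in that state until the tag resolves.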

@github-actions github-actions bot (Contributor) commented Oct 7, 2025

KICS version: v2.1.14

Category Results
  • CRITICAL: 0
  • HIGH: 0
  • MEDIUM: 4
  • LOW: 0
  • INFO: 0
  • TRACE: 0
  • TOTAL: 4

Metric Values
  • Files scanned: 7
  • Files parsed: 7
  • Files failed to scan: 0
  • Total executed queries: 73
  • Queries failed to execute: 0
  • Execution time: 1

Queries Results

Query: Apt Get Install Pin Version Not Defined (Query Id 965a08d7-ef86-4f14-8792-4a3b2098937e), Severity MEDIUM, Platform Dockerfile, CWE-1357, Category Supply-Chain, Experimental: false
Description: When installing a package, its pin version should be defined

  • Dockerfile line 94, MissingAttribute
    Search key: FROM={{dev AS compile}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*}}
    Expected value: Package 'binutils' has version defined
    Actual value: Package 'binutils' does not have version defined
  • Dockerfile line 46, MissingAttribute
    Search key: FROM={{base AS dev}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends build-essential && rm -rf /var/lib/apt/lists/*}}
    Expected value: Package 'build-essential' has version defined
    Actual value: Package 'build-essential' does not have version defined
  • Dockerfile line 36, MissingAttribute
    Search key: FROM={{debian:stable-slim@sha256:d6743b7859c917a488ca39f4ab5e174011305f50b44ce32d3b9ea5d81b291b3b AS base}}.RUN={{apt-get update && apt-get upgrade --yes && apt-get install --yes --no-install-recommends curl && rm -rf /var/lib/apt/lists/*}}
    Expected value: Package 'curl' has version defined
    Actual value: Package 'curl' does not have version defined
  • Dockerfile line 94, MissingAttribute
    Search key: FROM={{dev AS compile}}.RUN={{apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*}}
    Expected value: Package 'patchelf' has version defined
    Actual value: Package 'patchelf' does not have version defined
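The four KICS findings above are one check, apt packages installed without a `name=version` pin, applied to three RUN lines. As an added example (not KICS's code and not the repository's Dockerfile), the script below reimplements that check over a constructed Dockerfile whose first three RUN lines reproduce the commands KICS quoted, plus a hypothetical `fixed` stage whose `curl=8.0.0-1` pin is a placeholder version, not a real Debian package version. It handles shell-form RUN only, splits the command on shell connectors so that `apt-get update` and `rm` are not confused with the install, skips option values such as `-o key=value` so they are not mistaken for packages, and reports the stage and line of every unpinned package.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed Dockerfile for illustration, not the repository's Dockerfile.
# The first three RUN lines reproduce the commands KICS quoted above; the
# `fixed` stage is an added illustration and its version string is a
# placeholder, not a real Debian package version.
SAMPLE_DOCKERFILE = """\
FROM debian:stable-slim AS base
RUN apt-get update && apt-get upgrade --yes && apt-get install --yes --no-install-recommends curl && rm -rf /var/lib/apt/lists/*

FROM base AS dev
RUN apt-get update && apt-get install --yes --no-install-recommends build-essential && rm -rf /var/lib/apt/lists/*

FROM dev AS compile
RUN apt-get update && apt-get install --yes --no-install-recommends binutils patchelf && rm -rf /var/lib/apt/lists/*

FROM base AS fixed
RUN apt-get update && apt-get install --yes --no-install-recommends curl=8.0.0-1 && rm -rf /var/lib/apt/lists/*
"""

FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<name>\S+))?", re.I)
CONNECTOR_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
# apt-get options that consume the following word, so that word is not a package.
OPTS_WITH_VALUE = {"-o", "--option", "-t", "--target-release", "-c", "--config-file"}


@dataclass(frozen=True)
class Finding:
    stage: Optional[str]
    line_no: int
    package: str


def logical_lines(dockerfile: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_no, statement) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stmt, buf = (buf + line).strip(), ""
        if stmt and not stmt.startswith("#"):
            yield start, stmt


def install_packages(shell_cmd: str) -> List[str]:
    """Package arguments of every `apt-get install` / `apt install` in a shell command."""
    pkgs: List[str] = []
    for segment in CONNECTOR_RE.split(shell_cmd):
        words = shlex.split(segment)
        if len(words) < 2 or words[0] not in ("apt-get", "apt") or "install" not in words:
            continue
        args = words[words.index("install") + 1:]
        skip_next = False
        for w in args:
            if skip_next:
                skip_next = False
            elif w in OPTS_WITH_VALUE:
                skip_next = True
            elif not w.startswith("-"):
                pkgs.append(w)
    return pkgs


def is_pinned(pkg: str) -> bool:
    # Debian pin syntax is name=version; `name/suite` only selects a release.
    _name, sep, version = pkg.partition("=")
    return bool(sep) and bool(version)


def unpinned_installs(dockerfile: str) -> List[Finding]:
    """The KICS 'Apt Get Install Pin Version Not Defined' check, shell-form RUN only."""
    findings: List[Finding] = []
    stage: Optional[str] = None
    for line_no, stmt in logical_lines(dockerfile):
        m = FROM_RE.match(stmt)
        if m:
            stage = m.group("name") or m.group("image")
            continue
        if stmt[:4].upper() == "RUN " and not stmt[4:].lstrip().startswith("["):
            for pkg in install_packages(stmt[4:]):
                if not is_pinned(pkg):
                    findings.append(Finding(stage, line_no, pkg))
    return findings


if __name__ == "__main__":
    for f in unpinned_installs(SAMPLE_DOCKERFILE):
        print(f"stage {f.stage}, line {f.line_no}: '{f.package}' has no =version pin")
```

Pinning with `=version` is what closes the CWE-1357 finding, at the cost that the build breaks once Debian replaces that version in the stable-slim repositories, which is why this class of finding is usually paired with an automated version bump or accepted with a documented justification rather than silently suppressed.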

@github-actions github-actions bot added size/S and removed size/XS labels Oct 7, 2025
@github-actions github-actions bot (Contributor) commented Oct 7, 2025

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ COPYPASTE jscpd yes no no 1.18s
✅ EDITORCONFIG editorconfig-checker 2 0 0 0.25s
✅ JSON prettier 1 0 0 0 0.35s
✅ JSON v8r 1 0 0 3.32s
✅ REPOSITORY gitleaks yes no no 1.14s
✅ REPOSITORY git_diff yes no no 0.0s
✅ REPOSITORY grype yes no no 25.2s
✅ REPOSITORY secretlint yes no no 0.84s
✅ REPOSITORY semgrep yes no no 17.32s
✅ REPOSITORY syft yes no no 1.98s
✅ REPOSITORY trivy yes no no 5.17s
✅ REPOSITORY trivy-sbom yes no no 0.08s
✅ REPOSITORY trufflehog yes no no 3.78s
✅ SPELL lychee 2 0 0 0.92s
✅ YAML prettier 1 0 0 0 0.33s
✅ YAML v8r 1 0 0 2.2s
✅ YAML yamllint 1 0 0 0.37s

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security

@yxtay yxtay merged commit c744ecd into main Oct 7, 2025
54 of 56 checks passed
@yxtay yxtay deleted the renovate/reconfigure branch October 7, 2025 01:58
2 participants