
[CI] Pin to sha all pre-commit hooks and clean up #2730

Open

jbampton wants to merge 1 commit into apache:main from jbampton:pin-pre-commit-hooks

Conversation

@github-actions github-actions Bot added the yaml label Jun 3, 2026
@lprimak lprimak requested review from fpapon and steinarb June 3, 2026 02:13
@steinarb

steinarb commented Jun 3, 2026

Contributor

@lprimak Not sure I understand how this change is meant to work, based on the description in the PR.
So I will have to study up before I can give any meaningful opinion on this PR (so I hope this isn't hanging on me...).

lprimak previously approved these changes Jun 3, 2026
@jbampton

jbampton commented Jun 8, 2026

Member Author

> @lprimak Not sure I understand how this change is meant to work, based on the description in the PR. So I will have to study up before I can give any meaningful opinion on this PR (so I hope this isn't hanging on me...).

Hey @steinarb we are running prek-action which runs our Git hook framework:

https://github.com/apache/infrastructure-actions/blob/6c512df8de8203dfc22579b9f17769983ca6de76/approved_patterns.yml#L213

https://github.com/apache/shiro/blob/main/.github/workflows/pre-commit.yml

https://github.com/apache/shiro/blob/main/.github/workflows/pre-commit-manual.yml

We have both standard and manual hooks.

https://prek.j178.dev

Originally we were running pre-commit but have moved to prek.

See below from Google but check the official site for more ways to install prek and use it locally.

So prek is meant to run on developer machines before pushing up to GitHub.

You should also check out the homepage of the original pre-commit site for info on why git hook scripts are useful:

https://pre-commit.com

Perhaps I should explain more in another PR with some of this information for the contributing guide?


Overview: Transitioning to prek

prek is a fast Git hook manager written in Rust. It serves as a modern, drop-in replacement for the traditional Python-based pre-commit framework.

  • Speed: It runs hooks and fetches repositories in parallel.
  • Zero Dependencies: Because it compiles to a single static binary, developers don't need a Python runtime or virtual environment setup just to run basic linting, security, or style hooks.
  • Compatibility: It is fully backward-compatible with our existing .pre-commit-config.yaml files, but natively supports modern prek.toml configuration formats.

1. Local Developer Setup

To set up and run the hooks locally on your development machine, follow these quick steps:

Installation

prek can be installed quickly via system package managers or toolchains:

```sh
# Via uv
uv tool install prek

# Via Homebrew (macOS/Linux)
brew install prek
```

Git Integration

Once installed, register prek with the repository's internal Git hooks so that it executes automatically on every git commit:

```sh
prek install
```

Note: If the project uses specific stages (like moving heavy static analysis or security audits to the push phase), you can also opt-in to pre-push hooks using prek install --hook-type pre-push.


2. Core CLI Commands

Developers can trigger checks manually without committing code using the following essential commands:

  • Run on Staged Files (Default):
```sh
prek run
```

This only runs the configured hooks against the files currently staged in Git (git add).

  • Run on the Entire Repository:
```sh
prek run -a
```

The -a (or --all-files) flag tells prek to evaluate every single file in the codebase, regardless of its Git staging status. This is highly useful when adding a new rule, auditing the repo for security, or doing a large style cleanup.

  • Shortcut Syntax:
```sh
prek -a
```

prek allows omitting the run keyword entirely as a quality-of-life shortcut.


  • Run Manual / Specific Stage Hooks:
```sh
prek run --hook-stage manual -a
```

By default, prek only runs hooks assigned to the commit stage. To trigger our custom security scanners, deep structural audits, or heavy style rules that are configured as stage: [manual], you explicitly pass the --hook-stage manual flag. Combining it with -a forces the manual sweep across the entire repository.

  • Run a Single Specific Hook:
```sh
prek run <hook-id> -a
```

If you only want to isolate and run one single hook (for example, a specific static analysis tool or dependency auditor without running the whole suite), you can call it directly by its ID defined in our configuration file.


3. Continuous Integration: The prek-action Workflow

To guarantee that code style, security safeguards, and manual/audit hooks are respected before PRs are merged, we are utilizing the official GitHub Actions workflow integration via j178/prek-action.

This ensures that the exact same suite of checks running on a developer's laptop is enforced upstream in CI.

  • Automated Setup: The prek-action automatically downloads and provisions the optimized Rust binary in the runner environment.
  • Implicit Complete Audit: By default, the action executes prek run --all-files under the hood. This ensures that pull requests are evaluated completely, catching any hidden configuration or styling deviations before they impact the main branch.
  • Caching & Speed: It uses optimized global toolchain caching, ensuring that GitHub Actions jobs complete in seconds rather than waiting on heavy environment bootstraps.
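
The thread above explains how the hooks are run but not how to verify the thing the PR title asks for, namely that every hook repo is pinned to a commit SHA rather than a mutable tag or branch. The following POSIX shell check is an added example and is not code from this PR, the Shiro repository, or prek; it assumes the standard `rev:` key of a `.pre-commit-config.yaml`, and the repo URL, hook id and SHA in the constructed sample configs are placeholders.

```sh
#!/bin/sh
# Added example, not code from the PR or the Shiro project: a check that every
# hook repo in a pre-commit/prek config is pinned to a full 40-hex commit SHA,
# which is what "pin to sha" in the PR title refers to. Tags and branches are
# mutable refs, so a hook pinned to "v1.2.3" can silently change upstream; a
# commit SHA cannot. Assumes the config uses the standard "rev:" key; the repo
# URL, hook id and SHA in the samples below are placeholders, not real values.

# Print the rev of every hook repo in the config file $1, one per line, with
# surrounding quotes and trailing "# frozen: ..." style comments stripped.
hook_revs() {
  sed -nE 's/^[[:space:]]*rev:[[:space:]]*["'"'"']?([^"'"'"'[:space:]#]+).*$/\1/p' "$1"
}

# Return 0 when every rev in $1 is a full 40-hex SHA; otherwise list the
# offenders on stderr and return 1. Short SHAs, tags and branch names all fail.
check_pinned_revs() {
  unpinned=$(hook_revs "$1" | grep -vE '^[0-9a-f]{40}$') || true
  if [ -n "$unpinned" ]; then
    echo "unpinned hook revs in $1:" >&2
    echo "$unpinned" | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Write a constructed sample config to $1; $2 is "pinned" or "tagged".
write_sample_config() {
  if [ "$2" = pinned ]; then
    # Placeholder SHA for illustration only, not a real commit.
    rev='"0123456789abcdef0123456789abcdef01234567"  # frozen: v1.2.3'
  else
    rev='v1.2.3'
  fi
  cat > "$1" <<EOF
repos:
  - repo: https://github.com/example-org/example-hooks
    rev: $rev
    hooks:
      - id: example-check
EOF
}

# When run directly: write both samples and report which one passes the check.
demo() {
  dir=$(mktemp -d)
  for kind in pinned tagged; do
    write_sample_config "$dir/$kind.yaml" "$kind"
    if check_pinned_revs "$dir/$kind.yaml"; then
      echo "PASS $kind.yaml"
    else
      echo "FAIL $kind.yaml"
    fi
  done
  rm -rf "$dir"
}
demo
```

To check a real repository, call `check_pinned_revs .pre-commit-config.yaml` from a CI step and fail the job on a non-zero return. The `# frozen: v1.2.3` comment in the pinned sample is the form `pre-commit autoupdate --freeze` writes, which keeps the SHA as the effective `rev` while recording the human-readable tag; the check accepts that form because it strips the comment before matching.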

3 participants