Add pinact and ghalint hooks

[5ouma]

Users don't need to write the details by themselves.

[Copilot]

Pull request overview

This PR adds three new pre-commit hooks (pinact, ghalint, and ghalint-act) to enable validation and pinning of GitHub Actions workflows and action files. This allows users to leverage these security and maintenance tools without configuring them manually.

• Added pinact hook for pinning versions of GitHub Actions and reusable workflows
• Added ghalint hooks for validating GitHub Actions workflows and action files
• Updated Renovate configuration to track dependency updates for both hook definition and config files

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
.pre-commit-hooks.yaml	Adds three new hook definitions (pinact, ghalint, ghalint-act) with appropriate entry points, file patterns, and Go dependencies
README.md	Updates documentation example to include the new hooks and adds pre-commit to the default hook types
.github/renovate.json	Updates the regex custom manager pattern to match both .pre-commit-hooks.yaml and .pre-commit-config.yaml files

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Updated Renovate configuration to match both .pre-commit-hooks.yaml and .pre-commit-config.yaml files via regex pattern. Added three new pre-commit hooks for GitHub Actions validation and version pinning (pinact, ghalint, ghalint-act). Removed one existing hook. Updated README documentation.

Changes

Cohort / File(s)	Summary
Pre-commit configuration .github/renovate.json, .pre-commit-hooks.yaml	Updated Renovate's custom manager regex pattern from literal filename to path-based regex matching either .pre-commit-hooks.yaml or .pre-commit-config.yaml. Added three new pre-commit hooks: pinact (version pinning for Actions), ghalint (GitHub Actions workflow validation), and ghalint-act (Action file validation). Removed upload-git-commit-notion hook.
Documentation README.md	Added documentation for new pre-commit hooks including pinact, ghalint, and ghalint-act under default_install_hook_types and repos.hooks sections.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description relates to the changeset by noting that users don't need to write hook details themselves, which aligns with hosting pre-commit hooks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title 'Add pinact and ghalint hooks' directly and clearly summarizes the main changes in the changeset, matching the PR objectives.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat-pre-commit-hooks-pinact-ghalint

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/renovate.json (1)

18-25: Escape the dots in the regex pattern.

The forward-slash delimiters are correct for Renovate's managerFilePatterns syntax, and the alternation (hooks|config) is RE2-compatible. However, the unescaped dots (.) in the pattern should be escaped as \. to match literal dots. The current pattern /.pre-commit-(hooks|config).yaml/ will incorrectly match filenames like .pre-commit-hooksXyaml where any character replaces the dot. Correct it to:

/\.pre-commit-(hooks|config)\.yaml/

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 13f4247 and 087fae1.

📒 Files selected for processing (3)

• .github/renovate.json
• .pre-commit-hooks.yaml
• README.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cleanup artifacts

🔇 Additional comments (3)

README.md (1)

78-91: Verify the version number for new hooks.

The example shows rev: v0.7.2, but the new hooks (pinact, ghalint, ghalint-act) are being added in this PR. Users will need to reference a version that includes these changes (likely v0.8.0 or newer after this PR is merged) to access these hooks.

Consider updating the documentation to indicate the minimum version required for each hook, or ensure the version in the example reflects the upcoming release that will include these hooks.

.pre-commit-hooks.yaml (2)

12-29: Hooks are properly configured with current dependency version.

Both ghalint and ghalint-act hooks are well-structured with appropriate file patterns:

• ghalint targets workflow files in .github/workflows/
• ghalint-act targets action definition files (action.yml/action.yaml)

The separation into two hooks with different entry points (ghalint run vs ghalint act) is appropriate. The specified version v1.5.4 is the latest stable release.

---

1-10: Hook configuration is correct and current.

v3.8.0 is the latest stable release of pinact (released Dec 30, 2025). The hook definition is well-structured with appropriate file patterns and the --verify flag is a good default to check if versions are already pinned.