chore: SHA-pin pre-commit hook revisions

[27Bslash6]

Summary

• Pin all pre-commit hook rev: values to full commit SHAs instead of mutable version tags
• Covers ruff-pre-commit, actionlint, pre-commit-hooks, and detect-secrets
• Adds pragma: allowlist secret to prevent detect-secrets false positives on SHA strings

Why

Mutable tags are a supply chain attack vector — anyone with write access to the hook repo can move a tag to point at malicious code. SHA pins are immutable.

Test plan

• Pre-commit hooks install and run successfully with SHA revs
• detect-secrets passes (allowlist pragmas in place)

Summary by CodeRabbit

• Chores
  • Updated development tool dependencies to latest stable versions for improved code quality checks.

[coderabbitai]

📝 Walkthrough

Walkthrough

The .pre-commit-config.yaml configuration file is updated to bump the pinned versions of four pre-commit tool repositories: ruff-pre-commit (v0.14.3 → v0.15.9), actionlint (v1.7.7 → v1.7.12), pre-commit-hooks, and detect-secrets. Each updated revision includes an inline comment marking secret allowlisting.

Changes

Cohort / File(s)	Summary
Pre-commit Configuration .pre-commit-config.yaml	Updated pinned versions for four pre-commit tool repositories: ruff, actionlint, pre-commit-hooks, and detect-secrets. Each updated rev includes # pragma: allowlist secret inline comment. No functional or hook configuration changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Four tools hop to newer ground,
Versions bump without a sound,
Ruff and linters, fresh and bright,
Config hopping left and right! 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description covers motivation and test plan but lacks key template sections like Type of Change, Security Checklist, Documentation Validation, Backward Compatibility, and proper formatting.	Complete the PR description template by adding Type of Change checkbox (select 'CI/CD or tooling change'), full Security Checklist, and Backward Compatibility sections.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: converting pre-commit hook revisions from version tags to SHA pins for supply chain security.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/sha-pin-pre-commit

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.pre-commit-config.yaml (1)

8-8: Ruff version bump (v0.14.3 → v0.15.9) may introduce new behavior.

While the explicit rule selection in pyproject.toml (lines 107-119) mitigates risk from newly promoted rules, a minor version jump of this magnitude could still include:

• Changes to existing rule behavior or severity
• Formatter output differences
• New deprecation warnings

If CI passes cleanly, this is likely fine. If you encounter unexpected lint failures or formatting changes, this upgrade is the likely cause.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml at line 8, The pre-commit hook was bumped to Ruff
rev c60c980e561ed3e73101667fe8365c609d19a438 (v0.15.9) which can introduce
behavioral changes; verify and pin or adjust accordingly by running Ruff locally
and in CI with the repo's current pyproject.toml rule set (the explicit rule
selection in pyproject.toml lines ~107-119) to surface any new lint/format
differences, and if you see unexpected failures either revert the rev to the
previous stable commit, add a pinned version constraint in
.pre-commit-config.yaml, or update pyproject.toml to explicitly disable/adjust
any newly problematic rules before merging.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.pre-commit-config.yaml:
- Line 8: The pre-commit hook was bumped to Ruff rev
c60c980e561ed3e73101667fe8365c609d19a438 (v0.15.9) which can introduce
behavioral changes; verify and pin or adjust accordingly by running Ruff locally
and in CI with the repo's current pyproject.toml rule set (the explicit rule
selection in pyproject.toml lines ~107-119) to surface any new lint/format
differences, and if you see unexpected failures either revert the rev to the
previous stable commit, add a pinned version constraint in
.pre-commit-config.yaml, or update pyproject.toml to explicitly disable/adjust
any newly problematic rules before merging.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5201eb71-a191-4e2c-bb2e-e1413f4a6b33

📥 Commits

Reviewing files that changed from the base of the PR and between 6d1c6e2 and 8873985.

📒 Files selected for processing (1)

• .pre-commit-config.yaml