feat: pre-commit hook 설정 추가 (SwiftLint + action-validator)

[kargnas]

Summary

• 커밋 전 자동 린트 검사를 위한 Git hooks 설정 추가
• Node.js 의존성 없이 순수 Git core.hooksPath 방식 사용

Changes

새 파일

• .githooks/pre-commit: Pre-commit hook 스크립트
  • SwiftLint: staged .swift 파일 검사
  • action-validator: staged .github/workflows/*.yml 파일 검사
• Makefile: 개발 편의 명령어
  • make setup: Git hooks 설정
  • make lint: 전체 린트 실행
  • make lint-swift: SwiftLint만 실행
  • make lint-actions: action-validator만 실행

문서 업데이트

• README.md: Development Setup 가이드 업데이트
• AGENTS.md: Pre-Development Setup 섹션 추가

Usage

# Clone 후 한 번만 실행
make setup

# 이후 커밋 시 자동으로 lint 검사 실행
git commit -m "..."

Why this approach?

• No Node.js dependency: npm install 불필요
• Simple: make setup 한 줄로 완료
• Git native: git config core.hooksPath 사용
• Fast: node_modules 설치 시간 없음

[Copilot]

Pull request overview

This PR adds Git pre-commit hook configuration using Git's native core.hooksPath feature to automatically run code quality checks before commits. The implementation replaces the previous scripts/setup-git-hooks.sh approach with a simpler Makefile-based setup.

Changes:

• Adds .githooks/pre-commit script that runs SwiftLint and action-validator on staged files
• Adds Makefile with convenience targets for setup and manual linting
• Updates README.md and AGENTS.md documentation to reflect the new setup process

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 11 comments.

File	Description
.githooks/pre-commit	Pre-commit hook script that validates staged Swift and workflow files
Makefile	Provides make setup for Git hooks configuration and make lint commands
README.md	Updates contribution guide to use new make setup command
AGENTS.md	Adds pre-development setup instructions for the Git hooks

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The Makefile's lint-actions target uses npx --yes @action-validator/cli, which requires Node.js and npm to be installed. This contradicts the PR description's claim of "No Node.js dependency" and "npm install 불필요". Either the description should be updated to clarify that Node.js is optional (only needed for workflow validation), or the implementation should be changed to not require Node.js/npx.

[Copilot]

The SwiftLint command here runs on the entire CopilotMonitor/CopilotMonitor directory, which is consistent with the full manual lint but potentially misleading when comparing to the pre-commit hook behavior. The pre-commit hook checks for staged files but also runs on the entire directory. For consistency and clarity, consider documenting that both run on the full directory, or update both to support file-specific linting.

[Copilot]

The pre-commit hook script needs to be executable. Ensure that the file has executable permissions (chmod +x .githooks/pre-commit). Git should preserve these permissions when the file is committed with executable bits set. Verify that the file mode is 755 or similar when committing.

[Copilot]

The STAGED_WORKFLOWS variable should be quoted in the for loop to properly handle filenames with spaces or special characters. Change for file in $STAGED_WORKFLOWS; do to while IFS= read -r file; do ... done <<< "$STAGED_WORKFLOWS" or ensure the variable is properly quoted. While workflow filenames are unlikely to contain spaces, this is a shell scripting best practice.

Suggested change

	for file in $STAGED_WORKFLOWS; do
	echo "Validating $file..."
	npx --yes @action-validator/cli "$file"
	if [ $? -ne 0 ]; then
	echo "❌ action-validator found issues in $file"
	EXIT_CODE=1
	fi
	done
	while IFS= read -r file; do
	[ -z "$file" ] && continue
	echo "Validating $file..."
	npx --yes @action-validator/cli "$file"
	if [ $? -ne 0 ]; then
	echo "❌ action-validator found issues in $file"
	EXIT_CODE=1
	fi
	done <<< "$STAGED_WORKFLOWS"

[Copilot]

The documentation mentions "action-validator" but the CI workflows (ci.yml, lint.yml) use "actionlint". This inconsistency should be clarified to avoid confusion about which tool is used where.

[Copilot]

The documentation mentions "action-validator" for validating GitHub Actions workflow files, but the CI workflows use "actionlint" for this purpose. This creates confusion about which tool is actually being used. The description should clarify that action-validator is used locally while actionlint is used in CI, or better yet, align both to use the same tool for consistency.

[Copilot]

The SwiftLint command runs on the entire CopilotMonitor/CopilotMonitor directory, not just the staged Swift files. This is inconsistent with the check on line 25 which identifies staged Swift files. The hook should either:

1. Pass the staged files to SwiftLint: echo "$STAGED_SWIFT" | xargs swiftlint lint --quiet
2. Or remove the staged files check and always lint the entire directory

The old setup-git-hooks.sh script correctly linted only staged files, which is faster and more appropriate for a pre-commit hook.

Suggested change

	swiftlint lint --quiet CopilotMonitor/CopilotMonitor
	echo "$STAGED_SWIFT" | xargs swiftlint lint --quiet

[Copilot]

The pre-commit hook uses @action-validator/cli via npx, but the CI workflows (ci.yml and lint.yml) use actionlint for validation. This creates an inconsistency where different tools validate the same files locally vs in CI, potentially leading to discrepancies where one tool accepts what the other rejects. Consider using actionlint locally as well for consistency with the CI pipeline.

[Copilot]

This pre-commit hook invokes npx --yes @action-validator/cli "$file", which downloads and executes a third-party CLI from the public npm registry on every commit without pinning a specific version or verifying integrity. If the @action-validator/cli package or the npm resolution for this name is compromised, an attacker can achieve code execution on developer machines, modify repository contents, or exfiltrate local secrets during commits. To reduce this supply-chain risk, pin the tool to a specific trusted version or vendored install and invoke that fixed binary instead of relying on on-demand npx resolution.

[Copilot]

The lint-actions target uses npx --yes @action-validator/cli "$$f", which causes a third-party npm CLI to be downloaded and executed on demand without version pinning or integrity verification. A compromised @action-validator/cli release or npm registry attack would give an attacker code execution in developer environments when make lint-actions is run, allowing tampering with source code or stealing credentials. Prefer installing a pinned version of this tool (for example via a lockfile or vendored binary) and invoking that fixed artifact instead of relying on npx with an unpinned package name.