Add pre-commit guards to prevent agent shortcuts (#1)

* feat: add pre-commit guards to prevent agent shortcuts

* ci: add pull_request trigger to run checks on PRs

Add pull_request trigger to buildah.yml so that pre-commit checks
and build verification run on pull requests. Push to registry is
now conditional and only runs on push to main branch.

Author: xnoto

.github/workflows/buildah.yml

@@ -8,6 +8,10 @@ on:
     paths:
       - '*/**'
       - '!.github/**'
+  pull_request:
+    paths:
+      - '*/**'
+      - '!.github/**'
   workflow_dispatch:
     inputs:
       image:
@@ -85,6 +89,7 @@ jobs:
           extra-args: --squash
 
       - name: Push to registry
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         uses: redhat-actions/push-to-registry@v2
         with:
           image: ${{ matrix.image }}

.pre-commit-config.yaml

@@ -10,6 +10,10 @@ repos:
       - id: detect-private-key
       - id: mixed-line-ending
       - id: trailing-whitespace
+      - id: no-commit-to-branch
+        args: ['--branch', 'main']
+      - id: check-added-large-files
+        args: ['--maxkb=1000']
   - repo: https://github.com/hadolint/hadolint
     rev: v2.14.0
     hooks:

tfroot-runner/pre-commit-config.yaml

@@ -47,3 +47,7 @@ repos:
         exclude: README.md
       - id: mixed-line-ending
       - id: trailing-whitespace
+      - id: no-commit-to-branch
+        args: ['--branch', 'main']
+      - id: check-added-large-files
+        args: ['--maxkb=1000']