feat: add require-signed-commits hook #1

Merged
injectedfusion merged 3 commits into main from feat/require-signed-commits on Feb 18, 2026

@injectedfusion
Owner

Summary

  • Adds hooks/require-signed-commits.sh — checks commit.gpgsign=true and user.signingkey is configured before allowing a commit
  • Adds hook entry to .pre-commit-hooks.yaml

Motivation

Unsigned commits slipping through non-interactive shells (e.g. agentic AI workflows) is a real failure mode. This hook enforces signing discipline at the pre-commit layer.

Usage

repos:
  - repo: https://github.com/injectedfusion/pre-commit-hooks
    rev: <tag>
    hooks:
      - id: require-signed-commits

Test plan

  • Verify hook blocks commit when commit.gpgsign is not true
  • Verify hook blocks commit when user.signingkey is unset
  • Verify hook passes when both are configured (1Password SSH agent)
  • Import in rk1-k8s-apps .pre-commit-config.yaml after tag

Checks commit.gpgsign=true and user.signingkey is set before allowing
a commit. Blocks unsigned commits in non-interactive shells (e.g. agentic
AI workflows) where signing can silently fall through.

Usage in .pre-commit-config.yaml:
  - repo: https://github.com/injectedfusion/pre-commit-hooks
    rev: <tag>
    hooks:
      - id: require-signed-commits
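
The check described above and the three cases in the test plan, as an added sketch; this is not the `hooks/require-signed-commits.sh` from this PR, and the function name, return codes and messages are assumptions made for illustration:

```shell
#!/usr/bin/env bash
# Added illustration (hypothetical names; not the project's script).
# check_signing_config [repo_dir]
#   returns 0 when commit.gpgsign is true AND user.signingkey is non-empty
#   returns 1 when commit.gpgsign is unset, false or not a valid boolean
#   returns 2 when user.signingkey is unset or empty
check_signing_config() {
    local repo gpgsign key
    repo="${1:-.}"

    # --type=bool normalises yes/on/1 to "true"; an unset or invalid
    # value makes git exit non-zero, which leaves $gpgsign empty.
    gpgsign="$(git -C "$repo" config --type=bool --get commit.gpgsign 2>/dev/null || true)"
    if [ "$gpgsign" != "true" ]; then
        echo "blocked: commit.gpgsign is not true" >&2
        echo "  fix: git config --global commit.gpgsign true" >&2
        return 1
    fi

    key="$(git -C "$repo" config --get user.signingkey 2>/dev/null || true)"
    if [ -z "$key" ]; then
        echo "blocked: user.signingkey is not set" >&2
        echo "  fix: git config --global user.signingkey <key>" >&2
        return 2
    fi

    return 0
}
```

A check of this kind inspects configuration only, so `git commit --no-gpg-sign` or `--no-verify` still yields an unsigned commit; server-side signature verification covers that gap.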
@gemini-code-assist

Summary of Changes

Hello @injectedfusion, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances repository security and integrity by introducing a new pre-commit hook. This hook ensures that all commits are signed, preventing unsigned commits from being pushed, which is particularly crucial for maintaining an auditable and secure commit history in automated development environments. It provides immediate feedback and instructions to developers if their Git configuration does not meet the signing requirements.

Highlights

  • New Pre-Commit Hook: Introduced a new pre-commit hook named require-signed-commits to enforce Git commit signing discipline.
  • Commit Signing Enforcement: The hook checks if commit.gpgsign is set to true and if user.signingkey is configured, blocking commits that do not meet these criteria.
  • Motivation: Aimed at preventing unsigned commits, particularly in automated or agentic AI workflows where such commits might otherwise slip through non-interactive shells.
  • Usage Guidance: The hook provides clear instructions on how to configure Git for commit signing, including specific guidance for 1Password SSH agent users.

Changelog
  • .pre-commit-hooks.yaml
    • Added a new entry for the require-signed-commits hook, including its ID, name, description, entry point, language, and execution stages.
  • hooks/require-signed-commits.sh
    • Created a new bash script that implements the logic for checking Git's commit.gpgsign and user.signingkey configurations.
    • Included user-friendly error messages and instructions for enabling commit signing, covering both standard GPG and 1Password SSH agent setups.
Activity
  • No human activity has been recorded on this pull request yet.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a new pre-commit hook to enforce that all commits are signed. The hook is implemented as a shell script and configured in .pre-commit-hooks.yaml. The overall approach is sound. My review found a couple of minor issues in the shell script: an inaccurate comment that misrepresents the script's logic, and an unused variable. I've provided suggestions to correct these for better clarity and maintainability.

@injectedfusion
Owner Author

/gemini review

@injectedfusion
Owner Author

@claude please review this PR

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

The pull request introduces a new pre-commit hook to enforce signed commits, which is a good security practice, especially for automated workflows. The implementation correctly checks for commit.gpgsign and user.signingkey and provides clear instructions to the user. The .pre-commit-hooks.yaml entry is also correctly configured. The overall approach is sound and addresses the stated motivation effectively.

@injectedfusion injectedfusion merged commit 8356cf4 into main Feb 18, 2026
4 checks passed