docs: add require-signed-commits hook and global git hook pattern #2

Merged
claude[bot] merged 4 commits into main from feat/global-hook-pattern
Feb 18, 2026

Conversation

@injectedfusion (Owner)

Summary

  • Adds require-signed-commits to the hooks table
  • Documents the global git hook pattern for personal hooks that scale to all repos without per-repo setup

The pattern

core.hooksPath set globally → one hook script covers every repo. Chains to the repo's .pre-commit-config.yaml so team hooks still run. No pre-commit install per repo needed.

Checks commit.gpgsign=true and user.signingkey is set before allowing
a commit. Blocks unsigned commits in non-interactive shells (e.g. agentic
AI workflows) where signing can silently fall through.

Usage in .pre-commit-config.yaml:

```yaml
  - repo: https://github.com/injectedfusion/pre-commit-hooks
    rev: <tag>
    hooks:
      - id: require-signed-commits
```
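The pattern the description sketches (global core.hooksPath hook that refuses unsigned commits and then chains to the repo's own pre-commit config, running only the first config file found) as an added example written for this page; it is neither the repository's hooks/require-signed-commits.sh nor the README script. It assumes the file is installed as ~/.git-hooks/pre-commit with `git config --global core.hooksPath ~/.git-hooks`, that pre-commit is on PATH, and the function names signing_status and pick_precommit_config are my own. The decision logic takes the config values as arguments so it can be checked outside a repository.

```shell
#!/usr/bin/env bash
# Added example: a global git pre-commit hook, installed with
#   git config --global core.hooksPath ~/.git-hooks
# and saved as ~/.git-hooks/pre-commit (git fixes the file name).
# Assumes pre-commit is on PATH. Not the repository's own script.
set -eu

# Decide whether commit signing is configured. Takes the values of
# commit.gpgsign and user.signingkey as arguments so the rule can be checked
# without a repository. Returns 0 when signing is enforced, 1 when
# commit.gpgsign is not "true", 2 when no signing key is configured.
signing_status() {
  local gpgsign="${1:-false}" signingkey="${2:-}"
  if [ "$gpgsign" != "true" ]; then
    return 1
  fi
  if [ -z "$signingkey" ]; then
    return 2
  fi
  return 0
}

# Pick the repo config to chain to. Only the FIRST match is used:
# .pre-commit-config.local.yaml wins over .pre-commit-config.yaml.
# Prints the chosen path; returns 1 if neither exists.
pick_precommit_config() {
  local dir="${1:-.}" candidate
  for candidate in "$dir/.pre-commit-config.local.yaml" "$dir/.pre-commit-config.yaml"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

main() {
  local gpgsign signingkey rc config
  # Missing config keys make `git config --get` exit non-zero; treat that as "false"/"unset".
  gpgsign="$(git config --get commit.gpgsign 2>/dev/null || echo 'false')"
  signingkey="$(git config --get user.signingkey 2>/dev/null || true)"

  rc=0
  signing_status "$gpgsign" "$signingkey" || rc=$?
  case "$rc" in
    1) printf '✗ commit.gpgsign is not true. Fix: git config --global commit.gpgsign true\n' >&2; exit 1 ;;
    2) printf '✗ user.signingkey is not set. Fix: git config --global user.signingkey <KEY-ID>\n' >&2; exit 1 ;;
  esac

  # Chain to the repository's own hooks so team config still runs
  # (only the first config file found is executed, see pick_precommit_config).
  if config="$(pick_precommit_config "$(git rev-parse --show-toplevel)")"; then
    exec pre-commit run --config "$config" --hook-stage pre-commit
  fi
}

# git always invokes this file as ".../pre-commit"; under any other name
# (sourced, or run as a test) only the functions are defined.
case "${0##*/}" in
  pre-commit) main "$@" ;;
esac
```

Because the script lives outside every repository, `pre-commit install` is never run per repo; the exec at the end is what keeps team hooks from being silently skipped. In a non-interactive session where the signing config is absent the hook exits before git reaches the signing step, which is the failure mode the description calls out.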
@gemini-code-assist

Summary of Changes

Hello @injectedfusion, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances repository security and developer workflow by introducing a new require-signed-commits pre-commit hook and documenting a global Git hook pattern. The new hook ensures all commits are signed, which is crucial for maintaining integrity, especially in automated or AI-driven workflows. The documented global hook pattern provides a flexible way for developers to enforce personal discipline, like commit signing, across all their repositories without interfering with team-specific pre-commit configurations.

Highlights

  • New require-signed-commits hook: Introduced a new pre-commit hook that enforces GPG/SSH commit signing by checking commit.gpgsign and user.signingkey configurations, crucial for integrity in agentic AI workflows.
  • Global Git Hook Pattern Documentation: Added documentation for setting up a global Git hook using core.hooksPath to apply personal pre-commit checks across all repositories without per-repo setup, while still chaining to repository-specific pre-commit configurations.


Changelog
  • .pre-commit-hooks.yaml
    • Added the definition for the new require-signed-commits hook, including its ID, name, description, entry script, language, and stage.
  • README.md
    • Updated the hooks table to include require-signed-commits with its description.
    • Added a new section detailing how to set up personal global Git hooks using core.hooksPath, including example bash scripts for a global pre-commit hook that checks for signed commits and chains to repository-specific pre-commit configurations.
  • hooks/require-signed-commits.sh
    • Created a new bash script that checks if commit.gpgsign is set to true and user.signingkey is configured, failing the commit if these conditions are not met and providing instructions for setup.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/pr-pipeline.yml

@claude

claude bot commented Feb 18, 2026

Claude finished @injectedfusion's task in 32s


PR Review: require-signed-commits hook + global hook pattern

Review Summary

Reviewing the implementation of the require-signed-commits hook and global git hook pattern documentation.

Status: APPROVED

The PR is production-ready. The shell script follows best practices, the hook configuration is valid, and the documentation is clear and accurate.


Shell Script Analysis (hooks/require-signed-commits.sh)

Strengths:

  • ✅ Proper shebang (#!/usr/bin/env bash)
  • ✅ set -euo pipefail for safety (exit on error, undefined variables, pipe failures)
  • ✅ Safe command substitution with error handling: git config --get commit.gpgsign 2>/dev/null || echo 'false'
  • ✅ Proper string comparison using [[ ]] (bash-safe)
  • ✅ Clear, helpful error messages with actionable remediation steps
  • ✅ Handles both GPG and SSH signing methods (1Password SSH agent example is useful)
  • ✅ Logical flow: checks commit.gpgsign first, then validates user.signingkey is set
  • ✅ No security vulnerabilities (no eval, no credential leaks, safe variable usage)

Execution Logic:
The script correctly:

  1. Defaults to false if commit.gpgsign is not set
  2. Fails fast if signing not enabled
  3. Validates the signing key is configured
  4. Provides user instructions for setup (multiple signing methods)
  5. Mentions --no-verify bypass option for emergencies

Hook Configuration (.pre-commit-hooks.yaml)

Configuration is valid:

  • id: require-signed-commits — unique identifier
  • name: — descriptive
  • description: — explains purpose and use case (agentic AI workflows)
  • entry: hooks/require-signed-commits.sh — correct path
  • language: script — appropriate for bash
  • always_run: true — correct (must check every commit regardless of file changes)
  • pass_filenames: false — correct (hook doesn't process files)
  • stages: [pre-commit] — appropriate stage

Documentation Accuracy (README.md)

Table Update:

  • ✅ Hook added to table with clear, concise description
  • ✅ Accurately reflects the behavior

Global Hook Pattern Section:

  • ✅ Clear setup instructions for core.hooksPath
  • ✅ Example bash script demonstrates proper pattern:
    • Uses set -euo pipefail
    • Safely retrieves git config
    • Shows how to chain to repo-specific .pre-commit-config.yaml
    • Handles both .pre-commit-config.local.yaml and .pre-commit-config.yaml
  • ✅ Correct file permissions reminder (chmod +x)
  • ✅ Well-explained rationale: personal discipline without imposing on teammates

Documentation Quality:

  • Consistent with existing hook documentation
  • Explains the "why" (especially for agentic AI workflows)
  • Provides practical examples

Integration & Consistency

  • ✅ Hook integrates cleanly with existing hooks (check-branch-staleness, trivy-deps, no-hardcoded-secrets)
  • ✅ Naming and style consistent with existing hooks
  • ✅ Error messages align with existing hooks (✗ prefix, clear guidance)

CI Workflow

The CI pipeline (.github/workflows/pr-pipeline.yml) includes:

  • ✅ ShellCheck validation (covered in workflow)
  • ✅ Code review automation

Final Decision

✅ APPROVED — Ready to merge

This PR adds a well-implemented security hook with proper error handling, clear documentation, and a practical pattern for developers using global git hooks. The code is safe, the hook config is valid, and the documentation is accurate and helpful.


@claude claude bot merged commit b2ff71a into main Feb 18, 2026
2 checks passed

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a new require-signed-commits pre-commit hook and documentation for a global git hook pattern. The changes are well-implemented. The new hook script is robust and provides helpful user feedback. I have one minor suggestion to improve the clarity of the example script in the documentation.

```bash
exit 1
fi

# Chain to repo pre-commit config if present
```


Severity: medium

The current comment is slightly ambiguous. The script that follows will execute only the first configuration file it finds, preferring .local.yaml over the standard .pre-commit-config.yaml. The use of a for loop with exec can be misleading, as it might imply iteration over all found files. Updating the comment to clarify this behavior would improve the script's readability for users who copy it.

Suggested change
# Chain to repo pre-commit config if present
# Chain to repo pre-commit config if present, running the first one found (prefers .local.yaml)
