Replace prek with hk for pre-commit hooks

[gtbuchanan]

Migrates the pre-commit runner from prek to hk (jdx), configured in Pkl (hk.pkl).

What changed

• hk.pkl (new) — file-hygiene checks via native Builtins.* (no Python/venv layer), actionlint, two renovate-config-validator --strict steps, a per-OS forbid-submodules guard, and a pnpm exec eslint step (non-modifying check for CI, autofixing fix on commit). check-illegal-windows-names was dropped (no builtin; redundant on a Windows-primary repo). .pre-commit-config.yaml removed.
• mise — dropped prek; added hk/pkl/actionlint (aqua, real mise.lock integrity) + npm:renovate; HK_MISE=1; [hooks] postinstall = "hk install --mise"; experimental = true (required for [hooks]).
• gtb prepare — now skill-sync only; hook installation moved to mise''s postinstall. Command + tests updated.
• CI — pre-commit.yml runs hk check --from-ref/--to-ref on changed files. hk has no hook environments to build or cache, so the seed workflow is gone and the release pipeline is just CI + CD.
• Renovate — repo-local throttle for the noisy npm:renovate tool.
• Docs — README, AGENTS, CONTRIBUTING (incl. rewritten Termux/Android out-of-band tool setup), cli/README, eslint-config skill.

Windows notes

Two Windows-specific wrinkles, both handled inside the hk:* mise tasks:

• cmd.exe arg limit. hk passes matched files as argv and its auto-batching is Unix-ARG_MAX-tuned, so a full-repo run can overflow cmd.exe''s 8191-char limit. The hk:all task sets HK_BATCH=1, which flips the batch = batchFiles steps in hk.pkl on so hk chunks files (~one batch per core) under the limit. Commits and hk:base leave it unset so the common path stays single-invocation (batching a small changeset just means repeated linter startup). Filed upstream: jdx/hk discussion #971.
• Git Bash PATH. mise runs file tasks through Git Bash, which leaves the mise-injected tool dirs in POSIX /c/… form; native hk then can''t find pkl to load hk.pkl, and its cmd.exe steps can''t find System32 tools like findstr. mise-tasks/lib.sh''s run_native resolves the binary on the POSIX PATH, then runs it with a cygpath-converted Windows PATH (a no-op off Windows). The commit-time git hook is unaffected — it runs hk via mise x from native git.exe.

Verification

• hk validate passes; the hk pre-commit hook runs green (one invocation per step).
• pnpm check green — typecheck + lint + fast tests (215 cli tests).

Closes #81

[coderabbitai]

📝 Walkthrough

Walkthrough

Migrates pre-commit tooling from prek to hk: adds mise hk tasks and native runner helpers, updates mise and Renovate configs, switches CI workflows to run mise hk:base (with conditional pnpm install), simplifies CLI prepare, and aligns docs/README.

Changes

Prek to hk migration: hook system replacement

Layer / File(s)	Summary
Mise hk tool configuration and postinstall integration mise.toml	Adds HK_MISE env, hk install --mise postinstall hook, enables experimental settings, and replaces prek with pinned hk, pkl, actionlint, and renovate tool entries.
Renovate hk version tracking & throttling default.json	Adds customManagers regex to extract hk versions for hk.pkl URLs and updates packageRules to throttle renovate npm package instead of renovatebot/pre-commit-hooks.
Hk execution task scripts and Windows PATH handling mise-tasks/lib.sh, mise-tasks/hk/all, mise-tasks/hk/base	Adds run_native() helper that resolves binaries and performs Windows PATH conversion when cygpath exists; hk:all runs hk across all files with batching; hk:base runs hk on files changed from a base ref (shallow-fetch support, safe path handling, CI vs local mode).
GitHub Actions workflows updated to run hk:base .github/workflows/pre-commit.yml, .github/workflows/pr.yml, .github/workflows/release.yml	pre-commit.yml now forces color env vars, sets up mise, conditionally runs pnpm setup when use-pnpm is true, and invokes mise run hk:base with BASE_SHA; pr.yml comment clarified; release.yml comment reworded.
CLI prepare command: remove pre-commit hook installation packages/cli/src/commands/root/prepare.ts, packages/cli/test/prepare.test.ts, packages/cli/README.md	prepare now only syncs skills via skills-npm; removed hook-install logic/imports; tests and README updated to reflect the simplified behavior.
Documentation: hk system, mise integration, and contributor guidance AGENTS.md, CONTRIBUTING.md, README.md, packages/eslint-config/skills/gtb-eslint-config/SKILL.md	Docs updated to describe hk usage, hk.pkl, mise postinstall, hk task semantics including Windows batching, Termux/Android setup changes, removed pre-commit-seed.yml references, and guidance on ESM→CJS resolution for pre-commit hooks.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• gtbuchanan/tooling#137: Also modifies .github/workflows/pre-commit.yml and .github/workflows/pr.yml around pnpm dependency gating for lint steps.
• gtbuchanan/tooling#147: Adds actionlint to .pre-commit-config.yaml, which conflicts with this PR's removal of .pre-commit-config.yaml.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Replace prek with hk for pre-commit hooks' is concise (41 chars), descriptive, and clearly summarizes the main migration objective.
Description check	✅ Passed	The description comprehensively documents the prek→hk migration, covering hk.pkl configuration, mise updates, gtb prepare changes, CI modifications, Renovate throttling, documentation updates, and Windows-specific handling.
Linked Issues check	✅ Passed	The PR fully implements the active hk evaluation from issue #81, addressing Termux/Android single-runner architecture, cross-repo config inheritance via Pkl, and native file-hygiene checks without Python venv layer.
Out of Scope Changes check	✅ Passed	All changes are directly related to the prek→hk migration: workflow updates, mise configuration, pre-commit hook replacement, gtb prepare command simplification, documentation alignment, and Renovate throttling are all within scope.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 248-252: Update the documentation to correctly describe how
pre-commit triggers hk: instead of saying it runs "hk check
--from-ref/--to-ref", state that pre-commit.yml invokes the mise-tasks/hk/base
script which computes changed files via "git diff --name-only" (as noted in the
comment around mise-tasks/hk/base lines that mention "We diff ourselves") and
then runs "hk check $files" with that explicit file list; reference
pre-commit.yml and mise-tasks/hk/base and the hk check $files invocation so
readers know the repo diffs are computed locally rather than using hk's
--from-ref/--to-ref flags.

In `@default.json`:
- Around line 3-19: The extractVersionTemplate currently requires a leading "v"
which fails to match the currentValue captured by matchStrings (which yields
values like "1.46.0"); update extractVersionTemplate to accept an optional
leading "v" (so it matches both "v1.2.3" and "1.2.3") or alternatively change
the matchStrings entries to include the "v" in the captured currentValue; ensure
you modify the extractVersionTemplate and/or matchStrings so that the captured
group name (currentValue) can be normalized by extractVersionTemplate.

In `@mise-tasks/hk/base`:
- Line 33: The current invocation run_native hk "$cmd" "$@" $files suffers
word-splitting on $files and will break filenames with spaces; change the code
to pass files as a proper array and expand it with "${files[@]}" (or, if you
cannot convert callers, ensure files is a single quoted value and split on
newlines only), so update the call site (the run_native invocation) and any code
that constructs files to build a shell array (e.g., files+=(...)) and then call
run_native hk "$cmd" "$@" "${files[@]}".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c9589761-a8a1-4829-8be4-2289560a195d

📥 Commits

Reviewing files that changed from the base of the PR and between b75420f and aa35a77.

⛔ Files ignored due to path filters (2)

• hk.pkl is excluded by !**/*.pkl
• mise.lock is excluded by !**/*.lock

📒 Files selected for processing (17)

• .github/workflows/pr.yml
• .github/workflows/pre-commit-seed.yml
• .github/workflows/pre-commit.yml
• .github/workflows/release.yml
• .pre-commit-config.yaml
• AGENTS.md
• CONTRIBUTING.md
• README.md
• default.json
• mise-tasks/hk/all
• mise-tasks/hk/base
• mise-tasks/lib.sh
• mise.toml
• packages/cli/README.md
• packages/cli/src/commands/root/prepare.ts
• packages/cli/test/prepare.test.ts
• packages/eslint-config/skills/gtb-eslint-config/SKILL.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• gtbuchanan/tooling (manual)

💤 Files with no reviewable changes (2)

• .pre-commit-config.yaml
• .github/workflows/pre-commit-seed.yml

📜 Review details

🧰 Additional context used

📓 Path-based instructions (4)

**/.github/workflows/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

For GitHub Actions workflow files, reference in-repo composite actions by full path gtbuchanan/tooling/.github/actions/<name>@main`` instead of relative paths ./

Use GitHub Actions composite action mise-setup as the first step of every job that needs mise tools to restore the mise data dir with arch-specific fallback

Use turbo-run composite action to run turbo tasks, which skips pnpm install when turbo remote cache covers all tasks

Use pnpm-tasks composite action to restore the pnpm store from cache, install dependencies, and run optional pnpm commands

Use pnpm-resolve-pinned composite action to resolve a package's exact version from the lockfile without install for pnpm dlx invocations

Files:

• .github/workflows/pr.yml
• .github/workflows/pre-commit.yml
• .github/workflows/release.yml

mise.toml

📄 CodeRabbit inference engine (AGENTS.md)

Set idiomatic_version_file_enable_tools = ['pnpm'] in mise configuration to share the pnpm version between packageManager in package.json and mise

Files:

• mise.toml

README.md

📄 CodeRabbit inference engine (AGENTS.md)

When adding or removing a package, update the packages table in README.md and the structure tree

Files:

• README.md

**/test/**/*.test.{ts,tsx,js}

📄 CodeRabbit inference engine (AGENTS.md)

Use test.slow tag or /** @module-tag slow */ JSDoc for slow tests in Vitest, controlled via --tags-filter CLI option

When asserting on CommandResult (exit code, stdout, stderr), use expect(result).toMatchObject({ exitCode: 0 }) instead of expect(result.exitCode).toBe(0)

Generate incidental test data via @gtbuchanan/test-utils/builders or @faker-js/faker directly for one-off primitives, capturing result in a local variable for assertions

Use import * as build from '@gtbuchanan/test-utils/builders' and reference captured values in assertions instead of duplicate literals

Files:

• packages/cli/test/prepare.test.ts

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T18:45:16.930Z
Learning: Set `MISE_LOCKED=1` environment variable so `mise install` fails on `mise.toml` ↔ `mise.lock` drift

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T18:45:16.930Z
Learning: Prefer per-package Vitest configuration with `configurePackage()` over global configuration for most packages

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T18:45:16.930Z
Learning: Maintain separate ESLint plugin set bundled in `gtbuchanan/eslint-config` with two-plugin Markdown lint split for different file types

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T18:45:16.930Z
Learning: On Termux/Android, run `pnpm build`, `pnpm test:slow`, and `pnpm test:e2e` with `--concurrency=1` to avoid OOM

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T18:45:16.930Z
Learning: Keep reusable workflows (`workflow_call`-only) separate from pipeline workflows with direct triggers to ensure `inputs` context always populates

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T18:45:16.930Z
Learning: Define leaf job names in branch protection as unique and descriptive (e.g., 'Build', 'E2E Test', 'Pre-Commit Run', 'Dependency Review') rather than workflow or calling job names

📚 Learning: 2026-06-04T18:38:29.949Z

Learnt from: gtbuchanan
Repo: gtbuchanan/tooling PR: 141
File: .github/workflows/changeset-check.yml:15-15
Timestamp: 2026-06-04T18:38:29.949Z
Learning: In this repository (gtbuchanan/tooling), GitHub Actions used in workflows are intentionally referenced by moving tags/branches (e.g., `actions/checkoutv*`, `actions/upload-artifactv*`, `actions/cachev*`, `actions/create-github-app-tokenv*`, and other third-party actions like `rharkor/caching-for-turbov*`), and should never be pinned to a commit SHA. There is no repo-wide SHA-pinning policy; therefore, do not flag these as “unpinned” or suggest SHA-pinning (zizmor’s default `unpinned-uses` rule does not apply here). For in-repo composite actions referenced by reusable workflows, the deliberate documented convention is to use `main` (e.g., `gtbuchanan/tooling/.github/actions/mise-setupmain`), matching how consumers reference the reusable workflows themselves (`.../.github/workflows/<name>main`). Do not change `main` references to SHAs to avoid hash bumps and the self-reference paradox.

Applied to files:

• .github/workflows/pr.yml
• .github/workflows/pre-commit.yml
• .github/workflows/release.yml

📚 Learning: 2026-06-04T02:26:02.824Z

Learnt from: gtbuchanan
Repo: gtbuchanan/tooling PR: 139
File: packages/cli/test/coverage-codecov-upload.test.ts:2-2
Timestamp: 2026-06-04T02:26:02.824Z
Learning: In tests within **/{test,e2e,__tests__}/**/*.{test,spec}.{ts,tsx,js,jsx}, follow the AGENTS.md faker convention: direct `faker-js/faker` usage is allowed only for one-off primitives when the produced value’s shape is exactly what faker returns (e.g., `faker.git.commitSha()`, `faker.string.uuid()`). Use `gtbuchanan/test-utils/builders` only when there is a domain-shaped value worth centralizing (e.g., scoped package names, semver ranges, GitHub URLs). Do not wrap a native faker generator in a builder for a plain primitive (e.g., a raw commit SHA), since that adds indirection without centralizing any domain shape.

Applied to files:

• packages/cli/test/prepare.test.ts

🪛 Shellcheck (0.11.0)

mise-tasks/lib.sh

[error] 1-1: Tips depend on target shell and yours is unknown. Add a shebang or a 'shell' directive.

(SC2148)

🪛 zizmor (1.25.2)

.github/workflows/pre-commit.yml

[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (36)

.github/workflows/pre-commit.yml (5)

2-6: LGTM!

---

16-16: LGTM!

---

18-22: LGTM!

---

24-27: LGTM!

---

34-39: LGTM!

.github/workflows/pr.yml (1)

22-23: LGTM!

.github/workflows/release.yml (1)

19-22: LGTM!

AGENTS.md (6)

94-115: LGTM!

---

118-128: LGTM!

---

215-215: LGTM!

---

246-252: LGTM!

---

299-310: LGTM!

---

331-331: LGTM!

CONTRIBUTING.md (3)

5-10: LGTM!

---

65-79: LGTM!

---

91-124: LGTM!

README.md (3)

11-17: LGTM!

---

81-81: LGTM!

---

153-155: LGTM!

packages/eslint-config/skills/gtb-eslint-config/SKILL.md (1)

56-64: LGTM!

mise.toml (4)

1-4: LGTM!

---

6-7: LGTM!

---

10-11: LGTM!

---

34-39: Validate pinned tool versions in mise.toml

• actionlint v1.7.12, hk v1.46.0, pkl v0.31.1: release tags exist; the GitHub security advisory query returned no vulnerabilities.
• npm:renovate 43.213.1: npm version exists, but npm audit couldn’t run here (no lockfile), so vulnerability status remains inconclusive.
• node 24.16.0: not checked—also validate existence and security advisories.

default.json (1)

59-71: LGTM!

mise-tasks/lib.sh (1)

1-17: LGTM!

mise-tasks/hk/all (1)

1-16: LGTM!

mise-tasks/hk/base (1)

1-32: LGTM!

packages/cli/src/commands/root/prepare.ts (2)

12-20: LGTM!

---

23-23: LGTM!

packages/cli/test/prepare.test.ts (4)

4-7: LGTM!

Also applies to: 19-19

---

35-43: LGTM!

---

45-54: LGTM!

---

56-61: LGTM!

packages/cli/README.md (2)

60-61: LGTM!

---

91-91: LGTM!

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

AGENTS.md (1)

289-289: 🧹 Nitpick | 🔵 Trivial

Clarify pre-commit.enabled rationale in the shareable preset docs.

default.json sets "pre-commit": { "enabled": true }, and AGENTS.md describes it as enabling Renovate to bump .pre-commit-config.yaml hooks; consider explicitly noting this is primarily for consumer repos that still include .pre-commit-config.yaml (rather than implying it’s a no-op for this repo due to hk migration).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` at line 289, Update the AGENTS.md shareable preset documentation
to explicitly explain why default.json sets "pre-commit": { "enabled": true }:
state that this flag enables Renovate to bump .pre-commit-config.yaml hooks for
consumer repositories that still use pre-commit, and clarify that in this repo
the setting is effectively a no-op due to the hk migration; reference the
"pre-commit.enabled" key and default.json preset so readers understand the
intended target (consumer repos) versus this repo's migration status.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@AGENTS.md`:
- Line 289: Update the AGENTS.md shareable preset documentation to explicitly
explain why default.json sets "pre-commit": { "enabled": true }: state that this
flag enables Renovate to bump .pre-commit-config.yaml hooks for consumer
repositories that still use pre-commit, and clarify that in this repo the
setting is effectively a no-op due to the hk migration; reference the
"pre-commit.enabled" key and default.json preset so readers understand the
intended target (consumer repos) versus this repo's migration status.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 96d27b4a-77a9-4623-8821-39aedae731f2

📥 Commits

Reviewing files that changed from the base of the PR and between aa35a77 and 95d2320.

📒 Files selected for processing (4)

• AGENTS.md
• default.json
• mise-tasks/hk/base
• mise-tasks/lib.sh

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• gtbuchanan/tooling (manual)

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: CI / Codecov Upload
• GitHub Check: CI / E2E Test

🧰 Additional context used

📓 Path-based instructions (2)

default.json

📄 CodeRabbit inference engine (AGENTS.md)

Renovate preset (default.json) must override these defaults: labels: ['dependencies'], minimumReleaseAge: '3 days', osvVulnerabilityAlerts: true, platformCommit: 'enabled', postUpdateOptions: ['pnpmDedupe'], pre-commit.enabled: true, rebaseWhen: 'conflicted', semanticCommits: 'disabled', timezone: 'America/Chicago'

Renovate preset must include packageRules throttles for fast-moving deps (renovatebot/pre-commit-hooks, renovate CLI) at bi-monthly schedule (1,15) with cleared minimumReleaseAge

Renovate preset must include a customManagers regex entry to keep hk version in hk.pkl package URLs in sync with the hk release tracked in mise.toml

Files:

• default.json

**/*.{ts,tsx,js,jsx,json,md,yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

ESLint suppressions must include a -- reason suffix explaining why the rule is suppressed

Files:

• default.json
• AGENTS.md

🧠 Learnings (1)

📓 Common learnings

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T19:55:04.979Z
Learning: Use the Repository pattern for data access

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T19:55:04.979Z
Learning: Use `pnpm build`, `pnpm test:slow`, and `pnpm test:e2e` with `--concurrency=1` on Termux to avoid OOM due to workspace resolution constraints

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T19:55:04.979Z
Learning: Source tests live in `test/` directory (unit + integration with coverage), while artifact tests live in `e2e/` directory (no source coverage, requires tarballs from pack)

Learnt from: CR
Repo: gtbuchanan/tooling

Timestamp: 2026-06-09T19:55:04.979Z
Learning: Turbo cache invalidation occurs on any source changes in `packages/*` workspace packages due to root devDeps transitive reach; root-only edits (docs, `.github/`) still hit cache

🔇 Additional comments (8)

AGENTS.md (2)

248-252: Documentation improved but could be more precise.

The text now correctly states that pre-commit.yml runs the hk:base mise task rather than incorrectly claiming hk check --from-ref/--to-ref. However, the past review comment requested more detail about the mechanism—that mise-tasks/hk/base computes changed files via git diff --name-only and passes them to hk check $files. The current phrasing "on PR changed files" is accurate but leaves the implementation details implicit.

---

11-17: LGTM!

Also applies to: 94-115, 307-310

default.json (3)

9-9: LGTM!

---

59-71: LGTM!

---

3-8: LGTM!

Also applies to: 10-18, 20-58, 72-89

mise-tasks/hk/base (2)

34-39: LGTM!

---

1-32: LGTM!

mise-tasks/lib.sh (1)

1-18: LGTM!