docs: add require-signed-commits hook and global git hook pattern (#2)

injectedfusion · web-flow · commit b2ff71ae5039 · 2026-02-18T11:36:32.000Z
* feat: add require-signed-commits hook Checks commit.gpgsign=true and user.signingkey is set before allowing a commit. Blocks unsigned commits in non-interactive shells (e.g. agentic AI workflows) where signing can silently fall through. Usage in .pre-commit-config.yaml: - repo: https://github.com/injectedfusion/pre-commit-hooks rev: <tag> hooks: - id: require-signed-commits * fix: correct misleading comment and remove unused gpg_format variable * ci: add PR pipeline with shellcheck and Claude reviewer * docs: add require-signed-commits hook and global git hook pattern
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ Reusable [pre-commit](https://pre-commit.com/) hooks for GitOps, security, and m
 | `check-branch-staleness` | Fail if branch is behind the default branch. Prevents stale commits in multi-agent or team workflows. |
 | `trivy-deps` | Scan dependency lockfiles for HIGH/CRITICAL CVEs. Catches what `trivy config` misses. |
 | `no-hardcoded-secrets` | Detect hardcoded passwords and API keys in YAML files. |
+| `require-signed-commits` | Block commits where `commit.gpgsign` is not `true` or `user.signingkey` is unset. |
 
 ## Usage
 
@@ -30,6 +31,46 @@ pip install pre-commit  # if not already installed
 pre-commit install
 ```
 
+## Personal hooks without per-repo setup
+
+Some hooks (like `require-signed-commits`) enforce personal discipline that shouldn't be imposed on teammates. Use a global git hook instead — fires on every repo with zero per-repo setup:
+
+```bash
+mkdir -p ~/.config/git/hooks
+git config --global core.hooksPath ~/.config/git/hooks
+```
+
+Create `~/.config/git/hooks/pre-commit`:
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Personal check (e.g. signing)
+gpgsign="$(git config --get commit.gpgsign 2>/dev/null || echo 'false')"
+if [[ "$gpgsign" != "true" ]]; then
+  echo "✗ Unsigned commit blocked: commit.gpgsign is not set to true"
+  exit 1
+fi
+signingkey="$(git config --get user.signingkey 2>/dev/null || echo '')"
+if [[ -z "$signingkey" ]]; then
+  echo "✗ Unsigned commit blocked: user.signingkey is not set"
+  exit 1
+fi
+
+# Chain to repo pre-commit config if present
+repo_root="$(git rev-parse --show-toplevel)"
+for config in "$repo_root/.pre-commit-config.local.yaml" "$repo_root/.pre-commit-config.yaml"; do
+  if [[ -f "$config" ]]; then
+    exec pre-commit run --config "$config" --hook-stage pre-commit
+  fi
+done
+```
+
+```bash
+chmod +x ~/.config/git/hooks/pre-commit
+```
+
 ## Hook Details
 
 ### check-branch-staleness
