
Implement pre-commit hooks and automated dependency updates

You will build code quality automation combining pre-commit hooks with Renovate for dependency management.

Pre-commit hooks: configure .pre-commit-config.yaml with hooks for Python (ruff format, ruff check, mypy), YAML validation (yamllint for prompts and configs), JSON schema validation (for prompt templates and eval datasets using Pydantic model export), and secret detection (detect-secrets to prevent API key commits). Run pre-commit install to activate hooks, then test: commit a file with a hardcoded OpenAI key and verify it is blocked.

Renovate setup: deploy Renovate as a GKE CronJob that scans your repository and creates PRs for dependency updates. Configure renovate.json: group Python packages by type (AI SDKs: openai, google-generativeai; frameworks: fastapi, pydantic; testing: pytest, deepeval), set auto-merge for patch versions, require manual review for major/minor. Renovate creates atomic PRs with changelogs and compatibility notes. Compare: Renovate (on-cluster, configurable) vs Dependabot (GitHub-native, simpler). Track: PRs created per week, auto-merge rate, time-to-update for security patches.


Implement pre-commit hooks and automated dependency updates with Renovate

Introduction

When you let a repo accumulate unscreened commits and unmanaged dependency drift, every pull request fights unrelated lint noise and every quarterly upgrade becomes a multi-week firefight. Sooner or later a developer commits an API key, a malformed prompt JSON, or a 200 MB checkpoint that nobody catches until production breaks. Pre-commit hooks and Renovate are the two cheapest controls against both classes of failure: hooks block bad commits before they reach the remote, and Renovate keeps the dependency surface honest by opening a labelled PR every time a dependency publishes a new version. By the end of this lesson you'll be able to author a .pre-commit-config.yaml that screens prompt JSON, JSONL training rows, and secrets, and a renovate.json whose package rules treat LLM SDK bumps differently from dev-dependency patches.

Key Terminology

  • Pre-commit framework — the Python tool (pre-commit) that orchestrates hooks declared in .pre-commit-config.yaml; relevant here because it is the single mechanism every developer runs to block bad commits locally before push.
  • Hook repository — a Git repo whose .pre-commit-hooks.yaml exposes reusable hook definitions (id, language, files pattern, entry command); you compose these into your config to avoid re-implementing common checks.
  • Renovate — a dependency-update bot that opens PRs when npm, PyPI, Docker, Helm, or GitHub Action versions change; it is the mechanism by which dependency upgrades become a steady drip rather than a quarterly firefight.
  • Package rule — a Renovate config block that selects a subset of packages and overrides defaults (schedule, automerge, group name); the place where AI-specific policy lives, e.g. "never auto-merge LLM SDKs."
  • Automerge — a Renovate setting that lets the bot merge a PR once status checks pass; reserved for low-risk update classes like dev-dependency patches.

Concepts

Three-layer pre-commit configuration

A useful pre-commit config has a structural layer (whitespace, large files, YAML/JSON well-formedness), a language layer (Ruff for Python, formatters), and an AI-specific layer (prompt JSON schemas, JSONL row validators, secret detection). Each hook declares a files: regex so unrelated commits skip work. The full file is committed at the repo root and every developer runs pre-commit install once to wire the git hook — see Code Walkthrough for the assembled file.

Hook flow and re-staging

A failed hook does not just print an error: hooks that auto-fix (trailing whitespace, Ruff --fix) rewrite the offending files in the working tree and then fail the commit, because the staged content no longer matches what is on disk. pre-commit does not re-stage those fixes for you; the developer reviews the diff, runs git add -u && git commit again, and the second attempt typically passes with no further edits. The explicit re-add is deliberate: it is what keeps an auto-fixer from silently committing content you never saw. This short loop is what makes hooks habit-forming rather than annoying.


Renovate package rules for AI codebases

Renovate's defaults assume a generic web app. AI projects diverge in three places: (a) LLM SDK bumps must NEVER auto-merge because a minor release can change tokenization or default sampling — they need an evaluation suite run first; (b) dev-dependency patch/minor bumps should auto-merge aggressively to keep the queue short; (c) Docker base image updates should be grouped so a single security advisory cascades through every service in one PR. The mechanism is packageRules — see Code Walkthrough.

Supply-chain pinning for GitHub Actions

uses: actions/checkout@v4 is a moving target: a tag is a mutable pointer, so anyone who compromises the action's repository can re-point it and your next build runs their code. Renovate's pinDigests: true rewrites every action reference to its 40-character commit SHA with the version kept as a trailing comment (uses: owner/repo@<sha> # v4.1.7), and keeps bumping the SHA whenever a real release lands. The same policy is also available as Renovate's built-in preset helpers:pinGitHubActionDigests.
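Pinning is only as good as the check that proves it is still in place after someone hand-edits a workflow. The script below is an added example written for this lesson (it is not Renovate's code and not part of the course): a CI lint that fails when any uses: reference is not pinned to a 40-hex commit SHA. The sample workflow, its placeholder SHA, and the file layout it assumes (.github/workflows/*.yml) are constructed for the demo.

```python
#!/usr/bin/env python3
"""CI check: every GitHub Actions `uses:` reference must be pinned to a commit SHA.

Added example for this lesson, not Renovate's code: the check that proves
pinDigests did its job and stays true after hand edits. A reference is pinned
when the part after '@' is a 40-hex commit SHA; local actions ('./path') and
'docker://' images carry no Git ref and are skipped; a bare 'owner/repo' with
no '@' at all resolves to the default branch and counts as unpinned.
"""
import re
import sys
from pathlib import Path

# matches '- uses: owner/repo@ref  # comment' and the job-level 'uses:' of reusable workflows
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Return 'pinned', 'skipped' or 'unpinned' for one uses: value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    return "pinned" if SHA40.match(version) else "unpinned"


def find_unpinned(text: str, name: str) -> list:
    """Return 'file:line: ref ...' strings for every reference that is not SHA-pinned."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES.match(line)
        if m and classify(m.group(1)) == "unpinned":
            out.append(f"{name}:{lineno}: {m.group(1)} is not pinned to a commit SHA")
    return out


# Constructed workflow for the demo; the SHA is a placeholder, not a real commit.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.7
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: 'actions/setup-python'
  deploy:
    uses: octo-org/shared/.github/workflows/deploy.yml@main
"""


def main(paths) -> int:
    # with no arguments, lint every workflow file in the conventional directory
    files = [Path(p) for p in paths] or sorted(Path(".github/workflows").glob("*.y*ml"))
    problems = [p for f in files for p in find_unpinned(f.read_text(), str(f))]
    for p in problems:
        print(p, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a CI step alongside pre-commit run --all-files; on the constructed WORKFLOW it flags the @v4 tag, the bare actions/setup-python reference and the reusable workflow on @main, and accepts the SHA-pinned step, the local action and the docker:// image.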


Code Walkthrough

The two files below assemble the three-layer hook config and the package-rule policy described in Concepts. Copy them to the repo root, run pre-commit install once, and enable Renovate on the repository.

```yaml
# .pre-commit-config.yaml
repos:
  # structural layer: whitespace, stray large files, YAML/JSON well-formedness
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-merge-conflict
      - id: check-added-large-files
        args: ['--maxkb=1024']
      - id: check-yaml
        args: ['--unsafe']
      - id: check-json

  # language layer: lint (with auto-fix) then format
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.5.7
    hooks:
      - id: ruff
        args: ['--fix']
      - id: ruff-format

  # secret detection against an audited baseline of known false positives
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
        exclude: package-lock\.json|\.ipynb$

  # AI-specific layer: repo-local validators, each scoped by a files: regex
  - repo: local
    hooks:
      - id: prompt-json-schema
        name: Validate prompt JSON files against schema
        entry: python scripts/hooks/validate_prompt_schema.py
        language: python
        files: ^prompts/.*\.json$
        additional_dependencies: [pydantic>=2.7]
      - id: jsonl-row-validate
        name: Validate JSONL training data rows
        entry: python scripts/hooks/validate_jsonl.py
        language: python
        files: ^data/training/.*\.jsonl$
        additional_dependencies: [pydantic>=2.7]
```

The structural block (pre-commit-hooks) catches the routine defects and, critically for AI repos, refuses commits over 1 MB so checkpoints don't sneak in. --unsafe makes check-yaml parse files for syntax only instead of loading them through the safe loader, which is what lets custom tags (and some templated values) through; full Helm templates with {{- if }} control lines are not valid YAML at all and need an exclude: pattern instead. The Ruff block replaces Black + isort + flake8 with one Rust binary, so style is never the reason a PR diff is noisy; ruff runs before ruff-format so the formatter gets the last word. detect-secrets scans staged files against .secrets.baseline, which records audited findings so known false positives stay quiet; generate it once with detect-secrets scan > .secrets.baseline and commit it, because the hook errors out when the baseline file is missing. package-lock.json and .ipynb are excluded because their high-entropy content trips the detector. The local block is the AI-specific layer: prompt-json-schema validates every file under prompts/ against a Pydantic model, and jsonl-row-validate parses each line of every training JSONL and asserts the row schema. Both run in a virtualenv that pre-commit manages, which is why pydantic is listed under additional_dependencies rather than assumed to be on the developer's PATH.
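The two local hooks point at scripts the page does not show. The script below is an added example written for this lesson of what validate_jsonl.py can look like; it is not the course's own script. To run anywhere without extra packages it uses a hand-written row check in place of the Pydantic model the page's hook uses (the swap is the only difference in approach), and it assumes the common chat fine-tuning row shape {"messages": [{"role": ..., "content": ...}]} plus a per-row size cap; pre-commit passes the staged file paths as arguments and treats a non-zero exit as a failed hook.

```python
#!/usr/bin/env python3
"""Pre-commit hook: validate chat-format JSONL training rows.

Added example for this lesson, not the course's own scripts/hooks/validate_jsonl.py.
It uses only the standard library (a hand-written row check stands in for the
Pydantic model the page's hook uses) so it runs without extra packages. The row
shape is assumed: {"messages": [{"role": ..., "content": ...}, ...]}.
pre-commit passes the staged file paths as arguments and treats a non-zero
exit status as a failed hook.
"""
import json
import sys
from pathlib import Path

ROLES = {"system", "user", "assistant"}
MAX_CHARS = 32_000  # assumed per-row cap; oversized rows are a data bug, not a feature


def check_row(row: object) -> list:
    """Return the problems with one parsed row; an empty list means valid."""
    problems = []
    if not isinstance(row, dict):
        return ["row is not a JSON object"]
    unknown = set(row) - {"messages"}
    if unknown:
        problems.append(f"unexpected keys: {sorted(unknown)}")
    messages = row.get("messages")
    if not isinstance(messages, list) or not messages:
        return problems + ["'messages' must be a non-empty list"]
    total_chars = 0
    roles = []
    for i, msg in enumerate(messages):
        if not isinstance(msg, dict):
            problems.append(f"messages[{i}] is not an object")
            continue
        role, content = msg.get("role"), msg.get("content")
        roles.append(role)
        if role not in ROLES:
            problems.append(f"messages[{i}].role {role!r} not in {sorted(ROLES)}")
        if not isinstance(content, str) or not content.strip():
            problems.append(f"messages[{i}].content must be a non-empty string")
        else:
            total_chars += len(content)
    if "assistant" not in roles:
        problems.append("row has no assistant turn to learn from")
    if total_chars > MAX_CHARS:
        problems.append(f"row is {total_chars} chars, over the {MAX_CHARS} cap")
    return problems


def validate_text(text: str, name: str) -> list:
    """Validate JSONL content; returns 'name:line: problem' strings, empty when clean."""
    errors = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            errors.append(f"{name}:{lineno}: blank line (JSONL is one object per line)")
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"{name}:{lineno}: invalid JSON ({exc.msg} at column {exc.colno})")
            continue
        errors.extend(f"{name}:{lineno}: {p}" for p in check_row(row))
    return errors


def validate_file(path: Path) -> list:
    # utf-8-sig strips a BOM, which would otherwise make json.loads reject line 1
    return validate_text(path.read_text(encoding="utf-8-sig"), str(path))


def main(argv: list) -> int:
    errors = [e for p in argv for e in validate_file(Path(p))]
    for err in errors:
        print(err, file=sys.stderr)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Every problem is reported as file:line so the developer can jump straight to the row; a blank line, a row with no assistant turn, and a BOM-prefixed file are the three defects that most often slip past a plain "does it parse" check.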

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", ":semanticCommits"],
  "schedule": ["after 7am every weekday"],
  "timezone": "America/Los_Angeles",
  "labels": ["dependencies"],
  "prHourlyLimit": 4,
  "prConcurrentLimit": 12,
  "packageRules": [
    {
      "description": "Never auto-merge AI SDK packages",
      "matchPackagePatterns": ["^openai", "^anthropic", "^google-generativeai", "^langchain", "^llama-index"],
      "automerge": false,
      "labels": ["dependencies", "ai-sdk", "needs-evaluation"]
    },
    {
      "description": "Auto-merge dev-dependency patch + minor",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor"],
      "automerge": true,
      "automergeType": "branch"
    },
    {
      "description": "Group Docker base image updates",
      "matchDatasources": ["docker"],
      "groupName": "docker base images"
    },
    {
      "description": "Pin GitHub Actions to commit SHA",
      "matchDepTypes": ["action"],
      "pinDigests": true
    }
  ]
}
```

config:recommended opts into Renovate's curated baseline; :semanticCommits makes the PR titles parse cleanly in changelog generators. The weekday schedule and the two limits cap the bot's noise: without them a fresh repo wakes up to fifty open PRs and the team learns to ignore the bot. The four package rules encode the AI-specific policy: SDK bumps carry needs-evaluation and refuse to auto-merge; dev-dependency patch and minor bumps auto-merge; Docker base images group into one PR; actions pin to digests.

Three caveats before copying the file. automergeType "branch" means Renovate pushes the update to a branch, waits for status checks, and then pushes the commit straight to the base branch without opening a PR; that only works if the Renovate identity is allowed to push to the protected branch, otherwise keep the default "pr" and let branch protection gate the merge. devDependencies is the npm dep type; Python managers report their own depType values, so confirm what Renovate reports for your manager in the dependency dashboard or debug log before relying on that rule. And newer Renovate releases deprecate matchPackagePatterns in favour of regex entries in matchPackageNames (for example "/^openai/"); the old key is migrated automatically, but expect a deprecation warning in the logs.

You'll know it works when (a) pre-commit run --all-files exits 0 on a clean checkout, (b) a planted fake secret on a test branch is rejected by the hook, (c) Renovate's onboarding PR has been merged, and (d) an openai bump opens with needs-evaluation and refuses to auto-merge while a devDependencies patch bump auto-merges once status checks pass.

Do's and Don'ts

Do's

  1. Do run pre-commit run --all-files in CI — developers who skipped pre-commit install will still push violating commits; the CI step makes the rules unskippable at PR time.
  2. Do pin GitHub Actions by commit SHA — tag hijacking is a real supply-chain attack; let Renovate manage the digest bumps so pinning costs you nothing.
  3. Do re-baseline secret detection quarterly: .secrets.baseline accumulates entries, and anything audited as a false positive stays silenced for as long as it is listed, so a real secret that was once waved through stays hidden. Run detect-secrets audit .secrets.baseline to re-review the entries, then regenerate the file with detect-secrets scan --baseline .secrets.baseline and commit it.
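To make the planted-secret test and the baseline mechanism concrete, here is a minimal scanner written for this lesson as an added example. It is not detect-secrets and not course code; it reproduces the three ideas the hook relies on (pattern rules for known key formats, an entropy rule for opaque tokens, and a baseline of SHA-1 digests that silences audited findings) on a constructed sample file. The key shapes, the entropy threshold, and the one-digest-per-line baseline format are assumptions for the demo, and every value in the sample is fake.

```python
#!/usr/bin/env python3
"""Minimal staged-file secret scanner in the style of detect-secrets.

Added example for this lesson, not detect-secrets itself and not the course's
code. It shows the three mechanisms the hook in this lesson relies on: pattern
rules for well-known key formats, a Shannon-entropy rule for opaque tokens, and
a baseline of SHA-1 digests that silences findings already audited as false
positives (detect-secrets likewise stores sha1 hashes, never the secret). The
key shapes below are assumed approximations, not vendor specifications.
"""
import hashlib
import math
import re
import sys
from pathlib import Path

PATTERNS = {
    "openai-key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# credential-looking assignments whose value is long enough to be a real token
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per char; detect-secrets defaults to 4.5 base64 / 3.0 hex
ALLOWLIST_MARK = "pragma: allowlist secret"  # the inline opt-out detect-secrets honours


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def hash_secret(secret: str) -> str:
    return hashlib.sha1(secret.encode()).hexdigest()


def scan_text(text: str, name: str, baseline=frozenset()) -> list:
    """Return findings as dicts; the raw secret is hashed, never stored or printed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARK in line:
            continue
        hits, seen = [], set()
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                hits.append((rule, m.group(0)))
                seen.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            token = m.group(1)
            # entropy rule only for tokens no pattern rule already claimed
            if token not in seen and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                hits.append(("high-entropy-string", token))
        for rule, secret in hits:
            digest = hash_secret(secret)
            if digest in baseline:
                continue  # audited false positive
            findings.append({"file": name, "line": lineno, "rule": rule, "hashed_secret": digest})
    return findings


def load_baseline(path: Path) -> set:
    """Assumed baseline format for this example: one sha1 hex digest per line."""
    if not path.exists():
        return set()
    return {l.strip() for l in path.read_text().splitlines() if l.strip()}


# Constructed sample of a file someone might stage; every value here is fake.
SAMPLE = """\
OPENAI_API_KEY = "sk-FAKEfakeFAKEfakeFAKEfake1234567890abcdefgh"
aws_key = AKIAIOSFODNN7EXAMPLE
password = "correct horse"
db_token = "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg=="
placeholder = "sk-" + os.environ["KEY"]  # pragma: allowlist secret
"""


def main(argv) -> int:
    baseline = load_baseline(Path(".secrets.baseline"))
    findings = [f for p in argv for f in scan_text(Path(p).read_text(errors="replace"), p, baseline)]
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['rule']} (sha1 {f['hashed_secret'][:12]}...)", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE, "sample.py"):  # demo run on the constructed sample
        print(f"{f['file']}:{f['line']}: {f['rule']}")
```

On the constructed SAMPLE the scanner reports the fake OpenAI key, the AWS example key and the base64 token, stays quiet on the short low-entropy password and on the allowlisted line, and once the AWS digest is in the baseline that finding disappears while the others remain. Because only digests are stored, a committed baseline never becomes a second copy of the secret.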

Don'ts

  1. Don't auto-merge anything that touches model behavior — LLM SDKs, tokenizers, prompt templates; minor bumps can change sampling defaults overnight, so require an evaluation run.
  2. Don't let the Renovate queue grow past two pages — when it does, the team has stopped reviewing; pause the schedule, drain the queue, then resume.
  3. Don't skip the files: regex on custom hooks — without it, every commit runs every validator and the latency tax trains developers to bypass hooks with --no-verify.

Keep going with GenAI Platform Engineering