From 8d0f1231ea701f368a82b4ab6e285725246086ad Mon Sep 17 00:00:00 2001
From: xnoto
Date: Tue, 3 Mar 2026 00:04:43 -0700
Subject: [PATCH 1/2] feat: add pre-commit guards to prevent agent shortcuts
---
 .pre-commit-config.yaml | 4 ++++
 tfroot-runner/pre-commit-config.yaml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6382f30..135fd27 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -10,6 +10,10 @@ repos:
 - id: detect-private-key
 - id: mixed-line-ending
 - id: trailing-whitespace
+ - id: no-commit-to-branch
+ args: ['--branch', 'main']
+ - id: check-added-large-files
+ args: ['--maxkb=1000']
 - repo: https://github.com/hadolint/hadolint
 rev: v2.14.0
 hooks:
diff --git a/tfroot-runner/pre-commit-config.yaml b/tfroot-runner/pre-commit-config.yaml
index ff71b8e..4e048ac 100644
--- a/tfroot-runner/pre-commit-config.yaml
+++ b/tfroot-runner/pre-commit-config.yaml
@@ -47,3 +47,7 @@ repos:
 exclude: README.md
 - id: mixed-line-ending
 - id: trailing-whitespace
+ - id: no-commit-to-branch
+ args: ['--branch', 'main']
+ - id: check-added-large-files
+ args: ['--maxkb=1000']
From 63c54457d0b27a45f910e116f596876cb1c3ddfb Mon Sep 17 00:00:00 2001
From: xnoto
Date: Tue, 3 Mar 2026 00:15:47 -0700
Subject: [PATCH 2/2] ci: add pull_request trigger to run checks on PRs
Add pull_request trigger to buildah.yml so that pre-commit checks and build verification run on pull requests. Push to registry is now conditional and only runs on push to main branch.
---
 .github/workflows/buildah.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/buildah.yml b/.github/workflows/buildah.yml
index c52a36c..7d8f16a 100644
--- a/.github/workflows/buildah.yml
+++ b/.github/workflows/buildah.yml
@@ -8,6 +8,10 @@ on:
 paths:
 - '*/**'
 - '!.github/**'
+ pull_request:
+ paths:
+ - '*/**'
+ - '!.github/**'
 workflow_dispatch:
 inputs:
 image:
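Review bot: `no-commit-to-branch` in `.pre-commit-config.yaml` (and the identical addition in `tfroot-runner/pre-commit-config.yaml`) runs only on the committer's machine, so `git commit --no-verify` or `SKIP=no-commit-to-branch` skips it. As a guard against shortcuts it is advisory unless `main` is also protected on the server side. A comment above the hook such as `# local guard only; main must also be enforced by branch protection` would make that explicit. The hook also fails whenever pre-commit runs with `main` checked out, which would include a CI run on push to `main` if the workflow invokes pre-commit there (not visible in these hunks); setting `SKIP=no-commit-to-branch` for that job would avoid it. Separately, `check-added-large-files` inspects only files staged for addition unless `--enforce-all` is passed, so growth of an already tracked file is not caught.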
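Review bot: The new `pull_request` filter in `.github/workflows/buildah.yml` copies the push filter, so a PR that touches only root-level files or anything under `.github/` never starts this workflow. As I read GitHub's filter syntax, `'*/**'` needs at least one directory component and `'!.github/**'` removes the workflow directory. That leaves edits to the root `.pre-commit-config.yaml` (the file holding the guards from the previous patch) and to the workflow itself without the checks this trigger is meant to provide. Dropping `paths:` under `pull_request`, or adding `- '.pre-commit-config.yaml'` and removing the `.github` exclusion for this trigger, would close the gap. If this check is later marked as required, a filtered-out PR would also stay pending.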
@@ -85,6 +89,7 @@ jobs:
 extra-args: --squash
 - name: Push to registry
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 uses: redhat-actions/push-to-registry@v2
 with:
 image: ${{ matrix.image }}
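Review bot: The new `if:` on "Push to registry" also turns off publishing for `workflow_dispatch` runs, which the `on:` block still offers with an `image` input. If manual rebuilds are meant to publish, `if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'` keeps PRs out without disabling dispatch. Only this step is guarded in the hunk. Any registry login or other secret-consuming step elsewhere in the job (outside the hunk) would need the same condition, since PRs from forks receive no secrets and a PR build should not hold registry credentials while processing unreviewed content. The step's `with:` block continues past the end of the hunk.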