Add frozen rev enforcement option #2230

Draft
dbravender wants to merge 1 commit into j178:master from dbravender:master

dbravender commented Jun 21, 2026

This implements a solution to #2146 so CI can check for frozen revs and fail if tags are used.

Add an opt-in --require-frozen-revs policy for run, validate-config, and try-repo. The check rejects remote hook repos whose rev is not SHA-like before hook initialization, and points users at auto-update --freeze for remediation.

Also dogfood frozen hook revisions in the repository pre-commit config and add CLI integration coverage for validation and run behavior.

After this, j178/prek-action#154 will need one more update to the version this is on. Then, a new PR into prek is needed to update to the latest prek-action and turn on this new flag.

@dbravender dbravender requested a review from j178 as a code owner June 21, 2026 18:08
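
The check described in the PR description above, sketched as an added example (not code from this pull request or from prek). It assumes "SHA-like" means a full 40- or 64-hex-digit git object id; `is_sha_like`, `scalar`, `unfrozen_revs`, the line-based scan and the sample config are all hypothetical.

```rust
// Added example, not prek's implementation.
// Assumption: "SHA-like" = full 40-hex (SHA-1) or 64-hex (SHA-256) object id.
fn is_sha_like(rev: &str) -> bool {
    matches!(rev.len(), 40 | 64) && rev.bytes().all(|b| b.is_ascii_hexdigit())
}

// Drop a trailing YAML comment (e.g. "# frozen: v1.2.3") and any quotes.
fn scalar(raw: &str) -> &str {
    let v = raw.split(" #").next().unwrap_or("").trim();
    v.trim_matches(|c: char| c == '"' || c == '\'')
}

// Return (repo, rev) for every remote repo whose rev is not SHA-like.
// Line scanner for the plain `- repo:` / `rev:` layout only, not a YAML parser.
fn unfrozen_revs(config: &str) -> Vec<(String, String)> {
    let mut bad = Vec::new();
    let mut repo = "";
    for line in config.lines() {
        let t = line.trim_start();
        if let Some(v) = t.strip_prefix("- repo:") {
            repo = scalar(v);
        } else if let Some(v) = t.strip_prefix("rev:") {
            let rev = scalar(v);
            // Non-remote repo kinds carry no rev to pin.
            let remote = !matches!(repo, "local" | "meta" | "builtin");
            if remote && !is_sha_like(rev) {
                bad.push((repo.to_string(), rev.to_string()));
            }
        }
    }
    bad
}

// Constructed sample config; repository URLs are placeholders.
const SAMPLE: &str = "\
repos:
  - repo: https://example.com/hooks-a
    rev: v4.5.0
  - repo: https://example.com/hooks-b
    rev: 0123456789abcdef0123456789abcdef01234567  # frozen: v1.2.3
  - repo: https://example.com/hooks-c
    rev: deadbeef
  - repo: local
";

fn main() {
    for (repo, rev) in unfrozen_revs(SAMPLE) {
        eprintln!("{repo}: rev `{rev}` is not frozen; run `prek auto-update --freeze`");
    }
}
```

The check is purely syntactic: it does not confirm that the object id exists in the remote repository.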
codecov Bot commented Jun 21, 2026

Codecov Report

❌ Patch coverage is 92.07921% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.64%. Comparing base (2ba09a7) to head (02f24d9).
⚠️ Report is 18 commits behind head on master.

Files with missing lines Patch % Lines
crates/prek/src/cli/run/run.rs 90.24% 4 Missing ⚠️
crates/prek/src/cli/validate.rs 91.48% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2230      +/-   ##
==========================================
+ Coverage   92.59%   92.64%   +0.05%     
==========================================
  Files         126      126              
  Lines       26917    27006      +89     
==========================================
+ Hits        24923    25021      +98     
+ Misses       1994     1985       -9     

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6f9d3f3abb

Comment thread crates/prek/src/config.rs
prek-ci-bot Bot commented Jun 21, 2026

📦 Cargo Bloat Comparison

Binary size change: +0.38% (26.6 MiB → 26.7 MiB)

prek-ci-bot Bot commented Jun 21, 2026

⚡️ Hyperfine Benchmarks

Summary: 1 regressions, 0 improvements above the 10% threshold.

Environment
  • OS: Linux 6.17.0-1018-azure
  • CPU: 4 cores
  • prek version: prek 0.4.5+22 (d055fd8 2026-06-24)
  • Rust version: rustc 1.96.0 (ac68faa20 2026-05-25)
  • Hyperfine version: hyperfine 1.20.0

CLI Commands

Benchmarking basic commands in the main repo:

prek --version

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base --version 2.1 ± 0.1 2.0 2.3 1.00
prek-head --version 2.1 ± 0.1 2.0 2.9 1.01 ± 0.07

prek list

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base list 8.8 ± 0.1 8.6 9.1 1.00
prek-head list 8.8 ± 0.1 8.6 9.1 1.01 ± 0.02

prek validate-config .pre-commit-config.yaml

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base validate-config .pre-commit-config.yaml 2.9 ± 0.0 2.9 3.1 1.00
prek-head validate-config .pre-commit-config.yaml 3.1 ± 1.5 2.8 13.3 1.07 ± 0.50

prek sample-config

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base sample-config 2.4 ± 0.0 2.3 2.5 1.01 ± 0.03
prek-head sample-config 2.3 ± 0.0 2.3 2.5 1.00

Cold vs Warm Runs

Comparing first run (cold) vs subsequent runs (warm cache):

prek run --all-files (cold - no cache)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run --all-files 74.8 ± 1.8 71.9 76.6 1.03 ± 0.04
prek-head run --all-files 72.5 ± 2.5 70.0 77.7 1.00

prek run --all-files (warm - with cache)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run --all-files 72.5 ± 2.7 69.3 77.3 1.00 ± 0.05
prek-head run --all-files 72.3 ± 2.7 69.2 78.5 1.00

Full Hook Suite

Running the builtin hook suite on the benchmark workspace:

prek run --all-files (full builtin hook suite)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run --all-files 73.2 ± 2.7 69.8 80.9 1.00
prek-head run --all-files 73.7 ± 2.4 70.4 79.8 1.01 ± 0.05

Individual Hook Performance

Benchmarking each hook individually on the test repo:

prek run trailing-whitespace --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run trailing-whitespace --all-files 19.7 ± 0.4 19.1 20.7 1.02 ± 0.02
prek-head run trailing-whitespace --all-files 19.4 ± 0.3 18.7 19.9 1.00

prek run end-of-file-fixer --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run end-of-file-fixer --all-files 25.9 ± 1.8 23.1 29.6 1.02 ± 0.10
prek-head run end-of-file-fixer --all-files 25.4 ± 1.9 23.0 28.9 1.00

prek run check-json --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run check-json --all-files 7.5 ± 0.3 6.9 7.9 1.02 ± 0.05
prek-head run check-json --all-files 7.3 ± 0.2 7.0 7.9 1.00

prek run check-yaml --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run check-yaml --all-files 7.5 ± 0.4 7.0 8.4 1.05 ± 0.06
prek-head run check-yaml --all-files 7.2 ± 0.1 6.9 7.4 1.00

prek run check-toml --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run check-toml --all-files 7.2 ± 0.2 6.7 7.6 1.00
prek-head run check-toml --all-files 7.2 ± 0.3 6.9 8.0 1.01 ± 0.05

prek run check-xml --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run check-xml --all-files 7.3 ± 0.2 6.8 7.8 1.00
prek-head run check-xml --all-files 7.4 ± 0.3 6.8 8.3 1.02 ± 0.05

prek run detect-private-key --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run detect-private-key --all-files 13.5 ± 1.0 11.7 15.3 1.04 ± 0.11
prek-head run detect-private-key --all-files 13.0 ± 1.0 11.5 15.7 1.00

prek run fix-byte-order-marker --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run fix-byte-order-marker --all-files 17.9 ± 0.7 17.0 19.3 1.00 ± 0.06
prek-head run fix-byte-order-marker --all-files 17.9 ± 0.8 16.9 19.4 1.00

Installation Performance

Benchmarking hook installation (fast path hooks skip Python setup):

prek install-hooks (cold - no cache)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base install-hooks 4.3 ± 0.1 4.2 4.5 1.00 ± 0.02
prek-head install-hooks 4.3 ± 0.0 4.3 4.4 1.00

prek install-hooks (warm - with cache)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base install-hooks 4.3 ± 0.0 4.3 4.3 1.00
prek-head install-hooks 4.4 ± 0.1 4.3 4.4 1.02 ± 0.01

File Filtering/Scoping Performance

Testing different file selection modes:

prek run (staged files only)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run 36.1 ± 1.1 34.8 39.0 1.00
prek-head run 36.3 ± 0.9 35.2 38.3 1.01 ± 0.04

prek run --files '*.json' (specific file type)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run --files '*.json' 7.6 ± 0.1 7.4 7.8 1.00 ± 0.02
prek-head run --files '*.json' 7.6 ± 0.1 7.5 7.7 1.00

Workspace Discovery & Initialization

Benchmarking hook discovery and initialization overhead:

prek run --dry-run --all-files (measures init overhead)

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run --dry-run --all-files 6.5 ± 0.1 6.4 6.6 1.00
prek-head run --dry-run --all-files 6.6 ± 0.3 6.4 8.0 1.01 ± 0.05

Meta Hooks Performance

Benchmarking meta hooks separately:

prek run check-hooks-apply --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run check-hooks-apply --all-files 10.9 ± 0.5 10.1 11.7 1.07 ± 0.06
prek-head run check-hooks-apply --all-files 10.2 ± 0.2 10.0 11.0 1.00

prek run check-useless-excludes --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run check-useless-excludes --all-files 10.1 ± 0.1 10.0 10.2 1.00
prek-head run check-useless-excludes --all-files 10.1 ± 0.1 10.0 10.3 1.00 ± 0.01

prek run identity --all-files

Command Mean [ms] Min [ms] Max [ms] Relative
prek-base run identity --all-files 9.3 ± 0.1 9.1 9.5 1.00
prek-head run identity --all-files 12.2 ± 10.3 9.2 49.4 1.32 ± 1.11

⚠️ Warning: Performance regression for prek run identity --all-files: 31.8600% slower

Comment thread .github/workflows/ci.yml Outdated
dbravender force-pushed the master branch 2 times, most recently from f632fd1 to 5d678a6, June 21, 2026 20:24
j178 added the "thinking" (I'm thinking on this) label Jun 22, 2026
Co-authored-by: OpenAI Codex <codex@openai.com>
j178 (Owner) commented Jun 25, 2026

Thanks for the PR! I’m hesitant to expose a dedicated CLI flag for it right now.

I’m still thinking through the right shape for this, so I’ll keep this as a draft for now. Thanks again for putting it together.

dbravender (Author) commented

> Thanks for the PR! I’m hesitant to expose a dedicated CLI flag for it right now.
>
> I’m still thinking through the right shape for this, so I’ll keep this as a draft for now. Thanks again for putting it together.

Would a setting be better for this? That would make it harder to miss when running locally. I'll happily make any changes required to get this functionality in prek. At work we really need this to enforce safely pinned versions during CI and locally when running prek locally so engineers can quickly see that they have introduced a potentially dangerous unpinned dependency.

prek would also directly benefit from this so users get feedback right away if they added unpinned dependencies.
