Add pre-commit for linting

.github/workflows/release.yaml

@@ -0,0 +1,33 @@
+name: Release Charts
+
+on:
+  push:
+    branches:
+    - main
+  workflow_dispatch: {}
+
+jobs:
+  release:
+    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
+    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: Configure Git
+      run: |
+        git config user.name "$GITHUB_ACTOR"
+        git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+    - name: Install Helm
+      uses: azure/setup-helm@v3
+
+    - name: Run chart-releaser
+      uses: helm/chart-releaser-action@v1.5.0
+      env:
+        CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.pre-commit-config.yaml

@@ -0,0 +1,73 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v6.0.0
+  hooks:
+  # Security
+  - id: detect-aws-credentials
+    args: ['--allow-missing-credentials']
+  - id: detect-private-key
+
+  # Standard checks
+  - id: check-executables-have-shebangs
+  - id: check-json
+  - id: check-symlinks
+  - id: check-toml
+  - id: check-yaml
+    # Skip Helm templates (they're not valid plain YAML due to {{ ... }})
+    exclude: '^charts/[^/]+/templates/'
+  - id: end-of-file-fixer
+    exclude: '.*\.svg$'
+  - id: pretty-format-json
+    args:
+    - '--autofix'
+    - '--no-ensure-ascii'
+  - id: trailing-whitespace
+    args: ['--markdown-linebreak-ext=md']
+
+  # Cross platform
+  - id: check-case-conflict
+  - id: destroyed-symlinks
+  - id: mixed-line-ending
+    args: ['--fix=lf']
+
+  # Git
+  - id: check-added-large-files
+  - id: check-merge-conflict
+  - id: forbid-submodules
+  - id: no-commit-to-branch
+
+- repo: https://github.com/shellcheck-py/shellcheck-py
+  rev: v0.11.0.1
+  hooks:
+  - id: shellcheck
+
+- repo: https://github.com/google/yamlfmt
+  rev: v0.21.0
+  hooks:
+  - id: yamlfmt
+    exclude: '^charts/[^/]+/templates/'
+    args:
+    - '-formatter=indentless_arrays=true'
+    - '-formatter=pad_line_comments=2'
+    - '-formatter=retain_line_breaks=true'
+
+- repo: local
+  hooks:
+  - id: yaml-extension
+    name: Check if YAML files use *.yaml extension.
+    entry: YAML filenames must have .yaml extension.
+    language: fail
+    files: '.yml$'
+
+- repo: https://github.com/gruntwork-io/pre-commit
+  rev: v0.1.30
+  hooks:
+  - id: helmlint
+
+- repo: https://github.com/norwoodj/helm-docs
+  rev: v1.14.2
+  hooks:
+  - id: helm-docs
+    args:
+    # Search for charts only under the `charts` directory
+    - --chart-search-root=charts

CLAUDE.md

@@ -34,8 +34,30 @@ helm package charts/spicedb-operator/
 
 # Regenerate README.md from README.md.gotmpl (run after changing Chart.yaml or README.md.gotmpl)
 helm-docs
+
+# Run pre-commit checks on all files (SKIP=no-commit-to-branch avoids failure when main is checked out)
+SKIP=no-commit-to-branch pre-commit run --show-diff-on-failure --color=always --all-files
+
+# Run a specific pre-commit hook
+SKIP=no-commit-to-branch pre-commit run <hook-id> --show-diff-on-failure --color=always --all-files
 ```
 
+## Pre-commit
+
+This repo uses [pre-commit](https://pre-commit.com/) to enforce formatting and catch common issues. The configuration is in `.pre-commit-config.yaml`. Hooks run automatically on `git commit`; run `pre-commit install` to set up the git hook if needed.
+
+Key conventions enforced by pre-commit:
+
+- **YAML formatting**: `yamlfmt` auto-formats YAML files (indentless arrays, padded line comments, retained line breaks). Helm template files under `charts/*/templates/` are excluded since they contain Go template syntax.
+- **YAML extension**: All YAML files must use the `.yaml` extension, not `.yml`.
+- **Helm linting**: `helmlint` runs `helm lint` on all charts.
+- **Helm docs**: `helm-docs` automatically regenerates `README.md` from `README.md.gotmpl` when chart files change.
+- **Shell scripts**: `shellcheck` validates any shell scripts.
+- **Trailing whitespace and EOF**: Files must have no trailing whitespace and end with a newline.
+- **JSON formatting**: JSON files are auto-formatted with `pretty-format-json`.
+- **Security**: Checks for accidentally committed AWS credentials and private keys.
+- **Git hygiene**: Prevents commits directly to the default branch, checks for merge conflict markers, and flags large files.
+
 ## Updating to a New SpiceDB Operator Version
 
 This chart is derived from the `bundle.yaml` files published in the [SpiceDB Operator releases](https://github.com/authzed/spicedb-operator/releases). To update the chart, you diff the old and new bundle.yaml files and apply the changes to the Helm templates.
@@ -87,4 +109,4 @@ This chart is derived from the `bundle.yaml` files published in the [SpiceDB Ope
 
 ## Release Process
 
-Releases are automated via GitHub Actions (`.github/workflows/release.yml`). Pushing to `main` triggers `helm/chart-releaser-action` which packages and publishes the chart to GitHub Pages.
+Releases are automated via GitHub Actions (`.github/workflows/release.yaml`). Pushing to `main` triggers `helm/chart-releaser-action` which packages and publishes the chart to GitHub Pages.

README.md

@@ -8,4 +8,4 @@ A Helm chart to install the [SpiceDB Operator](https://github.com/authzed/spiced
 helm repo add spicedb-operator-chart https://bushelpowered.github.io/spicedb-operator-chart/
 helm repo update
 helm repo upgrade --install ... <release> spicedb-operator-chart/spicedb-operator
-```
+```