chore(pre-commit): add priority tiers to .pre-commit-config.yaml (#10842)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.pre-commit-config.yaml

@@ -1,17 +1,34 @@
+# Priority tiers (lower = runs first, same priority = concurrent):
+#   P0  — fast file fixers
+#   P10 — validators and guards
+#   P20 — auto-formatters
+#   P30 — linters
+#   P40 — security scanners
+#   P50 — dependency validation
+
+default_install_hook_types: [pre-commit, pre-push]
+
 repos:
   ## GENERAL (prek built-in — no external repo needed)
   - repo: builtin
     hooks:
       - id: check-merge-conflict
+        priority: 10
       - id: check-yaml
         args: ["--allow-multiple-documents"]
         exclude: (prowler/config/llm_config.yaml|contrib/)
+        priority: 10
       - id: check-json
+        priority: 10
       - id: end-of-file-fixer
+        priority: 0
       - id: trailing-whitespace
+        priority: 0
       - id: no-commit-to-branch
+        priority: 10
       - id: pretty-format-json
         args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
+        priority: 10
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
@@ -20,6 +37,7 @@ repos:
       - id: pretty-format-toml
         args: [--autofix]
         files: pyproject.toml
+        priority: 20
 
   ## GITHUB ACTIONS
   - repo: https://github.com/zizmorcore/zizmor-pre-commit
@@ -27,6 +45,7 @@ repos:
     hooks:
       - id: zizmor
         files: ^\.github/
+        priority: 30
 
   ## BASH
   - repo: https://github.com/koalaman/shellcheck-precommit
@@ -34,6 +53,7 @@ repos:
     hooks:
       - id: shellcheck
         exclude: contrib
+        priority: 30
 
   ## PYTHON — SDK (prowler/, tests/, dashboard/, util/, scripts/)
   - repo: https://github.com/myint/autoflake
@@ -48,6 +68,7 @@ repos:
             "--remove-all-unused-imports",
             "--remove-unused-variable",
           ]
+        priority: 20
 
   - repo: https://github.com/pycqa/isort
     rev: 8.0.1
@@ -56,6 +77,7 @@ repos:
         name: "SDK - isort"
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--profile", "black"]
+        priority: 20
 
   - repo: https://github.com/psf/black
     rev: 26.3.1
@@ -63,6 +85,7 @@ repos:
       - id: black
         name: "SDK - black"
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        priority: 20
 
   - repo: https://github.com/pycqa/flake8
     rev: 7.3.0
@@ -71,6 +94,7 @@ repos:
         name: "SDK - flake8"
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--ignore=E266,W503,E203,E501,W605"]
+        priority: 30
 
   ## PYTHON — API + MCP Server (ruff)
   - repo: https://github.com/astral-sh/ruff-pre-commit
@@ -80,9 +104,11 @@ repos:
         name: "API + MCP - ruff check"
         files: { glob: ["{api,mcp_server}/**/*.py"] }
         args: ["--fix"]
+        priority: 30
       - id: ruff-format
         name: "API + MCP - ruff format"
         files: { glob: ["{api,mcp_server}/**/*.py"] }
+        priority: 20
 
   ## PYTHON — Poetry
   - repo: https://github.com/python-poetry/poetry
@@ -93,24 +119,28 @@ repos:
         args: ["--directory=./api"]
         files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
       - id: poetry-lock
         name: API - poetry-lock
         args: ["--directory=./api"]
         files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
       - id: poetry-check
         name: SDK - poetry-check
         args: ["--directory=./"]
         files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
       - id: poetry-lock
         name: SDK - poetry-lock
         args: ["--directory=./"]
         files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
   ## CONTAINERS
   - repo: https://github.com/hadolint/hadolint
@@ -118,6 +148,7 @@ repos:
     hooks:
       - id: hadolint
         args: ["--ignore=DL3013"]
+        priority: 30
 
   ## LOCAL HOOKS
   - repo: local
@@ -128,6 +159,7 @@ repos:
         language: system
         types: [python]
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        priority: 30
 
       - id: trufflehog
         name: TruffleHog
@@ -138,6 +170,7 @@ repos:
         language: system
         pass_filenames: false
         stages: ["pre-commit", "pre-push"]
+        priority: 40
 
       - id: bandit
         name: bandit
@@ -148,6 +181,7 @@ repos:
         files: '.*\.py'
         exclude:
           { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
+        priority: 40
 
       - id: safety
         name: safety
@@ -166,6 +200,7 @@ repos:
                 ".safety-policy.yml",
               ],
           }
+        priority: 40
 
       - id: vulture
         name: vulture
@@ -174,3 +209,4 @@ repos:
         language: system
         types: [python]
         files: '.*\.py'
+        priority: 40