feat: add utility to check hashes and frozen: tags match #1864
Description
If you use --freeze, which adds a little security (see recent litellm disaster), it also introduces a problem keeping them in sync. For example, say I have this:
```yaml
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
```

In GitHub, if you make a fork, your commits are also accessible as an SHA on the upstream. So, for example, I could fork the above repo, get a new hash, and then open a seemingly innocuous PR that puts a fake tag on a rev from downstream. I think pre-commit and prek are both immune to this problem since they actually fetch the repo (GitHub Actions is not! And nevermind, prek is absolutely susceptible!). It would be really nice to have a utility to verify the hash and tag match. Since this would need the repo, I think it would make sense in `prek util`, but it could be a flag on `prek validate-config` instead. If it is in util, maybe it could even update the frozen tag if it's wrong.
Though I'd (also?) want a pre-commit hook tool too, also looking into that separately.
For example, `repo: https://github.com/henryiii/cibuildwheel` with `rev: 58a0b274ea29c1e7899d45ab324b4ccdfc78d17d`, which is not my commit, is happily downloaded by prek and pre-commit - it fails due to no hook file, but check the readme of that repo downloaded by either one, it's `# i like spam!`.
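The check the issue asks for, written out as an added example (this is not code from prek or pre-commit, and prek has no such utility on this page): parse the `rev:` / `# frozen:` pairs out of a `.pre-commit-config.yaml`, ask each remote for its tags with `git ls-remote --tags`, and flag every entry whose frozen tag does not resolve to the pinned commit. Annotated tags are reported by `ls-remote` twice, once as the tag object and once peeled (`refs/tags/v1^{}`) to the commit, so the peeled line is what must be compared against `rev`. The sample config and the `example/some-hooks` repository are constructed for illustration; the resolver is injectable so the comparison logic can be exercised without network access.

```python
"""Verify that every `rev:` pinned with a `# frozen: <tag>` comment really is that tag."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample config (not from the issue). The second repo is hypothetical and
# its hash is deliberately wrong so the check has something to report.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c  # frozen: v6.0.0
    hooks:
      - id: trailing-whitespace
  - repo: https://github.com/example/some-hooks
    rev: 0000000000000000000000000000000000000000  # frozen: v1.2.3
    hooks:
      - id: some-hook
"""

REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV_RE = re.compile(r"^\s*rev:\s*([0-9a-fA-F]{7,40})\s*#\s*frozen:\s*(\S+)")


def parse_frozen_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (repo_url, rev_sha, frozen_tag) for each entry that carries a frozen: comment."""
    entries: List[Tuple[str, str, str]] = []
    repo: Optional[str] = None
    for line in text.splitlines():
        m = REPO_RE.match(line)
        if m:
            repo = m.group(1)
            continue
        m = REV_RE.match(line)
        if m and repo:
            entries.append((repo, m.group(1).lower(), m.group(2)))
    return entries


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit sha from `git ls-remote --tags` output.

    A peeled line (`refs/tags/v1^{}`) names the commit behind an annotated tag and
    overrides the tag-object sha; a lightweight tag has only the plain line.
    """
    tags: Dict[str, str] = {}
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha.lower()       # peeled commit wins
        else:
            tags.setdefault(name, sha.lower())  # keep unless a peeled line replaces it
    return tags


def ls_remote_tags(repo_url: str) -> Dict[str, str]:
    """Fetch the remote's tags (network call)."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", repo_url],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ls_remote(out)


def check_frozen(text: str,
                 resolver: Callable[[str], Dict[str, str]] = ls_remote_tags) -> List[str]:
    """Return one problem string per entry whose frozen tag does not point at its rev."""
    problems: List[str] = []
    for repo, rev, tag in parse_frozen_entries(text):
        actual = resolver(repo).get(tag)
        if actual is None:
            problems.append(f"{repo}: tag {tag} not found on remote")
        elif not actual.startswith(rev):  # rev may be abbreviated; a full sha must match exactly
            problems.append(f"{repo}: rev {rev} is not {tag} (tag points at {actual})")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else ".pre-commit-config.yaml"
    with open(path) as f:
        found = check_frozen(f.read())
    for p in found:
        print(p)
    sys.exit(1 if found else 0)
```

Run it against a real config and it exits non-zero on the first mismatch, which is the shape a `validate-config` flag or a pre-commit hook would need. Note what it does not catch: a tag that has been force-moved upstream to a different commit still "matches" if the config was re-frozen afterwards, so the check belongs at review time, when the `rev:` line changes.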