Implemented linters in CI #938

Merged: markshleifer-coralogix merged 1 commit into master from chore/cx-45442 on Jun 15, 2026

markshleifer-coralogix commented Jun 12, 2026
Contributor

Description

Most of the added lines (around 97%) are Helm golden render snapshots.

Add CI coverage for security and hygiene checks:

  • gitleaks current-tree secret scanning
  • shellcheck for checked-in shell scripts
  • hadolint for Dockerfiles
  • Helm golden render checks for high-risk presets

Some shellcheck/hadolint ignores were added where changing the code would be riskier than documenting the existing baseline. Examples include preserving existing Docker label keys that may be externally consumed, keeping established package-install commands unchanged, and avoiding behavior changes in installer/runtime scripts where lint-only rewrites could affect execution.

How Has This Been Tested?

  1. Deliberately added or changed files to force each new CI job to fail:

    • fake private key for gitleaks
    • unquoted shell variable for shellcheck
    • bad Dockerfile fixture for hadolint
    • golden render mismatch for Helm
  2. Confirmed the jobs failed for the expected reasons, then reverted the failure fixtures.

  3. Re-ran the checks and verified the scripts/jobs passed again.

  4. Built the changed Linux Dockerfiles with Docker where possible; the buildable images passed. Windows Dockerfiles were not built locally because macOS Docker Desktop cannot build Windows container images.

Checklist:

  • I have updated the relevant Helm chart(s) version(s)
  • I have updated the relevant component changelog(s)
  • This change does not affect any particular component (e.g. it's CI or docs change)

CLAassistant commented Jun 12, 2026

CLA assistant check
All committers have signed the CLA.

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ff2973654f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread otel-ecs-supervisor/terraform.tfvars.example
markshleifer-coralogix force-pushed the chore/cx-45442 branch 3 times, most recently from e15c2db to 42ee58d, June 12, 2026 11:50
markshleifer-coralogix changed the title from "implemented linters in ci" to "Implemented linters in CI", Jun 12, 2026
Comment thread telemetrygen-windows-image/Dockerfile
Comment thread scripts/version_bump_check.sh Outdated
Comment thread otel-supervised-collector/uninstall.sh Outdated

detect_pkg_type() {
if [ -r /etc/os-release ]; then
# shellcheck disable=SC1091
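
Review bot: the `# shellcheck disable=SC1091` directive inside `detect_pkg_type()` carries no reason on the lines shown, so a later reader cannot tell whether the suppression is deliberate or left over. Add a one-line comment directly above the directive stating why the file cannot be followed during static analysis, and keep the directive immediately before the single statement it is meant to cover so it does not silence the same warning elsewhere in the function.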

Contributor

Why ignoring?

Contributor Author

SC1091 is ignored because /etc/os-release exists on the target Linux host at runtime, but shellcheck cannot follow that system file during static analysis.

Comment thread otel-integration/CHANGELOG.md Outdated
Comment thread otel-integration/k8s-helm/values.yaml
Comment thread otel-integration/k8s-helm/tests/golden/ebpf-profiler.yaml
steps:
- uses: actions/checkout@v4

- name: Install gitleaks
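
Review bot: `actions/checkout@v4` in the first step is referenced by a mutable tag; pin it to a full commit SHA, with the version in a trailing comment, so the code this job runs cannot change under the same tag. The body of the `Install gitleaks` step is not visible here, so it is worth confirming that it downloads a fixed release version and verifies its checksum before running the binary.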

Contributor

How about adding some script we can run locally to install these tools on our machines and reuse here?
Or maybe use one of the GitHub Actions for Hadolint or Gitleaks.

Contributor Author

As discussed, will do in a separate PR.

Comment thread logs/fluent-bit/image/Dockerfile
Comment thread otel-supervised-ebpf-profiler/Dockerfile Outdated
markshleifer-coralogix force-pushed the chore/cx-45442 branch 3 times, most recently from 30bdd34 to 56e880c, June 15, 2026 11:49
markshleifer-coralogix merged commit 9ec9523 into master, Jun 15, 2026
42 checks passed
markshleifer-coralogix deleted the chore/cx-45442 branch, June 15, 2026 14:49
4 participants