The pre-commit/action@v3 used actions/cache@v4 internally, which the
repository's security policy forbids because it is not SHA-pinned.
Remove the pre-commit dependency entirely by:
* deleting .pre-commit-config.yaml
* replacing the pre-commit CI step with a new scripts/file-hygiene.sh
that implements the equivalent checks (trailing whitespace, EOF
newline, BOM, CR, merge markers, large files, case collisions,
broken symlinks, shebang/executable consistency, submodule ban)
* removing the pre-commit Makefile targets and adding a file-hygiene
target
* removing pre-commit from the renovate configuration
Markdown linting is already handled by the dedicated markdownlint step
in the lint workflow, so no replacement is needed for that hook.
