NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

1Password (CLI) getting permissions error from inside of pre-commit #327439

Closed aRustyDev closed 2 months ago

aRustyDev commented 2 months ago

Describe the bug

Trying to run git commit ... w/ a .pre-commit-config.yaml that has an entry field containing op run -- <binary> is resulting in a PermissionsError, even though this will work fine from my macOS.

Not sure which package is to blame for it? From what I can gather it seems it may simply be a file permissions issue? But it's not clear what the fix would be, since it seems 1PW intentionally restricts the onepassword-cli group membership. I tried viewing it, but it doesn't show w/ groups or sudo groups, but trying to add it yields a "group already exists" error. So not clear how I could allow pre-commit to access it, and just running op read "op://<VAULT>/<ITEM>/<ITEM_FIELD>" works just fine, so I have 1PW configured correctly.

I'm still really new to NixOS too, so I'm probably just forgetting/missing some very simple step. But I couldn't find any good resources covering this combo of pkgs, and pre-commit doesn't support any NixOS issues.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Have 1Password-GUI App Started & the 1Password CLI installed & properly configured (see https://developer.1password.com/docs/cli/get-started)
  2. From inside of the target repo call pre-commit install --install-hooks (to create the git hooks)
  3. git add . (w/ a change)
  4. git commit -m "testing permissionsError" (Also have commit signing enabled)

output

Trim Trailing Whitespace.................................................Passed
Fix End of Files.........................................................Passed
Check Yaml...............................................................Passed
Check for added large files..............................................Passed
Check for case conflicts.................................................Passed
Detect Private Key.......................................................Passed
Don't commit to branch...................................................Passed
ggshield (pre-commit)....................................................An unexpected error has occurred: PermissionError: [Errno 13] Permission denied: '/run/wrappers/bin/op'
Check the log at /home/user/.cache/pre-commit/pre-commit.log

Expected behavior

Pre-Commit should be able to run the op binary w/o error, and any hooks fail/succeed based on their internals.


Additional context

/path/to/repo/.pre-commit-config.yaml

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v3.2.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files
      - id: check-case-conflict
#      - id: detect-aws-credentials
      - id: detect-private-key
      - id: no-commit-to-branch
        args: [--branch, main]
  - repo: https://github.com/gitguardian/ggshield
    rev: v1.29.0
    hooks:
      - id: ggshield
        language_version: python3
        stages: [commit]
        entry: op run --env-file="./op.env" -- ggshield secret scan pre-commit

/path/to/repo/op.env

GITGUARDIAN_API_KEY="op://<VAULT>/<ITEM>/<ITEM_FIELD>"

/etc/nixos/configuration.nix (only packages & program settings)

  environment.systemPackages = with pkgs; [
    git
    vim
    _1password
    _1password-gui
    pre-commit
    python3
  ];

  programs = {
    _1password.enable = true;
    _1password-gui = {
      enable = true;
      polkitPolicyOwners = ["user"];
    };
  };

OUTPUT ls -al /run/wrappers/bin/op

-r-x--s--x 1 root onepassword-cli 63472 Jul 15 12:27 /run/wrappers/bin/op

~/.cache/pre-commit/pre-commit.log

version information
pre-commit version: 3.7.1
git --version: git version 2.44.1
sys.version:
    3.11.9 (main, Apr  2 2024, 08:25:04) [GCC 13.2.0]
sys.executable: /nix/store/4rf5qybw37b4lh1g0xczlv14sqdbmnpm-python3-3.11.9/bin/python3.11
os.name: posix
sys.platform: linux
error information
An unexpected error has occurred: PermissionError: [Errno 13] Permission denied: '/run/wrappers/bin/op'
Traceback (most recent call last):
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/error_handler.py", line 73, in error_handler
    yield
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/main.py", line 389, in main
    return hook_impl(
           ^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/commands/hook_impl.py", line 271, in hook_impl
    return retv | run(config, store, ns)
                  ^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/commands/run.py", line 444, in run
    return _run_hooks(config, hooks, skips, args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/commands/run.py", line 296, in _run_hooks
    current_retval, prior_diff = _run_single_hook(
                                 ^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/commands/run.py", line 193, in _run_single_hook
    retcode, out = language.run_hook(
                   ^^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/lang_base.py", line 187, in basic_run_hook
    return run_xargs(
           ^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/lang_base.py", line 170, in run_xargs
    return xargs.xargs(cmd, file_args, target_concurrency=jobs, color=color)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/xargs.py", line 151, in xargs
    cmd = parse_shebang.normalize_cmd(cmd)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/parse_shebang.py", line 80, in normalize_cmd
    cmd = parse_filename(exe) + (exe,) + cmd[1:]
          ^^^^^^^^^^^^^^^^^^^
  File "/nix/store/1v97z47ckf2kv0fb2r4z2ggv3ls7jb86-pre-commit-3.7.1/lib/python3.11/site-packages/pre_commit/parse_shebang.py", line 19, in parse_filename
    return parse_shebang_from_file(filename)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/47bqjsx4ig7hbmhiw0yyz7bigydhqwlf-python3.11-identify-2.5.36/lib/python3.11/site-packages/identify/identify.py", line 213, in parse_shebang_from_file
    with open(path, 'rb') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/run/wrappers/bin/op'

Notify maintainers

@borisbabic @joelburget

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.37, NixOS, 24.05 (Uakari), 24.05.2539.49ee0e94463a`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.4`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`


aRustyDev commented 2 months ago

Ok so I'm still not clear on the "Why" here, but I do have a fix/workaround.

It seems that NixOS stores the op bin in a weird way that changes the permissions on it? (still not entirely clear on this part)

But my solution ended up being to do the following in my .pre-commit-config.yaml

  - repo: https://github.com/gitguardian/ggshield
    rev: v1.29.0
    hooks:
      - id: ggshield
        language_version: python3
        stages: [commit]
        entry: bash -c 'op run --env-file="./op.env" -- ggshield secret scan pre-commit'

It might also have been that when pre-commit runs it tries to start a shell from python, so that might have funked up the permissions? Either way, spinning up the new shell fixed my errors.
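To show why the traceback ends in a failed read rather than a failed exec, here is an added example (not code from nixpkgs, pre-commit or 1Password): it decodes the `-r-x--s--x` mode string from the `ls -al` output above and reproduces the step in identify's `parse_shebang_from_file` that raised `PermissionError`, against a constructed temporary file that carries execute but no read permission. The `parse_ls_mode`, `probe_shebang` and `demo` names are mine.

```python
"""Why pre-commit's shebang probe fails on an execute-only setgid wrapper.

Added example (not nixpkgs, pre-commit or 1Password code). It decodes the
mode string shown by `ls -al /run/wrappers/bin/op` and reproduces the
open()-for-read that pre-commit performs on every hook executable.
"""
import os
import stat
import tempfile


def parse_ls_mode(mode_str: str) -> dict:
    """Decode an `ls -l` mode string such as '-r-x--s--x'."""
    owner, group, other = mode_str[1:4], mode_str[4:7], mode_str[7:10]
    return {
        "owner_read": owner[0] == "r",
        "group_read": group[0] == "r",
        "other_read": other[0] == "r",
        "other_exec": other[2] in "xt",
        "setgid": group[2] in "sS",  # 's' = setgid + exec, 'S' = setgid only
    }


def probe_shebang(path: str) -> tuple:
    """Open the executable and read its '#!' line, as pre-commit does."""
    # This is a *read* of the file; the kernel checks it independently of
    # the *execute* permission a shell needs to run the same file.
    with open(path, "rb") as f:  # PermissionError on an execute-only file
        first = f.readline()
    if not first.startswith(b"#!"):
        return ()
    return tuple(first[2:].decode().split())


def demo() -> dict:
    """Create a constructed execute-only script and record what each check sees."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"#!/bin/sh\necho hi\n")
    os.close(fd)
    os.chmod(path, stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)  # mode 0111
    try:
        executable = os.access(path, os.X_OK)
        readable = os.access(path, os.R_OK)  # False unless running as root
        try:
            shebang = probe_shebang(path)
        except PermissionError:
            shebang = None  # the state pre-commit hit
    finally:
        os.unlink(path)
    return {"executable": executable, "readable": readable, "shebang": shebang}
```

Run as a normal user, `demo()` reports `executable` True, `readable` False and `shebang` None, which is exactly the gap between what a shell needs and what pre-commit's probe needs; the `bash -c` workaround makes pre-commit probe bash's own readable binary instead, and bash then execs `op` without reading it.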