From a0f7137a0ed90522b9b19b823be9f30d77e39091 Mon Sep 17 00:00:00 2001
From: Sander
Date: Mon, 27 Jan 2025 16:38:22 +0400
Subject: [PATCH 1/2] git-hooks: prevent pre-commit leaking build inputs into env

---
 src/modules/integrations/git-hooks.nix | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/modules/integrations/git-hooks.nix b/src/modules/integrations/git-hooks.nix
index 4df4cdebf..db427d43e 100644
--- a/src/modules/integrations/git-hooks.nix
+++ b/src/modules/integrations/git-hooks.nix
@@ -1,10 +1,22 @@
 { pkgs, self, lib, config, inputs, ... }:
 let
+  cfg = config.git-hooks;
+
   git-hooks-module = inputs.git-hooks or inputs.pre-commit-hooks or (throw "git-hooks or pre-commit-hooks input required");
+
+  # `propagatedBuildInputs` in Python apps are leaked into the environment.
+  # This normally leaks the Python interpreter and its site-packages, causing collision errors.
+  # This affects all packages built with `buildPythonApplication` or `toPythonApplication`.
+  # pre-commit is particularly annoying as it is difficult for end-users to track down.
+  # Tracking: https://github.com/NixOS/nixpkgs/issues/302376
+  packageBin = pkgs.runCommandLocal "pre-commit-bin" { } ''
+    mkdir -p $out/bin
+    ln -s ${cfg.package}/bin/pre-commit $out/bin/pre-commit
+  '';
 in
 {
   imports = [
@@ -28,14 +40,14 @@ in
     description = "Integration with https://github.com/cachix/git-hooks.nix";
   };
-  config = lib.mkIf ((lib.filterAttrs (id: value: value.enable) config.git-hooks.hooks) != { }) {
-    ci = [ config.git-hooks.run ];
+  config = lib.mkIf ((lib.filterAttrs (id: value: value.enable) cfg.hooks) != { }) {
+    ci = [ cfg.run ];
     # Add the packages for any enabled hooks at the end to avoid overriding the language-defined packages.
-    packages = lib.mkAfter ([ config.git-hooks.package ] ++ (config.git-hooks.enabledPackages or [ ]));
+    packages = lib.mkAfter ([ packageBin ] ++ (cfg.enabledPackages or [ ]));
     tasks = {
       # TODO: split installation script into status + exec
       "devenv:git-hooks:install" = {
-        exec = config.git-hooks.installationScript;
+        exec = cfg.installationScript;
         before = [ "devenv:enterShell" ];
       };
       "devenv:git-hooks:run" = {

From 44d6123d9e9a9a174874f36bc05f22b0ed139a60 Mon Sep 17 00:00:00 2001
From: Sander
Date: Mon, 27 Jan 2025 16:46:45 +0400
Subject: [PATCH 2/2] tests: assert that pre-commit doesn't leak its dependencies

---
 tests/git-hooks-no-python-leak/devenv.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 tests/git-hooks-no-python-leak/devenv.nix

diff --git a/tests/git-hooks-no-python-leak/devenv.nix b/tests/git-hooks-no-python-leak/devenv.nix
new file mode 100644
index 000000000..4d0fb8ab7
--- /dev/null
+++ b/tests/git-hooks-no-python-leak/devenv.nix
@@ -0,0 +1,12 @@
+# Assert that the pre-commit package does not leak its dependencies into the environment.
+{
+  git-hooks.hooks.nixfmt-rfc-style.enable = true;
+
+  enterTest = ''
+    if [ -n "$PYTHONPATH" ]; then
+      echo "PYTHONPATH is non-empty: $PYTHONPATH" >&2
+      echo "The pre-commit package is leaking its dependencies into the environment." >&2
+      exit 1
+    fi
+  '';
+}
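Review bot: The new `packages` line still appends `cfg.enabledPackages` unwrapped, so the propagatedBuildInputs leak that `packageBin` avoids for pre-commit itself would come straight back for any enabled hook whose package is a `buildPythonApplication`; whether any hook resolves to such a package depends on the git-hooks module and is not visible in this hunk. A short comment above that line would keep the next reader from assuming the leak is fully closed: `# Only pre-commit itself is wrapped via packageBin; Python-based hook packages in enabledPackages can still propagate their inputs.` Note that `packageBin` is defined in the earlier hunk and the `config` attribute set continues past the end of this one.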
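Review bot: The `enterTest` script only asserts that `PYTHONPATH` is empty; nothing checks that `pre-commit` is still reachable now that `packages` carries the `packageBin` symlink instead of the full package, so a missing or dangling `bin/pre-commit` would pass this test while silently breaking every hook. Add a presence check ahead of the PYTHONPATH test: `if ! command -v pre-commit >/dev/null 2>&1; then echo "pre-commit is not on PATH" >&2; exit 1; fi`. The file is new and fully visible here, so the addition fits directly inside the existing `enterTest` string.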