On a NixOS host, pre-commit run / git commit cannot run several hooks because
their tools are distributed as generic-linux (manylinux) binaries that NixOS
cannot execute out of the box (no FHS ld-linux, no libstdc++.so.6 on the
loader path). This forces --no-verify for every local commit on NixOS — the
exact friction hit while landing #695.
This issue covers the standalone-binary hooks, which have clean Nix-native
replacements. The Python C-extension case (pymarkdown) is split into a
follow-up because it needs a different mechanism (see Refs).
Affected hooks (empirically confirmed on a NixOS host)

pre-commit run <hook> --all-files, outside an FHS environment:

| Hook | Source | Result | Cause |
| --- | --- | --- | --- |
| ruff, ruff-format | astral-sh/ruff-pre-commit | BROKEN | Rust manylinux wheel; Could not start dynamically linked executable |
| typos | crate-ci/typos | BROKEN | Rust manylinux wheel; same |
| shellcheck | shellcheck-py | OK | statically linked binary — no change needed |
| check-*, trailing-whitespace, yamllint | pure-Python repos | OK | no native deps |
| all repo: local (taplo, just, nixfmt, uv run …) | language: system | OK | resolved from the flake dev-shell |

So the broken-and-fixable-here set is ruff, ruff-format, typos.

Root cause
These hooks pull a compiled binary from a rev:-pinned upstream repo as a
manylinux wheel. The binary is dynamically linked against the generic Linux
loader, which does not exist on NixOS. The local language: system hooks already
work because they resolve their tool from the Nix dev-shell (the #625 toolchain
SSoT) — that is the pattern to extend.

Proposed solution (recommended: flake-sourced language: system)

Make these hooks resolve their tool from the flake instead of an upstream wheel,
consistent with the #625 "toolchain is the flake SSoT" direction:

- Add ruff and typos to devTools in flake.nix (both are in nixpkgs: ruff 0.15.x, typos 1.46.x; ruff is already in imageTools). The per-tool parity test (tests/test_flake_devshell.py) covers them automatically.
- Convert the three hooks to repo: local / language: system:
  - ruff → entry: ruff check --fix, types: [python]
  - ruff-format → entry: ruff format, types: [python]
  - typos → entry: typos

  Preserve existing args/filters.
- Remove the astral-sh/ruff-pre-commit and crate-ci/typos repo blocks.
- Confirm CI stays green: test-project runs uv run pre-commit run --all-files under provision-via-flake, so ruff/typos are already on PATH from the flake.
- Re-sync the scaffolded .pre-commit-config.yaml (it is mirrored into assets/workspace/ via scripts/sync_manifest.py), so downstream workspaces inherit the fix.
- Update docs/NIX.md / CONTRIBUTE.md: pre-commit runs inside the dev-shell (direnv) and needs no host setup.

Tradeoff: hook versions move from upstream rev: pins (Renovate pre-commit manager) to nixpkgs/flake.lock (Renovate nix manager). This is the same SSoT consolidation #625 already applies to the rest of the toolchain.

Alternative considered — nix-ld

Enabling programs.nix-ld on the NixOS host (optionally with stdenv.cc.cc.lib) would let the upstream wheels run unchanged, preserving rev: pinning. Rejected as the primary fix because it is per-contributor system configuration the repo cannot enforce, and it is impure (relies on host setup) — counter to the #625 hermetic/SSoT goal. It remains a fine documented interim/fallback and is the likely mechanism for the pymarkdown follow-up.

Acceptance criteria

- ruff, ruff-format, typos run via the flake (language: system)
- ruff and typos added to devTools; parity test green
- pre-commit run --all-files passes in the dev-shell on a NixOS host for these hooks (no --no-verify needed for them)
- assets/workspace/.pre-commit-config.yaml re-synced

Out of scope

- pymarkdown (Python C-extension / libstdc++) — separate follow-up
- prek — tracked in [DISCUSSION] Migration to prek #40

Refs: #625
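
An added example, not part of the original issue or the project's code: the root cause described above can be checked per binary by reading the ELF PT_INTERP entry, which names the loader a dynamically linked executable requests, and testing whether that path exists on the host. The function names and the sample ELF image are constructed for illustration.

```python
import os
import struct
import sys

PT_INTERP = 3  # program-header type whose payload is the dynamic loader path

def elf_interpreter(data):
    """Return the loader path an ELF image requests, or None if it has no PT_INTERP."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    if is64:
        phoff, = struct.unpack_from(e + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(e + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, off)[0] != PT_INTERP:
            continue
        if is64:   # Elf64_Phdr: p_offset at +8, p_filesz at +32
            p_offset, = struct.unpack_from(e + "Q", data, off + 8)
            p_filesz, = struct.unpack_from(e + "Q", data, off + 32)
        else:      # Elf32_Phdr: p_offset at +4, p_filesz at +16
            p_offset, = struct.unpack_from(e + "I", data, off + 4)
            p_filesz, = struct.unpack_from(e + "I", data, off + 16)
        return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def classify(data, exists=os.path.exists):
    """Say whether this host can start the binary; `exists` is injectable for tests."""
    interp = elf_interpreter(data)
    if interp is None:
        return "static: no loader needed"
    state = "present" if exists(interp) else "MISSING"
    return f"dynamic: loader {interp} is {state}"

def sample_elf(interp):
    """Constructed minimal ELF64 little-endian image (sample data, not a real tool)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    phnum = 1 if interp else 0
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    if not interp:
        return hdr
    path = interp + b"\0"
    return hdr + struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(path), len(path), 1) + path

if __name__ == "__main__":
    for name in sys.argv[1:]:  # paths of hook binaries to inspect
        with open(name, "rb") as fh:
            print(name, "->", classify(fh.read()))
```

A loader reported as present (for example via nix-ld) only rules out the missing-loader failure; it does not prove that libstdc++.so.6 and other shared libraries resolve.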