1password / shell-plugins Goto Github PK

Platform or tool

Docker

Relevant links

• https://docs.docker.com/engine/reference/commandline/login/

Goal or desired behavior

Probably implement a credential helper for the Docker CLI, since logging in using username/password is probably not ideal.

The link above also references the "very simple protocol": https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

What does it concern?

The plugin SDK, design, or schema

Goal or desired behavior

(apologies in advance if this is a silly question, I'm a bit new to Go!)

I'm attempting to create a new plugin for rdme (see #106 #108) and I'm trying to use the needsauth.ForCommands helper function:

When I create a new array of commands and pass it into this function, I would expect that each of the following commands would have the NeedsAuthentication rule set to true and therefore get the env variables provisioned properly:

rdme openapi
rdme docs
rdme docs:prune
rdme guides
rdme guides:prune
rdme changelogs
rdme custompages
rdme versions
rdme versions:create
rdme versions:delete
rdme versions:update
rdme categories
rdme categories:create

Current behavior

When I attempt to create the aforementioned array and pass it into this function, env variables aren't being provisioned for the specified commands (e.g., rdme openapi).

I'm not sure how to debug this further but I believe it's because the plugin configuration doesn't think that those commands need auth for some reason. But when I comment out these lines so the commands array only contains a single value, the env vars are provisioned as expected 🤔

Relevant log output

No response

op CLI version

2.9.1

shell-plugins local ref

9fc032c (full branch here)

Platform or tool

wrangler

Desired or expected behavior

Wrangler is the CLI to deploy Cloudflare Workers

It's looks like really easy to support that.

https://developers.cloudflare.com/workers/wrangler/system-environment-variables/

I will look tomorrow into it

Current behavior

Nope

Relevant log output

No response

op CLI version

No response

Platform or tool

Exercism

Relevant links

• https://exercism.org/docs/using/solving-exercises/working-locally

Goal or desired behavior

Authenticate the Exercism CLI with API token stored in 1Password.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

Platform or tool

Sourcegraph

Relevant links

• https://docs.sourcegraph.com/cli/
• https://docs.sourcegraph.com/cli/quickstart
• https://docs.sourcegraph.com/cli/explanations/env

Goal or desired behavior

Authenticate Sourcegraph CLI to a Sourcegraph instance.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

op CLI version

2.12.0

Goal or desired behavior

Credential template file is generated correctly.

Current behavior

Credential template file generated is missing the field name (not credential name) when the credential name is entered to be Credentials in the setup flow:

func Credentials() schema.CredentialType {
	return schema.CredentialType{
		Name:          credname.Credentials,
		DocsURL:       sdk.URL("https://ngrok.com/docs/credentials"), // TODO: Replace with actual URL
		ManagementURL: sdk.URL("https://console.ngrok.com/user/security/tokens"), // TODO: Replace with actual URL
		Fields: []schema.CredentialField{
			{
				Name:                fieldname.,
				MarkdownDescription: " used to authenticate to ngrok.",
				Secret:              true,
				Composition: &schema.ValueComposition{
					Length: 43,
					Charset: schema.Charset{
						Uppercase: true,
						Lowercase: true,
						Digits:    true,
					},
				},
			},
		},
		DefaultProvisioner: provision.EnvVars(defaultEnvVarMapping),
		Importer: importer.TryAll(
			importer.TryEnvVarPair(defaultEnvVarMapping),
			TryngrokConfigFile(),
		)}
}

Notice the fieldname. part in the above code.

Relevant log output

No response

Platform or tool

Vultr

Relevant links

• Platform homepage: https://vultr.com/
• API docs: https://www.vultr.com/api/#section/Authentication
• API Key management: https://my.vultr.com/settings/#settingsapi
• CLI docs on GitHub: https://github.com/vultr/vultr-cli

Goal or desired behavior

Authenticate to the Vultr platform.

Contribution

• I'd be up for building the plugin myself.

Additional information

This is fairly straightforward:

• Authentication is handled using environment variable VULTR_API_KEY
• If a ~/.vultr-cli.yaml file exists, api-key value from that file is used. The config file can live anywhere, in which case config file is supplied to the command using --config /path/to/file option.
• If the config file is missing a api-key value, the CLI program defaults to using the value of the environment variable.

For the shell plugin:

• We can build support for importing the API Key from the config file.
• We can handle authentication/provision using environment variable.

What does it concern?

The plugin SDK, design, or schema

Goal or desired behavior

Many plugins use $XDG_CONFIG_HOME as default location for their configuration file, defaulting to $HOME/.config if this is not defined.

The plugin system should have support for this, such that plugins can only define one path in their importers.

This has already been explored here:
d44a749

Current behavior

Plugins need to define importers for two paths: $XDG_CONFIG_HOME/... and $HOME/.config/....

Relevant log output

No response

op CLI version

No response

shell-plugins local ref

No response

op CLI version

2.12.0

Goal or desired behavior

I want to preface by saying that this is a "me problem" 😄

When attempting to generate example secrets, I always end up trying various incorrect commands before trying example-secrets. Various variations that I try:

• make plugin-name/sample-secrets
• make plugin-name/example-creds
• make plugin-name/sample-creds
• make plugin-name/test-secrets
• make plugin-name/test-creds

I am pretty sure I have tried a few other versions.

May I suggest simplifying the command to just make plugin-name/secrets or make plugin-name/examples, or do we feel that it doesn't quite indicate what it does?

Current behavior

Not applicable/Described above

Relevant log output

No response

Platform or tool

Fly.io

Relevant links

• https://fly.io
• https://fly.io/docs/flyctl/integrating/

Goal or desired behavior

Just set a FLY_ACCESS_TOKEN it's easy

Additional information

No response

Platform or tool

Linode

Desired or expected behavior

Would be nice for the Linode plugin to support importing the token from the ~/.config/linode-cli.

Current behavior

We're only looking at environment variables now.

Relevant log output

No response

op CLI version

No response

To make it very easy to add tests, it would be useful to have a Makefile command to generate an example secret, based on the specified credential schema.

This command could be make <plugin>/example-secrets and would output example values for each credential field that has ValueComposition specified. To not raise any false alarms, the generated value should make clear that it's just an example and is nothing sensitive. We can do that by appending EXAMPLE (for secrets that allow uppercase letters) or example (for secrets that don't allow uppercase letters).

Example:

$ make aws/example-secrets
Access Key:
  Access Key ID: AKIAIOSFODNN7EXAMPLE
  Secret Access Key: wJalrXUtnFEMIwK7MDENGwbPxRfiCYsTrEXAMPLE

Platform or tool

Google Cloud Platform (GCP)

Relevant links

• https://cloud.google.com/
• https://cloud.google.com/sdk/gcloud
• https://cloud.google.com/sdk/docs/initializing

Goal or desired behavior

• Authenticate the CLI using credentials stored in 1Password
  • The credentials are a JSON blob which the CLI generates using OAuth2 which may add complexity

Contribution

• I'd be up for building the plugin myself.

Additional information

I'd be willing to build it myself, but I am struggling to work anything out about whether gcloud supports any kind of external authentication file/variable etc. So any ideas anyone can suggest would be greatly appreciated!

op CLI version

2.12.0

Goal or desired behavior

"-v" flag in a CLI program works as expected. In the case of Railway CLI, "-v" is for verbose output.

Current behavior

Right now, the NotForVersion() check (used in the parent NotForHelpOrVersion() check) in Shell Plugins code causes "-v" flag in Railway CLI to fail. Since different plugins use "-v" as a shorthand for either version or verbose output, the simplest solution would be to remove "-v" from the NotForVersion() check.

Relevant log output

No response

Platform or tool

tunnelto

Relevant links

• https://tunnelto.dev/ (Platform homepage)
• https://github.com/agrinman/tunnelto (tunnelto CLI and setup docs)

Goal or desired behavior

Authenticate to the tunnelto platform.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

The Stripe plugin currently only defines one credential type: secret key (sk_). We can add support for restricted keys (rk_) and publishable keys (pk_) as well.

Platform or tool

AWS, Okta, AzureAD

Desired or expected behavior

Some organizations have switched to a purely federated access control for AWS. The access keys and sts tokens are auto-generated each session. It would be great if the AWS plugin can also include the ability to use SSO login.

If this is extremely out of scope, let me know. I might even try making this plugin addon

Current behavior

Currently, I am using saml2aws that would log into aws using okta as the sso backend. My organization hasnt migrated over to a single cross-account access (using source_profile in the ~/.aws/config).

saml2aws login -a [account] --force --skip-prompt --mfa=TOTP --password=$(op item get 'okta' --fields password) --mfa-token=$(op item get 'okta' --otp)

Relevant log output

No response

op CLI version

2.9.1

op CLI version

2.12.0

Goal or desired behavior

Terraform is a popular tool for provisioning things over APIs. I regularly use Terraform with AWS, GitHub, GitHub Enterprise, PagerDuty, New Relic, and others. Each project I work on will regularly touch a smattering of these services, and each one requires credentials that the Terraform Providers understand.

For example, I vend a Terraform module for configuring New Relic inside our company. Because of how things work, and the patterns we've adopted, this module also hits the GitHub Enterprise APIs, PagerDuty APIs, and also AWS APIs alongside the New Relic API.

In my case, when working on/using this Terraform module, I need to hydrate multiple sets of credentials when running tests (via Terratest) or even running the module for real.

Clearly, this has no benefit to anyone outside of my company, and I have no intention of submitting it to a central repo of op shell plugins.

So… I'm looking for a supported pathway for distributing op shell plugins using something like GitHub Enterprise or Artifactory as a source, that op knows how to consume, that will never be part of the "official" set of plugins.

Ideally, this would not be tied to any kind of 1Password Cloud/Enterprise solution.

Current behavior

It's not clear that this is supported, nor have I discovered the documentation for building plugins that are intentionally internal-only.

Relevant log output

No response

Platform or tool

OCI

Relevant links

https://github.com/oracle/oci-cli

Goal or desired behavior

Similar to the AWS plugin.
Authenticate the oci cli tool with a token or key.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

Platform or tool

ReadMe

Relevant links

Homepage:

• https://readme.com/

Various links to rdme docs and package registries:

• https://docs.readme.com/main/docs/rdme
• https://github.com/readmeio/rdme
• https://www.npmjs.com/package/rdme
• https://github.com/marketplace/actions/rdme-sync-to-readme

Goal or desired behavior

Run authenticated commands with a ReadMe API key.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

Platform or tool

Render

Relevant links

• Platform homepage: https://render.com/
• CLI announcement: https://community.render.com/t/release-announcement-render-cli-v0-1-3-now-via-homebrew/8430
• API key docs: https://render.com/docs/api

I couldn't find a specific doc page that explains the CLI. Since the CLI is fairly new, I think the team is still working on putting up a docs page. I have asked about it here.

Goal or desired behavior

Authenticate to the Render.com platform.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

We should improve the Validate functions now on the plugin, executable, and credential type schemas to make them return a report of all validation checks, whether they passed or not.

We can use this in a make <plugin>/validate command, that runs the validate function and nicely formats it into a checklist.

Example

$ make aws/validate
# Plugin: aws

✔ Has name set
✔ Name only using lowercase characters or digits
✔ Has platform name set
✔ Has platform homepage URL set
𝘹 Has a credential type or executable defined

# Credential: Access Key

✔ Has name set
✔ Name is using title case
✔ Has docs URL set
✔ Has management URL set
✔ Has at least 1 field
✔ All field names are using title case
✔ All fields have name set
✔ All fields have a description set
✔ All specified value compositions are valid
✔ Has at least 1 field that is secret
𝘹 Has a provisioner set
𝘹 Has an importer set

# Executable: aws

✔ Has executable command set
✔ Has name set
✔ Has docs URL set
✔ Has specified which commands need authentication
𝘹 Has a credential type defined

Details

• For checks that pass, we can use ✔ and make the line green.
• For optional checks that don't pass, we can use ⚠, make the line yellow, and move the line to the bottom.
• For required checks that don't pass, we can use 𝘹, make the line red, and move the line to the bottom.
• For headings, we can prepend those with # and make the line bold.

Platform or tool

Cachix

Desired or expected behavior

The Cachix CLI can store auth tokens to a file: ~/.config/cachix/cachix.dhall. The shell plugin should be able to import a token in this file.

See the original PR that implemented the plugin for more details.

Current behavior

Only tokens in the CACHIX_AUTH_TOKEN environment variable are imported.

Relevant log output

No response

op CLI version

No response

op CLI version

2.12.0

Goal or desired behavior

It is not clear from the documentation or the examples whether or not it is possible to set multiple environment variables when invoking a CLI command.

Desired behavior is that it would be possible to write a custom plugin which can do so.

A concrete example is Homebrew. I am a user of GitHub.com as well as GitHub Enterprise. I have tap definitions which live in both places. When I invoke brew, I want to hydrate the GitHub.com credential into one environment variable, and the GitHub Enterprise credential into another environment variable so that both types of taps can update/install.

Current behavior

Current behavior is unclear.

Relevant log output

N/A

Platform or tool

Terraform

Relevant links

https://developer.hashicorp.com/terraform/cli/commands/login

https://developer.hashicorp.com/terraform/cli/config/config-file#credentials-1

Goal or desired behavior

Authenticate Terraform against a remote backend (e.g. Terraform Cloud or Scalr)

Contribution

• I'd be up for building the plugin myself.

Additional information

Running terraform login generates a plaintext JSON credential file. Alternatively you can specify login credentials via env vars

op CLI version

2.12.0

Goal or desired behavior

There are several cases where I manage different credential sets for the same CLI command.

For example, I manage over 180 AWS accounts (I use AWS Vault for this and am not planning on switching, but it makes for a good example.)

I have read-only + admin tokens for both GitHub.com as well as multiple GitHub Enterprise users. If I'm using the gh command, switching between them should be easy.

Current behavior

Unknown. I can't tell if/how this is supported.

Relevant log output

N/A

Platform or tool

Railway

Relevant links

• https://railway.app/
• https://docs.railway.app/develop/cli

Goal or desired behavior

Authenticate to the Railway platform.

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

What does it concern?

The Makefile commands and tooling

Goal or desired behavior

Everytime when I run make build commands on a new system I get afterwards the error

[ERROR] 2022/12/17 12:54:18 Can't continue. We can't safely access "/home/shyim/.op" because its permissions are too broad. Change its permissions to 700 and try again.

Current behavior

rm -rf .op
run any make tool/build
and you will have afterwards
[ERROR] 2022/12/17 12:54:18 Can't continue. We can't safely access "/home/shyim/.op" because its permissions are too broad. Change its permissions to 700 and try again.

Relevant log output

No response

op CLI version

No response

shell-plugins local ref

No response

Platform or tool

Heroku

Desired or expected behavior

When SSO is enabled for a Heroku account, the API key issued is short lived (8 hours). This means the key imported into 1Password expires w/in 8 hours.

The heroku CLI itself will notice when a key is no longer working and prompt the user to re-authenticated (by popping up a browser session to do the auth dance). The 1Password CLI plugin needs to do something similar to support SSO accounts - or perhaps even to better support a token being revoked/expired.

Current behavior

When the toke has expired, we see the following with the 1Password CLI plugin:

$ heroku info --app=my-app
 ▸    Invalid credentials provided.
 ›   Error: Cannot log in with HEROKU_API_KEY set
 ▸    Command failed: heroku login

Trying to do a heroku login then fails with the same error message

$ heroku login
 ›   Error: Cannot log in with HEROKU_API_KEY set

The only workaround I know of right now is to not use the plugin. Which makes me very sad.

Relevant log output

No response

op CLI version

2.9.1

Platform or tool

ngrok

Relevant links

• https://ngrok.com/ (Platform homepage)
• https://ngrok.com/docs/ngrok-agent/ngrok (CLI docs)
• https://dashboard.ngrok.com/get-started/your-authtoken (Authtoken -- it is called Authtoken instead of Auth Token for some reason -- to connect to the ngrok platform)
• https://dashboard.ngrok.com/api/ (API Key to connect to the ngrok API platform)

Goal or desired behavior

Authenticate to the ngrok platform to serve two purposes:

• Securely tunnel traffic to the internet.
• Interact with the ngrok API.

Contribution

• I'd be up for building the plugin myself.

Additional information

I would like some advise on how to proceed there though as the ngrok CLI (called ngrok Agent as per the docs here) serves two purposes: tunnel traffic to the internet and interact with the ngrok API.

• The first is done using their Authtoken: https://dashboard.ngrok.com/get-started/your-authtoken
• The second is done using the API Key: https://dashboard.ngrok.com/api/

Should I define two "credential names", or just one for Authtoken and define the other, API Key, as just a "field name"?

The AWS importer currently depends on the AWS SDK for simple file loading, which is overkill for importing. We should instead load the config file ourselves.

Platform or tool

Cachix

Relevant links

• https://www.cachix.org
• https://docs.cachix.org

Goal or desired behavior

Authenticate the CLI, cachix, using an auth token.

Additional information

No response

Platform or tool

Linode

Relevant links

• https://www.linode.com/
• https://www.linode.com/docs/products/tools/cli/get-started/
• https://www.linode.com/docs/products/tools/cli/guides/install/
• https://www.linode.com/docs/products/tools/cloud-manager/guides/cloud-api-keys/

Goal or desired behavior

Authenticate the CLI using an API Token.

Additional information

It would be nice if you could also optionally let us use just linode as the command to run.

Platform or tool

Generic

Relevant links

Goal or desired behavior

When you built in your Company a custom tool and don't want to contribute it to this repo. It would make sense to have a basic generic plugin.

So my idea would be to have in the .config folder a yaml file something like

.config/1password/tools/my_comany.yml

executeables:
 - my-company
 mapping:
    MY_SECRET_ENV: field.APIToken
locator:
    DOMAIN: fooo

Deploying these build go files is annoying for Companies. Also break when the SDK moves forward. I have to re-build my plugins from last week :)

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

Platform or tool

SnowSQL

Relevant links

• General: https://docs.snowflake.com/en/user-guide/snowsql.html
• Getting Started with SnowSQL: https://quickstarts.snowflake.com/guide/getting_started_with_snowsql/index.html
• Installing SnowSQL: https://docs.snowflake.com/en/user-guide/snowsql-install-config.html
• Connecting through SnowSQL: https://docs.snowflake.com/en/user-guide/snowsql-start.html

Goal or desired behavior

Authenticate the SnowSQL (Snowflake) CLI using credentials so Snowflake users can quickly authenticate into and control all aspects of their Snowflake Data Cloud.

Contribution

• I'd be up for building the plugin myself.

Additional information

After installing the SnowSQL CLI (I installed on macOS using Homebrew), you sign-in to your Snowflake account using snowsql (you may include -a and -u flags for account and username). You then get prompted for your account, username, and password in the terminal.

It seems that there are three ways to specify credentials to authenticate:

1. Entered via interactive prompt in SnowSQL (applies to passwords only).
2. Defined in the SnowSQL configuration file using the password option. For details, see Configuring Default Connection Settings.
3. Specified using the SNOWSQL_PWD environment variables. For details, see Using Environment Variables.

For development of this plugin, it seems that taking advantage of option 2 and the file provisioner may be the best option. The credentials can be stored in ~/.snowsql/config then used to authenticate.

To easily add plugin tests in a consistent manner, we should create a testing utility package in the SDK.

op CLI version

2.10.0

Goal or desired behavior

I have a shell script that runs doctl, something like:

#!/usr/bin/env bash

doctl account get

Current behavior

It currently will output:

$ ./bin/test.sh
Error: GET https://api.digitalocean.com/v2/account: 401 (request "...") Unable to authenticate you

It should just work, though.

Relevant log output

No response

The prompt text makes it seem like it is open ended, so I typed "Password".

However, when opening the source files that are generated, you get an error, because "Password" is not a declared credential type:

We should list the possible types, and validate that the provided type is an actual valid value, and if not, error or re-prompt.

op CLI version

2.12.0

Goal or desired behavior

It would be great being able to use plugins with configurable executables.

I'm using Terraform in an AWS environment for example. I'd like to use the aws plugin to authenticate when using Terraform.

Maybe a new flag can be introduced:

alias aws="op plugin run -- aws"
alias terraform="op plugin run --exec /usr/bin/terraform -- aws"

That should also help on #120

Additional safety measures are required to protect malicious misuse. Somebody could enter to an open terminal session:

alias aws="op plugin run --exec /tmp/evil_aws_credential_sniffer -- aws"

Maybe a configurable whitelist for valid executables?

Merry Christmas! 🎅

Current behavior

Currently I'm using https://github.com/broamski/aws-mfa which unfortunately lacks 1Password support for obtaining the MFA token.

Relevant log output

No response

Platform or tool

GitLab

Desired or expected behavior

Hi team, really enjoying the GitLab 1password plugin. https://developer.1password.com/docs/cli/shell-plugins/gitlab

One thing I noticed once I installed the glab shell plugin is that my completions stopped working, since op aliases glab

I had to add setopt completealiases to my ~/.zshrc file so zsh does not expand aliases before performing completion.

I was thinking if it would be worth mentioning here: https://developer.1password.com/docs/cli/shell-plugins/gitlab ?

Current behavior

Completions don't work by default with zsh + op

Relevant log output

No response

op CLI version

2.8.0-beta.10

What does it concern?

Ease of contribution and review cycles.

Goal or desired behavior

It is currently not immediately clear that the ManagementURL of a credential is an optional field.

Furthermore, it's not clear that is should be left out if the ManagementURL is not a statically defined URL.

Current behavior

The template currently shows:

It is not clear that besides replacing the value, another option is to remove the line altogether.

Relevant occurances

- https://github.com/1Password/shell-plugins/pull/143#discussion_r1071059149
- https://github.com/1Password/shell-plugins/pull/106#discussion_r1049357649

Create GitHub Action job that runs on each push.
It should execute make validate command that validates all the plugins and prints the ERROR lines ONLY.

Platform or tool

GitHub

Desired or expected behavior

The GitHub plugin should ensure that the GitHub CLI can talk to a custom host, when the user uses GitHub Enterprise.

Possible solutions:

1. When used with Github Enterprise, the GitHub CLI expects a GH_ENTERPRISE_TOKEN envvar rather than GH_TOKEN. User should be able to opt for overriding the default envvar by the enterprise-specific one.
2. Based on the GitHub host, shell plugins could determine whether GitHub enterprise is used and to inject the GH_ENTERPRISE_TOKEN envvar instead without any extra config required from the user.

Current behavior

GH_TOKEN always gets injected, regardless of what GH_HOST is.

Relevant log output

No response

op CLI version

No response

Platform or tool

IBM Cloud

Relevant links

• https://cloud.ibm.com/docs/cli?topic=cli-getting-started
• https://cloud.ibm.com/docs/cli?topic=cli-cri-login

Goal or desired behavior

Authenticate the IBM Cloud CLI using credentials so IBM Cloud users can quickly authenticate into and access their IBM Cloud cloud computing services.

Contribution

• I'd be up for building the plugin myself.

Additional information

The IBM Cloud CLI seems to use environment variables: https://cloud.ibm.com/docs/cli?topic=cli-cri-login.

Platform or tool

Fastly

Relevant links

• https://fastly.com

Goal or desired behavior

Personal Access Token

Contribution

• I'd be up for building the plugin myself.

Additional information

No response

Platform or tool

Cargo

Relevant links

• Cargo environment variables

Goal or desired behavior

Authenticate cargo publish with crates.io using CARGO_REGISTRY_TOKEN

Additional information

No response

op CLI version

2.9.1

Goal or desired behavior

Sometimes there is a weird RPC client error see below

Current behavior

panic: unexpected EOF

goroutine 1 [running]:
go.1password.io/op/op-cli/command/plugin/local.(*RPCClient).provisionCredential(0xe5?, {{0xc000386da8, 0x3}, {0xc000386db0, 0xa}, 0x0}, {{0xc00003a035, 0xb}, {0xc0001a63f0, 0x25}, ...}, ...)
	/builds/dev/b5/op/op-cli/command/plugin/local/rpc.go:57 +0x185
go.1password.io/op/op-cli/command/plugin/local.rpcProvisioner.Provision(...)
	/builds/dev/b5/op/op-cli/command/plugin/local/rpc.go:163
go.1password.io/op/op-cli/command/plugin.provision(0x3bd?, {{0xc000384c40, 0x1, 0x1}, {0xc00038f2c0, 0x1f}, {0xc000383860, 0x1, 0x1}, 0xc00039c510, ...}, ...)
	/builds/dev/b5/op/op-cli/command/plugin/provision_executable.go:164 +0xa76
go.1password.io/op/op-cli/command/plugin.Run(0x0?, {{0xc000384c40, 0x1, 0x1}, {0xc00038f2c0, 0x1f}, {0xc000383860, 0x1, 0x1}, 0xc00039c510, ...}, ...)
	/builds/dev/b5/op/op-cli/command/plugin/provision_executable.go:63 +0x338
go.1password.io/op/op-cli/command.(*pluginRunCommand).Run(0xc00042e870)
	/builds/dev/b5/op/op-cli/command/plugin_run.go:180 +0xccc
go.1password.io/op/op-cli/command.Bind.func3(0xc00048b340?, {0xc0004017c0?, 0x3?, 0x4?})
	/builds/dev/b5/op/op-cli/command/command.go:71 +0x4e
github.com/spf13/cobra.(*Command).execute(0xc00048b340, {0xc000401780, 0x4, 0x4})
	/builds/dev/b5/op/vendor/github.com/spf13/cobra/command.go:844 +0x67c
github.com/spf13/cobra.(*Command).ExecuteC(0x15a8860)
	/builds/dev/b5/op/vendor/github.com/spf13/cobra/command.go:952 +0x39d
go.1password.io/op/op-cli/command.Execute()
	/builds/dev/b5/op/op-cli/command/root.go:327 +0x71
main.main()
	/builds/dev/b5/op/op-cli/main.go:15 +0x36

Relevant log output

No response