Merge pull request #7 from age-sops/push-kmxmkkqkolyo

Incorporate changes from sops v3.9.3
age-sops · Jan 6, 2025 · a891aaa · a891aaa
2 parents df6d1d3 + a3ae542
commit a891aaa
Show file tree

Hide file tree

Showing 17 changed files with 385 additions and 329 deletions.
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
@@ -29,13 +29,15 @@ jobs:
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: ${{ matrix.go-version }}
         id: go
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
@@ -69,14 +71,14 @@ jobs:
 
       - name: Upload artifact for ${{ matrix.os }}
         if: matrix.os != 'windows'
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
           path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
 
       - name: Upload artifact for ${{ matrix.os }}
         if: matrix.os == 'windows'
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
           path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
@@ -94,6 +96,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       # Rustup will detect toolchain version and profile from rust-toolchain.toml
       # It will download and install the toolchain and components automatically

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -30,10 +30,12 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -50,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           category: "/language:go"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install rstcheck and markdownlint
         run: |

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -22,6 +22,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       # Rustup will detect toolchain version and profile from rust-toolchain.toml
       # It will download and install the toolchain and components automatically

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,15 +28,16 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v4.0.1
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v4.0.1
         with:
           go-version-file: go.mod
           cache: false
 
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
+        uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
 
       - name: Setup Cosign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
@@ -45,7 +46,7 @@ jobs:
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,26 @@
 Changelog
 =========
 
+3.9.3
+-----
+
+Improvements:
+
+* Dependency updates (#1699, #1703, #1710, #1714, #1715, #1723).
+* Add ``persist-credentials: false`` to checkouts in GitHub workflows (#1704).
+* Tests: use container images from https://github.com/getsops/ci-container-images (#1722).
+
+Bugfixes:
+
+* GnuPG: do not incorrectly trim fingerprint in presence of exclamation marks for specfic subkey selection (#1720).
+* ``updatekeys`` subcommand: fix ``--input-type`` CLI flag being ignored (#1721).
+
+Project changes:
+
+* CI dependency updates (#1698, #1708, #1717).
+* Rust dependency updates (#1707, #1716, #1725).
+
+
 3.9.2
 -----
 

diff --git a/README.rst b/README.rst
@@ -188,6 +188,22 @@ the example files and pgp key provided with the repository::
 
 This last step will decrypt ``example.yaml`` using the test private key.
 
+Encrypting with GnuPG subkeys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you want to encrypt with specific GnuPG subkeys, it does not suffice to provide the
+exact key ID of the subkey to SOPS, since GnuPG might use *another* subkey instead
+to encrypt the file key with. To force GnuPG to use a specific subkey, you need to
+append ``!`` to the key's fingerprint.
+
+.. code:: yaml
+
+    creation_rules:
+        - pgp: >-
+            85D77543B3D624B63CEA9E6DBC17301B491B3F21!,
+            E60892BB9BD89A69F759A1A0A3D652173B763E8F!
+
+Please note that this is only passed on correctly to GnuPG since SOPS 3.9.3.
 
 Encrypting using age
 ~~~~~~~~~~~~~~~~~~~~

diff --git a/cmd/sops/subcommand/updatekeys/updatekeys.go b/cmd/sops/subcommand/updatekeys/updatekeys.go
@@ -45,7 +45,7 @@ func updateFile(opts Opts) error {
 	if err != nil {
 		return err
 	}
-	store := common.DefaultStoreForPath(sc, opts.InputPath)
+	store := common.DefaultStoreForPathOrFormat(sc, opts.InputPath, opts.InputType)
 	log.Printf("Syncing keys for file %s", opts.InputPath)
 	tree, err := common.LoadEncryptedFile(store, opts.InputPath)
 	if err != nil {