feat: add Alibaba Cloud KMS Support

.github/workflows/custom-release.yml

@@ -0,0 +1,32 @@
+name: Custom Release
+
+on:
+  push:
+    tags: [ 'v*' ]
+  workflow_dispatch:
+
+permissions:
+  contents: write # For creating the GitHub release.
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.26
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean --config .goreleaser-custom.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -1,8 +1,9 @@
 name: Release
 
 on:
-  push:
-    tags: [ 'v*' ]
+  workflow_dispatch:
+  # push:
+  #   tags: [ 'v*' ]
 
 permissions:
   contents: read

.goreleaser-custom.yaml

@@ -0,0 +1,159 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+
+project_name: sops
+
+before:
+  hooks:
+    - go mod download
+
+env:
+  - CGO_ENABLED=0
+  - PKG=github.com/getsops/sops/v3/version
+
+report_sizes: true
+
+builds:
+  - id: binary-linux
+    main: ./cmd/sops
+    binary: "{{ .ProjectName }}"
+    flags:
+      - -trimpath
+      - -mod=readonly
+    ldflags:
+      - >
+        -s -w
+        -X "{{ .Env.PKG }}.Version={{ .Version }}"
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: binary-darwin
+    main: ./cmd/sops
+    binary: "{{ .ProjectName }}"
+    flags:
+      - -trimpath
+      - -mod=readonly
+    ldflags:
+      - >
+        -s -w
+        -X {{ .Env.PKG }}.Version={{ .Version }}
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: binary-windows
+    main: ./cmd/sops
+    binary: "{{ .ProjectName }}"
+    flags:
+      - -trimpath
+      - -buildmode=pie
+      - -mod=readonly
+    ldflags:
+      - >
+        -s -w
+        -X {{ .Env.PKG }}.Version={{ .Version }}
+    goos:
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+universal_binaries:
+  - id: binary-darwin-universal
+    ids:
+      - binary-darwin
+    name_template: '{{ .ProjectName }}'
+    replace: false
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+nfpms:
+  - id: deb
+    package_name: '{{ .ProjectName }}'
+    file_name_template: '{{ .ConventionalFileName }}'
+    vendor: custom-sops
+    homepage: https://github.com/{{ .Env.GITHUB_REPOSITORY }}
+    maintainer: custom-sops <custom@example.com>
+    description: Simple and flexible tool for managing secrets
+    license: MPL-2.0
+    formats:
+      - deb
+      - rpm
+
+snapshot:
+  name_template: "{{ incpatch .Version }}-dev-{{ .ShortCommit }}"
+
+archives:
+  - id: archive-unix
+    format: binary
+    builds:
+      - binary-linux
+      - binary-darwin
+    name_template: '{{ .ProjectName }}-v{{ .Version }}.{{ .Os }}.{{ .Arch }}'
+
+  - id: archive-windows
+    format: binary
+    builds:
+      - binary-windows
+    name_template: '{{ .ProjectName }}-v{{ .Version }}.{{ .Arch }}'
+
+  - id: archive-darwin-universal
+    format: binary
+    builds:
+      - binary-darwin-universal
+    name_template: '{{ .ProjectName }}-v{{ .Version }}.darwin'
+
+checksum:
+  name_template: "{{ .ProjectName }}-v{{ .Version }}.checksums.txt"
+  algorithm: sha256
+  ids:
+    - archive-unix
+    - archive-windows
+    - archive-darwin-universal
+
+changelog:
+  use: github-native
+
+release:
+  prerelease: auto
+  draft: false # 自动发布，而不是存为草稿
+  header: |
+    ## Installation
+
+    To install `{{ .ProjectName }}`, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.
+
+    For instance, if you are using Linux on an AMD64 architecture:
+
+    ```shell
+    # Download the binary
+    curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-v{{ .Version }}.linux.amd64
+
+    # Move the binary in to your PATH
+    mv {{ .ProjectName }}-v{{ .Version }}.linux.amd64 /usr/local/bin/{{ .ProjectName }}
+
+    # Make the binary executable
+    chmod +x /usr/local/bin/{{ .ProjectName }}
+    ```
+
+brews:
+  - name: sops
+    repository:
+      owner: peiliqiancdt
+      name: sops
+      token: "{{ .Env.GITHUB_TOKEN }}"
+    directory: Formula
+    homepage: "https://github.com/peiliqiancdt/sops"
+    description: "Editor of encrypted files"
+    license: "MPL-2.0"
+    ids:
+      - archive-unix
+    install: |
+      bin.install "sops-v#{version}.#{OS.kernel_name.downcase}.#{Hardware::CPU.arch}" => "sops"
+    test: |
+      system "#{bin}/sops", "--version"

Formula/sops.rb

@@ -0,0 +1,50 @@
+# typed: false
+# frozen_string_literal: true
+
+# This file was generated by GoReleaser. DO NOT EDIT.
+class Sops < Formula
+  desc "Editor of encrypted files"
+  homepage "https://github.com/peiliqiancdt/sops"
+  version "3.12.1-acs-0.10"
+  license "MPL-2.0"
+
+  on_macos do
+    if Hardware::CPU.intel?
+      url "https://github.com/peiliqiancdt/sops/releases/download/v3.12.1-acs-0.10/sops-v3.12.1-acs-0.10.darwin.amd64"
+      sha256 "532f6ea17e7a7bba9b6d7daeea77191ef02c4276befeaefa93492067b397281c"
+
+      define_method(:install) do
+        bin.install "sops-v#{version}.#{OS.kernel_name.downcase}.#{Hardware::CPU.arch}" => "sops"
+      end
+    end
+    if Hardware::CPU.arm?
+      url "https://github.com/peiliqiancdt/sops/releases/download/v3.12.1-acs-0.10/sops-v3.12.1-acs-0.10.darwin.arm64"
+      sha256 "f6353471f28a4664b0b71dd08d8c3dedb3f78624bdd692a716ac74ed90ee539e"
+
+      define_method(:install) do
+        bin.install "sops-v#{version}.#{OS.kernel_name.downcase}.#{Hardware::CPU.arch}" => "sops"
+      end
+    end
+  end
+
+  on_linux do
+    if Hardware::CPU.intel? && Hardware::CPU.is_64_bit?
+      url "https://github.com/peiliqiancdt/sops/releases/download/v3.12.1-acs-0.10/sops-v3.12.1-acs-0.10.linux.amd64"
+      sha256 "6f586bc6ff82813bbb43391ff49ef5255bd4f62ae6165782430862880516b06b"
+      define_method(:install) do
+        bin.install "sops-v#{version}.#{OS.kernel_name.downcase}.#{Hardware::CPU.arch}" => "sops"
+      end
+    end
+    if Hardware::CPU.arm? && Hardware::CPU.is_64_bit?
+      url "https://github.com/peiliqiancdt/sops/releases/download/v3.12.1-acs-0.10/sops-v3.12.1-acs-0.10.linux.arm64"
+      sha256 "2adbb84a230773f7a4dd5f159252bb0258ef4c632f2c2534fed5655a3fb2466e"
+      define_method(:install) do
+        bin.install "sops-v#{version}.#{OS.kernel_name.downcase}.#{Hardware::CPU.arch}" => "sops"
+      end
+    end
+  end
+
+  test do
+    system "#{bin}/sops", "--version"
+  end
+end

README.rst

@@ -2,7 +2,7 @@ SOPS: Secrets OPerationS
 ========================
 
 **SOPS** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY
-formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, HuaweiCloud KMS, age, and PGP.
+formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, Alibaba Cloud KMS, HuaweiCloud KMS, age, and PGP.
 (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_)
 
 .. image:: https://i.imgur.com/X0TM5NI.gif
@@ -604,13 +604,52 @@ You can also configure HuaweiCloud KMS keys in the ``.sops.yaml`` config file:
           hckms:
             - tr-west-1:abc12345-6789-0123-4567-890123456789,tr-west-2:def67890-1234-5678-9012-345678901234
 
+Encrypting using Alibaba Cloud KMS
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Alibaba Cloud KMS integration uses the Alibaba Cloud SDK to communicate with the KMS service.
+It supports authentication via:
+
+1.  **Environment Variables**: ``ALIBABA_CLOUD_ACCESS_KEY_ID`` and ``ALIBABA_CLOUD_ACCESS_KEY_SECRET``.
+2.  **CLI Configuration**: It can read credentials from the Alibaba Cloud CLI configuration (``~/.aliyun/config.json``).
+3.  **Instance RAM Roles**: When running on an ECS instance with an attached RAM role.
+
+For example, using environment variables:
+
+.. code:: bash
+
+    export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+    export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+
+To encrypt a file, specify the Alibaba Cloud KMS key using its ARN format:
+``acs:kms:RegionId:UserId:key/CmkId``.
+
+.. code:: sh
+
+    $ sops encrypt --acs-kms acs:kms:cn-shanghai:1234567890:key/key-idxxxx test.yaml > test.enc.yaml
+
+Or using the ``SOPS_ACS_KMS_ARN`` environment variable:
+
+.. code:: bash
+
+    export SOPS_ACS_KMS_ARN="acs:kms:cn-shanghai:1234567890:key/key-idxxxx"
+    $ sops encrypt test.yaml > test.enc.yaml
+
+You can also configure Alibaba Cloud KMS keys in the ``.sops.yaml`` config file:
+
+.. code:: yaml
+
+    creation_rules:
+        - path_regex: \.acs\.yaml$
+          acs_kms: "acs:kms:cn-shanghai:1234567890:key/key-idxxxx"
+
 Adding and removing keys
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
 When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the
-command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` or ``--azure-kv``, or from
+command line arguments ``--kms``, ``--pgp``, ``--gcp-kms``, ``--acs-kms``, ``--hckms`` or ``--azure-kv``, or from
 the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``,
-``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
+``SOPS_ACS_KMS_ARN``, ``SOPS_HUAWEICLOUD_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the
 ``sops`` section, such that decrypting files does not require providing those
 parameters again.
 
@@ -654,9 +693,9 @@ disabled by supplying the ``-y`` flag.
 
 The ``rotate`` command generates a new data encryption key and reencrypt all values
 with the new key. At the same time, the command line flag ``--add-kms``, ``--add-pgp``,
-``--add-gcp-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
-``--rm-hckms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
-the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--hckms`` and ``--azure-kv``
+``--add-gcp-kms``, ``--add-acs-kms``, ``--add-hckms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms``,
+``--rm-acs-kms``, ``--rm-hckms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use
+the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms``, ``--acs-kms``, ``--hckms`` and ``--azure-kv``
 arguments when creating new files.
 
 Use ``updatekeys`` if you want to add a key without rotating the data key.
@@ -832,7 +871,7 @@ stdout.
 Using .sops.yaml conf to select KMS, PGP and age for new files
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--hckms`` ``--pgp`` and ``--age`` parameters for creation
+It is often tedious to specify the ``--kms`` ``--gcp-kms`` ``--acs-kms`` ``--hckms`` ``--pgp`` and ``--age`` parameters for creation
 of all new files. If your secrets are stored under a specific directory, like a
 ``git`` repository, you can create a ``.sops.yaml`` configuration file at the root
 directory to define which keys are used for which filename.
@@ -1873,6 +1912,15 @@ To directly specify a single key group, you can use the following keys:
       - hc_vault_transit_uri:
           - http://my.vault/v1/sops/keys/secondkey
 
+* ``acs_kms`` (list of strings): list of Alibaba Cloud KMS key ARNs.
+  Example:
+
+  .. code:: yaml
+
+    creation_rules:
+      - acs_kms:
+          - acs:kms:cn-shanghai:1234567890:key/key-idxxxx
+
 * ``hckms`` (list of strings): list of HuaweiCloud KMS key IDs (format: ``<region>:<key-uuid>``).
   Example:
 
@@ -1989,6 +2037,17 @@ A key group supports the following keys:
 
 * ``hc_vault`` (list of strings): list of HashiCorp Vault transit URIs.
 
+* ``acs_kms`` (list of objects): list of Alibaba Cloud KMS key ARNs.
+  Every object must have the following key:
+
+  * ``arn`` (string): the key ARN.
+
+  Example:
+
+  .. code:: yaml
+
+    - arn: acs:kms:cn-shanghai:1234567890:key/key-idxxxx
+
 * ``hckms`` (list of objects): list of HuaweiCloud KMS key IDs.
   Every object must have the following key: