64 lines
1.6 KiB
Bash
Executable File
64 lines
1.6 KiB
Bash
Executable File
#!/usr/bin/env sh
|
|
# Update SOPS keys for every encrypted file in the project.
|
|
# Discovers files by matching path_regex rules from .sops.yaml —
|
|
# no directories are hardcoded.
|
|
#
|
|
# Usage: script/update-sops-keys [--dry-run]
|
|
set -eu
|
|
|
|
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
DRY_RUN=0
|
|
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--dry-run) DRY_RUN=1 ;;
|
|
*) printf 'unknown argument: %s\n' "$arg" >&2; exit 9 ;;
|
|
esac
|
|
done
|
|
|
|
SOPS_CONFIG="$REPO_ROOT/.sops.yaml"
|
|
|
|
if [ ! -f "$SOPS_CONFIG" ]; then
|
|
printf 'error: .sops.yaml not found at %s\n' "$SOPS_CONFIG" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Extract every path_regex value from .sops.yaml.
|
|
# Lines look like: - path_regex: some/pattern$
|
|
regexes="$(grep '^\s*-\s*path_regex:' "$SOPS_CONFIG" | sed 's/.*path_regex:[[:space:]]*//')"
|
|
|
|
if [ -z "$regexes" ]; then
|
|
printf 'no path_regex rules found in .sops.yaml\n' >&2
|
|
exit 0
|
|
fi
|
|
|
|
# Collect all repo files (committed + untracked, excluding .gitignore).
|
|
# Write matches to a temp file to avoid subshell variable scoping issues.
|
|
tmp="$(mktemp)"
|
|
trap 'rm -f "$tmp"' EXIT
|
|
|
|
git -C "$REPO_ROOT" ls-files --cached --others --exclude-standard | while read -r rel; do
|
|
for regex in $regexes; do
|
|
if printf '%s\n' "$rel" | grep -qE "$regex"; then
|
|
printf '%s\n' "$rel" >> "$tmp"
|
|
break
|
|
fi
|
|
done
|
|
done
|
|
|
|
if [ ! -s "$tmp" ]; then
|
|
printf 'no matching sops files found\n'
|
|
exit 0
|
|
fi
|
|
|
|
while read -r rel; do
|
|
abs="$REPO_ROOT/$rel"
|
|
[ -f "$abs" ] || continue
|
|
if [ "$DRY_RUN" -eq 1 ]; then
|
|
printf '[dry-run] would updatekeys: %s\n' "$rel"
|
|
else
|
|
printf 'updating keys: %s\n' "$rel"
|
|
sops updatekeys --yes "$abs"
|
|
fi
|
|
done < "$tmp"
|