Pull in 4 years of changes from upstream repo

.circleci/config.yml

@@ -0,0 +1,109 @@
+version: 2.1
+
+workflows:
+  build-and-deploy:
+    jobs:
+      - build
+      - push:
+          filters:
+            tags:
+              only: /^v.*/
+            branches:
+              ignore: /.*/
+jobs:
+  build:
+    working_directory: /go/src/go.mozilla.org/sops
+    docker:
+      - image: circleci/golang:1.13
+    resource_class: large
+    steps:
+      - checkout
+      - setup_remote_docker:
+          version: 20.10.11
+      - run:
+          name: Build containers
+          command: |
+            docker build -t mozilla/sops .
+            docker tag mozilla/sops "mozilla/sops:$CIRCLE_SHA1"
+      - run:
+          name: Build containers (alpine)
+          command: |
+            # Just to ensure the container can be built.
+            docker build -f Dockerfile.alpine -t mozilla/sops:alpine .
+
+  push:
+    machine:
+      image: ubuntu-2004:202111-02
+    resource_class: large
+    steps:
+      - checkout
+      - run:
+          name: semver check
+          command: |
+            MAJOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f1)
+            MINOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f2)
+            PATCH=$(echo ${CIRCLE_TAG#v} | cut -d"." -f3)
+            echo "export MAJOR=${MAJOR}" >> $BASH_ENV
+            echo "export MINOR=${MINOR}" >> $BASH_ENV
+            echo "export PATCH=${PATCH}" >> $BASH_ENV
+
+            if [ -z $MAJOR ];then
+            cat \<< EOF
+            Failure Info:
+
+            This job uses the semver from the git TAG as the public version to publish.
+
+            - This should only run on workflows triggered by a tag.
+            - The tag name should be a semver like 'v1.2.3'
+            - The version should follow conventions documented at https://github.com/fsaintjacques/semver-tool
+            EOF
+            exit 1
+            fi
+      - run:
+          name: Build containers
+          command: |
+            docker build -t mozilla/sops .
+            docker build -f Dockerfile.alpine -t mozilla/sops:alpine .
+      - run:
+          name: Tag & Push containers
+          command: |
+            #latest
+            bin/ci/deploy_dockerhub.sh "latest"
+            bin/ci/deploy_dockerhub.sh "alpine"
+
+            # by sha
+            echo "Tag and push mozilla/sops:$CIRCLE_SHA1"
+            docker tag mozilla/sops "mozilla/sops:$CIRCLE_SHA1"
+            bin/ci/deploy_dockerhub.sh "$CIRCLE_SHA1"
+
+            # no sha for alpine
+
+            # by semver
+            # v1.2.3
+            if [ ! -z $PATCH ];then
+              echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR.$PATCH"
+              docker tag mozilla/sops "mozilla/sops:v$MAJOR.$MINOR.$PATCH"
+              bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR.$PATCH"
+
+              echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR.$PATCH-alpine"
+              docker tag mozilla/sops:alpine "mozilla/sops:v$MAJOR.$MINOR.$PATCH-alpine"
+              bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR.$PATCH-alpine"
+            fi
+            # v1.2
+            if [ ! -z $MINOR ];then
+              echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR"
+              docker tag mozilla/sops "mozilla/sops:v$MAJOR.$MINOR"
+              bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR"
+
+              echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR-alpine"
+              docker tag mozilla/sops:alpine "mozilla/sops:v$MAJOR.$MINOR-alpine"
+              bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR-alpine"
+            fi
+            # v1
+            echo "Tag and Push mozilla/sops:v$MAJOR"
+            docker tag mozilla/sops "mozilla/sops:v$MAJOR"
+            bin/ci/deploy_dockerhub.sh "v$MAJOR"
+
+            echo "Tag and Push mozilla/sops:v$MAJOR-alpine"
+            docker tag mozilla/sops:alpine "mozilla/sops:v$MAJOR-alpine"
+            bin/ci/deploy_dockerhub.sh "v$MAJOR-alpine"

.dockerignore

@@ -0,0 +1,3 @@
+/.git
+/Dockerfile
+/Dockerfile.alpine

.github/workflows/cli.yml

@@ -0,0 +1,96 @@
+name: CLI
+
+on:
+  push:
+    branches:
+      - develop
+      - master
+  pull_request:
+    branches:
+      - develop
+      - master
+
+jobs:
+  build:
+    name: Build and test ${{ matrix.os }} ${{ matrix.arch }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [linux, darwin, windows]
+        arch: [amd64, arm64]
+        exclude:
+          - os: windows
+            arch: arm64
+    env:
+      VAULT_VERSION: "1.1.3"
+      VAULT_TOKEN: "root"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install git -y
+      - name: Set up Go 1.17
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+        id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Build Linux and Darwin
+        if: matrix.os != 'windows'
+        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
+      - name: Build Windows
+        if: matrix.os == 'windows'
+        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
+      - name: Import test GPG keys
+        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
+      - name: Test
+        run: make test
+      - name: Upload artifact for Linux and Darwin
+        if: matrix.os != 'windows'
+        uses: actions/upload-artifact@v2
+        with:
+          name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
+          path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
+      - name: Upload artifact for Windows
+        if: matrix.os == 'windows'
+        uses: actions/upload-artifact@v2
+        with:
+          name: sops-${{ matrix.os }}-${{ github.sha }}
+          path: sops-${{ matrix.os }}-${{ github.sha }}
+  test:
+    name: Functional tests
+    runs-on: ubuntu-latest
+    needs: [build]
+    env:
+      VAULT_VERSION: "1.1.3"
+      VAULT_TOKEN: "root"
+      VAULT_ADDR: "http://127.0.0.1:8200"
+    steps:
+      - name: Install rustup
+        run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.47.0
+      - name: Check out code
+        uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: sops-linux-amd64-${{ github.sha }}
+      - name: Move SOPS binary
+        run: mv sops-linux-amd64-${{ github.sha }} ./functional-tests/sops
+      - name: Make SOPS binary executable
+        run: chmod +x ./functional-tests/sops
+      - name: Download Vault
+        run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/
+      - name: Start Vault server
+        run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" &
+      - name: Enable Vault KV
+        run: vault secrets enable -version=1 kv
+      - name: Import test GPG keys
+        run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
+      - name: Run tests
+        run: cargo test
+        working-directory: ./functional-tests

.github/workflows/release.yml

@@ -0,0 +1,65 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  tagged-release:
+    name: "Tagged Release"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install git ruby rpm -y
+      - name: Install fpm
+        run: gem install fpm || sudo gem install fpm
+      - name: Set up Go 1.17
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+        id: go
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+      - name: Go vendor
+        run: go mod vendor
+      - name: Make release directory
+        run: mkdir dist
+      - name: Build deb and rpm
+        run: make deb-pkg rpm-pkg
+      - name: Move deb and rpm into release directory
+        run: mv *.deb *.rpm dist/
+      - name: Set RELEASE_VERSION
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+      - name: Set RELEASE_NUMBER
+        run: echo "RELEASE_NUMBER=$(echo $RELEASE_VERSION | cut -c2-)" >> $GITHUB_ENV
+      - name: Build linux amd64 binary
+        run: GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 go.mozilla.org/sops/v3/cmd/sops && cp dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux
+      - name: Build linux arm64 binary
+        run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 go.mozilla.org/sops/v3/cmd/sops
+      - name: Build darwin amd64 binary
+        run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 go.mozilla.org/sops/v3/cmd/sops
+      - name: Copy darwin amd64 to have a no-architecture labeled version
+        run: cp dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin
+      - name: Build darwin arm64 binary
+        run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 go.mozilla.org/sops/v3/cmd/sops
+      - name: Build windows binary
+        run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe go.mozilla.org/sops/v3/cmd/sops
+      - name: Create release
+        uses: "mozilla/action-automatic-releases@latest"
+        with:
+          repo_token: "${{ secrets.GITHUB_TOKEN }}"
+          prerelease: true
+          files: |
+            dist/sops-${{ env.RELEASE_VERSION }}.exe
+            dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64
+            dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64
+            dist/sops-${{ env.RELEASE_VERSION }}.darwin
+            dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64
+            dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64
+            dist/sops-${{ env.RELEASE_VERSION }}.linux
+            dist/sops_${{ env.RELEASE_NUMBER }}_amd64.deb
+            dist/sops_${{ env.RELEASE_NUMBER }}_arm64.deb
+            dist/sops-${{ env.RELEASE_NUMBER }}-1.x86_64.rpm
+            dist/sops-${{ env.RELEASE_NUMBER }}-1.aarch64.rpm

.gitignore

@@ -1,2 +1,5 @@
 target
 Cargo.lock
+vendor/
+coverage.txt
+profile.out

.sops.yaml

@@ -1,2 +1,4 @@
 creation_rules:
-    - pgp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
+    - pgp: >-
+        FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4,
+        D7229043384BCC60326C6FB9D8720D957C3D3074