Merge remote-tracking branch 'upstream/develop' into develop

.circleci/config.yml

@@ -4,10 +4,10 @@ workflows:
   build-and-deploy:
     jobs:
       - build
-      - push:     
+      - push:
           filters:
             tags:
-              only: /^v.*/   
+              only: /^v.*/
             branches:
               ignore: /.*/
 jobs:
@@ -18,19 +18,26 @@ jobs:
     resource_class: large
     steps:
       - checkout
-      - setup_remote_docker
+      - setup_remote_docker:
+          version: 20.10.11
       - run:
           name: Build containers
           command: |
             docker build -t mozilla/sops .
             docker tag mozilla/sops "mozilla/sops:$CIRCLE_SHA1"
+      - run:
+          name: Build containers (alpine)
+          command: |
+            # Just to ensure the container can be built.
+            docker build -f Dockerfile.alpine -t mozilla/sops:alpine .
 
   push:
-    machine: true
+    machine:
+      image: ubuntu-2004:202111-02
     resource_class: large
     steps:
       - checkout
-      - run: 
+      - run:
           name: semver check
           command: |
             MAJOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f1)
@@ -46,8 +53,8 @@ jobs:
 
             This job uses the semver from the git TAG as the public version to publish.
 
-            - This should only run on workflows triggered by a tag. 
-            - The tag name should be a semver like 'v1.2.3' 
+            - This should only run on workflows triggered by a tag.
+            - The tag name should be a semver like 'v1.2.3'
             - The version should follow conventions documented at https://github.com/fsaintjacques/semver-tool
             EOF
             exit 1

.github/workflows/cli.yml

@@ -12,22 +12,26 @@ on:
 
 jobs:
   build:
-    name: Build and test ${{ matrix.os }}
+    name: Build and test ${{ matrix.os }} ${{ matrix.arch }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
         os: [linux, darwin, windows]
+        arch: [amd64, arm64]
+        exclude:
+          - os: windows
+            arch: arm64
     env:
       VAULT_VERSION: "1.1.3"
       VAULT_TOKEN: "root"
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
       - name: Install dependencies
         run: sudo apt-get update && sudo apt-get install git -y
-      - name: Set up Go 1.13
+      - name: Set up Go 1.17
         uses: actions/setup-go@v2
         with:
-          go-version: 1.13
+          go-version: 1.17
         id: go
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
@@ -37,13 +41,24 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      - name: Build
+      - name: Build Linux and Darwin
+        if: matrix.os != 'windows'
+        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
+      - name: Build Windows
+        if: matrix.os == 'windows'
         run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
       - name: Import test GPG keys
         run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
       - name: Test
         run: make test
-      - name: Upload artifact
+      - name: Upload artifact for Linux and Darwin
+        if: matrix.os != 'windows'
+        uses: actions/upload-artifact@v2
+        with:
+          name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
+          path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
+      - name: Upload artifact for Windows
+        if: matrix.os == 'windows'
         uses: actions/upload-artifact@v2
         with:
           name: sops-${{ matrix.os }}-${{ github.sha }}
@@ -63,9 +78,9 @@ jobs:
         uses: actions/checkout@v2
       - uses: actions/download-artifact@v2
         with:
-          name: sops-linux-${{ github.sha }}
+          name: sops-linux-amd64-${{ github.sha }}
       - name: Move SOPS binary
-        run: mv sops-linux-${{ github.sha }} ./functional-tests/sops
+        run: mv sops-linux-amd64-${{ github.sha }} ./functional-tests/sops
       - name: Make SOPS binary executable
         run: chmod +x ./functional-tests/sops
       - name: Download Vault

.github/workflows/release.yml

@@ -15,13 +15,15 @@ jobs:
         run: sudo apt-get update && sudo apt-get install git ruby rpm -y
       - name: Install fpm
         run: gem install fpm || sudo gem install fpm
-      - name: Set up Go 1.15
+      - name: Set up Go 1.17
         uses: actions/setup-go@v2
         with:
-          go-version: 1.15
+          go-version: 1.17
         id: go
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2
+      - name: Go vendor
+        run: go mod vendor
       - name: Make release directory
         run: mkdir dist
       - name: Build deb and rpm
@@ -32,20 +34,32 @@ jobs:
         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
       - name: Set RELEASE_NUMBER
         run: echo "RELEASE_NUMBER=$(echo $RELEASE_VERSION | cut -c2-)" >> $GITHUB_ENV
-      - name: Build darwin binary
-        run: GOOS=darwin CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin go.mozilla.org/sops/v3/cmd/sops
+      - name: Build linux amd64 binary
+        run: GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 go.mozilla.org/sops/v3/cmd/sops && cp dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux
+      - name: Build linux arm64 binary
+        run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 go.mozilla.org/sops/v3/cmd/sops
+      - name: Build darwin amd64 binary
+        run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 go.mozilla.org/sops/v3/cmd/sops
+      - name: Copy darwin amd64 to have a no-architecture labeled version
+        run: cp dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin
+      - name: Build darwin arm64 binary
+        run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 go.mozilla.org/sops/v3/cmd/sops
       - name: Build windows binary
         run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe go.mozilla.org/sops/v3/cmd/sops
-      - name: Copy already built linux binary
-        run: cp tmppkg/usr/local/bin/sops dist/sops-${{ env.RELEASE_VERSION }}.linux
       - name: Create release
         uses: "mozilla/action-automatic-releases@latest"
         with:
           repo_token: "${{ secrets.GITHUB_TOKEN }}"
           prerelease: true
           files: |
             dist/sops-${{ env.RELEASE_VERSION }}.exe
+            dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64
+            dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64
             dist/sops-${{ env.RELEASE_VERSION }}.darwin
+            dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64
+            dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64
             dist/sops-${{ env.RELEASE_VERSION }}.linux
             dist/sops_${{ env.RELEASE_NUMBER }}_amd64.deb
+            dist/sops_${{ env.RELEASE_NUMBER }}_arm64.deb
             dist/sops-${{ env.RELEASE_NUMBER }}-1.x86_64.rpm
+            dist/sops-${{ env.RELEASE_NUMBER }}-1.aarch64.rpm

CHANGELOG.rst

@@ -1,123 +1,138 @@
 Changelog
 =========
 
+3.7.2
+-----
+Changes:
+
+* README updates (#861, #860)
+* Various test fixes (#909, #906, #1008)
+* Added Linux and Darwin arm64 releases (#911, #891)
+* Upgrade to go v1.17 (#1012)
+* Support SOPS_AGE_KEY environment variable (#1006)
+
+Bug fixes:
+
+* Make sure comments in yaml files are not duplicated (#866)
+* Make sure configuration file paths work correctly relative to the config file in us (#853)
+
 3.7.1
 -----
 Changes:
 
-    * Security fix
-    * Add release workflow (#843)
-    * Fix issue where CI wouldn't run against master (#848)
-    * Trim extra whitespace around age keys (#846)
+* Security fix
+* Add release workflow (#843)
+* Fix issue where CI wouldn't run against master (#848)
+* Trim extra whitespace around age keys (#846)
 
 3.7.0
 -----
 Features:
 
-    * Add support for age (#688)
-    * Add filename to exec-file (#761)
+* Add support for age (#688)
+* Add filename to exec-file (#761)
 
 Changes:
 
-    * On failed decryption with GPG, return the error returned by GPG to the sops user (#762)
-    * Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
-    * Update aws-sdk-go to version v1.37.18 (#823)
+* On failed decryption with GPG, return the error returned by GPG to the sops user (#762)
+* Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
+* Update aws-sdk-go to version v1.37.18 (#823)
 
 Project Changes:
 
-    * Switch from TravisCI to Github Actions (#792)
+* Switch from TravisCI to Github Actions (#792)
 
 3.6.1
 -----
 Features:
 
-    * Add support for --unencrypted-regex (#715)
+* Add support for --unencrypted-regex (#715)
 
 Changes:
 
-    * Use keys.openpgp.org instead of gpg.mozilla.org (#732)
-    * Upgrade AWS SDK version (#714)
-    * Support --input-type for exec-file (#699)
+* Use keys.openpgp.org instead of gpg.mozilla.org (#732)
+* Upgrade AWS SDK version (#714)
+* Support --input-type for exec-file (#699)
 
 Bug fixes:
 
-    * Fixes broken Vault tests (#731)
-    * Revert "Add standard newline/quoting behavior to dotenv store" (#706)
+* Fixes broken Vault tests (#731)
+* Revert "Add standard newline/quoting behavior to dotenv store" (#706)
 
 
 3.6.0
 -----
 Features:
 
-    * Support for encrypting data through the use of Hashicorp Vault (#655)
-    * `sops publish` now supports `--recursive` flag for publishing all files in a directory (#602)
-    * `sops publish` now supports `--omit-extensions` flag for omitting the extension in the destination path (#602)
-    * sops now supports JSON arrays of arrays (#642)
+* Support for encrypting data through the use of Hashicorp Vault (#655)
+* `sops publish` now supports `--recursive` flag for publishing all files in a directory (#602)
+* `sops publish` now supports `--omit-extensions` flag for omitting the extension in the destination path (#602)
+* sops now supports JSON arrays of arrays (#642)
 
 Improvements:
 
-    * Updates and standardization for the dotenv store (#612, #622)
-    * Close temp files after using them for edit command (#685)
+* Updates and standardization for the dotenv store (#612, #622)
+* Close temp files after using them for edit command (#685)
 
 Bug fixes:
 
-    * AWS SDK usage now correctly resolves the `~/.aws/config` file (#680)
-    * `sops updatekeys` now correctly matches config rules (#682)
-    * `sops updatekeys` now correctly uses the config path cli flag (#672)
-    * Partially empty sops config files don't break the use of sops anymore (#662)
-    * Fix possible infinite loop in PGP's passphrase prompt call (#690)
+* AWS SDK usage now correctly resolves the `~/.aws/config` file (#680)
+* `sops updatekeys` now correctly matches config rules (#682)
+* `sops updatekeys` now correctly uses the config path cli flag (#672)
+* Partially empty sops config files don't break the use of sops anymore (#662)
+* Fix possible infinite loop in PGP's passphrase prompt call (#690)
 
 Project changes:
 
-    * Dockerfile now based off of golang version 1.14 (#649)
-    * Push alpine version of docker image to Dockerhub (#609)
-    * Push major, major.minor, and major.minor.patch tagged docker images to Dockerhub (#607)
-    * Removed out of date contact information (#668)
-    * Update authors in the cli help text (#645)
+* Dockerfile now based off of golang version 1.14 (#649)
+* Push alpine version of docker image to Dockerhub (#609)
+* Push major, major.minor, and major.minor.patch tagged docker images to Dockerhub (#607)
+* Removed out of date contact information (#668)
+* Update authors in the cli help text (#645)
 
 
 3.5.0
 -----
 Features:
 
-    * `sops exec-env` and `sops exec-file`, two new commands for utilizing sops secrets within a temporary file or env vars
+* `sops exec-env` and `sops exec-file`, two new commands for utilizing sops secrets within a temporary file or env vars
 
 Bug fixes:
 
-    * Sanitize AWS STS session name, as sops creates it based off of the machines hostname
-    * Fix for `decrypt.Data` to support `.ini` files
-    * Various package fixes related to switching to Go Modules
-    * Fixes for Vault-related tests running locally and in CI.
+* Sanitize AWS STS session name, as sops creates it based off of the machines hostname
+* Fix for `decrypt.Data` to support `.ini` files
+* Various package fixes related to switching to Go Modules
+* Fixes for Vault-related tests running locally and in CI.
 
 Project changes:
 
-    * Change to proper use of go modules, changing to primary module name to `go.mozilla.org/sops/v3`
-    * Change tags to requiring a `v` prefix.
-    * Add documentation for `sops updatekeys` command
+* Change to proper use of go modules, changing to primary module name to `go.mozilla.org/sops/v3`
+* Change tags to requiring a `v` prefix.
+* Add documentation for `sops updatekeys` command
 
 3.4.0
 -----
 Features:
 
-    * `sops publish`, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault
-    * Support for multiple Azure authentication mechanisms
-    * Azure Keyvault support to the sops config file
-    * `encrypted_regex` option to the sops config file
+* `sops publish`, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault
+* Support for multiple Azure authentication mechanisms
+* Azure Keyvault support to the sops config file
+* `encrypted_regex` option to the sops config file
 
 Bug fixes:
 
-    * Return non-zero exit code for invalid CLI flags
-    * Broken path handling for sops editing on Windows
-    * `go lint/fmt` violations
-    * Check for pgp fingerprint before slicing it
+* Return non-zero exit code for invalid CLI flags
+* Broken path handling for sops editing on Windows
+* `go lint/fmt` violations
+* Check for pgp fingerprint before slicing it
 
 Project changes:
 
-    * Build container using golang 1.12
-    * Switch to using go modules
-    * Hashicorp Vault server in Travis CI build
-    * Mozilla Publice License file to repo
-    * Replaced expiring test gpg keys
+* Build container using golang 1.12
+* Switch to using go modules
+* Hashicorp Vault server in Travis CI build
+* Mozilla Publice License file to repo
+* Replaced expiring test gpg keys
 
 3.3.1
 -----

Dockerfile

@@ -1,10 +1,10 @@
-FROM golang:1.15
+FROM golang:1.17
 
 COPY . /go/src/go.mozilla.org/sops
 WORKDIR /go/src/go.mozilla.org/sops
 
 RUN CGO_ENABLED=1 make install
 RUN apt-get update
-RUN apt-get install -y vim python-pip emacs
+RUN apt-get install -y vim python3-pip emacs
 RUN pip install awscli
 ENV EDITOR vim

Dockerfile.alpine

@@ -1,4 +1,4 @@
-FROM golang:1.12-alpine3.10 AS builder
+FROM golang:1.17-alpine3.15 AS builder
 
 RUN apk --no-cache add make
 
@@ -8,7 +8,7 @@ WORKDIR /go/src/go.mozilla.org/sops
 RUN CGO_ENABLED=1 make install
 
 
-FROM alpine:3.10
+FROM alpine:3.15
 
 RUN apk --no-cache add \
   vim ca-certificates