Test SOPS 3.6.1, 3.7.0, and 3.9.1 in CI (#209)

* Test SOPS 3.9.1 in CI.

* Only test latest bugfix releases in main matrix; move initial minor releases to special cases.

* age_key only work with 3.7.1+ and not with 3.7.0.

* Document minimum SOPS version for age_key* options.

* Add 3.7.0 to README.

.github/workflows/ansible-test.yml

@@ -77,11 +77,10 @@ jobs:
           - fedora40
         sops_version:
           - 3.5.0
-          - 3.6.0
+          - 3.6.1
           - 3.7.3
-          - 3.8.0
           - 3.8.1
-          - 3.9.0
+          - 3.9.1
         python_version:
           - ''
         include:
@@ -132,6 +131,18 @@ jobs:
             docker_container: ubuntu2404
             sops_version: 3.9.0
           # devel
+          - ansible: devel
+            docker_container: ubuntu2204
+            sops_version: 3.6.0
+          - ansible: devel
+            docker_container: ubuntu2204
+            sops_version: 3.7.0
+          - ansible: devel
+            docker_container: ubuntu2404
+            sops_version: 3.8.0
+          - ansible: devel
+            docker_container: fedora40
+            sops_version: 3.9.0
           - ansible: devel
             docker_container: quay.io/ansible-community/test-image:archlinux
             python_version: '3.12'

README.md

@@ -19,11 +19,9 @@ Please note that this collection does **not** support Windows targets.
 
 The following table shows which versions of SOPS were tested with which versions of the collection. Older (or newer) versions of SOPS can still work fine, it just means that we did not test them. In some cases, it could be that a minimal required version of SOPS is explicitly documented for a specific feature. This is the case from community.sops 1.8.0 on; from that version on the collection automatically detects the SOPS version to determine whether a feature is supported or not.
 
-|`community.sops` version|SOPS version|
+|`community.sops` version|SOPS versions|
 |---|---|
-|0.1.0|`3.5.0+`|
-|1.0.6|`3.5.0+`|
-|`main` branch|`3.5.0`, `3.6.0`, `3.7.3`, `3.8.0`, `3.8.1`, `3.9.0`|
+|`main` branch|`3.5.0`, `3.6.0`, `3.6.1`, `3.7.0`, `3.7.3`, `3.8.0`, `3.8.1`, `3.9.0`, `3.9.1`|
 
 ## Code of Conduct
 

plugins/doc_fragments/sops.py

@@ -24,6 +24,7 @@ class ModuleDocFragment(object):
         description:
             - One or more age private keys that can be used to decrypt encrypted files.
             - Will be set as the E(SOPS_AGE_KEY) environment variable when calling SOPS.
+            - Requires SOPS 3.7.1+.
         type: str
         version_added: 1.4.0
     age_keyfile:
@@ -33,6 +34,7 @@ class ModuleDocFragment(object):
             - Will be set as the E(SOPS_AGE_KEY_FILE) environment variable when calling SOPS.
             - By default, SOPS looks for C(sops/age/keys.txt) inside your user configuration
               directory.
+            - Requires SOPS 3.7.0+.
         type: path
         version_added: 1.4.0
     aws_profile:

tests/integration/targets/age/tasks/main.yml

@@ -3,15 +3,10 @@
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-- name: Get sops version
-  command: sops --version
-  when: sops_installed
-  register: installed_sops_version
-
 - name: Determine whether sops, age, and sops with age are supported
   set_fact:
     supports_sops_and_age: >-
-      {{ sops_installed and age_installed and (installed_sops_version.stdout | regex_search('sops (\d+\.\d+\.\d+)', '\1') | first) is version('3.7.0', '>=') }}
+      {{ sops_installed and age_installed and sops_version_remote is version('3.7.0', '>=') }}
 
 - when: supports_sops_and_age
   block:

tests/integration/targets/age/tasks/test.yml

@@ -47,20 +47,14 @@
     - enc-2
     - enc-3
 
-- name: Decrypt some data
+- name: Decrypt some data (3.7.0+)
   set_fact:
     decrypt_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
     decrypt_1_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
     decrypt_1_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_2') | from_yaml }}"
     decrypt_1_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_3') | from_yaml }}"
     decrypt_1_4: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_4') | from_yaml }}"
     decrypt_1_1_2_3: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_1_2_3') | from_yaml }}"
-    decrypt_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_all')) | from_yaml }}"
-    decrypt_1_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_1')) | from_yaml }}"
-    decrypt_1_2b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_2')) | from_yaml }}"
-    decrypt_1_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_3')) | from_yaml }}"
-    decrypt_1_4b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_4')) | from_yaml }}"
-    decrypt_1_1_2_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_1_2_3')) | from_yaml }}"
     decrypt_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identities_all') | from_yaml }}"
     decrypt_2_1: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_1') | from_yaml }}"
     decrypt_2_2: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_2') | from_yaml }}"
@@ -81,12 +75,6 @@
       - decrypt_1 == decrypt_1_3
       - decrypt_1 == decrypt_1_4
       - decrypt_1 == decrypt_1_1_2_3
-      - decrypt_1 == decrypt_1b
-      - decrypt_1 == decrypt_1_1b
-      - decrypt_1 == decrypt_1_2b
-      - decrypt_1 == decrypt_1_3b
-      - decrypt_1 == decrypt_1_4b
-      - decrypt_1 == decrypt_1_1_2_3b
       - decrypt_2.foo == 19
       - decrypt_2.bar == 'this is another secret'
       - decrypt_2.bam is undefined
@@ -101,6 +89,28 @@
       - decrypt_3.int is undefined
       - decrypt_3 == decrypt_3_4
 
+- when: >-
+    {{ sops_version_controller is version('3.7.1', '>=') }}
+  block:
+    - name: Decrypt some data (3.7.1+)
+      set_fact:
+        decrypt_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_all')) | from_yaml }}"
+        decrypt_1_1b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_1')) | from_yaml }}"
+        decrypt_1_2b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_2')) | from_yaml }}"
+        decrypt_1_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_3')) | from_yaml }}"
+        decrypt_1_4b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identity_4')) | from_yaml }}"
+        decrypt_1_1_2_3b: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-1.sops.yaml', age_key=lookup('file', local_tmp_dir ~ '/identities_1_2_3')) | from_yaml }}"
+
+    - name: Validate decryption
+      assert:
+        that:
+          - decrypt_1 == decrypt_1b
+          - decrypt_1 == decrypt_1_1b
+          - decrypt_1 == decrypt_1_2b
+          - decrypt_1 == decrypt_1_3b
+          - decrypt_1 == decrypt_1_4b
+          - decrypt_1 == decrypt_1_1_2_3b
+
 - name: Failed encryption 1
   debug:
     msg: "{{ lookup('community.sops.sops', local_tmp_dir ~ '/enc-2.sops.yaml', age_keyfile=local_tmp_dir ~ '/identity_3') | from_yaml }}"