Merge branch 'main' into pass

getsops · Oct 12, 2024 · b6ce3c7 · b6ce3c7
2 parents 24dae3a + 365d924
commit b6ce3c7
Show file tree

Hide file tree

Showing 40 changed files with 4,119 additions and 1,022 deletions.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -2,7 +2,7 @@ version: 2
 
 updates:
   - package-ecosystem: "docker"
-    directory: "/"
+    directory: "/.release"
     labels: ["dependencies"]
     schedule:
       # By default, this will be on a Monday.
@@ -39,3 +39,16 @@ updates:
       go:
         patterns:
           - "*"
+
+  - package-ecosystem: "cargo"
+    directory: "/functional-tests"
+    labels: ["area/CI", "dependencies"]
+    schedule:
+      # By default, this will be on a Monday.
+      interval: "weekly"
+    groups:
+      # Group all updates together, so that they are all applied in a single PR.
+      # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
+      rust:
+        patterns:
+          - "*"
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
@@ -13,30 +13,31 @@ permissions:
 
 jobs:
   build:
-    name: Build and test ${{ matrix.os }} ${{ matrix.arch }}
+    name: Build and test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.go-version }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
         os: [linux, darwin, windows]
         arch: [amd64, arm64]
+        go-version: ['1.22', '1.23']
         exclude:
           - os: windows
             arch: arm64
     env:
-      VAULT_VERSION: "1.1.3"
+      VAULT_VERSION: "1.14.0"
       VAULT_TOKEN: "root"
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
-      - name: Set up Go 1.20
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - name: Set up Go ${{ matrix.go-version }}
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.20'
+          go-version: ${{ matrix.go-version }}
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
-      - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+      - uses: actions/cache@2cdf405574d6ef1f33a1d12acccd3ae82f47b3f2 # v4.1.0
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -49,54 +50,63 @@ jobs:
       - name: Ensure clean working tree
         run: git diff --exit-code
 
-      - name: Build Linux and Darwin
+      - name: Build ${{ matrix.os }}
         if: matrix.os != 'windows'
-        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
+        run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops
 
-      - name: Build Windows
+      - name: Build ${{ matrix.os }}
         if: matrix.os == 'windows'
-        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
+        run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops
 
       - name: Import test GPG keys
         run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done
 
       - name: Test
         run: make test
 
-      - name: Upload artifact for Linux and Darwin
+      - name: Upload artifact for ${{ matrix.os }}
         if: matrix.os != 'windows'
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
-          name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
-          path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
+          name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
+          path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }}
 
-      - name: Upload artifact for Windows
+      - name: Upload artifact for ${{ matrix.os }}
         if: matrix.os == 'windows'
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
         with:
-          name: sops-${{ matrix.os }}-${{ github.sha }}
-          path: sops-${{ matrix.os }}-${{ github.sha }}
+          name: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
+          path: sops-${{ matrix.go-version }}-${{ matrix.os }}-${{ github.sha }}
   test:
     name: Functional tests
     runs-on: ubuntu-latest
     needs: [build]
+    strategy:
+      matrix:
+        go-version: ['1.22']
     env:
-      VAULT_VERSION: "1.1.3"
+      VAULT_VERSION: "1.14.0"
       VAULT_TOKEN: "root"
       VAULT_ADDR: "http://127.0.0.1:8200"
     steps:
-      - name: Install rustup
-        run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.70.0
-
       - name: Check out code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
-      - uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
+      # Rustup will detect toolchain version and profile from rust-toolchain.toml
+      # It will download and install the toolchain and components automatically
+      # and make them available for subsequent commands
+      - name: Install Rust toolchain
+        run: rustup show
+
+      - name: Show Rust version
+        run: cargo --version
+
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          name: sops-linux-amd64-${{ github.sha }}
+          name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}
 
       - name: Move SOPS binary
-        run: mv sops-linux-amd64-${{ github.sha }} ./functional-tests/sops
+        run: mv sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }} ./functional-tests/sops
 
       - name: Make SOPS binary executable
         run: chmod +x ./functional-tests/sops
@@ -116,3 +126,22 @@ jobs:
       - name: Run tests
         run: cargo test
         working-directory: ./functional-tests
+
+  # The 'check' job should depend on all other jobs so it's possible to configure branch protection only for 'check'
+  # instead of having to explicitly list all individual jobs that need to pass.
+  check:
+    if: always()
+
+    needs:
+      - build
+      - test
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          allowed-failures: docs, linters
+          allowed-skips: non-voting-flaky-job
+          jobs: ${{ toJSON(needs) }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -29,11 +29,11 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/init@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -48,6 +48,6 @@ jobs:
         run: make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/analyze@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
         with:
           category: "/language:go"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.0.0
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Install rstcheck and markdownlint
         run: |

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -0,0 +1,37 @@
+name: Linters
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+    # Only run when Rust version or linted files change
+    paths:
+      - 'rust-toolchain.toml'
+      - 'functional-tests/**/*.rs'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint Rust source files
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+
+      # Rustup will detect toolchain version and profile from rust-toolchain.toml
+      # It will download and install the toolchain and components automatically
+      # and make them available for subsequent commands
+      - name: Install Rust toolchain and additional components
+        run: rustup component add rustfmt
+
+      - name: Show Rust version
+        run: cargo --version
+
+      - name: Run Formatting Check
+        run: cargo fmt --check
+        working-directory: ./functional-tests
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,47 +25,50 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
           fetch-depth: 0
 
       - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v4.0.1
         with:
-          go-version: 1.20.x
+          go-version-file: go.mod
           cache: false
 
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
+        uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
 
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Quay.io
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_BOT_USERNAME }}
           password: ${{ secrets.QUAY_BOT_TOKEN }}
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
         with:
-          version: 1.20.x
+          # Note that the following is the version of goreleaser, and NOT a Go version!
+          # When bumping it, make sure to check out goreleaser's changelog first!
+          # (https://github.com/goreleaser/goreleaser/releases)
+          version: 1.21.x
           args: release --clean --timeout 1h
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -165,7 +168,7 @@ jobs:
       id-token: write # For creating OIDC tokens for signing.
       contents: write # For adding assets to a release.
 
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
     with:
       base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}"
       upload-assets: true
@@ -182,7 +185,7 @@ jobs:
     strategy:
       matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}
 
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
     with:
       image: ghcr.io/${{ matrix.image }}
       digest: ${{ matrix.digest }}
@@ -201,7 +204,7 @@ jobs:
     strategy:
       matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}
 
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
     with:
       image: quay.io/${{ matrix.image }}
       digest: ${{ matrix.digest }}

diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,5 @@
 bin/
 dist/
 functional-tests/sops
-Cargo.lock
 vendor/
 profile.out