sync (#2)

MarvinImmick · felixfontein · dependabot[bot] · web-flow · commit aed3d9caa083 · 2026-03-24T11:38:49.000+01:00
* Delete temporary file on termination. Signed-off-by: Felix Fontein <felix@fontein.de> * build(deps): Bump the ci group with 4 updates Bumps the ci group with 4 updates: [actions/download-artifact](https://github.com/actions/download-artifact), [github/codeql-action](https://github.com/github/codeql-action), [anchore/sbom-action](https://github.com/anchore/sbom-action) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer). Updates `actions/download-artifact` from 8.0.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@70fc10c...3e5f45b) Updates `github/codeql-action` from 4.32.6 to 4.33.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@0d579ff...b1bff81) Updates `anchore/sbom-action` from 0.23.0 to 0.23.1 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@17ae174...57aae52) Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@faadad0...ba7bc0a) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: github/codeql-action dependency-version: 4.33.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: anchore/sbom-action dependency-version: 0.23.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: sigstore/cosign-installer dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): Bump tempfile in /functional-tests in the rust group Bumps the rust group in /functional-tests with 1 update: [tempfile](https://github.com/Stebalien/tempfile). Updates `tempfile` from 3.26.0 to 3.27.0 - [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md) - [Commits](Stebalien/tempfile@v3.26.0...v3.27.0) --- updated-dependencies: - dependency-name: tempfile dependency-version: 3.27.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: rust ... Signed-off-by: dependabot[bot] <support@github.com> * Revert "Merge pull request getsops#1697 from onjen/fix-1142" This reverts commit 37fe172, reversing changes made to bf5e7ae. Signed-off-by: Felix Fontein <felix@fontein.de> * Add 3.12.2 changelog entry. Signed-off-by: Felix Fontein <felix@fontein.de> * Set version to 3.12.2. Signed-off-by: Felix Fontein <felix@fontein.de> * build(deps): Bump google.golang.org/grpc from 1.79.1 to 1.79.3 Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.79.1 to 1.79.3. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.79.1...v1.79.3) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-version: 1.79.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): Bump the ci group with 3 updates Bumps the ci group with 3 updates: [actions/cache](https://github.com/actions/cache), [github/codeql-action](https://github.com/github/codeql-action) and [anchore/sbom-action](https://github.com/anchore/sbom-action). Updates `actions/cache` from 5.0.3 to 5.0.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@cdf6c1f...6682284) Updates `github/codeql-action` from 4.33.0 to 4.34.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b1bff81...3869755) Updates `anchore/sbom-action` from 0.23.1 to 0.24.0 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@57aae52...e22c389) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: github/codeql-action dependency-version: 4.34.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci - dependency-name: anchore/sbom-action dependency-version: 0.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com> --------- Signed-off-by: Felix Fontein <felix@fontein.de> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
@@ -40,7 +40,7 @@ jobs:
           cache: false
         id: go
 
-      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -106,7 +106,7 @@ jobs:
       - name: Show Rust version
         run: cargo --version
 
-      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: sops-${{ matrix.go-version }}-linux-amd64-${{ github.sha }}
 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -35,7 +35,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           category: "/language:go"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -37,10 +37,10 @@ jobs:
           cache: false
 
       - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 
       - name: Setup Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
         with:
           # TODO: update cosign and go-releaser, and adjust go-releaser config
           cosign-release: 'v2.6.2'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,36 @@
 # Changelog
 
+## 3.12.2
+
+Improvements:
+
+* Dependency updates ([#2085](https://github.com/getsops/sops/pull/2085),
+  [#2087](https://github.com/getsops/sops/pull/2087), [#2089](https://github.com/getsops/sops/pull/2089),
+  [#2095](https://github.com/getsops/sops/pull/2095)).
+
+Bugfixes:
+
+* GCP: Revert the fix introduced in 3.12.0 that sets quota project to API
+  project in GCP KMS. This change unintentionally resulted in requiring
+  more permissions for GCP users. The original issue will be addressed in
+  another way in a future release ([#2099](https://github.com/getsops/sops/pull/2099)).
+* Ensure to delete temporary file and directory when editing in more
+  situations, like when user presses Ctrl+C or SOPS receives a SIGTERM
+  ([#2104](https://github.com/getsops/sops/pull/2104)).
+* Fix message that you need to enter (and not any key) after SOPS rejects
+  an edited file ([#2098](https://github.com/getsops/sops/pull/2098)).
+* Reject files with ``sops`` keys when editing files ([#2098](https://github.com/getsops/sops/pull/2098)).
+* Fix handling of ``--mac-only-encrypted`` option in subcommands ([#2100](https://github.com/getsops/sops/pull/2100)).
+
+Project changes:
+
+* CI dependency updates ([#2084](https://github.com/getsops/sops/pull/2084),
+  [#2091](https://github.com/getsops/sops/pull/2091), [#2101](https://github.com/getsops/sops/pull/2101),
+  [#2106](https://github.com/getsops/sops/pull/2106)).
+* Rust dependency updates for functional tests ([#2090](https://github.com/getsops/sops/pull/2090),
+  [#2105](https://github.com/getsops/sops/pull/2105)).
+* Improve CI workflows ([#2081](https://github.com/getsops/sops/pull/2081)).
+
 ## 3.12.1
 
 This is a re-release of 3.12.0 with no code changes.
diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go
@@ -3,12 +3,15 @@ package main
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"strings"
+	"syscall"
 
 	"github.com/getsops/sops/v3"
 	"github.com/getsops/sops/v3/cmd/sops/codes"
@@ -96,6 +99,24 @@ func edit(opts editOpts) ([]byte, error) {
 	return editTree(opts, tree, dataKey)
 }
 
+type cancelError struct{}
+
+func (err *cancelError) Error() string {
+	return "User canceled operation"
+}
+
+type editTreeResult struct {
+	value []byte
+	err   error
+}
+
+func createError(err error) editTreeResult {
+	return editTreeResult{
+		value: nil,
+		err:   err,
+	}
+}
+
 func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 	// Create temporary file for editing
 	tmpdir, err := os.MkdirTemp("", "")
@@ -117,33 +138,58 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 
 	tmpfileName := tmpfile.Name()
 
+	// Catch when the user presses Ctrl+C, or kills SOPS.
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGINT, syscall.SIGTERM, syscall.SIGKILL)
+	defer stop()
+
+	result := make(chan editTreeResult, 1)
+
+	// This goroutine handles signals that exit SOPS, that usually lead to termination
+	// before editTree() can clean up the temporary directory and file.
+	go func() {
+		<-ctx.Done()
+		result <- createError(&cancelError{})
+	}()
+
+	// This goroutine handles regular execution of editing.
+	go func() {
+		result <- editTreeImpl(tmpfile, tmpfileName, opts, tree, dataKey)
+	}()
+
+	// Wait until the first result shows up (either an exit is requested, or editTreeImpl returns).
+	res := <-result
+	return res.value, res.err
+}
+
+func editTreeImpl(tmpfile *os.File, tmpfileName string, opts editOpts, tree *sops.Tree, dataKey []byte) editTreeResult {
 	// Write to temporary file
 	var out []byte
+	var err error
 	if opts.ShowMasterKeys {
 		out, err = opts.OutputStore.EmitEncryptedFile(*tree)
 	} else {
 		out, err = opts.OutputStore.EmitPlainFile(tree.Branches)
 	}
 	if err != nil {
-		return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree)
+		return createError(common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree))
 	}
 	_, err = tmpfile.Write(out)
 	if err != nil {
-		return nil, common.NewExitError(fmt.Sprintf("Could not write output file: %s", err), codes.CouldNotWriteOutputFile)
+		return createError(common.NewExitError(fmt.Sprintf("Could not write output file: %s", err), codes.CouldNotWriteOutputFile))
 	}
 
 	// Compute file hash to detect if the file has been edited
 	origHash, err := hashFile(tmpfileName)
 	if err != nil {
-		return nil, common.NewExitError(fmt.Sprintf("Could not hash file: %s", err), codes.CouldNotReadInputFile)
+		return createError(common.NewExitError(fmt.Sprintf("Could not hash file: %s", err), codes.CouldNotReadInputFile))
 	}
 
 	// Close the temporary file, so that an editor can open it.
 	// We need to do this because some editors (e.g. VSCode) will refuse to
 	// open a file on Windows due to the Go standard library not opening
 	// files with shared delete access.
 	if err := tmpfile.Close(); err != nil {
-		return nil, err
+		return createError(err)
 	}
 
 	// Let the user edit the file
@@ -155,23 +201,26 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 		ShowMasterKeys: opts.ShowMasterKeys,
 		Tree:           tree})
 	if err != nil {
-		return nil, err
+		return createError(err)
 	}
 
 	// Encrypt the file
 	err = common.EncryptTree(common.EncryptTreeOpts{
 		DataKey: dataKey, Tree: tree, Cipher: opts.Cipher,
 	})
 	if err != nil {
-		return nil, err
+		return createError(err)
 	}
 
 	// Output the file
 	encryptedFile, err := opts.OutputStore.EmitEncryptedFile(*tree)
 	if err != nil {
-		return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree)
+		return createError(common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree))
+	}
+	return editTreeResult{
+		value: encryptedFile,
+		err:   nil,
 	}
-	return encryptedFile, nil
 }
 
 const pressKeyMsg = "Press enter to return to the editor, or Ctrl+C to exit."
diff --git a/functional-tests/Cargo.lock b/functional-tests/Cargo.lock
diff --git a/functional-tests/Cargo.toml b/functional-tests/Cargo.toml
@@ -5,7 +5,7 @@ edition = "2021"
 authors = ["Adrian Utrilla <adrianutrilla@gmail.com>"]
 
 [dependencies]
-tempfile = "3.26.0"
+tempfile = "3.27.0"
 serde = "1.0"
 serde_json = "1.0.149"
 serde_yaml = "0.9.34"
diff --git a/gcpkms/keysource.go b/gcpkms/keysource.go
@@ -280,14 +280,13 @@ func (key *MasterKey) TypeToIdentifier() string {
 // It returns an error if the ResourceID is invalid, or if the setup of the
 // client fails.
 func (key *MasterKey) newKMSClient(ctx context.Context) (*kms.KeyManagementClient, error) {
-	re := regexp.MustCompile(`^projects/(?P<project>[^/]+)/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
+	re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`)
 	matches := re.FindStringSubmatch(key.ResourceID)
 	if matches == nil {
 		return nil, fmt.Errorf("no valid resource ID found in %q", key.ResourceID)
 	}
 
 	var opts []option.ClientOption
-	opts = append(opts, option.WithQuotaProject(matches[1]))
 	switch {
 	case key.tokenSource != nil:
 		opts = append(opts, option.WithTokenSource(key.tokenSource))
diff --git a/go.mod b/go.mod
@@ -43,7 +43,7 @@ require (
 	golang.org/x/term v0.40.0
 	google.golang.org/api v0.267.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20
-	google.golang.org/grpc v1.79.1
+	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/ini.v1 v1.67.1
 )
diff --git a/go.sum b/go.sum
@@ -467,8 +467,8 @@ google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZi
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY=
-google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/version/version.go b/version/version.go
@@ -12,7 +12,7 @@ import (
 )
 
 // Version represents the value of the current semantic version.
-var Version = "3.12.1"
+var Version = "3.12.2"
 
 // PrintVersion prints the current version of sops. If the flag
 // `--disable-version-check` is set or if the environment variable

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ require (`
`43`	`43`	`golang.org/x/term v0.40.0`
`44`	`44`	`google.golang.org/api v0.267.0`
`45`	`45`	`google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20`
`46`		`- google.golang.org/grpc v1.79.1`
	`46`	`+ google.golang.org/grpc v1.79.3`
`47`	`47`	`google.golang.org/protobuf v1.36.11`
`48`	`48`	`gopkg.in/ini.v1 v1.67.1`
`49`	`49`	`)`