Merge branch 'main' into patch-3

felixfontein · web-flow · commit 0dfe6b71483c · 2026-03-11T06:54:46.000+01:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -35,7 +35,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           languages: go
           # xref: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
@@ -52,6 +52,6 @@ jobs:
           make install
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           category: "/language:go"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -46,20 +46,20 @@ jobs:
           cosign-release: 'v2.6.2'
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Quay.io
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_BOT_USERNAME }}
diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go
@@ -39,6 +39,7 @@ type runEditorUntilOkOpts struct {
 	TmpFileName    string
 	OriginalHash   []byte
 	InputStore     sops.Store
+	OutputStore    common.Store
 	ShowMasterKeys bool
 	Tree           *sops.Tree
 }
@@ -147,8 +148,12 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 
 	// Let the user edit the file
 	err = runEditorUntilOk(runEditorUntilOkOpts{
-		InputStore: opts.InputStore, OriginalHash: origHash, TmpFileName: tmpfileName,
-		ShowMasterKeys: opts.ShowMasterKeys, Tree: tree})
+		InputStore:     opts.InputStore,
+		OutputStore:    opts.OutputStore,
+		OriginalHash:   origHash,
+		TmpFileName:    tmpfileName,
+		ShowMasterKeys: opts.ShowMasterKeys,
+		Tree:           tree})
 	if err != nil {
 		return nil, err
 	}
@@ -169,6 +174,12 @@ func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) {
 	return encryptedFile, nil
 }
 
+const pressKeyMsg = "Press enter to return to the editor, or Ctrl+C to exit."
+
+func waitForKeyPress() {
+	bufio.NewReader(os.Stdin).ReadByte()
+}
+
 func runEditorUntilOk(opts runEditorUntilOkOpts) error {
 	for {
 		err := runEditor(opts.TmpFileName)
@@ -191,10 +202,8 @@ func runEditorUntilOk(opts runEditorUntilOkOpts) error {
 			log.WithField(
 				"error",
 				err,
-			).Errorf("Could not load tree, probably due to invalid " +
-				"syntax. Press a key to return to the editor, or Ctrl+C to " +
-				"exit.")
-			bufio.NewReader(os.Stdin).ReadByte()
+			).Errorf("Could not load tree, probably due to invalid syntax. " + pressKeyMsg)
+			waitForKeyPress()
 			continue
 		}
 		if opts.ShowMasterKeys {
@@ -205,14 +214,22 @@ func runEditorUntilOk(opts runEditorUntilOkOpts) error {
 				log.WithField(
 					"error",
 					err,
-				).Errorf("SOPS metadata is invalid. Press a key to " +
-					"return to the editor, or Ctrl+C to exit.")
-				bufio.NewReader(os.Stdin).ReadByte()
+				).Errorf("SOPS metadata is invalid. " + pressKeyMsg)
+				waitForKeyPress()
 				continue
 			}
 			// Replace the whole tree, because otherwise newBranches would
 			// contain the SOPS metadata
 			opts.Tree = &t
+		} else {
+			if userErr, _ := validateFileForEncryption(opts.OutputStore, newBranches); userErr != nil {
+				log.WithField(
+					"error",
+					userErr.UserError(),
+				).Errorf("Tree not valid for encryption. " + pressKeyMsg)
+				waitForKeyPress()
+				continue
+			}
 		}
 		opts.Tree.Branches = newBranches
 		needVersionUpdated, err := version.AIsNewerThanB(version.Version, opts.Tree.Metadata.Version)
@@ -223,10 +240,8 @@ func runEditorUntilOk(opts runEditorUntilOkOpts) error {
 			opts.Tree.Metadata.Version = version.Version
 		}
 		if opts.Tree.Metadata.MasterKeyCount() == 0 {
-			log.Error("No master keys were provided, so sops can't " +
-				"encrypt the file. Press a key to return to the editor, or " +
-				"Ctrl+C to exit.")
-			bufio.NewReader(os.Stdin).ReadByte()
+			log.Error("No master keys were provided, so sops can't encrypt the file. " + pressKeyMsg)
+			waitForKeyPress()
 			continue
 		}
 		break
diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go
@@ -52,15 +52,28 @@ func (err *fileAlreadyEncryptedError) UserError() string {
 		"encrypt files that already contain such an entry.\n\n" +
 		"If this is an unencrypted file, rename the '" + stores.SopsMetadataKey + "' entry.\n\n" +
 		"If this is an encrypted file and you want to edit it, use the " +
-		"editor mode, for example: `sops my_file.yaml`"
+		"editor mode, for example: `sops edit my_file.yaml`"
 	return wordwrap.WrapString(message, 75)
 }
 
-func ensureNoMetadata(opts encryptOpts, branch sops.TreeBranch) error {
-	if opts.OutputStore.HasSopsTopLevelKey(branch) {
-		return &fileAlreadyEncryptedError{}
+type needAtLeastOneDocument struct{}
+
+func (err *needAtLeastOneDocument) Error() string {
+	return "Empty file"
+}
+
+func (err *needAtLeastOneDocument) UserError() string {
+	return "File cannot be completely empty, it must contain at least one document"
+}
+
+func validateFileForEncryption(outputStore sops.Store, branches []sops.TreeBranch) (sops.UserError, int) {
+	if len(branches) < 1 {
+		return &needAtLeastOneDocument{}, codes.NeedAtLeastOneDocument
+	}
+	if outputStore.HasSopsTopLevelKey(branches[0]) {
+		return &fileAlreadyEncryptedError{}, codes.FileAlreadyEncrypted
 	}
-	return nil
+	return nil, 0
 }
 
 func metadataFromEncryptionConfig(config encryptConfig) sops.Metadata {
@@ -96,11 +109,8 @@ func encrypt(opts encryptOpts) (encryptedFile []byte, err error) {
 	if err != nil {
 		return nil, common.NewExitError(fmt.Sprintf("Error unmarshalling file: %s", err), codes.CouldNotReadInputFile)
 	}
-	if len(branches) < 1 {
-		return nil, common.NewExitError("File cannot be completely empty, it must contain at least one document", codes.NeedAtLeastOneDocument)
-	}
-	if err := ensureNoMetadata(opts, branches[0]); err != nil {
-		return nil, common.NewExitError(err, codes.FileAlreadyEncrypted)
+	if err, code := validateFileForEncryption(opts.OutputStore, branches); err != nil {
+		return nil, common.NewExitError(err, code)
 	}
 	path, err := filepath.Abs(opts.InputPath)
 	if err != nil {
diff --git a/cmd/sops/set.go b/cmd/sops/set.go
@@ -51,6 +51,10 @@ func set(opts setOpts) ([]byte, bool, error) {
 	var changed bool
 	tree.Branches[0], changed = tree.Branches[0].Set(opts.TreePath, opts.Value)
 
+	if err, code := validateFileForEncryption(opts.OutputStore, tree.Branches); err != nil {
+		return nil, false, common.NewExitError(err, code)
+	}
+
 	err = common.EncryptTree(common.EncryptTreeOpts{
 		DataKey: dataKey, Tree: tree, Cipher: opts.Cipher,
 	})
