From 46a4eaf96c3a2d17ffc0e459b5853aeec6d1c7bd Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 21:53:39 -0600
Subject: [PATCH 1/4] chore: add sops kms recipient
---
 .sops.yaml | 3 ++-
 secrets/secrets.yaml | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 8967c45..44d4ef5 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,4 @@
 ---
 creation_rules:
-  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+  - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+    age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index bf8f187..d39603c 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
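Review bot: The creation rule now lists the KMS key and the age recipient side by side with no `shamir_threshold`, so either recipient on its own unwraps the data key of every file the rule matches (there is no `path_regex`, so that is every file sops is pointed at). That is acceptable as a migration step, but nothing in the file records which path CI is expected to use or that the age key is meant to go away; a comment such as `# CI unwraps via the KMS key (GitHub OIDC); the age recipient is transitional` above the `- kms:` line would capture the intent. Pinning the rule to a single key id also ties every encrypted file to that key, so a later change of KMS key means editing this rule and running `sops updatekeys` on each encrypted file.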
@@ -11,15 +11,20 @@ github_warp_client_secret: ENC[AES256_GCM,data:/9PdKHBNkCvb+3uaPhkgjQ/d/7uO/BKKu
 #ENC[AES256_GCM,data:NRrIGgCWh0MOpRWx7Cw6wCaZLcOxoCEjXmQ+rwrFfhe2myjGHRA=,iv:EUxsPxSb1dKAMGrLEhipLdvi2ASXVRK7c8MWoHHYIyQ=,tag:ZdPL96rSbeF7JI8i0aABNA==,type:comment]
 warp_private_network: ENC[AES256_GCM,data:GgohATv3bceMezxfesM=,iv:SypBrFaK1DAH5DLca0dodfeV0uZ7pTEh/5WamdFj0u4=,tag:Zv28Trazx45VCLGyCilbmQ==,type:str]
 sops:
+  kms:
+    - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+      created_at: "2026-06-19T03:45:00Z"
+      enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AFpK8KP6zFFXcNxUp8j6fZEAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMocVFDtuf50wkJU90AgEQgDuVglQ1g61eZAj4QqUGp8Nvd872rCg82oMWlfXi57myJ385ugFT5LnoRPPvAy9fZ3WquILK8S8N3pRoGA==
+      aws_profile: ""
   age:
     - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQktvS3NPcGRXaGwzc254
-        TGEwMlBkWXZ2dGRtMFdDNmpMdHViVDducER3CmtNY3pnNDkrZ2RnMmZVakx1ZlBU
-        a3l1UUZ1bmlmVHM0eTBqZHZIeG94dEkKLS0tIFlRYU5WeFR3VlViUlFBa0ZCKzFC
-        MTBFY21HTlhGV01tM0pVRGFuc1E5NVUKZE2VS+5cYdHhcSkZlLlX7nvfW3PLuSK7
-        ostSDKZK935LA6iiZoIk7Q9l4xPenhOXv6Oi6uXWq4sJXLAYC2qX1w==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZWVpdHFIbWtQMmtjZzRZ
+        K0w3NmVNNE5JdVFIdHdRdTRoSS9mUW9pR0hVCjRLZ1M3eCswd2hRN2JuM3l3R3RZ
+        NEhsN0Z5bG9RTU0vSGk1cDlreEtFTG8KLS0tIHNuS1doYmFKZExVd0tzVmRMQlA0
+        MTFidEpZTDRDWk0vTllZNjJYS3BibzQKOqXcFLj0SqMHNernaX7lAUnPqV8IItKB
+        g9lTlrG67f5CBC/0WfPstwRYdkDKxmAQL7AxMZCyD0GynYjOKtENbw==
         -----END AGE ENCRYPTED FILE-----
   lastmodified: "2025-12-28T21:48:14Z"
   mac: ENC[AES256_GCM,data:zYZY9hVSuVwvY8ZmAi+IjgppQxZ76alGESUe2QG3DEiS71uBdOuzZ/4PSMbV95BU8HMmDuFI06BUV8FWSGVM6izWfiQbwWYZmXdAG+wlbIBoKMkO0TuqvD718G6dK5ecPc/8GZxU+dsjWc9hnT7q42ZYw1GjRYY8g3L+9vfNeVs=,iv:M1AGFXYgfkDE3LyVH32M2opv/SYH2phEfHWYl6DeJrY=,tag:HscClM9n5GP9QMU9Ekkt1g==,type:str]
From 3bdc0f2efe9638646e71222c663b272f78212203 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:01:08 -0600
Subject: [PATCH 2/4] ci: allow github oidc for sops kms
---
 .github/workflows/opentofu.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 91f72ff..80400d0 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -10,6 +10,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
   pull-requests: write
 
 jobs:
From ca08b095f66e6b597403d1554a522d7e40271219 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:18:34 -0600
Subject: [PATCH 3/4] chore: remove sops age recipient
---
 .sops.yaml | 1 -
 secrets/secrets.yaml | 14 ++------------
 2 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 44d4ef5..99901db 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,3 @@
 ---
 creation_rules:
   - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
-    age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index d39603c..5844659 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
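Review bot: `id-token: write` is granted at the workflow level, so every job in this workflow can mint a GitHub OIDC token, not only the `opentofu` job that calls the reusable workflow (the trigger list under `on:` is outside the hunk, so I cannot tell whether pull-request events from forks are among them). Moving the whole `permissions:` block under `jobs.opentofu` keeps the grant on the one job that needs it; a called reusable workflow runs with the caller job's permissions, so the job-level form still covers it. The reusable workflow is pinned to `@main` (visible as context in the patch 4 hunk), which combined with `id-token: write` means any change on that branch of `makeitworkcloud/shared-workflows` can obtain this repository's OIDC identity; pinning to a tag or commit SHA removes that dependency on a mutable ref. On the AWS side, the role's trust policy should restrict the `sub` claim to this repository and the expected ref or environment rather than only checking the audience, which is not visible here.
```yaml
jobs:
  opentofu:
    permissions:
      contents: read
      id-token: write
      pull-requests: write
    # … unchanged: uses: … (the top-level permissions block is removed)
```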
@@ -13,19 +13,9 @@ warp_private_network: ENC[AES256_GCM,data:GgohATv3bceMezxfesM=,iv:SypBrFaK1DAH5D
 sops:
   kms:
     - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
-      created_at: "2026-06-19T03:45:00Z"
-      enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AFpK8KP6zFFXcNxUp8j6fZEAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMocVFDtuf50wkJU90AgEQgDuVglQ1g61eZAj4QqUGp8Nvd872rCg82oMWlfXi57myJ385ugFT5LnoRPPvAy9fZ3WquILK8S8N3pRoGA==
+      created_at: "2026-06-19T04:16:51Z"
+      enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AEPDTOl9Io3KatXnxPUvKWkAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMyoLVpOVV/XwemMKHAgEQgDuLRRX9BEavxz2UU387cuD/3+lwn3pS+r6CsXI2ho6B+cxR45qHvvoSYg2fi+SXEzo0MgMSdpXhLxlrTw==
       aws_profile: ""
-  age:
-    - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZWVpdHFIbWtQMmtjZzRZ
-        K0w3NmVNNE5JdVFIdHdRdTRoSS9mUW9pR0hVCjRLZ1M3eCswd2hRN2JuM3l3R3RZ
-        NEhsN0Z5bG9RTU0vSGk1cDlreEtFTG8KLS0tIHNuS1doYmFKZExVd0tzVmRMQlA0
-        MTFidEpZTDRDWk0vTllZNjJYS3BibzQKOqXcFLj0SqMHNernaX7lAUnPqV8IItKB
-        g9lTlrG67f5CBC/0WfPstwRYdkDKxmAQL7AxMZCyD0GynYjOKtENbw==
-        -----END AGE ENCRYPTED FILE-----
   lastmodified: "2025-12-28T21:48:14Z"
   mac: ENC[AES256_GCM,data:zYZY9hVSuVwvY8ZmAi+IjgppQxZ76alGESUe2QG3DEiS71uBdOuzZ/4PSMbV95BU8HMmDuFI06BUV8FWSGVM6izWfiQbwWYZmXdAG+wlbIBoKMkO0TuqvD718G6dK5ecPc/8GZxU+dsjWc9hnT7q42ZYw1GjRYY8g3L+9vfNeVs=,iv:M1AGFXYgfkDE3LyVH32M2opv/SYH2phEfHWYl6DeJrY=,tag:HscClM9n5GP9QMU9Ekkt1g==,type:str]
   unencrypted_suffix: _unencrypted
From a73c8db29786b4d541f8763ebc091402288bb7c3 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:28:46 -0600
Subject: [PATCH 4/4] ci: stop passing sops age key
---
 .github/workflows/opentofu.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 80400d0..f7265bc 100644
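Review bot: Dropping the `age` entry from the `sops` metadata does not revoke the age key's access to these secrets: `mac`, `lastmodified` and every `ENC[...]` value are unchanged context lines, so the file still uses the same data key, and the previous revision in git history holds that data key wrapped to the age recipient (the block removed here). Anyone holding the age private key plus repository history can therefore still decrypt the current values. If the aim is to retire the age key, re-encrypt with a fresh data key — `sops -r -i secrets/secrets.yaml` rewrites `mac` and every `ENC[...]` value — and treat the plaintext secrets themselves as due for rotation if the age key is no longer considered trustworthy. The same applies to any other sops-managed file the previous `.sops.yaml` rule covered; only `secrets/secrets.yaml` is touched in this series.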
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -16,5 +16,3 @@ permissions:
 jobs:
   opentofu:
     uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
-    secrets:
-      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
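Review bot: The hunk only stops passing `SOPS_AGE_KEY`; the repository secret itself, and the private key wherever else it is stored, remain in place until someone deletes them, and since the old data key stays wrapped to that recipient in git history (patch 3), the removal should be paired with deleting the secret and destroying the key material. With the `secrets:` block gone nothing is passed to the reusable workflow at all, so the role ARN and region it needs for OIDC-based KMS decryption must come from inputs, repository variables or defaults inside `makeitworkcloud/shared-workflows`, none of which is visible here; a comment on the `uses:` line such as `# AWS access via OIDC (id-token: write); no secrets passed` would make that explicit, and a run on a pull request before merging would confirm the call still decrypts.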