chore: use KMS-only SOPS encryption and stop age key publishing (#10)

## Summary
- add the Make IT Work Cloud SOPS AWS KMS key as the SOPS recipient
- remove the age recipient from `.sops.yaml`
- re-key `secrets/secrets.yaml` so SOPS metadata is KMS-only
- grant the caller workflow `id-token: write` for the shared workflow's
GitHub OIDC role assumption
- stop publishing `SOPS_AGE_KEY` as a GitHub Actions secret to tfroot
repositories
- remove the encrypted `sops_age_key` value from this repo's SOPS
secrets file

## Dependency / rollout
- Requires `makeitworkcloud/tfroot-aws#6` and
`makeitworkcloud/shared-workflows#7`, both now merged/applied.
- Applying this PR will remove managed `SOPS_AGE_KEY` GitHub Actions
secrets from the tfroot repositories.

## Validation
- `AWS_PROFILE=makeitwork sops decrypt --output /dev/null
secrets/secrets.yaml`
- verified SOPS metadata has `kms=1` and `age=0`
- verified no remaining `SOPS_AGE_KEY` / `sops_age_key` references
- `PCT_TFPATH=$(command -v tofu) pre-commit run --all-files`

Author: xnoto

.github/workflows/opentofu.yml

@@ -10,10 +10,9 @@ on:
 
 permissions:
   contents: read
+  id-token: write
   pull-requests: write
 
 jobs:
   opentofu:
     uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
-    secrets:
-      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}

.sops.yaml

@@ -1,3 +1,3 @@
 ---
 creation_rules:
-  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+  - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91

main.tf

@@ -93,16 +93,6 @@ locals {
         "tfroot-github"
       ]
     }
-    "sops_age_key" = {
-      name  = "SOPS_AGE_KEY"
-      value = data.sops_file.secret_vars.data["sops_age_key"]
-      repositories = [
-        "tfroot-aws",
-        "tfroot-cloudflare",
-        "tfroot-github",
-        "tfroot-libvirt"
-      ]
-    }
     "ssh_private_key" = {
       name  = "SSH_PRIVATE_KEY"
       value = data.sops_file.secret_vars.data["ssh_private_key"]

secrets/secrets.yaml

@@ -13,25 +13,19 @@ onion_aws_region: ENC[AES256_GCM,data:kP66iQ2k6vXO,iv:5f+KdsYfkv+SPW0ra9w270TlSk
 onion_s3_bucket: ENC[AES256_GCM,data:KmfWCcoufDnZiv/KpRMeYyg1HLqbFA==,iv:5bIEcMZHl2ijTsOnd/CNk8Sqh9jrvA7ZGL4Ugx2psqs=,tag:uSXOUfk9FgIgOvB+CuT+Ug==,type:str]
 onion_aws_access_key_id: ENC[AES256_GCM,data:aP4lIpJvjUUn4tDabVG/XN5MCCw=,iv:Qt56iiwYHWSt7LmJhBGk1s8SZyeBchnUswOPkIgnMcE=,tag:+WKU5gy6xiBGebFL4qcQ8A==,type:str]
 onion_aws_secret_access_key: ENC[AES256_GCM,data:VyTmQP0ePPwub0ii3jhpeBlXCw9jJcO1n1UWElzIoQ/hKzRxYB6fuA==,iv:aVtTdR6xVgHw9GNiidvVpENgVEex/NVAauCBr5Di+c8=,tag:XyjxwZhNnTBdq1wiVlNXEA==,type:str]
-sops_age_key: ENC[AES256_GCM,data:kK8zWix/ixpRHbkIO+7H9njNjNvyywJf47qzyUnZ1gGIDrXvsbucfsVkXQ8KCJNFaMFtV2Q8za74zHoDvaIHGMIrqO/lZEU3Mkk=,iv:ZrS0+rzlhF7c3yTP6p95cvGgiCcIKCFmR3ciNZF08a8=,tag:R7mToFSZynMeDppDrHoCcg==,type:str]
 www_aws_region: ENC[AES256_GCM,data:zNlYVEdfWSt7,iv:1EuJEcGCehdNXefjdxbsf+EIQAAriahlsLvSFX1juuQ=,tag:rKXSez3x63hQOW5dxfuORQ==,type:str]
 www_s3_bucket: ENC[AES256_GCM,data:IAv46XzbFFYnQnwvwxR6CA==,iv:1VrY1BHtSH0h1GZ33A0dB86yEuWBa7iYyYBoMPfSBEU=,tag:FASm43yXO3G0ZPG4q2TeWg==,type:str]
 www_aws_access_key_id: ENC[AES256_GCM,data:jb1vtp/sjpYE+9/ZxIhnpezUCzM=,iv:u5wB2bmFVl9KD+ULvCauWzUJ0FoF7H6ENByKPirdgiY=,tag:5KtO4jnXEff8oG/woPa6qA==,type:str]
 www_aws_secret_access_key: ENC[AES256_GCM,data:x7YarHj9pKPiYHM04xkaU+fACjoOmM7eaMj1rU+iIYq2jYgY11X74g==,iv:NEY6uHKvIWnw7m8ym0cYVXDMvbmCu9iAZ5N9WGyZgYM=,tag:xL1Pgyidj4Nw73vKFeCziQ==,type:str]
 cloudflare_zone_id: ENC[AES256_GCM,data:6RjS806r2iMX9dfWBJeLIG54jRu3DhylNP7QOmrOVWc=,iv:picCNDWPduEMzqcm3gh7oRaGEs+4n2E/P91EGC/3iDs=,tag:9G/KG68JLu/rxI+fLpQQ7Q==,type:str]
 cloudflare_api_token: ENC[AES256_GCM,data:z5WDjwxFZ7VaufG17WciwbbOVQlaZP+OSGOkRCTJQJAPxZCv8pHc6Q==,iv:jiUky+4sIka3Kkw4JcteY2eoj8uzSwsMAREamseJ/Vo=,tag:ChGagBsNZKUVka6rlcB/FQ==,type:str]
 sops:
-    age:
-        - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDc2dHd2I0dGNHQ2NNMXZJ
-            OGd3QVVCc0VOaG1pZGdjWEkrRU13Rnlibm40CnFvbE0xVEFxemdnQ3ZRbFhob2lo
-            MVVGa3AzM2VabFI1MjVqNGFzMWczcm8KLS0tIEtWNmlFUUU4SytUdGttS1hXL3g1
-            YlFmOUhWbWlsd2ttYWRaYTk4T3dCbFUKzXuqXD6QH9orC7kCcSKNQhIyUNBtlITv
-            FIk3D7Niz2eNMyom5OobkRKVg33NpYdOusvchxqpJc0i4ydqyGkMzw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-30T16:17:12Z"
-    mac: ENC[AES256_GCM,data:kqtjOb9eAziiyyty+gToF+iadFJFnTKy8v8UftWHey868LNVL5Dq/TS8hmpYNLxzgFsu06uqHPmFNEIaeJQIPDL7ZwOdCKk6hf2tDx2BR1+EBEgGGoe9Hx7stuXGx0Vg+zhPv3/Z3yc+po46EtpuF+OyujOwWOBt2xbBEZL1yz4=,iv:A1h6EFCWD/1Oxzx7Lpt70yHKQWepiETnB9J+i8IE02g=,tag:7CBnxg3Dgp7tESpqLzeklQ==,type:str]
+    kms:
+        - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+          created_at: "2026-06-19T04:16:52Z"
+          enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AF/kg94UKFDzajWL4wI8KwkAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmVOJEF56prSE5mcxAgEQgDt27+5rh3R0yvgpohI7YEEeZqxAJQiRdIomE22ohFcv2WGRfPXvbh43PlSwUAekZwmkLMM440d0Pu8zcA==
+          aws_profile: ""
+    lastmodified: "2026-06-19T04:13:08Z"
+    mac: ENC[AES256_GCM,data:l0RC91HKiFmaYRNLv07KJXwjAXm9HMvUUFCZmFMrJ1SoKn1ICoP+Lj64bIUCcKdnB5nrNNcyYvjgyhWssu0/wn5qMUH+9ZyWVDPhYj8GBGT7ZGuwbjNef8WV+WwyO8Qw4FDg6kesJeemuEwOHhXyaKOtZNb+kdWllFvjfsasZXs=,iv:kxf3aqVIJeZbUvzOtY6Uq4YpCkkStctezgy+91PpTJc=,tag:ScaLQ9zqj+Xuc5eCu+hxRQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2