Skip to content

feat: implement SOPS provider #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
euphemism wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

feat: implement SOPS provider #58

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5d0b154
docs: make Astro config a .ts file
Jun 15, 2026
973f679
docs: run TypeScript check on build
Jun 15, 2026
6620b48
providers: implement SOPS provider
Jun 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,10 +63,10 @@ Providers support URI-based configuration (e.g., `keyring://`, `onepassword://va
When adding a new provider, update **every** location below — provider names appear in several listings that drift out of sync if any are missed:

1. `docs/src/content/docs/providers/<provider>.md` - Create the provider's doc page
2. `docs/astro.config.mjs` - Add to sidebar navigation under "Providers" **and** to the providers sentence in the `starlightLlmsTxt` description block
2. `docs/astro.config.ts` - Add to sidebar navigation under "Providers" **and** to the providers sentence in the `starlightLlmsTxt` description block
3. `docs/src/content/docs/concepts/providers.md` - Add a row to the "Available Providers" table
4. `docs/src/content/docs/reference/providers.md` - Add a provider section **and** a row in the "Security Considerations" table
5. `docs/src/pages/index.astro` - Add to the `providerMetadata` array (top of file) **and** to the `secretspec config init` mini-terminal in the hero
5. `docs/src/pages/index.astro` - Add to the `providerMetadata` array (top of file).
6. `docs/src/content/docs/quick-start.mdx` - Update the `secretspec config init` example output to include the new provider
7. `README.md` (symlink to `secretspec/README.md`) - Add to the "Providers" bullet list **and** to the `secretspec config init` example output

Expand Down Expand Up @@ -178,7 +178,7 @@ The docs site is an Astro Starlight site deployed to https://secretspec.dev/.

### Structure

- `docs/astro.config.mjs` - Sidebar navigation and site config
- `docs/astro.config.ts` - Sidebar navigation and site config
- `docs/src/pages/index.astro` - Home page (custom landing layout, not in the content collection)
- `docs/src/content/docs/` - All other content pages (markdown/mdx)
- `quick-start.mdx` - Getting started guide
Expand All @@ -189,7 +189,7 @@ The docs site is an Astro Starlight site deployed to https://secretspec.dev/.

### What to update

- **New doc page**: Create the `.md` file and add it to the sidebar in `docs/astro.config.mjs`
- **New doc page**: Create the `.md` file and add it to the sidebar in `docs/astro.config.ts`
- **New CLI command**: Update `docs/src/content/docs/reference/cli.md`
- **New config option**: Update `docs/src/content/docs/reference/configuration.md`
- **New provider**: See [Adding Provider Documentation](#adding-provider-documentation) above
Expand Down
122 changes: 118 additions & 4 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ colored = "3.0"
dotenvy = "0.15"
inquire = { version = "0.9.4", features = ["experimental-multiline-input"] }
miette = { version = "7.6", features = ["fancy"] }
rust-ini = "0.21.3"
saphyr = "0.0.6"
serde_json = "1.0"
tempfile = "3.0"
http = "1.0"
Expand Down Expand Up @@ -50,6 +52,7 @@ rsa = { version = "0.9", features = ["pem"] }
uuid = { version = "1", features = ["v4"] }
data-encoding = "2"
detect-coding-agent = "0.1"
regex = "1.12.4"

# The profile that 'dist' will build with
[profile.dist]
Expand Down
41 changes: 33 additions & 8 deletions devenv.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
channel = "stable";
version = "1.92.0";
};

languages.javascript = {
enable = true;
npm = {
Expand All @@ -20,6 +21,8 @@
pkgs.cargo-tarpaulin
# installers
pkgs.cargo-dist
# For development of the SOPS provider
pkgs.sops
];

git-hooks.hooks = {
Expand All @@ -33,14 +36,36 @@
cargo test --all
'';

scripts.test-cli-integration.exec = ''
# Build the CLI for integration tests
cargo build --release
export PATH="$PWD/target/release:$PATH"

# Run CLI integration tests
bash tests/cli-integration.sh
'';
scripts = {
generate-encrypted-secrets-files-for-sops-tests =
let
SOPS_AGE_KEY_FILE = "./secretspec/src/provider/sops/test_fixtures/key.txt";
age-public-key = "age1jpa8rf5qmrg6pw444fcgpkaxg8x4neueszrexzagdjpunjlgeyzq304w34";
in
{
exec = ''
extensions=(json yaml bin ini)

for ext in "''${extensions[@]}"; do
infile="./secretspec/src/provider/sops/test_fixtures/single_file/some-project-name.''${ext}"

outfile="./secretspec/src/provider/sops/test_fixtures/single_file/some-project-name.enc.''${ext}"

SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE}" \
sops encrypt --age "${age-public-key}" "$infile" > "$outfile"
done
'';
};

test-cli-integration.exec = ''
# Build the CLI for integration tests
cargo build --release
export PATH="$PWD/target/release:$PATH"

# Run CLI integration tests
bash tests/cli-integration.sh
'';
};

processes.docs.exec = ''
cd docs && npm run dev
Expand Down
2 changes: 1 addition & 1 deletion docs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ Inside of your Astro + Starlight project, you'll see the following folders and f
│ ├── content/
│ │ ├── docs/
│ └── content.config.ts
├── astro.config.mjs
├── astro.config.ts
├── package.json
└── tsconfig.json
```
Expand Down
7 changes: 4 additions & 3 deletions docs/astro.config.mjs → docs/astro.config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// @ts-check
import type {PluginOption} from "vite";
import { defineConfig } from "astro/config";
import starlight from "@astrojs/starlight";
import starlightLlmsTxt from "starlight-llms-txt";
Expand All @@ -8,7 +8,7 @@ import starlightBlog from "starlight-blog";
// /api/stars would 404 and the star pill would stay hidden locally. Mirror the
// worker's GitHub proxy here so the pill populates during local development.
// Production is unaffected — it is served by worker.js.
const devStarsApi = {
const devStarsApi: PluginOption = {
name: "dev-stars-api",
apply: "serve",
enforce: "pre",
Expand Down Expand Up @@ -109,7 +109,7 @@ $ secretspec import dotenv://.env.production

## Providers

Secrets can be stored in: keyring (default), dotenv files, environment variables, 1Password, LastPass, Pass, Proton Pass, Google Cloud Secret Manager, AWS Secrets Manager, HashiCorp Vault / OpenBao, or Bitwarden Secrets Manager.`,
Secrets can be stored in: keyring (default), dotenv files, environment variables, 1Password, LastPass, Pass, Proton Pass, Google Cloud Secret Manager, AWS Secrets Manager, HashiCorp Vault / OpenBao, Bitwarden Secrets Manager, or SOPS: Secrets OPerationS.`,
}),
],
title: "SecretSpec",
Expand Down Expand Up @@ -185,6 +185,7 @@ Secrets can be stored in: keyring (default), dotenv files, environment variables
label: "Bitwarden Secrets Manager",
slug: "providers/bws",
},
{ label: "SOPS: Secrets OPerationS", slug: "providers/sops" },
],
},
{
Expand Down
Loading