From 54dbb296ddc5cd4379a6ef9244bc3cdc6a465469 Mon Sep 17 00:00:00 2001 From: Deeman Date: Fri, 27 Feb 2026 07:40:03 +0100 Subject: [PATCH] fix(secrets): add secrets-updatekeys-prod target, use --input-type dotenv sops updatekeys doesn't inherit --input-type from context, so calling it bare on .env.prod.sops causes "Error unmarshalling input json" (guesses JSON from the .sops extension). Explicit --input-type dotenv fixes it. Co-Authored-By: Claude Sonnet 4.6
---
Makefile | 7 ++++++- infra/setup_server.sh | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 13554a4..f888826 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,8 @@ SOPS_DOTENV := sops --input-type dotenv --output-type dotenv
 .PHONY: help dev css-build css-watch \
 secrets-decrypt-dev secrets-decrypt-prod \
 secrets-edit-dev secrets-edit-prod \
- secrets-encrypt-dev secrets-encrypt-prod
+ secrets-encrypt-dev secrets-encrypt-prod \
+ secrets-updatekeys-prod
 help:
 @echo "Available targets:"
@@ -18,6 +19,7 @@ help:
 @echo " secrets-edit-prod Edit .env.prod.sops in \$$EDITOR"
 @echo " secrets-encrypt-dev Encrypt .env (plaintext) → .env.dev.sops"
 @echo " secrets-encrypt-prod Encrypt .env (plaintext) → .env.prod.sops"
+ @echo " secrets-updatekeys-prod Re-encrypt .env.prod.sops for all keys in .sops.yaml"
 # ── Dev environment ───────────────────────────────────────────────────────────
@@ -65,3 +67,6 @@ secrets-encrypt-dev:
 secrets-encrypt-prod:
 $(SOPS_DOTENV) --encrypt --in-place .env.prod.sops
 @echo "Encrypted .env.prod.sops (commit this file)"
+
+secrets-updatekeys-prod:
+ sops updatekeys --input-type dotenv .env.prod.sops
diff --git a/infra/setup_server.sh b/infra/setup_server.sh
index 89a3071..c1bcb31 100644
--- a/infra/setup_server.sh
+++ b/infra/setup_server.sh
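Review bot: The new `secrets-updatekeys-prod` recipe in the Makefile (last hunk) and its help line call the operation "Re-encrypt", but `sops updatekeys` only re-wraps the existing data key for the recipients listed in `.sops.yaml`; it does not rotate that key or touch the secret values. That matters when the target is run after removing a recipient, because anyone holding the old key and an earlier copy of the file can still decrypt it. I would add a comment above the recipe such as `# Re-wraps the data key for the recipients in .sops.yaml; does not rotate it. After removing a key, rotate the data key and the secrets themselves.` A second comment saying why the recipe does not reuse `$(SOPS_DOTENV)` (per the commit message, `updatekeys` does not pick up the input type from context) would keep someone from "tidying" it back later. Leaving the command interactive, as written, is the right call so the recipient diff is read before it is applied.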
@@ -168,7 +168,7 @@ echo " 2. Add the server age key to .sops.yaml (comma-separated):"
 echo " age: ,${AGE_PUB}"
 echo ""
 echo " 3. Re-encrypt and push:"
-echo " sops updatekeys .env.prod.sops"
+echo " make secrets-updatekeys-prod"
 echo " git add .sops.yaml .env.prod.sops"
 echo " git commit -m 'chore: add server age key'"
 echo " git push"
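Review bot: Step 3 of the printed instructions never asks the operator to check which recipients are being added, even though adding a recipient grants decrypt access to the production secrets. `sops updatekeys` shows the recipient changes and asks for confirmation, so I would print one more line after the `make` line, for example `echo "     (confirm the diff adds only ${AGE_PUB} before answering yes)"`. It may also help to say that the command is run from the repository root on a machine that can already decrypt `.env.prod.sops`; that is presumably not this server, whose key is only now being added. The block of `echo` statements starts and ends outside the hunk, so the surrounding wording is not visible here.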