fix(secrets): add secrets-updatekeys-prod target, use --input-type dotenv

sops updatekeys doesn't inherit --input-type from context, so calling it bare on .env.prod.sops causes "Error unmarshalling input json" (guesses JSON from the .sops extension). Explicit --input-type dotenv fixes it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-27 07:40:03 +01:00
parent 7d3263a39c
commit 54dbb296dd
2 changed files with 7 additions and 2 deletions
--- a/7
+++ b/7
@@ -5,7 +5,8 @@ SOPS_DOTENV      := sops --input-type dotenv --output-type dotenv
 .PHONY: help dev css-build css-watch \
        secrets-decrypt-dev secrets-decrypt-prod \
        secrets-edit-dev secrets-edit-prod \
-        secrets-encrypt-dev secrets-encrypt-prod
+        secrets-encrypt-dev secrets-encrypt-prod \
        secrets-updatekeys-prod
 help:
 	@echo "Available targets:"
@@ -18,6 +19,7 @@ help:
 	@echo "  secrets-edit-prod      Edit .env.prod.sops in \$$EDITOR"
 	@echo "  secrets-encrypt-dev    Encrypt .env (plaintext) → .env.dev.sops"
 	@echo "  secrets-encrypt-prod   Encrypt .env (plaintext) → .env.prod.sops"
 	@echo "  secrets-updatekeys-prod  Re-encrypt .env.prod.sops for all keys in .sops.yaml"
 # ── Dev environment ───────────────────────────────────────────────────────────
@@ -65,3 +67,6 @@ secrets-encrypt-dev:
 secrets-encrypt-prod:
 	$(SOPS_DOTENV) --encrypt --in-place .env.prod.sops
 	@echo "Encrypted .env.prod.sops (commit this file)"
 secrets-updatekeys-prod:
 	sops updatekeys --input-type dotenv .env.prod.sops
--- a/infra/setup_server.sh
+++ b/infra/setup_server.sh
@@ -168,7 +168,7 @@ echo "  2. Add the server age key to .sops.yaml (comma-separated):"
 echo "       age: <your-dev-key>,${AGE_PUB}"
 echo ""
 echo "  3. Re-encrypt and push:"
-echo "       sops updatekeys .env.prod.sops"
+echo "       make secrets-updatekeys-prod"
 echo "       git add .sops.yaml .env.prod.sops"
 echo "       git commit -m 'chore: add server age key'"
 echo "       git push"