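#!/usr/bin/env bash
#
# pre-commit hook: block commits that add or modify plaintext files under
# secrets/.
#
# Every blob staged under secrets/ must carry a top-level SOPS metadata block
# ('sops:' at column 0 for YAML, a "sops": key for JSON) or have a .age/.gpg
# extension. The check reads the staged blob (git show :path), not the
# working-tree copy, so only what would actually be committed is inspected.
#
# Fails closed: any git error aborts the commit instead of letting it through.
# Requires bash >= 4.4 (mapfile -d '').
set -euo pipefail

#######################################
# Print a diagnostic to stderr and abort the commit.
# Arguments: $* - message
#######################################
die() {
  printf 'pre-commit: %s\n' "$*" >&2
  exit 1
}

#######################################
# Test whether the file content on stdin carries a top-level SOPS block.
# Only the marker's presence is checked (anchored to column 0 for YAML so a
# nested 'sops:' key inside some other mapping does not count); it does not
# prove the values inside are encrypted.
# NOTE(review): sops' dotenv/INI output uses a different marker layout and is
# not recognised here — extend the pattern if those formats are used.
# Returns: 0 when a marker is found, non-zero otherwise
#######################################
has_sops_block() {
  grep -qE '^sops:[[:space:]]*$|"sops"[[:space:]]*:'
}

# Index paths (":path") and the pathspec below are resolved from the repo
# root; hooks normally start there, but make it explicit.
cd "$(git rev-parse --show-toplevel)" || die "not inside a git work tree"

# Collect staged paths under secrets/ (added/copied/modified/renamed).
# NUL-delimited on purpose: with newline-separated output git quotes unusual
# filenames (e.g. non-ASCII bytes become "secrets/k\303\251y.yaml"), the
# quoted name would not resolve in the index, and that file would escape the
# check entirely.
listing=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$listing"' EXIT
git diff --cached --name-only -z --diff-filter=ACMR -- 'secrets/' >"$listing" \
  || die "git diff --cached failed"
mapfile -d '' -t changed_files <"$listing"

(( ${#changed_files[@]} > 0 )) || exit 0   # nothing to check

flagged=()
for f in "${changed_files[@]}"; do
  case "$f" in
    *.age|*.gpg) continue ;;   # encrypted by other tooling; no SOPS block expected
  esac

  # Anything staged that is not a readable blob (missing object, submodule
  # gitlink, ...) is reported rather than silently skipped.
  obj_type=$(git cat-file -t ":$f" 2>/dev/null || true)
  if [[ "$obj_type" != blob ]]; then
    flagged+=("$f (not a readable file in the index)")
    continue
  fi

  # Inspect the staged blob, not the working-tree file. A failing git show
  # aborts the hook via set -e instead of being mistaken for an empty file.
  content=$(git show ":$f")
  if [[ -z "$content" ]]; then
    flagged+=("$f (empty)")
    continue
  fi

  has_sops_block <<<"$content" || flagged+=("$f")
done

(( ${#flagged[@]} > 0 )) || exit 0

# Report to stderr so the list survives whatever git does with hook stdout.
printf ' - %s\n' "${flagged[@]}" >&2
cat >&2 <<'EOF'

❌ Commit blocked: Unencrypted file(s) detected under secrets/.

Each file in secrets/ must be SOPS-encrypted (contain a top-level 'sops:' block).

Use 'sops <file>' to edit or 'sops --encrypt --in-place <file>' to encrypt.

Tips:
 • Edit with SOPS: sops secrets/<file>.yaml
 • Encrypt in place: sops --encrypt --in-place secrets/<file>.yaml
EOF
exit 1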