fix: secrets migrate-vault: missing post-encrypt verification step (#39)

This commit is contained in:
Agent 2026-03-29 07:27:52 +00:00
parent f6cb387a2e
commit 26467ad818


@ -2150,6 +2150,12 @@ disinto_secrets() {
fi fi
_secrets_ensure_sops _secrets_ensure_sops
encrypt_env_file "$vault_env_file" "$vault_enc_file" encrypt_env_file "$vault_env_file" "$vault_enc_file"
# Verify decryption works before removing plaintext
if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then
echo "Error: failed to verify .env.vault.enc decryption" >&2
rm -f "$vault_enc_file"
exit 1
fi
rm -f "$vault_env_file" rm -f "$vault_env_file"
echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)" echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)"
;; ;;
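Review bot: The new `if ! sops -d "$vault_enc_file" >/dev/null 2>&1` guard only proves the encrypted file is decryptable with the key currently available; it does not prove it holds the contents of `$vault_env_file`, and the `2>&1` throws away the single diagnostic sops emits on failure, so the user only ever sees the generic "failed to verify" line. Since the plaintext is still on disk at that point, a round-trip comparison before the `rm -f "$vault_env_file"` checks both at once and keeps sops' stderr visible: `if ! sops -d "$vault_enc_file" | cmp -s - "$vault_env_file"; then`. This assumes sops' dotenv output is byte-identical to its input (it appears to be, but confirm on the sops version in use); if it normalizes trailing whitespace, keep the decrypt-only check and just drop the `2>&1`. Note that `exit 1` here terminates the whole script from inside disinto_secrets, whose body starts before and continues after this hunk, so verify that matches how the rest of the function reports errors. The enclosing function starts outside the hunk.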