nix-dotfiles/utils/sops-mergetool.sh

#!/usr/bin/env bash
# Exit on first error and verify variables have been set/passed via CLI
#set -eu
set -v
set -x

# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"

echo "$base"
echo "$local_"
echo "$remote"
echo "$merged"

# Resolve our default mergetool
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
  echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
  exit 1
fi

# Create file names for our decrypted contents
#   example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
extension=".${base##*.}"
base_decrypted="${base/$extension/.decrypted$extension}"
local_decrypted="${local_/$extension/.decrypted$extension}"
remote_decrypted="${remote/$extension/.decrypted$extension}"
merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"

# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
  rm $base_decrypted || true
  rm $local_decrypted || true
  rm $remote_decrypted || true
  rm $merged_decrypted || true
  rm $backup_decrypted || true
}
trap handle_trap_exit EXIT

# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"

# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"

# Set up variables for our mergetool
# https://github.com/git/git/blob/v2.8.2/mergetools/meld
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
export LOCAL="$local_decrypted"
export BASE="$base_decrypted"
export REMOTE="$remote_decrypted"
export MERGED="$merged_decrypted"
export BACKUP="$backup_decrypted"

# Load our mergetool scripts
source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"

# Override `check_unchanged` with a custom script
check_unchanged() {
  # If the contents haven't changed, then fail
  if test "$MERGED" -nt "$BACKUP"; then
    return 0
  else
    exit 1
  fi
}

# Run our mergetool
set +eu
export merge_tool_path="$(get_merge_tool_path "$mergetool")"
merge_cmd
set -eu

# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00			`#!/usr/bin/env bash`
			`# Exit on first error and verify variables have been set/passed via CLI`
Merge branch 'main' into merge/docker 2024-11-28 13:58:26 -05:00			`#set -eu`
add gitea Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-10-26 15:51:00 -04:00			`set -v`
			`set -x`
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00
			`# Rename our variables to friendlier equivalents`
			`# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`base="$1"`
			`local_="$2"`
			`remote="$3"`
			`merged="$4"`
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00
Merge branch 'main' into merge/docker 2024-11-28 13:58:26 -05:00			`echo "$base"`
			`echo "$local_"`
			`echo "$remote"`
			`echo "$merged"`

Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00			`# Resolve our default mergetool`
			`# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3`
			`mergetool="$(git config --get merge.tool)"`
			`GIT_DIR="$(git --exec-path)"`
			`if test "$mergetool" = ""; then`
format json/yml/sh 2025-03-13 17:50:03 -04:00			echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00			`exit 1`
			`fi`

			`# Create file names for our decrypted contents`
			`# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml`
			`extension=".${base##*.}"`
			`base_decrypted="${base/$extension/.decrypted$extension}"`
			`local_decrypted="${local_/$extension/.decrypted$extension}"`
			`remote_decrypted="${remote/$extension/.decrypted$extension}"`
			`merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"`
			`backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"`

			`# If anything goes wrong, then delete our decrypted files`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`handle_trap_exit() {`
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00			`rm $base_decrypted \|\| true`
			`rm $local_decrypted \|\| true`
			`rm $remote_decrypted \|\| true`
			`rm $merged_decrypted \|\| true`
			`rm $backup_decrypted \|\| true`
			`}`
			`trap handle_trap_exit EXIT`

			`# Decrypt our file contents`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`sops --decrypt --show-master-keys "$base" >"$base_decrypted"`
			`sops --decrypt --show-master-keys "$local_" >"$local_decrypted"`
			`sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"`
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00
			`# Create a merge-diff to compare against`
			`set +e`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"`
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00			`set -e`
			`cp "$merged_decrypted" "$backup_decrypted"`

			`# Set up variables for our mergetool`
			`# https://github.com/git/git/blob/v2.8.2/mergetools/meld`
			`# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111`
			`export LOCAL="$local_decrypted"`
			`export BASE="$base_decrypted"`
			`export REMOTE="$remote_decrypted"`
			`export MERGED="$merged_decrypted"`
			`export BACKUP="$backup_decrypted"`

			`# Load our mergetool scripts`
			`source "$GIT_DIR/git-mergetool--lib"`
			`source "$GIT_DIR/mergetools/$mergetool"`

			# Override `check_unchanged` with a custom script
format json/yml/sh 2025-03-13 17:50:03 -04:00			`check_unchanged() {`
Add NUT to palatine-hill and add SOPS merging Signed-off-by: ahuston-0 <aliceghuston@gmail.com> 2024-04-27 20:48:44 -04:00			`# If the contents haven't changed, then fail`
			`if test "$MERGED" -nt "$BACKUP"; then`
			`return 0`
			`else`
			`exit 1`
			`fi`
			`}`

			`# Run our mergetool`
			`set +eu`
			`export merge_tool_path="$(get_merge_tool_path "$mergetool")"`
			`merge_cmd`
			`set -eu`

			`# Re-encrypt content`
format json/yml/sh 2025-03-13 17:50:03 -04:00			`sops --encrypt "$merged_decrypted" >"$merged"`