feat(sops): support standard SOPS environment variables #7461
Pull request overview
This PR adds support for standard SOPS environment variables (SOPS_AGE_KEY_FILE and SOPS_AGE_KEY) to improve compatibility with existing SOPS workflows. The implementation checks these standard variables first before falling back to mise-specific settings.
Key changes:
- Modified the age key lookup logic to prioritize standard SOPS environment variables over mise-specific settings
- Updated documentation to describe the new precedence order and environment variable support
- Added comprehensive e2e tests to verify the new functionality and precedence behavior
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 29 comments.
| File | Description |
|---|---|
| src/sops.rs | Implements precedence logic: checks SOPS_AGE_KEY_FILE, then SOPS_AGE_KEY, then mise-specific settings; stores and restores environment variables |
| settings.toml | Updates descriptions for age_key and age_key_file settings to mention SOPS environment variable fallback |
| schema/mise.json | Updates JSON schema descriptions to match settings.toml changes |
| e2e/secrets/test_secrets | Adds comprehensive tests for standard SOPS environment variables and precedence verification; fixes age-keygen output parsing |
| docs/environments/secrets/sops.md | Documents the new environment variables support and precedence order |
| docs/cli/tasks/validate.md | Updates command examples from mise tasks validate to mise task validate |
| docs/cli/tasks/run.md | Contains documentation updates with some grammar issues |
| docs/cli/tasks/edit.md | Contains documentation updates with some grammar issues |
| docs/cli/tasks/add.md | Updates command examples from mise tasks to mise task |
| docs/cli/run.md | Contains documentation updates with some grammar issues |
| docs/cli/index.md | Updates shorthand description to use mise task instead of mise tasks |
| docs/cli/generate/task-stubs.md | Updates example to use mise task add instead of mise tasks add |
| mise.usage.kdl | Contains many documentation updates including fixes to command references and some grammar issues |
@jdx I am not sure what is happening with the CI to be honest, could you give me a north star here?

95d0147 to 5bf193d

@rrad5409 thanks for the help, check latest version

@jdx it sounds to be ready for CR

you can't just set an env var. It will be set for subprocesses like EDIT: it looks like this was already happening, I'll have to take a closer look later

The precedence should be the other way around, mise-specific should override

Working on it!

e8aa64e to 79f4de0

@jdx ready to CR

bugbot run

Add support for SOPS_AGE_KEY_FILE and SOPS_AGE_KEY environment variables, falling back to mise-specific settings if not set. This improves compatibility with existing SOPS workflows without requiring duplicate configuration. Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>

0778585 to 1350790

bugbot run

Skipping Bugbot: Bugbot is disabled for this repository

@jdx I can not trigger it it seems

bugbot run

### 🚀 Features

- **(hooks)** add tool context env vars to postinstall hooks by @jdx in [#7521](#7521)
- **(sops)** support standard SOPS environment variables by @yordis in [#7461](#7461)
- **(tasks)** Add disable_spec_from_run_scripts setting by @iamkroot in [#7471](#7471)
- **(tasks)** Add task_show_full_cmd setting by @iamkroot in [#7344](#7344)
- **(tasks)** enable naked task completions and ::: separator by @jdx in [#7524](#7524)
- add Forgejo backend by @roele in [#7469](#7469)
- override node bundled npm by specified version of npm by @risu729 in [#7559](#7559)

### 🐛 Bug Fixes

- **(aqua)** fix tree-sitter bin path regression by @risu729 in [#7535](#7535)
- **(ci)** exclude subcrate tags from release workflow by @jdx in [#7517](#7517)
- **(e2e)** remove hardcoded year from version check by @jdx in [#7584](#7584)
- **(github)** asset matcher does not handle mixed archive/binary assets properly by @roele in [#7566](#7566)
- **(github)** prioritize .zip on windows by @risu729 in [#7568](#7568)
- **(github)** prefer .zip over non-archive extensions on linux by @risu729 in [#7587](#7587)
- **(npm)** always use hoisted installs of bun by @sushichan044 in [#7542](#7542)
- **(npm)** suppress NPM_CONFIG_UPDATE_NOTIFIER by @risu729 in [#7556](#7556)
- **(registry)** fix biome test to handle version prefix by @jdx in [#7585](#7585)
- **(tasks)** load monorepo task dirs without config by @matixlol in [#7478](#7478)
- force reshim when windows_shim_mode is hardlink by @roele in [#7537](#7537)
- simple .tar files are not extracted properly by @roele in [#7567](#7567)
- quiet kerl update output by @iloveitaly in [#7467](#7467)

### 📚 Documentation

- **(registry)** remove ubi backend from preferred backends list by @risu729 in [#7555](#7555)
- **(tasks)** remove advanced usage specs sections from toml-tasks.md by @risu729 in [#7538](#7538)
- fix invalid config section `[aliases]` by @muzimuzhi in [#7518](#7518)
- Fix path to GitLab backend source by @henrebotha in [#7529](#7529)
- Fix path to GitLab backend source by @henrebotha in [#7531](#7531)
- update `mise --version` output by @muzimuzhi in [#7530](#7530)

### 🧪 Testing

- **(win)** use pester in backend tests by @risu729 in [#7536](#7536)
- update e2e tests to use `[tool_alias]` instead of `[alias]` by @muzimuzhi in [#7520](#7520)

### 📦️ Dependency Updates

- update alpine:edge docker digest to ea71a03 by @renovate[bot] in [#7545](#7545)
- update docker/setup-buildx-action digest to 8d2750c by @renovate[bot] in [#7546](#7546)
- update ghcr.io/jdx/mise:copr docker digest to 23f4277 by @renovate[bot] in [#7548](#7548)
- update ghcr.io/jdx/mise:alpine docker digest to 0adc211 by @renovate[bot] in [#7547](#7547)
- lock file maintenance by @renovate[bot] in [#7211](#7211)
- lock file maintenance by @renovate[bot] in [#7572](#7572)
- replace dependency @tsconfig/node18 with @tsconfig/node20 by @renovate[bot] in [#7543](#7543)
- replace dependency @tsconfig/node20 with @tsconfig/node22 by @renovate[bot] in [#7544](#7544)

### 📦 Registry

- add zarf by @joonas in [#7525](#7525)
- update aws-vault to maintained fork by @h3y6e in [#7527](#7527)
- fix claude backend http for windows-x64 by @granstrand in [#7540](#7540)
- add sqlc by @phm07 in [#7570](#7570)
- use spm backend for swift-package-list by @risu729 in [#7569](#7569)
- add npm (npm:npm) by @risu729 in [#7557](#7557)
- add github backend for tmux by @ll-nick in [#7472](#7472)

### Chore

- **(release)** update Changelog for v2025.12.13 by @muzimuzhi in [#7522](#7522)

### New Contributors

- @ll-nick made their first contribution in [#7472](#7472)
- @sushichan044 made their first contribution in [#7542](#7542)
- @phm07 made their first contribution in [#7570](#7570)
- @granstrand made their first contribution in [#7540](#7540)
- @h3y6e made their first contribution in [#7527](#7527)
- @matixlol made their first contribution in [#7478](#7478)

## 📦 Aqua Registry Updates

#### New Packages (9)

- [`anomalyco/opencode`](https://github.com/anomalyco/opencode)
- [`astral-sh/ty`](https://github.com/astral-sh/ty)
- [`github/copilot-cli`](https://github.com/github/copilot-cli)
- [`github/gh-ost`](https://github.com/github/gh-ost)
- [`golangci/golines`](https://github.com/golangci/golines)
- [`jamf/Notifier`](https://github.com/jamf/Notifier)
- [`microsoft/vscode/code`](https://github.com/microsoft/vscode/code)
- [`pranshuparmar/witr`](https://github.com/pranshuparmar/witr)
- [`spinel-coop/rv`](https://github.com/spinel-coop/rv)

#### Updated Packages (37)

- [`FiloSottile/age`](https://github.com/FiloSottile/age)
- [`alvinunreal/tmuxai`](https://github.com/alvinunreal/tmuxai)
- [`aquasecurity/starboard`](https://github.com/aquasecurity/starboard)
- [`aristocratos/btop`](https://github.com/aristocratos/btop)
- [`biomejs/biome`](https://github.com/biomejs/biome)
- [`bootandy/dust`](https://github.com/bootandy/dust)
- [`borgbackup/borg`](https://github.com/borgbackup/borg)
- [`bvaisvil/zenith`](https://github.com/bvaisvil/zenith)
- [`cri-o/cri-o`](https://github.com/cri-o/cri-o)
- [`cubefs/cubefs`](https://github.com/cubefs/cubefs)
- [`domoritz/arrow-tools/csv2arrow`](https://github.com/domoritz/arrow-tools/csv2arrow)
- [`domoritz/arrow-tools/csv2parquet`](https://github.com/domoritz/arrow-tools/csv2parquet)
- [`domoritz/arrow-tools/json2arrow`](https://github.com/domoritz/arrow-tools/json2arrow)
- [`domoritz/arrow-tools/json2parquet`](https://github.com/domoritz/arrow-tools/json2parquet)
- [`fission/fission`](https://github.com/fission/fission)
- [`folbricht/desync`](https://github.com/folbricht/desync)
- [`go-acme/lego`](https://github.com/go-acme/lego)
- [`gohugoio/hugo`](https://github.com/gohugoio/hugo)
- [`gohugoio/hugo/hugo-extended`](https://github.com/gohugoio/hugo/hugo-extended)
- [`golang.org/x/perf/cmd/benchstat`](https://github.com/golang.org/x/perf/cmd/benchstat)
- [`gsamokovarov/jump`](https://github.com/gsamokovarov/jump)
- [`haskell/cabal/cabal-install`](https://github.com/haskell/cabal/cabal-install)
- [`kptdev/kpt`](https://github.com/kptdev/kpt)
- [`kubescape/kubescape`](https://github.com/kubescape/kubescape)
- [`mas-cli/mas`](https://github.com/mas-cli/mas)
- [`maxpert/marmot`](https://github.com/maxpert/marmot)
- [`mistakenelf/fm`](https://github.com/mistakenelf/fm)
- [`psf/black`](https://github.com/psf/black)
- [`redpanda-data/connect`](https://github.com/redpanda-data/connect)
- [`rest-sh/restish`](https://github.com/rest-sh/restish)
- [`saucelabs/forwarder`](https://github.com/saucelabs/forwarder)
- [`sethvargo/ratchet`](https://github.com/sethvargo/ratchet)
- [`stackrox/kube-linter`](https://github.com/stackrox/kube-linter)
- [`steveyegge/beads`](https://github.com/steveyegge/beads)
- [`suzuki-shunsuke/rgo`](https://github.com/suzuki-shunsuke/rgo)
- [`txn2/kubefwd`](https://github.com/txn2/kubefwd)
- [`zyedidia/micro`](https://github.com/zyedidia/micro)

Add support for SOPS_AGE_KEY_FILE and SOPS_AGE_KEY environment
variables, falling back to mise-specific settings if not set. This
improves compatibility with existing SOPS workflows without requiring
duplicate configuration.
Note
Introduces compatibility with standard SOPS environment variables and clarifies precedence, improving decryption behavior and CLI interop.
- MISE_SOPS_AGE_KEY > MISE_SOPS_AGE_KEY_FILE/sops.age_key_file > SOPS_AGE_KEY_FILE > SOPS_AGE_KEY > ~/.config/mise/age.txt; caches the resolved key file path and temporarily sets SOPS_AGE_KEY_FILE for the sops CLI; restores previous env vars after decryption
- MISE_SOPS_AGE_KEY_FILE
- age-keygen public key parsing; reset settings/env between tests

Written by Cursor Bugbot for commit ddba0fd.
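
The precedence listed in the note above, written out as an added example (not the PR's code in src/sops.rs). It differs from the PR in one labelled way: the key is placed on the `sops` child with `Command::env` instead of being set on, and later restored in, the parent process. `AgeKey`, `resolve_age_key` and `sops_command` are hypothetical names, and treating a blank value as unset is an assumption.

```rust
use std::collections::HashMap;
use std::path::PathBuf;
use std::process::Command;

/// An age identity: inline key material or the path of a key file.
#[derive(Debug, PartialEq)]
pub enum AgeKey {
    Inline(String),
    File(PathBuf),
}

/// Resolve the key in the order given in the note above. `env` is a snapshot of
/// the environment; `default_file` stands in for ~/.config/mise/age.txt.
pub fn resolve_age_key(env: &HashMap<&str, &str>, default_file: Option<PathBuf>) -> Option<AgeKey> {
    // Assumption of this example: a blank value counts as unset, so an empty
    // override cannot mask a key configured further down the list.
    let get = |k: &str| env.get(k).copied().filter(|v| !v.trim().is_empty());
    if let Some(k) = get("MISE_SOPS_AGE_KEY") {
        return Some(AgeKey::Inline(k.to_string()));
    }
    // MISE_SOPS_AGE_KEY_FILE also covers the sops.age_key_file setting here.
    if let Some(p) = get("MISE_SOPS_AGE_KEY_FILE").or(get("SOPS_AGE_KEY_FILE")) {
        return Some(AgeKey::File(PathBuf::from(p)));
    }
    if let Some(k) = get("SOPS_AGE_KEY") {
        return Some(AgeKey::Inline(k.to_string()));
    }
    default_file.map(AgeKey::File)
}

/// Build the `sops` call with the key in the child's environment only, so the
/// parent process and its other subprocesses never see it.
pub fn sops_command(key: &AgeKey, file: &str) -> Command {
    let mut cmd = Command::new("sops");
    cmd.args(["--decrypt", file]);
    // Drop inherited values first so the child gets exactly one key source.
    cmd.env_remove("SOPS_AGE_KEY").env_remove("SOPS_AGE_KEY_FILE");
    match key {
        AgeKey::Inline(k) => cmd.env("SOPS_AGE_KEY", k),
        AgeKey::File(p) => cmd.env("SOPS_AGE_KEY_FILE", p),
    };
    cmd
}

fn main() {
    // Constructed environment: a mise-specific and a standard variable both set.
    let env = HashMap::from([("MISE_SOPS_AGE_KEY_FILE", "/keys/mise.txt"), ("SOPS_AGE_KEY", "AGE-SECRET-KEY-CONSTRUCTED")]);
    let key = resolve_age_key(&env, None).expect("a key source");
    println!("{:?} -> {:?}", key, sops_command(&key, "secrets.enc.json"));
}
```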