Skip to content

Instantly share code, notes, and snippets.

@twolfson

twolfson/.gitconfig

Last active May 21, 2024 07:24
Show Gist options
  • Save twolfson/962b1eb776ce9947a09d4924d91fd8b2 to your computer and use it in GitHub Desktop.
Save twolfson/962b1eb776ce9947a09d4924d91fd8b2 to your computer and use it in GitHub Desktop.
Download ZIP
Proof of concept to explore merge conflict resolution with SOPS encoded files for https://github.com/mozilla/sops/issues/52
Raw
.gitconfig
[mergetool "sops-mergetool"]
cmd = ./sops-mergetool.sh "$BASE" "$LOCAL" "$REMOTE" "$MERGED"
Raw
README.md

gist-sops-merge-conflict

Proof of concept to explore merge conflict resolution with SOPS encoded files for getsops/sops#52

Getting started

Here are the steps to try out this repo:

# Clone this repo
git clone https://gist.github.com/962b1eb776ce9947a09d4924d91fd8b2.git gist-sops-merge-conflict
cd gist-sops-merge-conflict

# Install our PGP key
#   Same as https://github.com/mozilla/sops/blob/5bf336baa822821c729278e43440a93816b0d53c/tests/sops_functional_tests_key.asc
gpg --import sops_key.asc

# Append `.gitconfig` to local `.git/config`
cat .gitconfig >> .git/config

# Try out our conflicting branches
git checkout -B conflict first && git checkout master -- sops-mergetool.sh && git reset && git merge second

Brainstorm notes

Creation of this repo

These are the steps we took to create this repo:

  • Installed PGP key: gpg --import sops_key.asc
  • Created secret file: sops example.yaml --pgp '1022 470D E3F0 BC54 BC6A B62D E055 50BC 07FB 1A0A
    • Contents: foo: foo\nbar: bar
  • Created 2 conflicting branches:
    • git checkout -B first master && sops example.yaml && git add example.yaml && git commit -m "First commit" && git checkout -
      • Content: foo: baz\nbar: bar
    • git checkout -B second master && sops example.yaml && git add example.yaml && git commit -m "Second commit" && git checkout -
      • Content: foo: foo\nbar: baz
    • Force push branches if necessary git push origin first --force && git push origin second --force
  • Try out our conflicting branches
    • git checkout -B conflict first && git checkout master -- . && git checkout HEAD -- example.yaml && git reset && git merge second
Raw
example.yaml
foo: ENC[AES256_GCM,data:9l9h,iv:c/QuxSHYuqV4DWLbMMg1MKEKVbsP14sKFYChHSjxJeU=,tag:EDyqP6ckK0aRhE/XcNt6WQ==,type:str]
bar: ENC[AES256_GCM,data:j0IW,iv:UfLssMQa3jFphLBELas2vjA0WdVAWuCaCOflhHG2gP0=,tag:jAuqBqD6FJRKtkJIYei6RA==,type:str]
sops:
mac: ENC[AES256_GCM,data:qPJChe0liDUesq0wlMUXv6KXgFHSXPrGQ49EKTJVBOuL75yWEqXnnuLQ8fnBrMNSH82IM/Ug7KmFg6PLqs/MVamcN9ZG8YPsORSfW52PcKw4HS4h8SQdomtHHHbSa1B7ZkALpi0AJj39W6fI+gvmMFT2hF0f9N0QgKDRC7NZVXg=,iv:8d8sG3nTcAul2kNl1J6qAhWEEx95qRYu5NRDmXACWCk=,tag:ZyDnn++45oJNokEuzfwCdw==,type:str]
version: 1.7
kms:
- arn: ''
pgp:
- fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
created_at: '2016-04-29T05:55:32Z'
enc: |
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
hIwDEEVDpnzXnMABA/4wzl/o5TRSXb7/jKK1RjoTTjOhiO0MNJWBgS+UKpoPr5qm
wGPLW51r83EPSPLxVJ+axKIvCiuWCFf6al0BWxNzdL2NhNqicE5Tmx8ohOXXiDZh
wiGPmXbPYVZCl1qu64OBdSywZJbFNUrEOhtQo5o+wnJLGJb5w+/Ly1TzGV6FidJc
AR8WnYfkk1INAsWW5WzLDSmNq8m+0ss51OKZZHl6nOzhJqtT54sdX8uDf52da1jH
pNC6FrzFYWmmTBGKoSBlnVLWp+MCNK/O0LDXc20DYKhcPg9qfG7Bpi0/ZoE=
=cTai
-----END PGP MESSAGE-----
lastmodified: '2016-04-30T02:16:46Z'
attention: This section contains key material that should only be modified with
extra care. See `sops -h`.
unencrypted_suffix: _unencrypted
Raw
sops-mergetool.sh
#!/usr/bin/env bash
# Exit on first error and verify variables have been set/passed via CLI
set -eu
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"; local_="$2"; remote="$3"; merged="$4"
# Resolve our default mergetool
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L3
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1
fi
# Create file names for our decrypted contents
# example_LOCAL_2823.yaml -> example_LOCAL_2823.decrypted.yaml
extension=".${base##*.}"
base_decrypted="${base/$extension/.decrypted$extension}"
local_decrypted="${local_/$extension/.decrypted$extension}"
remote_decrypted="${remote/$extension/.decrypted$extension}"
merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit () {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
rm $merged_decrypted || true
rm $backup_decrypted || true
}
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show_master_keys "$base" > "$base_decrypted"
sops --decrypt --show_master_keys "$local_" > "$local_decrypted"
sops --decrypt --show_master_keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for our mergetool
# https://github.com/git/git/blob/v2.8.2/mergetools/meld
# https://github.com/git/git/blob/v2.8.2/git-mergetool--lib.sh#L95-L111
export LOCAL="$local_decrypted"
export BASE="$base_decrypted"
export REMOTE="$remote_decrypted"
export MERGED="$merged_decrypted"
export BACKUP="$backup_decrypted"
# Load our mergetool scripts
source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged () {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
else
exit 1
fi
}
# Run our mergetool
set +eu
export merge_tool_path="$(get_merge_tool_path "$mergetool")"
merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" > "$merged"
Raw
sops_key.asc
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1
lQHYBFYWi4IBBADQCJUOJC3UOFtH2CTL0z1q+MiqX0/nDWCT+/HcmopzAv4g6nC4
cYNohy2wImR4pLR2IoYdBBzV8iH/E030SSuY+KkO2WAA1QqyJChglrfIlC7VZL+R
/iA6IijQod6uhDUqjDrGVXQUWdEsFRyTjnH7wFiXCQz+Y9lgSMYhP63owwARAQAB
AAP+MJ+w5ytBovbBLxuwDgwDsPsRO/EnJeQUjMI4l81vSs6KQ3tIeXPeuRHPdfmz
7hbhLzOGkUWiz8bWd141vEFV9PFMfGUU4U4lxUT+fdCFdH7gcmfLeCcryeKvmORo
z8hlb/3rIpSXcdDVxA0hARsohZqqeIAVurzZC51BLIxL+uECAOAAEoVwJtb3hJDR
w9eVEqA8vtI80Y709Bu26uDaDO12XdPg80PQvKbJgV2W37LFil8HfUwl0eFVEvgR
sO9cDIkCAO3AlrDE/pva5okDmuy9N14v5wnOQk/ibGOKmvuVSkv0LCiSgSZCvQFI
w2+sxau3IEWbQCI1pDGzDjRQZt0Hb+sB/2+H5lDzh25XUTmNfHPWLob/4amPjaRf
NWGnVSBbXamA/q/dJnt3odNuUFZ1jBhFGrcDzjYPztk69cDhlmJY/TCow7RVU09Q
UyBGdW5jdGlvbmFsIFRlc3RzIChodHRwczovL2dpdGh1Yi5jb20vbW96aWxsYS9z
b3BzLykgPHVsZnIrc29wc3Rlc3RzQG1vemlsbGEuY29tPoi3BBMBCAAhBQJWFouC
AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEOBVULwH+xoKn6cD/RcsXBkD
afH1kscS2zxhOeEqZiV8J+T3M2ZCrw1gEDn8tWyVdy/O5hwwOKVf10dqrXiKG9ld
3UeokljIhOpGE4izwTQQvE2O/ACdb70kp6BgBUpGsGHU0q+3/wCbDPJjtp4EqzwO
36LzLbaMZyrw0unTSR96sYRuEonuaxRKMwNZnQHYBFYWi4IBBACue2Pc46G2Hki2
eVc5K7uroCTCsOf86WMX36c/jqTnXXsoaKPt3TrGoGo7w3fJvZfdTOseRzuoLVPd
Rel6npyTzvMzajDKOPL/DeVeleT8sn/GKeJwS9cqDxUH6ytZ4fo5nuUM/IGeRXSD
sK9Ri6gWytX7eRflXk0dySVuY5KeXwARAQABAAP+KG6CWRTMi8mfut0KV76pGd+d
tRnOYD5qzoTumh1BXDW+zMHWvs9lh9JzW47ziqWq88aXsyf5jIKYbO1+6YGosXt8
mpc7JFxCthwDWcEGs3J6lSgjlNnsXVlHNwJB74Z/6nmRqVbLUBr2TuuCC+DvWIR2
EP5i5PmwOp4dEdd/NE0CAMZJFrIT69YAXsxyE+6mP6IWYeAvBYPDU1KiHMt/unWk
JPLeiVSoE/AdvNouJJVadoCLO8uRS6dH9wg+j5zlUVsCAOFEn3LX1mGMIx0F3AFq
EfHkNcrWwhWTAy+Sv4pK12xpwN4Fb92/aeD8BSuIQeyZI2HsmCPuiPud1m6lAqe+
Uk0B/2QiApmJOCBeqhXeJV5CaxDebaPKV0UVBsMLORnmAWRNBZ3onzU/XJYP5U5F
zhVfjg3smzHXD/vkfzO0xUqVfiGfUYifBBgBCAAJBQJWFouCAhsMAAoJEOBVULwH
+xoKz18D/2rLxAacpnu+qfKVUNdq+xQAlBF4Tt1xgmRayuYSI0ougvxKwyMFeuXj
sZlaMHbqJX6TpOiFU8FvMU8syhBgWNYYq/3JNKw9GVDabO5Ggbluup/q1/uJHO1y
v8bK3sq5s580DSaWamLgSLwl3UfCnL3Qa0XDT6SoY1L/Wzr1iW+9
=zqxY
-----END PGP PRIVATE KEY BLOCK-----
@zionyx
Copy link

zionyx commented Oct 11, 2021

Something worth fixing:

In the last command:

git checkout -B conflict first && git checkout master -- sops-mergetool.sh && git reset && git merge second

Several issues:

  1. conflict first is not a valid branch name. Try git checkout -B conflict/first
  2. git merge second only works when second was checked out before, instead, try git merge origin/second

Thanks for this POC.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment