Add secrets management tasks. Add .tool-versions. Add GPG keys. Update dependencies.

Author: tobyclemson

.envrc

@@ -3,4 +3,11 @@
 PROJECT_DIR="$(pwd)"
 
 PATH_add "${PROJECT_DIR}"
-PATH_add "${PROJECT_DIR}"/vendor/terraform/bin
+PATH_add "${PROJECT_DIR}"/vendor/**/bin
+
+if has asdf; then
+  asdf install
+fi
+
+layout ruby
+layout node

.gitignore

@@ -14,6 +14,7 @@ build/
 dist/
 .bundle
 .rakeTasks
+.direnv
 
 # OS
 .DS_Store

.tool-versions

@@ -0,0 +1 @@
+ruby 3.1.1

CODE_OF_CONDUCT.md

@@ -37,11 +37,11 @@ Project maintainers are responsible for clarifying the standards of acceptable
 behavior and are expected to take appropriate and fair corrective action in
 response to any instances of unacceptable behavior.
 
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
+Project maintainers have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, or to ban temporarily or permanently any
+contributor for other behaviors that they deem inappropriate, threatening,
+offensive, or harmful.
 
 ## Scope
 
@@ -72,4 +72,5 @@ This Code of Conduct is adapted from the [Contributor Covenant][homepage],
 version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 
 [homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+
+[version]: http://contributor-covenant.org/version/1/4/

Gemfile

@@ -7,6 +7,8 @@ gem 'git'
 gem 'httparty'
 gem 'rake'
 gem 'rake_circle_ci'
+gem 'rake_git'
+gem 'rake_git_crypt'
 gem 'rake_github'
 gem 'rake_gpg'
 gem 'rake_ssh'

Gemfile.lock

@@ -1,80 +1,107 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.4)
+    activesupport (7.1.1)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
-    addressable (2.8.1)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     aws-eventstream (1.2.0)
-    aws-sigv4 (1.5.2)
+    aws-sigv4 (1.6.1)
       aws-eventstream (~> 1, >= 1.0.2)
+    base64 (0.1.1)
+    bigdecimal (3.1.4)
     colored2 (3.1.2)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.2)
     confidante (0.28.0)
       activesupport (>= 4)
       hiera (~> 3.3)
       shikashi (~> 0.6)
       vault (~> 0.17)
+    connection_pool (2.4.1)
     diff-lcs (1.5.0)
+    down (5.4.1)
+      addressable (~> 2.8)
+    drb (2.1.1)
+      ruby2_keywords
     evalhook (0.6.0)
       partialruby (~> 0.3)
       sexp_processor (~> 4.0)
-    excon (0.95.0)
-    faraday (2.7.2)
+    excon (0.104.0)
+    faraday (2.7.11)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     getsource (0.2.2)
-    git (1.13.0)
+    git (1.18.0)
       addressable (~> 2.8)
       rchardet (~> 1.8)
     hamster (3.0.0)
       concurrent-ruby (~> 1.0)
-    hiera (3.11.0)
+    hiera (3.12.0)
     httparty (0.21.0)
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
-    i18n (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     immutable-struct (2.4.1)
     json (2.6.3)
+    language_server-protocol (3.17.0.3)
     lino (3.1.0)
       hamster (~> 3.0)
       open4 (~> 1.3)
-    mini_mime (1.1.2)
+    mini_mime (1.1.5)
     minitar (0.9)
-    minitest (5.16.3)
+    minitest (5.20.0)
     multi_xml (0.6.0)
-    octokit (6.0.1)
+    mutex_m (0.1.2)
+    octokit (6.1.1)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     open4 (1.3.4)
-    parallel (1.22.1)
-    parser (3.1.3.0)
+    parallel (1.23.0)
+    parser (3.2.2.4)
       ast (~> 2.4.1)
+      racc
     partialruby (0.3.0)
       ruby2ruby (~> 2)
       ruby_parser (~> 3)
-    public_suffix (5.0.1)
+    public_suffix (5.0.3)
+    racc (1.7.1)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
     rake_circle_ci (0.11.0)
       colored2 (~> 3.1)
       excon (~> 0.72)
       rake_factory (~> 0.23)
       sshkey (~> 2.0)
-    rake_dependencies (3.1.0)
+    rake_dependencies (3.5.0)
+      down (~> 5.3)
       hamster (~> 3.0)
       minitar (~> 0.9)
       rake_factory (~> 0.23)
       rubyzip (>= 1.3)
-    rake_factory (0.31.0)
+    rake_factory (0.32.0.pre.2)
       activesupport (>= 4)
       rake (~> 13.0)
+    rake_git (0.1.0.pre.9)
+      colored2 (~> 3.1)
+      git (~> 1.13, >= 1.13.2)
+      rake_factory (= 0.32.0.pre.2)
+    rake_git_crypt (0.1.0.pre.28)
+      colored2 (~> 3.1)
+      rake_factory (= 0.32.0.pre.2)
+      ruby_git_crypt (= 0.1.0.pre.2)
+      ruby_gpg2 (~> 0.6)
     rake_github (0.11.0)
       colored2 (~> 3.1)
       octokit (>= 4.16, < 7.0)
@@ -83,7 +110,7 @@ GEM
     rake_gpg (0.18.0)
       rake_factory (~> 0.23)
       ruby_gpg2 (~> 0.6)
-    rake_ssh (0.8.0)
+    rake_ssh (0.10.0)
       colored2 (~> 3.1)
       rake_factory (~> 0.23)
       sshkey (~> 2.0)
@@ -93,71 +120,84 @@ GEM
       rake_factory (~> 0.23)
       ruby-terraform (~> 1.4)
     rchardet (1.8.0)
-    regexp_parser (2.6.1)
-    rexml (3.2.5)
+    regexp_parser (2.8.2)
+    rexml (3.2.6)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
       rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.0)
+    rspec-core (3.12.2)
       rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.0)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.0)
+    rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-support (3.12.0)
+    rspec-support (3.12.1)
     rspec-terraform (0.4.0)
       confidante (>= 0.27)
       rspec (>= 3.0)
       ruby-terraform (= 1.7.0.pre.18)
-    rubocop (1.41.1)
+    rubocop (1.57.2)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.1.2.1)
+      parser (>= 3.2.2.4)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.23.0, < 2.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.24.0)
-      parser (>= 3.1.1.0)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.30.0)
+      parser (>= 3.2.1.0)
+    rubocop-capybara (2.19.0)
+      rubocop (~> 1.41)
+    rubocop-factory_bot (2.24.0)
+      rubocop (~> 1.33)
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
-    rubocop-rspec (2.16.0)
-      rubocop (~> 1.33)
-    ruby-progressbar (1.11.0)
+    rubocop-rspec (2.25.0)
+      rubocop (~> 1.40)
+      rubocop-capybara (~> 2.17)
+      rubocop-factory_bot (~> 2.22)
+    ruby-progressbar (1.13.0)
     ruby-terraform (1.7.0.pre.18)
       immutable-struct (~> 2.4)
       lino (~> 3.0)
     ruby2_keywords (0.0.5)
     ruby2ruby (2.5.0)
       ruby_parser (~> 3.1)
       sexp_processor (~> 4.6)
+    ruby_git_crypt (0.1.0.pre.2)
+      immutable-struct (~> 2.4)
+      lino (~> 3.0)
     ruby_gpg2 (0.10.0)
       lino (~> 3.0)
-    ruby_parser (3.19.2)
+    ruby_parser (3.20.3)
       sexp_processor (~> 4.16)
     rubyzip (2.3.2)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
     semantic (1.6.1)
-    sexp_processor (4.16.1)
+    sexp_processor (4.17.0)
     shikashi (0.6.0)
       evalhook (>= 0.6.0)
       getsource (>= 0.1.0)
     sshkey (2.0.0)
-    tzinfo (2.0.5)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.3.0)
-    vault (0.17.0)
+    unicode-display_width (2.5.0)
+    vault (0.18.1)
       aws-sigv4
 
 PLATFORMS
   arm64-darwin-21
+  arm64-darwin-22
+  x86_64-darwin-19
+  x86_64-darwin-21
   x86_64-linux
 
 DEPENDENCIES
@@ -166,6 +206,8 @@ DEPENDENCIES
   httparty
   rake
   rake_circle_ci
+  rake_git
+  rake_git_crypt
   rake_github
   rake_gpg
   rake_ssh

Rakefile

@@ -3,6 +3,8 @@
 require 'confidante'
 require 'git'
 require 'rake_circle_ci'
+require 'rake_git'
+require 'rake_git_crypt'
 require 'rake_github'
 require 'rake_gpg'
 require 'rake_ssh'
@@ -39,9 +41,32 @@ RakeTerraform.define_installation_tasks(
   version: '1.3.1'
 )
 
+RakeGitCrypt.define_standard_tasks(
+  namespace: :git_crypt,
+
+  provision_secrets_task_name: :'secrets:provision',
+  destroy_secrets_task_name: :'secrets:destroy',
+
+  install_commit_task_name: :'git:commit',
+  uninstall_commit_task_name: :'git:commit',
+
+  gpg_user_key_paths: %w[
+    config/gpg
+    config/secrets/ci/gpg.public
+  ]
+)
+
+namespace :git do
+  RakeGit.define_commit_task(
+    argument_names: [:message]
+  ) do |t, args|
+    t.message = args.message
+  end
+end
+
 namespace :encryption do
   namespace :directory do
-    desc 'Ensure CI secrets directory exists'
+    desc 'Ensure CI secrets directory exists.'
     task :ensure do
       FileUtils.mkdir_p('config/secrets/ci')
     end
@@ -92,13 +117,24 @@ namespace :secrets do
     end
   end
 
-  desc 'Regenerate all secrets'
-  task regenerate: %w[
+  desc 'Generate all generatable secrets.'
+  task generate: %w[
     directory:ensure
     encryption:passphrase:generate
     keys:deploy:generate
     keys:secrets:generate
   ]
+
+  desc 'Provision all secrets.'
+  task provision: [:generate]
+
+  desc 'Delete all secrets.'
+  task :destroy do
+    rm_rf 'config/secrets'
+  end
+
+  desc 'Rotate all secrets.'
+  task rotate: [:'git_crypt:reinstall']
 end
 
 RakeCircleCI.define_project_tasks(