deps(deps): bump github.com/getsops/sops/v3 from 3.11.0 to 3.12.1

[dependabot]

Bumps github.com/getsops/sops/v3 from 3.11.0 to 3.12.1.

Release notes

Sourced from github.com/getsops/sops/v3's releases.

v3.12.1

Installation

To install sops, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.12.1/sops-v3.12.1.linux.amd64
Move the binary in to your PATH
mv sops-v3.12.1.linux.amd64 /usr/local/bin/sops
Make the binary executable
chmod +x /usr/local/bin/sops

Verify checksums file signature

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.12.1/sops-v3.12.1.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.12.1/sops-v3.12.1.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.12.1/sops-v3.12.1.checksums.sig
Verify the checksums file
cosign verify-blob sops-v3.12.1.checksums.txt 
--certificate sops-v3.12.1.checksums.pem 
--signature sops-v3.12.1.checksums.sig 
--certificate-identity-regexp=https://github.com/getsops 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:

# Verify the binary using the checksums file
sha256sum -c sops-v3.12.1.checksums.txt --ignore-missing

Verify artifact provenance

The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named sops-v3.12.1.intoto.jsonl. To verify the provenance of an artifact, you can utilize the slsa-verifier tool:

</tr></table> 

... (truncated)

Changelog

Sourced from github.com/getsops/sops/v3's changelog.

3.12.1

This is a re-release of 3.12.0 with no code changes.

Due to a failure during the 3.12.0 release, and the commit for the 3.12.0 release already being cached by the Go infrastructure, we need to bump the version to properly get a release out. (We did learn this from a similar incident with the 3.10.0 release.)

3.12.0

Features:

• Add support for HuaweiCloud KMS (#2001).
• GCP KMS: Add SOPS_GCP_KMS_CLIENT_TYPE environment variable support to select between gRPC and REST clients (#1973).
• Age: support hybrid post-quantum identities (#2033).
• Age: pass SOPS_AGE_RECIPIENT environment variable to SOPS_AGE_KEY_CMD (#2045).
• Age: add SOPS_AGE_SSH_PRIVATE_KEY_CMD environment variable (#2070).

Improvements:

• Dependency updates (#1967, #1971, #1978, #1986, #1988, #1991, #1993, #2002, #2004, #2007, #2012, #2018, #2024, #2029, #2037, #2043, #2047, #2050, #2059, #2074, #2078).
• Fix mistakes in --help output (#1975, #1963).
• Improve documentation (#1997).
• Unset user's GNUPGHOME environment variable for tests (#2052).
• Use age's plugin.NewTerminalUI() instead of vendoring the code (#2034).
• Remove dead code during YAML loading (#2072).
• Build release with Go 1.26 (#2071).

Bugfixes:

• Add --decryption-order flag to exec-env, exec-file, and publish commands. The subcommand code was using the flags, but it wasn't declared (#1965).
• Fix AWS KMS encryption context not being passed when config is pre-loaded (#2021).
• Fix recursive publish (#2019).
• Set quota project to API project in GCP KMS (#1697).
• DotEnv store now properly reports missing metadata (#2055).
• AWS KMS: allow role splitting without hard-coded aws partition (#2042).

... (truncated)

Commits

• af0168d Merge pull request #2080 from felixfontein/release-3.12.1
• 670b327 Prepare 3.12.1 release.
• 7686958 Pin cosign to the latest 2.x.y release.
• 7be1473 Merge pull request #2077 from felixfontein/release-3.12.0
• 84e1a7b Bump version to 3.12.0.
• 6654032 Add changelog for 3.12.0.
• edb9bf1 Merge pull request #2078 from getsops/dependabot/go_modules/filippo.io/edward...
• 56e44e2 build(deps): Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1
• 961af9b Merge pull request #2071 from felixfontein/go1.26
• e6c0de2 Add Go 1.26 to CI; use for release.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)