Unfortunately, the SOPS project is in some sort of a limbo state and there has been quite a long period with limited maintenance and unclear position from Mozilla. Despite the project being accepted into the CNCF, it's still unclear what will happen with it going forward.
I'm not sure about project_id being a sensitive value. Account IDs are not officially considered sensitive in AWS circles, but most people still treat them that way. I checked mine in before for the only GCP thing I ever did, https://github.com/iangrunt/multi-cloud-terragrunt-filesystem/blob/main/gcp/sre-projects/project-delta/project.hcl. This would be considered a "root module" (it's not) where that would be a private repo anyways, so checking in account IDs would be fine. That being said, it is still possible to write root modules and use the context of your pipelines to get these kinds of values more safely.
Apart from a few exceptions (like Ansible for example, which supports native encryption), we moved away from encrypted secrets in git repos and use external things, depending on the platform (like parameter store / secrets manager for AWS or keyvault for Azure - both of these do track changes, btw), so I haven't looked for quite a while. Back in ye olden days we used https://github.com/AGWA/git-crypt which worked quite nicely, but the key management is cumbersome and it's based on GPG, which in itself is a bit of a light reddish flag these days.