security: SOPS_AGE_KEY の build ログ漏洩修正 + age 鍵 rekey

Dockerfile: ENV SOPS_AGE_KEY=... を削除し ARG のみに。ENV 経由だと
ビルドログとイメージレイヤー履歴に値が焼き込まれてしまうため。
ARG は RUN のシェル環境変数として自動公開されるので sops は引き続き動作。

.sops.yaml + secrets: 旧鍵を破棄し dev/prod 用に新規 age 鍵を発行、
secrets を新鍵で再暗号化。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aster-void

.sops.yaml

@@ -1,8 +1,11 @@
-keys:
-  - &project age1gsn5pg5pkk89zsukc94gqwlu7zyrep0prm7pwc787tcegapgmvgqzeq64c
+_:
+  keys:
+    - &dev age1npjpcsp6rd7jf3652cnek0yj8kwxr36yukgv6jykfrv0vlpkw4nq5snp2s
+    - &prod age1yxtlssfn7kjarthk5jyxph55yp2d8ar7tmzy6cvm5mck7kyzrsnsj6hmw4
 
 creation_rules:
   - path_regex: secrets\.(dev|prod)\.yaml$
     key_groups:
       - age:
-          - *project
+          - *dev
+          - *prod

Dockerfile

@@ -20,11 +20,10 @@ RUN bun install --frozen-lockfile
 COPY . .
 RUN bun run prepare
 
-# Build with sops secrets
+# SOPS_AGE_KEY: ARG only (no ENV) — ENV bakes the value into image history and build logs.
 ARG SOPS_AGE_KEY
 ARG SECRETS_FILE=secrets.prod.yaml
-ENV SOPS_AGE_KEY=${SOPS_AGE_KEY}
-RUN sops exec-env ${SECRETS_FILE} 'bun run build'
+RUN sops exec-env "$SECRETS_FILE" 'bun run build'
 
 FROM base AS executor
 WORKDIR /app

secrets.dev.yaml

@@ -16,14 +16,23 @@ GITHUB_CLIENT_SECRET: ""
 PUBLIC_SHOW_DEV_BANNER: ENC[AES256_GCM,data:JL5dRkg=,iv:5hiMfw/jJJRSLyHDV1jhdi1kW7NaN38ToDTJjmzv8pQ=,tag:IqQzEPVrhAxcXI+UXpq2eg==,type:str]
 sops:
     age:
-        - recipient: age1gsn5pg5pkk89zsukc94gqwlu7zyrep0prm7pwc787tcegapgmvgqzeq64c
+        - recipient: age1npjpcsp6rd7jf3652cnek0yj8kwxr36yukgv6jykfrv0vlpkw4nq5snp2s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZ0NjbVpFbVJ5TS8xSlNW
-            a0hmOXRrQ2xpYkVJWHhVRm9lODRTUldxeTE0CnRGemp4dEZKV29JbjhPL2RVa3lG
-            WGNTdE9RYmZ0L1BQRjQyQ1dwU0x3dlkKLS0tIFc4NXE4ZFRhYmFtWlR2M3lpWVV1
-            Y2M0Q3NYeFBVTjZKOFNIS0x6dnRPUEEKCt8q9U5HaLS0Mm2JNmODlECAYjN8nn+1
-            zlbwhcAUqbhFd8HteSbp8jTgp14PUuig/c2c3JDOmgQfiITZaxLayQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVDNLZVh1Y21OWnVrQ0JV
+            V3VYM0xtRWJrTU00L2daY1A5VFIrM1ZaQVhBCkxQUGFPQzZ5ZmU0QnZKYTFidnQx
+            eXFZZVQ4ZFZPdVRWdnpDK2pUUlRrYncKLS0tIGtxWmUrQ25TakpENUJ5ZzBOd2tC
+            VW1melRsZ3dMTHR6ZE93dm9JSjdhQVUKLdPeJOrWUEcV1SQLBAd22ijAoFYgFhgY
+            4gYMBsa+nT6nb+/0sAKdes5HQHe/nYPbe1iuq/NINKJLrV1g3VKShQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yxtlssfn7kjarthk5jyxph55yp2d8ar7tmzy6cvm5mck7kyzrsnsj6hmw4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTXIxTGxBNlJpWk05SWg0
+            N2ZKT0lSaU1kU1AxM1o5V0RTSitVZjE5SkNFCm5EQ0tCNG5BVkVlKzRWaG9aL29X
+            dzM5YXA1eUdwY3JnUXlabEowVW5XZlUKLS0tIG04YUMrUHgzRGFPRlNwQWk5bWly
+            S2RXU0N6K3NaK1hVZXRzZWJ5bEpBNW8KlxFm+4quPo2Zk2qMnK5FaxMcgbXgDloe
+            28SfxVFH6CIKLhz+XNA8bqSn1uwspePNBtwwyNUnmChbHMft5aWCZw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-25T07:13:10Z"
     mac: ENC[AES256_GCM,data:dMmT+ETtHZD5UDoeZkgbwq/KFkzk84IBqMpIjqGf+TnjCP3CPqCMXI8kUMqu0oDgMREyHFulg2jaOyM6AJi3ijoLREz91jLrFyuPob2hz2N+pG3StBv05gdwiEixVLt57EKQ8YNMoYaeCVG68aGoSs5qxB6sweiVmfnZLALO6Yw=,iv:HMl7nMLCmfLEIRNi6j2k0FcT+F/qvram1PAK/wA24TU=,tag:pPDWrQhryRouksHAHsWL6g==,type:str]

secrets.prod.yaml

@@ -13,14 +13,23 @@ CLOUDFLARE_API_TOKEN: ENC[AES256_GCM,data:G1mLIuB0vbB6r2arvlxwy5bMmRRYi4p+EQC1Jq
 PUBLIC_SHOW_DEV_BANNER: ENC[AES256_GCM,data:7We5Qg==,iv:wDk1hniVqw6QIh2k8uWeo0RqGwql7MJH7bv5B+LLEtM=,tag:3p46YbNP7HIEzxZ6pNBQ1g==,type:str]
 sops:
     age:
-        - recipient: age1gsn5pg5pkk89zsukc94gqwlu7zyrep0prm7pwc787tcegapgmvgqzeq64c
+        - recipient: age1npjpcsp6rd7jf3652cnek0yj8kwxr36yukgv6jykfrv0vlpkw4nq5snp2s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRWovR2lYZjk5UzQ0Y2Ri
-            QXAxam5LaEY2S3hFREVEUHJzdDNQbCs2T3hnCkprMDNlamZPQmhvTXh1SUdOUHNX
-            OEhTYWlLMVdsaVRuUDdPRVZvRmc3VkEKLS0tIGlOK1JScmJtQVJPWXErZkc2VVNR
-            NHZSdEp1WGc4S2ppK1ZKcDZnU0JRQmMKJj4n6DBAozt2DTlYFIhd1jWWLGMYalAM
-            +Txthl+D2hQNSITfK7jzVXIhk4z3g2ahNXscRmgrU9u4V0Jj6Gzz/g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb2NRbWtvd3Y5RkdHSUZN
+            YVE5aHFkRlV3Qzl3dXZONXF2RE9DaDVHRXpvCmZ6cis5N290NWFnbWgyWENnQm1S
+            SVk0TjlqQzFIMUR3M24xNlJXZy92TzgKLS0tIHRkaTZrbFN2T0pDVG1kRUU2alp4
+            ZklUSkVEVXFLMGMzSnQ5ODlPS0M3aEUKGVzjwNtKHgQ+unSL6eE6ZjQWKGKiL2SY
+            2ahOSYUwM2V4kpGKZK5GfOSct0T9tQeEHx8Vs0fpla0RLtBd92R6uQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yxtlssfn7kjarthk5jyxph55yp2d8ar7tmzy6cvm5mck7kyzrsnsj6hmw4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQlVTVmh0ZlJ5d09qRU9N
+            Ym1neTB5NDZ1N0tuQjR3RVJBN3R0Ykd0bnprCnhqSGlRUThPUTVwVmc3M2VUNlJS
+            VWtnWTlvUlJYaWhQYjBNeVEyMEp3aU0KLS0tIFFJMm5OSFpyQ2UwdDN1Wk1iMURu
+            dkpGc0E5TllENzAxbWxEeU1VYmdiUGcKL2iQoVETAdYQNqPnzPc9Iwh5fVzwbIkb
+            h/H7rb/ekOJHWSyeUJeH1D/O5PICUN3bfpu7q3EdL0O9o1sN7O6fyQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-24T15:07:19Z"
     mac: ENC[AES256_GCM,data:+f8qInhzG3mqaKSGPORLCJ42LeNyfSTtisyz3FURV68uogxSFo0m4sxwkDBQMAUdlhBFzYYIBq0y6gI7C8sk3yxpUjdOgvXj8UhACRpthRe71IxiAcG0VssyQv6oV2+0amLE/rUlTUeSkXq+aT/9zPn5698MPm7M2yQw5gf0jFE=,iv:pHXF12m/vqVpJvURSlzkH33zxZl/pOyV+7Kbettb+IM=,tag:/uLx/ZQiKEocfV1/T7CUDQ==,type:str]