sylr · sylr · Sep 5, 2025 · Jul 25, 2025
diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
@@ -14,9 +14,9 @@ jobs:
       attestations: write
     strategy:
       matrix:
-        go: ["1.23"]
+        go: ["1.25"]
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0
         filter: tree:0
@@ -33,7 +33,7 @@ jobs:
           ${{ runner.os }}-go-
 
     - name: Set up Go ${{ matrix.go }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version: ${{ matrix.go }}
         cache: false
@@ -49,7 +49,7 @@ jobs:
       run: make go-mod-verify
 
     - name: Lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@v8
       with:
         args: --timeout=10m
         skip-cache: true
@@ -64,7 +64,7 @@ jobs:
       run: |
         make docker-buildx-build
 
-    - uses: actions/attest-build-provenance@v1
+    - uses: actions/attest-build-provenance@v2
       with:
         subject-path: |
           dist/*-darwin-amd64*

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,7 +14,7 @@ jobs:
       packages: write
       attestations: write
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0
         filter: tree:0
@@ -31,9 +31,9 @@ jobs:
           ${{ runner.os }}-go-
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
-        go-version: "1.23"
+        go-version: "1.25"
         check-latest: true
         cache: false
       id: go
@@ -64,7 +64,7 @@ jobs:
     - name: Checksums
       run: make crossbuild-checksums
 
-    - uses: actions/attest-build-provenance@v1
+    - uses: actions/attest-build-provenance@v2
       with:
         subject-path: |
           dist/*
@@ -86,8 +86,7 @@ jobs:
         jq -r '."image.name" | split(":"; null)[0] | ("image="+.)' < .buildx-metadata.json >> "$GITHUB_OUTPUT"
         jq -r '."containerimage.digest" | ("digest="+.)' < .buildx-metadata.json >> "$GITHUB_OUTPUT"
 
-    - uses: actions/attest-build-provenance@v1
+    - uses: actions/attest-build-provenance@v2
       with:
         subject-name: ${{ steps.docker-build.outputs.image }}
         subject-digest: ${{ steps.docker-build.outputs.digest }}
-
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,3 +1,18 @@
-issues:
-  exclude:
-  - composite
+version: "2"
+linters:
+  settings:
+    govet:
+      disable:
+      - composites
+    errcheck:
+      exclude-functions:
+      - fmt.Fprintf
+      - (io.Closer).Close
+      - (*os.File).Close
+      - (*sylr.dev/yaml/v3.Encoder).Close
+  exclusions:
+    rules:
+    - linters:
+      - staticcheck
+      path: cmd/.*/.*\.go
+      text: "ST1005:"
diff --git a/go.mod b/go.mod
@@ -1,19 +1,21 @@
 module sylr.dev/yage/v2
 
-go 1.22
+go 1.23.0
+
+toolchain go1.25.1
 
 require (
 	filippo.io/age v1.2.1
-	github.com/spf13/cobra v1.8.1
-	golang.org/x/crypto v0.32.0
-	golang.org/x/term v0.28.0
+	github.com/spf13/cobra v1.9.1
+	golang.org/x/crypto v0.40.0
+	golang.org/x/term v0.33.0
 	sylr.dev/yaml/age/v3 v3.0.0-20221203153010-eb6b46db8d90
-	sylr.dev/yaml/v3 v3.0.0-20220527135632-500fddf2b049
+	sylr.dev/yaml/v3 v3.0.0-20250402092439-6b2768c4dfde
 )
 
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/sys v0.29.0 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
+	golang.org/x/sys v0.34.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -4,7 +4,7 @@ filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
 filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -21,21 +21,22 @@ github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N
 github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
 github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
+github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 sylr.dev/yaml/age/v3 v3.0.0-20221203153010-eb6b46db8d90 h1:m6tG0qH6xGIEMPIAgDCBb+GtRZVjkAh54ncls6SnXsQ=
 sylr.dev/yaml/age/v3 v3.0.0-20221203153010-eb6b46db8d90/go.mod h1:HhKNGjkt9lNS4jF16MEcvbfdNtssNFeZQ3dBWku2y6w=
-sylr.dev/yaml/v3 v3.0.0-20220527135632-500fddf2b049 h1:YPPgk82gEmgUGbtTpTokBrnWnpCbHGqzwggHNrOlw40=
-sylr.dev/yaml/v3 v3.0.0-20220527135632-500fddf2b049/go.mod h1:4Zku0VUqOuAOvzh8sDnNBOWxgBFIbfHfWtGZI+Qjwx4=
+sylr.dev/yaml/v3 v3.0.0-20250402092439-6b2768c4dfde h1:RH1Bb/QZT037KRlYNQuhPEvIMvIK7Etcktzb0We4+4w=
+sylr.dev/yaml/v3 v3.0.0-20250402092439-6b2768c4dfde/go.mod h1:4Zku0VUqOuAOvzh8sDnNBOWxgBFIbfHfWtGZI+Qjwx4=
diff --git a/utils/input.go b/utils/input.go
@@ -37,7 +37,9 @@ func ReadPassphrase(prompt string) ([]byte, error) {
 		}
 		in, out = os.Stdin, os.Stderr
 	}
-	fmt.Fprintf(out, "%s ", prompt)
+	if _, err := fmt.Fprintf(out, "%s ", prompt); err != nil {
+		return nil, fmt.Errorf("failed to write prompt to output: %w", err)
+	}
 	// Use CRLF to work around an apparent bug in WSL2's handling of CONOUT$.
 	// Only when running a Windows binary from WSL2, the cursor would not go
 	// back to the start of the line with a simple LF. Honestly, it's impressive