vst · vst · Jan 10, 2026 · Dec 25, 2025 · Jan 10, 2026 · Jan 10, 2026
diff --git a/.github/workflows/check-static.yaml b/.github/workflows/check-static.yaml
@@ -0,0 +1,16 @@
+name: "Check Static Build"
+
+on:
+  workflow_dispatch:
+
+jobs:
+  check:
+    runs-on: "ubuntu-latest"
+
+    steps:
+      - name: "Checkout Codebase"
+        uses: "actions/checkout@v6"
+
+      - name: "Build Static Executable"
+        run: |
+          bash ./build-static.sh
diff --git a/.github/workflows/check.yaml → .github/workflows/check-verify.yaml b/.github/workflows/check.yaml → .github/workflows/check-verify.yaml
@@ -1,4 +1,4 @@
-name: "Check, Test and Build Codebase"
+name: "Check, Lint, Test and Build Codebase"
 
 on:
   pull_request:
@@ -10,14 +10,18 @@ jobs:
 
     steps:
       - name: "Checkout Codebase"
-        uses: "actions/checkout@v5"
+        uses: "actions/checkout@v6"
 
       - name: "Install Nix"
-        uses: "DeterminateSystems/nix-installer-action@v20"
+        uses: "DeterminateSystems/nix-installer-action@v21"
 
-      - name: "Check, Test and Build"
+      - name: "Prepare CI devShell"
         run: |
-          nix develop --command bash -c "cabal update --ignore-project && cabal dev-test-build"
+          nix develop .#ci --command true
+
+      - name: "Verify Codebase"
+        run: |
+          nix develop .#ci --command cabal verify
 
       - name: "Build Docker Image"
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,20 +20,24 @@ jobs:
 
       - name: "Checkout Codebase"
         if: "${{ steps.release.outputs.release_created }}"
-        uses: "actions/checkout@v5"
+        uses: "actions/checkout@v6"
+        with:
+          fetch-depth: 0
 
       - name: "Install Nix"
         if: "${{ steps.release.outputs.release_created }}"
-        uses: "DeterminateSystems/nix-installer-action@v20"
+        uses: "DeterminateSystems/nix-installer-action@v21"
 
-      - name: "Build Statically Compiled Executable"
+      - name: "Build Static Executable"
+        id: "build_static"
         if: "${{ steps.release.outputs.release_created }}"
         run: |
-          nix develop --command bash build-static.sh
+          bash ./build-static.sh | tee /tmp/build.log
+          echo "executable=$(tail -n1 /tmp/build.log)" >> $GITHUB_OUTPUT
 
       - name: "Upload Release Artifact"
         if: "${{ steps.release.outputs.release_created }}"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         run: |
-          gh release upload "${{ steps.release.outputs.tag_name }}" /tmp/opsops-static-linux-x86_64
+          gh release upload "${{ steps.release.outputs.tag_name }}" "${{ steps.build_static.outputs.executable }}"
diff --git a/.gitignore b/.gitignore
@@ -1,8 +1,11 @@
 *.cabal
 *~
 /.direnv
+/.envrc
+/.stack-work
 /dist
 /dist-newstyle
 /result
+/stack.yaml.lock
 /tmp
 spec.yaml
diff --git a/.prettierignore b/.prettierignore
@@ -1,4 +1,4 @@
+CHANGELOG.md
+LICENSE.md
 dist-newstyle/
 dist/
-nix/
-*.md
diff --git a/.prettierrc.json b/.prettierrc.json
@@ -1,9 +1,16 @@
 {
   "tabWidth": 2,
+  "printWidth": 120,
   "singleQuote": false,
   "trailingComma": "es5",
-  "printWidth": 120,
   "overrides": [
+    {
+      "files": "*.md",
+      "options": {
+        "printWidth": 80,
+        "proseWrap": "always"
+      }
+    },
     {
       "files": "package.yaml",
       "options": {

diff --git a/.stan.toml b/.stan.toml
@@ -0,0 +1,8 @@
+# Big tuples
+# Using tuples of big size (>= 4) can decrease code readability
+# In several places Stack uses 4-tuples and in one place Stack uses a
+# 5-tuple.
+[[check]]
+id = "STAN-0302"
+scope = "all"
+type = "Exclude"
diff --git a/.taplo.toml b/.taplo.toml
@@ -0,0 +1,25 @@
+#:schema taplo://taplo.toml
+
+include = ["*.toml"]
+exclude = []
+
+[formatting]
+
+align_entries = false         # Align entries vertically. Entries that have table headers, comments, or blank lines between them are not aligned.(default false)
+align_comments = true         # Align consecutive comments after entries and items vertically. This applies to comments that are after entries or array items.(default true)
+array_trailing_comma = true   # Put trailing commas for multiline arrays.(default true)
+array_auto_expand = true      # Automatically expand arrays to multiple lines (default true)
+array_auto_collapse = false   # Automatically collapse arrays if they fit in one line.(default true)
+compact_arrays = true         # Omit whitespace padding inside single-line arrays.(default true)
+compact_inline_tables = false # Omit whitespace padding inside inline tables.(default false)
+inline_table_expand = true    # Expand values (e.g. arrays) inside inline tables.(default true)
+compact_entries = false       # Omit whitespace around =. (default false)
+column_width = 80             # Target maximum column width after which arrays are expanded into new lines.(default 80)
+indent_tables = false         # Indent subtables if they come in order(default false)
+indent_entries = false        # Indent entries under tables.(default false)
+indent_string = "  "          # Indentation to use, should be tabs or spaces but technically could be anything. 2 spaces (" ")
+trailing_newline = true       # Add trailing newline to the source. (default true)
+reorder_keys = false          # Alphabetically reorder keys that are not separated by blank lines. (default false)
+reorder_arrays = false        # Alphabetically reorder array values that are not separated by blank lines. (default false)
+allowed_blank_lines = 1       # The maximum amount of consecutive blank lines allowed. (default 2)
+crlf = false                  # Use CRLF line endings. (default false)
diff --git a/README.md b/README.md
@@ -5,17 +5,15 @@
 ![GitHub last commit (branch)](https://img.shields.io/github/last-commit/vst/opsops/main)
 ![GitHub License](https://img.shields.io/github/license/vst/opsops)
 
-`opsops` is a command-line application to generate clear [SOPS]
-secrets from a given specification and generate [sops-nix] snippets
-for it.
+`opsops` is a command-line application to generate clear [SOPS] secrets from a
+given specification and generate [sops-nix] snippets for it.
 
-The specification is a YAML/JSON file representing a tree-like
-structure where terminal nodes represent how the clear secrets will be
-generated, and internal nodes represent the "path" to the clear
-secret.
+The specification is a YAML/JSON file representing a tree-like structure where
+terminal nodes represent how the clear secrets will be generated, and internal
+nodes represent the "path" to the clear secret.
 
-Currently, system processes, scripts and 1password field reference
-URIs are supported:
+Currently, system processes, scripts and 1password field reference URIs are
+supported:
 
 ```yaml
 secrets:
@@ -29,7 +27,7 @@ secrets:
     token:
       type: "script"
       value:
-        content: "printf \"%s\" \"$(gh auth token)\""
+        content: 'printf "%s" "$(gh auth token)"'
   example.com:
     password:
       type: "script"
@@ -59,6 +57,7 @@ secrets:
 ```
 
 <!--toc:start-->
+
 - [opsops: SOPS(-Nix) Goodies](#opsops-sops-nix-goodies)
   - [Installation](#installation)
   - [Usage](#usage)
@@ -68,14 +67,15 @@ secrets:
     - [Create Snippet for `sops-nix`](#create-snippet-for-sops-nix)
   - [Development](#development)
   - [License](#license)
+
 <!--toc:end-->
 
 ## Installation
 
 > [!WARNING]
 >
-> If 1Password is used, 1Password CLI application (`op`) must be on
-> `PATH` when running `opsops`.
+> If 1Password is used, 1Password CLI application (`op`) must be on `PATH` when
+> running `opsops`.
 
 Install `opsops` into your Nix profile:
 
@@ -117,7 +117,7 @@ secrets:
     token:
       type: "script"
       value:
-        content: "printf \"%s\" \"$(gh auth token)\""
+        content: 'printf "%s" "$(gh auth token)"'
   example.com:
     password:
       type: "script"
@@ -145,6 +145,7 @@ secrets:
         account: "IPAEPH0JI3REE8FICHOOVU4CHA"
         uri: "op://Devops/OokahCuZ4fo8ahphie1aiFa0ei/API Tokens/write-only"
 ```
+
 </details>
 
 ### See Canonical Specification
@@ -210,21 +211,22 @@ secrets:
       type: process
       value:
         arguments:
-        - --hip
-        - hop
+          - --hip
+          - hop
         command: zamazingo
         environment: {}
         strip: both
         trailingNewline: crlf
 ```
+
 </details>
 
 ### Render Clear Secrets
 
 > [!WARNING]
 >
-> If 1Password is used, 1Password CLI application (`op`) should be
-> authenticated first:
+> If 1Password is used, 1Password CLI application (`op`) should be authenticated
+> first:
 >
 > ```sh
 > eval $(op signin -f [--account <ACCOUNT>])
@@ -251,12 +253,13 @@ dockerhub:
 influxdb:
   token: mu9aephabeadi7zi8goo9peYo8yae7ge
 ```
+
 </details>
 
 ### Create Snippet for `sops-nix`
 
-To create snippet for `sops-nix` that can be copied/pasted inside the
-`sops-nix` module configuration:
+To create snippet for `sops-nix` that can be copied/pasted inside the `sops-nix`
+module configuration:
 
 ```sh
 opsops snippet sops-nix --input opsops.yaml
@@ -272,6 +275,7 @@ opsops snippet sops-nix --input opsops.yaml
 "influxdb/token" = {};
 "zamazingo/secret" = {};
 ```
+
 </details
 
 ... or with some prefix:
@@ -290,6 +294,7 @@ opsops snippet sops-nix --input opsops.yaml --prefix my_namespace
 "my_namespace/influxdb/token" = { key = "influxdb/token"; };
 "my_namespace/zamazingo/secret" = { key = "zamazingo/secret"; };
 ```
+
 </details>
 
 ## Development
@@ -307,7 +312,12 @@ hpack &&
     direnv reload &&
     fourmolu -i app/ src/ test/ &&
     prettier --write . &&
-    find . -iname "*.nix" -print0 | xargs --null nixpkgs-fmt &&
+    find . -iname "*.nix" -print0 | xargs --null nixfmt &&
+    statix check &&
+    find . -iname "*.sh" -print0 | xargs --null shfmt -w &&
+    find . -iname "*.sh" -print0 | xargs --null shellcheck &&
+    taplo lint &&
+    taplo format &&
     hlint app/ src/ test/ &&
     cabal build -O0 &&
     cabal run -O0 opsops -- --version &&
@@ -318,7 +328,7 @@ hpack &&
 To check and build:
 
 ```sh
-cabal dev-test-build [-c]
+cabal verify [-c]
 ```
 
 ## License

diff --git a/build-static.sh b/build-static.sh
@@ -1,22 +1,21 @@
 #!/usr/bin/env bash
 
 ## NOTE: Things would be much easier if we could use Nix, but we can
-## not (or I find it rather tedious). So, we have to use Docker.
-##
-## Also, `cabal install` does not work with
-## `--enable-executable-static` flag. So, we have to use `cabal build`
-## instead. Finally, `cabal build` does not work with
-## `--enable-executable-stripping`, hence the `strip` command usage.
+## not (or I find it rather tedious). So, we have to use Docker and
+## Haskell Stack to build our static binary.
+
+## Executable name:
+EXECUTABLE_NAME="$(yq ".executables | keys | .[0]" package.yaml)"
+
+## Stackage resolver:
+STACKAGE_RESOLVER="$(yq ".resolver" stack.yaml)"
 
 ## GHC version:
-GHC_VERSION="9.8.4"
+GHC_VERSION="$(curl -s "https://www.stackage.org/${STACKAGE_RESOLVER}" | grep -oP 'ghc-\K[0-9.]+' | head -n1)"
 
 ## Docker image:
 DOCKER_IMAGE="quay.io/benz0li/ghc-musl:${GHC_VERSION}"
 
-## Executable name:
-EXECUTABLE_NAME="opsops"
-
 ## Final executable name:
 FINAL_EXECUTABLE_NAME="${EXECUTABLE_NAME}-static-$(uname --kernel-name | tr '[:upper:]' '[:lower:]')-$(uname --machine)"
 
@@ -26,43 +25,34 @@ FINAL_EXECUTABLE_PATH="/tmp/${FINAL_EXECUTABLE_NAME}"
 ## Docker container name:
 CONTAINER_NAME="static-builder-for-${EXECUTABLE_NAME}"
 
-## Create/update .cabal file:
-hpack
-
-## Cleanup first:
-cabal clean
-cabal v1-clean
-
-## First, pin all packages as per Nix:
-cabal freeze
-
 ## Run the Docker container:
 docker run -i --detach -v "$(pwd):/app" --name "${CONTAINER_NAME}" "${DOCKER_IMAGE}" /bin/bash
 
 ## Whitelist codebase directory for Git queries:
 docker exec "${CONTAINER_NAME}" git config --global --add safe.directory /app
 
-## Update cabal database:
-docker exec "${CONTAINER_NAME}" cabal update
+## Cleanup inside the container:
+docker exec -w "/app" "${CONTAINER_NAME}" cabal clean
+docker exec -w "/app" "${CONTAINER_NAME}" cabal v1-clean
+docker exec -w "/app" "${CONTAINER_NAME}" stack clean --full
 
 ## Build the static binary:
-docker exec -w "/app" "${CONTAINER_NAME}" cabal build --enable-executable-static
+docker exec -w "/app" "${CONTAINER_NAME}" stack build
 
-## Get the path to the executable:
-BUILD_PATH="$(docker exec -w "/app" "${CONTAINER_NAME}" cabal list-bin "${EXECUTABLE_NAME}")"
+## Install the static binary to our local-bin-path (/tmp):
+docker exec -w "/app" "${CONTAINER_NAME}" stack install
 
-## Strip debugging symbols:
-docker exec "${CONTAINER_NAME}" strip "${BUILD_PATH}"
-
-## Copy the binary to the host:
-docker cp "${CONTAINER_NAME}:${BUILD_PATH}" "${FINAL_EXECUTABLE_PATH}"
+## Install upx:
+docker exec -w "/app" "${CONTAINER_NAME}" apk add upx
 
 ## Compress the executable:
-upx "${FINAL_EXECUTABLE_PATH}"
+docker exec -w "/app" "${CONTAINER_NAME}" upx "/tmp/${EXECUTABLE_NAME}"
+
+## Copy the binary to the host:
+docker cp "${CONTAINER_NAME}:/tmp/${EXECUTABLE_NAME}" "${FINAL_EXECUTABLE_PATH}"
 
 ## Cleanup:
-docker exec -w "/app" "${CONTAINER_NAME}" cabal clean
-docker exec -w "/app" "${CONTAINER_NAME}" cabal v1-clean
+docker exec -w "/app" "${CONTAINER_NAME}" stack clean --full
 docker rm -f "${CONTAINER_NAME}"
-rm cabal.project.freeze
 file "${FINAL_EXECUTABLE_PATH}"
+find "${FINAL_EXECUTABLE_PATH}"