
[Feature] possible solution for #1071

Open johncoopertr opened this issue 1 month ago • 0 comments

Humbly submitting this for review for #1071 as a possible solution, thanks for taking a look!

Global updatekeys feature

The --global flag lets you synchronize key groups (and Shamir threshold, if set) across all SOPS‑managed files in a repository based on .sops.yaml creation rules.

What it does

  • Walks from the directory containing the config (or .) and inspects files.
  • Considers a file only if:
    • It contains SOPS metadata (sops section), and
    • A creation rule matches its path.
  • Silently ignores files without metadata or without a matching rule.
  • Compares the file’s current key groups (and effective Shamir threshold) to the rule.
  • Updates only those files where a difference exists.

Dry run

Use --dry-run with --global to list files that would change without modifying them.

sops updatekeys --global --dry-run

Sample output:

Files that would be updated:
  secrets/app.yaml
  prod/creds.enc.json

Typical usage

# Preview changes
sops updatekeys --global --dry-run

# Apply changes non-interactively
sops updatekeys --global -y

Flags

  • --global scan and update all managed files
  • --dry-run show pending updates only
  • -y / --yes skip per‑file confirmation

Notes

  • Errors reading individual files are summarized at the end.
  • Unchanged files are skipped quietly.

johncoopertr • Nov 11 '25 22:11
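The selection and comparison steps listed under "What it does", as an added Go example that is not the code from this submission or from SOPS. It assumes JSON-encoded files with a flat `age` recipient list, rules already parsed into a hypothetical `Rule` struct, and an order-insensitive comparison; Shamir thresholds and multiple key groups are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

type Rule struct{ PathRegex, Age string } // hypothetical pre-parsed creation rule; Age is comma-separated

// PendingUpdates lists files with SOPS metadata whose age recipients differ from the first matching rule.
func PendingUpdates(files map[string]string, rules []Rule) []string {
	var out []string
	for path, doc := range files {
		var f struct{ Sops *struct{ Age []struct{ Recipient string } } }
		if json.Unmarshal([]byte(doc), &f) != nil || f.Sops == nil {
			continue // unparsable or no "sops" section: ignored
		}
		var have []string
		for _, a := range f.Sops.Age {
			have = append(have, a.Recipient)
		}
		sort.Strings(have) // compare as sets (order-insensitive, an assumption)
		for _, r := range rules {
			if !regexp.MustCompile(r.PathRegex).MatchString(path) {
				continue
			}
			want := strings.Split(r.Age, ",")
			sort.Strings(want)
			if strings.Join(have, ",") != strings.Join(want, ",") {
				out = append(out, path)
			}
			break // first matching rule decides; no match means the file is ignored
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample data: placeholder recipients, not real keys.
var sampleRules = []Rule{{`^secrets/.*\.json$`, "age1alice,age1bob"}}
var sampleFiles = map[string]string{
	"secrets/app.json":   `{"sops":{"age":[{"recipient":"age1alice"},{"recipient":"age1carol"}]}}`,
	"secrets/ok.json":    `{"sops":{"age":[{"recipient":"age1bob"},{"recipient":"age1alice"}]}}`,
	"secrets/plain.json": `{"debug":true}`,
	"other/creds.json":   `{"sops":{"age":[{"recipient":"age1carol"}]}}`,
}

func main() { fmt.Println(PendingUpdates(sampleFiles, sampleRules)) }
```

Only `secrets/app.json` is reported: it still lists a recipient the rule no longer names and lacks one the rule requires, which is the drift a dry run is meant to surface before anything is rewritten.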