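def _shell_quote(value):
    """Returns `value` wrapped in single quotes so a POSIX shell reads it as one literal word.

    Any single quote inside `value` is closed, backslash-escaped and reopened.
    """
    return "'" + value.replace("'", "'\\''") + "'"

def _sops_decrypt_impl(ctx):
    """Implementation of the `_sops_decrypt` rule.

    Declares `out` as an output file and registers one shell action that runs
    the `command` template with the sops tool, source and output paths
    substituted in.

    Args:
        ctx: The rule context.

    Returns:
        A list with one DefaultInfo provider exposing the declared output file.
    """
    output_file = ctx.actions.declare_file(ctx.attr.out)
    inputs = [ctx.file.src]
    tools = [ctx.executable.sops_tool]
    env = {}

    # The age key is optional; when present it is made available to the action
    # and its path is handed to sops through SOPS_AGE_KEY_FILE.
    if ctx.file.age_key_file:
        inputs.append(ctx.file.age_key_file)
        env["SOPS_AGE_KEY_FILE"] = ctx.file.age_key_file.path

    # The substituted values land on a shell command line. `out` is a free-form
    # string attribute and file paths may contain spaces or shell
    # metacharacters, so each value is quoted before substitution. Templates
    # must therefore NOT wrap {sops}, {src} or {out} in quotes of their own.
    command = ctx.attr.command.format(
        sops = _shell_quote(ctx.executable.sops_tool.path),
        src = _shell_quote(ctx.file.src.path),
        out = _shell_quote(output_file.path),
    )

    # NOTE(review): with the real sops tool, output_file holds decrypted
    # plaintext and age_key_file is an action input. If this workspace uses a
    # remote cache or remote execution, both would be uploaded unless the
    # action is excluded (for example through `execution_requirements` with a
    # tag such as "no-remote") -- confirm against the build configuration.
    ctx.actions.run_shell(
        outputs = [output_file],
        inputs = inputs,
        tools = tools,
        env = env,
        command = command,
        mnemonic = "SopsDecrypt",
        progress_message = "Processing %s" % ctx.file.src.short_path,
    )

    return [DefaultInfo(files = depset([output_file]))]

_sops_decrypt = rule(
    implementation = _sops_decrypt_impl,
    attrs = {
        # The SOPS-encrypted input file.
        "src": attr.label(allow_single_file = True, mandatory = True),
        # Name of the output file, declared relative to the target's package.
        "out": attr.string(mandatory = True),
        # The implementation dereferences this unconditionally, so it is
        # mandatory: a missing tool fails at analysis with a clear message
        # instead of an attribute error on None.
        "sops_tool": attr.label(
            executable = True,
            cfg = "exec",
            mandatory = True,
        ),
        # Shell command template; {sops}, {src} and {out} are replaced with
        # already shell-quoted paths.
        "command": attr.string(mandatory = True),
        # Optional age key file, exported to the action as SOPS_AGE_KEY_FILE.
        "age_key_file": attr.label(allow_single_file = True),
    },
)

def sops_decrypt(name, src, out, **kwargs):
    """Decrypts a SOPS encrypted file.

    The tool, key and command line are chosen with `select`:
      * under `//:ci`, `//tools:fake_sops` is invoked as `{sops} {src} {out}`
        and no age key is supplied;
      * otherwise `//tools:sops_bin` runs `-d --output-type json` on the source
        with `//:key.txt` as the age key, and its stdout is redirected to `out`.

    NOTE(review): outside `//:ci`, `out` is plaintext secret material in the
    Bazel output tree, and `//:key.txt` is a key file at the workspace root --
    presumably excluded from version control; verify. Restrict the `visibility`
    of targets created with this macro to the packages that need the secrets.

    Args:
        name: The name of the target.
        src: The source SOPS encrypted file.
        out: The output decrypted file (usually JSON).
        **kwargs: Additional arguments to pass to the rule.
    """
    _sops_decrypt(
        name = name,
        src = src,
        out = out,
        age_key_file = select({
            "//:ci": None,
            "//conditions:default": "//:key.txt",
        }),
        sops_tool = select({
            "//:ci": "//tools:fake_sops",
            "//conditions:default": "//tools:sops_bin",
        }),
        command = select({
            "//:ci": "{sops} {src} {out}",
            "//conditions:default": "{sops} -d --output-type json {src} > {out}",
        }),
        **kwargs
    )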