sops -d prints the entire decrypted file. Most of the time you want exactly one value — and you don’t want it landing in shell history or a temp file. --extract does that.

# secret — print one key from a SOPS-encrypted YAML file.
# Usage: secret CODEBERG_TOKEN [path/to/secrets.enc.yaml]
secret() {
  local key="$1" file="${2:-secrets.enc.yaml}"
  sops -d --extract "[\"${key}\"]" "$file"
}

Use it inline so the plaintext never touches disk and an env var still wins:

TOKEN="${TOKEN:-$(secret CODEBERG_TOKEN)}"
curl -H "Authorization: token $TOKEN" https://codeberg.org/api/v1/user

For nested keys, extend the path: --extract '["db"]["password"]'.