Log Message:
sops: Update to 3.9.3

Changes:
3.9.3
-----
Improvements:
* Dependency updates
* Add ``persist-credentials: false`` to checkouts in GitHub workflows

Bugfixes:
* GnuPG: do not incorrectly trim fingerprint in presence of exclamation marks
  for specific subkey selection

3.9.2
-----
Improvements:
* Dependency updates
* Update compiled Protobuf definitions
* Remove unused variables and simplify conditional

Bugfixes:
* Handle whitespace in Azure Key Vault URLs
* Correctly handle comments during JSON serialization

3.9.1
-----
Improvements:
* Dependency updates
* Clarify naming of the configuration file in the documentation
* Build with Go 1.22
* Specify filename of missing file in error messages
* ``updatekeys`` subcommand: show changes in ``shamir_threshold``

Bugfixes:
* Fix the URL used for determining the latest SOPS version
* ``updatekeys`` subcommand: actually use option
  ``--shamir-secret-sharing-threshold``
* Fix ``--config`` being ignored in subcommands by ``loadConfig``
* Allow ``edit`` subcommand to create files
* Do not encrypt if a key group is empty, or there are no key groups
* Do not ignore config errors when trying to parse a config file

3.9.0
-----
Features:
* Add ``--mac-only-encrypted`` to compute MAC only over values which end up
  encrypted
* Allow configuration of indentation for YAML and JSON stores
* Introduce a ``--pristine`` flag to ``sops exec-env``
* Allow to pass multiple paths to ``sops updatekeys``
* Allow to override ``fileName`` with different value
* Sort masterkeys according to ``--decryption-order``
* Add separate subcommands for encryption, decryption, rotating, editing,
  and setting values
* Add ``filestatus`` command
* Add command ``unset``
* Merge key for key groups and make keys unique
* Support using comments to select parts to encrypt

Deprecations:
* Deprecate the ``--background`` option to ``exec-env`` and ``exec-file``

Improvements:
* Warn/fail if the wrong number of arguments is provided
* Warn if more than one command is used
* Dependency updates
* Build with Go 1.21
* Polish the ``sops help`` output a bit
* Create a constant for the ``sops`` metadata key

Bug fixes:
* Respect ``aws_profile`` from keygroup config
* Fix a bug where not having a config results in a panic
* Consolidate Flatten/Unflatten pre/post processing
* INI and DotEnv stores: ``shamir_threshold`` is an integer
* Make check whether file contains invalid keys for encryption dependent on
  output store
* Do not panic if ``updatekeys`` is used with a config that has no creation
  rules defined
* ``exec-file``: if ``--filename`` is used, use the provided filename
  without random suffix
* Do not use DotEnv store for ``exec-env``, but specialized environment
  serializing code
* Decryption: do not fail if no matching ``creation_rule`` is present in
  config file