ggshield
Fix scanning-released CI job
The problem
When pushing commits to the main branch, the CI used to update the gitguardian/ggshield:latest Docker image with the content of main. The scanning-released job would then scan the code merged in main using the GitHub action, which uses the gitguardian/ggshield:latest Docker image, therefore indirectly testing the image.

Our Docker images have changed since then: gitguardian/ggshield:latest now contains the code for the latest ggshield release, so it is only updated when a new version of ggshield is tagged. The image containing the content of the main branch is gitguardian/ggshield:unstable. This sometimes causes problems because our ggshield configuration file can contain configuration keys the current release of ggshield does not understand, so the scan does not do what we want it to do.

This happened recently with the configuration file format change (see https://github.com/GitGuardian/ggshield/runs/7425018269?check_suite_focus=true).
What to do
What we want to do here is dog-food the gitguardian/ggshield:unstable Docker image. If this cannot be done with our GitHub action (I don't think it can), then the job should use the Docker image directly and run ggshield scan ci using it.

The job should also be renamed to something like scan-using-unstable-docker-image.
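As an added example (not code from the ggshield repository), this is what the job could look like when it runs the scan inside the unstable image directly instead of through the GitHub action; the GITHUB_* variables passed to the container mirror what the action exports and, like the secret name, are assumptions:

```yaml
# Added example: run the CI scan inside gitguardian/ggshield:unstable directly,
# so the ggshield code under test and the repository's ggshield config both
# come from the same commit of main.
name: scan-using-unstable-docker-image

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan-using-unstable-docker-image:
    runs-on: ubuntu-latest
    # Every step below executes inside the image built from main.
    container:
      image: gitguardian/ggshield:unstable
    steps:
      - uses: actions/checkout@v3
        with:
          # ggshield scan ci needs the commit history to work out the commit range.
          fetch-depth: 0
      - name: Scan commits with the unstable image
        env:
          # Assumption: the API key is stored as a repository secret with this name.
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          # Assumption: these mirror the variables the ggshield GitHub action sets
          # so that ggshield can determine which commits to scan in CI mode.
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        run: |
          # The checkout is owned by a different user than the one running in the
          # container; newer git versions refuse to read it without this setting.
          git config --global --add safe.directory "$GITHUB_WORKSPACE"
          ggshield scan ci
```

Because the container job bypasses the action, a configuration key that only the unstable image understands no longer silently degrades the scan, which is the dog-fooding this issue asks for.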