From b9bbd7c329042b130e85503267b1e1a4fb3ec2ac Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Mon, 22 Mar 2021 14:31:58 -0400
Subject: [PATCH] Just cannot use exit_codes, it is too new a feature

---
 .gitlab-ci.yml              | 18 +++++-------------
 ci-tools/vulnerability-scan |  9 +++++----
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e0f606d9..d92b5037 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,19 +10,11 @@ unit-tests:
 
 vulnerability-scan:
   stage: "test"
-  allow_failure:
-    # https://docs.gitlab.com/ee/ci/yaml/README.html#allow_failureexit_codes
-    exit_codes:
-      # Allow *some* exit codes through without treating them as
-      # pipeline-failing conditions.
-      # https://github.com/flyingcircusio/vulnix/blob/master/doc/vulnix.1.md
-
-      # All found errors are whitelisted
-      - 1
-      # Vulnerabilities found, but still, please don't halt the build.
-      - 2
-
-
+  # It would be nice to target this a bit more specifically.  If we upgrade to
+  # a newer GitLab (13.11?) then we can select exit codes that are allowed.
+  # For now we're stuck with true/false though.
+  # https://whetstone.privatestorage.io/help/ci/yaml/README.md#allow_failure
+  allow_failure: true
   script:
     - "ci-tools/vulnerability-scan security-report.txt"
   artifacts:
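Review bot: With `allow_failure: true` on line 36 the script's `exit 4` (which its own removed comment on line 48 described as a non-recoverable morph build failure) no longer fails the pipeline either, so a broken scan environment shows up the same way as a vulnix run that found vulnerabilities: a passing pipeline with a warning. The comment above the key should state that this is accepted, e.g. `# NOTE: this also tolerates the script's own exit 4 (morph build failure); check the security-report.txt artifact rather than the job status.` Until an `exit_codes` list is available, an alternative that keeps a real gate is to have the script itself map "vulnerabilities found" to a success status and reserve non-zero for infrastructure failure, so `allow_failure` could stay false; whether that fits the project's policy cannot be judged from this hunk.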
diff --git a/ci-tools/vulnerability-scan b/ci-tools/vulnerability-scan
index 04058db1..94cfd3f8 100755
--- a/ci-tools/vulnerability-scan
+++ b/ci-tools/vulnerability-scan
@@ -26,14 +26,15 @@ if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
   ln -s "$object" scan-target
 else
   echo "$morph_result"
-  # Signal to the GitLab CI configuration this is a non-recoverable failure.
+
+  # exit status 0-3 reserved for vulnix result.
   exit 4
 fi
 '
 
 # vulnix exits with an error status if there are vulnerabilities.  We told
 # GitLab to allow this by setting `allow_failure` to true in the GitLab CI
-# config.
-set +e
+# config.  vulnix exit status indicates what vulnix thinks happened.  If we
+# upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
+# based on this.
 nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
-exit $?
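Review bot: The new comment on lines 59-61 says the job status reflects what vulnix reports, but the status of `vulnix ./scan-target/ | tee "$OUTPUT"` on line 62 is the exit status of `tee`, not vulnix, unless `pipefail` is enabled; the script header and any `set` options are outside the hunk, so this holds only if `pipefail` is not set there. Dropping `set +e` and `exit $?` does not change this, since `$?` after the pipeline was already tee's status. Add `set -o pipefail` on the line before the `nix-shell` call (or, if the interpreter is bash, finish with `exit "${PIPESTATUS[0]}"`) so the job status tracks vulnix as the comment intends, which becomes load-bearing once GitLab's `exit_codes` is adopted. The `# exit status 0-3 reserved for vulnix result.` comment on line 50 would then be accurate for the script as a whole.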
-- 
GitLab