Just cannot use exit_codes, it is too new a feature

.gitlab-ci.yml

@@ -10,19 +10,11 @@ unit-tests:
 
 vulnerability-scan:
   stage: "test"
-  allow_failure:
-    # https://docs.gitlab.com/ee/ci/yaml/README.html#allow_failureexit_codes
-    exit_codes:
-      # Allow *some* exit codes through without treating them as
-      # pipeline-failing conditions.
-      # https://github.com/flyingcircusio/vulnix/blob/master/doc/vulnix.1.md
-
-      # All found errors are whitelisted
-      - 1
-      # Vulnerabilities found, but still, please don't halt the build.
-      - 2
-
-
+  # It would be nice to target this a bit more specifically.  If we upgrade to
+  # a newer GitLab (13.11?) then we can select exit codes that are allowed.
+  # For now we're stuck with true/false though.
+  # https://whetstone.privatestorage.io/help/ci/yaml/README.md#allow_failure
+  allow_failure: true
   script:
     - "ci-tools/vulnerability-scan security-report.txt"
   artifacts:

ci-tools/vulnerability-scan

@@ -26,14 +26,15 @@ if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
   ln -s "$object" scan-target
 else
   echo "$morph_result"
-  # Signal to the GitLab CI configuration this is a non-recoverable failure.
+
+  # exit status 0-3 reserved for vulnix result.
   exit 4
 fi
 '
 
 # vulnix exits with an error status if there are vulnerabilities.  We told
 # GitLab to allow this by setting `allow_failure` to true in the GitLab CI
-# config.
-set +e
+# config.  vulnix exit status indicates what vulnix thinks happened.  If we
+# upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
+# based on this.
 nix-shell -p vulnix --run 'vulnix ./scan-target/' | tee "$OUTPUT"
-exit $?