Merge pull request #970 from GitGuardian/agateau/ignore-git-config

Fix parsing patches when the diff.noprefix git config option is set

changelog.d/20240927_093833_aurelien.gateau_ignore_git_config.md

@@ -0,0 +1,3 @@
+### Fixed
+
+- Fixed a case where ggshield commit parser could fail because of the local git configuration.

docker/actions-iac-entrypoint.sh

@@ -1,15 +1,4 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# AUTOGENERATED FILE, DO NOT EDIT!
-# This file has been generated by the `action-entrypoint-generator` script
-# defined in `scripts/action-entrypoint-generator`. To make changes to this
-# file, modify the script and rerun it.
-
-
-# Mark the current directory as safe. If we don't do this, git commands fail
-# because the source in $PWD is owned by a different user than our `app` user.
-git config --global --add safe.directory "$PWD"
-
-
 args=("$@")
-ggshield iac scan ci ${args[@]}
+exec /app/docker/entrypoint.sh ggshield iac scan ci ${args[@]}

docker/actions-sca-entrypoint.sh

@@ -1,15 +1,4 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# AUTOGENERATED FILE, DO NOT EDIT!
-# This file has been generated by the `action-entrypoint-generator` script
-# defined in `scripts/action-entrypoint-generator`. To make changes to this
-# file, modify the script and rerun it.
-
-
-# Mark the current directory as safe. If we don't do this, git commands fail
-# because the source in $PWD is owned by a different user than our `app` user.
-git config --global --add safe.directory "$PWD"
-
-
 args=("$@")
-ggshield sca scan ci -v ${args[@]}
+exec /app/docker/entrypoint.sh ggshield sca scan ci -v ${args[@]}

docker/actions-secret-entrypoint.sh

@@ -1,15 +1,4 @@
 #!/usr/bin/env bash
 set -euo pipefail
-# AUTOGENERATED FILE, DO NOT EDIT!
-# This file has been generated by the `action-entrypoint-generator` script
-# defined in `scripts/action-entrypoint-generator`. To make changes to this
-# file, modify the script and rerun it.
-
-
-# Mark the current directory as safe. If we don't do this, git commands fail
-# because the source in $PWD is owned by a different user than our `app` user.
-git config --global --add safe.directory "$PWD"
-
-
 args=("$@")
-ggshield secret scan -v ${args[@]} ci
+exec /app/docker/entrypoint.sh ggshield secret scan -v ${args[@]} ci

docker/entrypoint.sh

@@ -1,8 +1,12 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+export GG_GIT_CONFIG=/tmp/ggshield-git-config
+
 # Mark the current directory as safe. If we don't do this, git commands fail
 # because the source in $PWD is owned by a different user than our `app` user.
-git config --global --add safe.directory "$PWD"
+#
+# We use our own git config because ggshield ignores the global git configuration file.
+git config --file "$GG_GIT_CONFIG" --add safe.directory "$PWD"
 
 exec "$@"

ggshield/utils/git_shell.py

@@ -189,7 +189,12 @@ def git(
 ) -> str:
     """Calls git with the given arguments, returns stdout as a string"""
     env = os.environ.copy()
+    # Ensure git messages are in English
     env["LANG"] = "C"
+    # Ensure git behavior is not affected by the user git configuration, but give us a
+    # way to set some configuration (useful for safe.directory)
+    env["GIT_CONFIG_GLOBAL"] = os.getenv("GG_GIT_CONFIG", "")
+    env["GIT_CONFIG_SYSTEM"] = ""
 
     if cwd is None:
         cwd = Path.cwd()

tests/conftest.py

@@ -75,18 +75,6 @@ def is_windows():
 """
 
 
-@pytest.fixture(scope="session", autouse=True)
-def isolated_git():
-    """
-    Don't use any of the existing Git config
-
-    NOTE: As the fixture is scoped to the session we don't have to restore the
-        original values.
-    """
-    os.environ["GIT_CONFIG_GLOBAL"] = ""
-    os.environ["GIT_CONFIG_SYSTEM"] = ""
-
-
 @pytest.fixture(autouse=True)
 def do_not_use_real_user_dirs(monkeypatch, tmp_path):
     """