Update GitGuardian/ggshield action to v1.51.0 #348
Merged
Removed the prepare job and its associated steps from the release workflow.
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
This PR contains the following updates:
v1.50.4 → v1.51.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
GitGuardian/ggshield (GitGuardian/ggshield)
v1.51.0: 1.51.0
Added
- ggshield auth login --method oob for browser-less environments (SSH sessions, headless servers). Prints the authorization URL, lets you open it on another device, and exchanges the code you paste back into the terminal. Uses the OAuth out-of-band sentinel (urn:ietf:wg:oauth:2.0:oob) — requires a server that supports it.
- Detection of MCP servers installed with Claude plugins or Claude.ai
- Add Codex support to ggshield secret scan ai-hook and ggshield install -t codex. (thanks to trickyfalcon)
- Detect MCP servers installed with Cursor plugins or Cursor extensions.
- Release binaries published to GitHub Releases now ship with GitHub Artifact Attestations, providing signed SLSA build provenance. Users can verify a downloaded asset with gh attestation verify <file> --repo GitGuardian/ggshield, and tool managers such as mise (via the aqua backend) will verify automatically at install time.
- ggshield plugin install/update/status now discover and pull plugins from the GitGuardian instance the user is authenticated against, replacing the hard-coded GitHub release URL. Streaming download + sigstore bundle proxying happen via /v1/endpoints/plugins/<reference>/{download,signature}. Requires the matching backend feature.
- New vscode alias to "copilot" for hook installation.
- ggshield api-status now displays the workspace ID associated with the current token, in both text and JSON output.
Changed
- Successful API key checks are now cached on disk for 5 minutes.
- ggshield plugin list now renders the install source from the manifest verbatim (platform, local file, url, github release, github artifact) instead of local/pip. Plugins installed without a manifest still fall back to pip (entry-point only) or on-disk.
- AI hooks naively try to detect file read by shell commands.
Fixed
- Fixed plugin signature verification in PyInstaller-based packages by bundling sigstore's embedded TUF trust roots.
- Fixed uv tool install ggshield resolution by requiring sigstore 4, avoiding sigstore 3's transitive pre-release dependency on betterproto.
- The documentation of the ai discover command.
- Skip OS keyring access at startup when GITGUARDIAN_API_KEY is set in the environment (or in a .env file). This avoids redundant keychain unlock prompts on systems using multiple ggshield instances.
- Scans no longer fail on a single transient network glitch. ggshield retries connection errors (e.g. ConnectionResetError) and 502/503/504 responses with bounded exponential backoff (~15 s budget with jitter). ggshield secret scan pre-receive uses a minimal retry policy instead so it stays inside GitHub Enterprise Server's fixed 5 s pre-receive hook timeout.
- Fixed AI hooks support for Copilot CLI.
- (AI hooks): the command that leaked a secret is now shown in the notification message.
- MCP configuration parsing improved for VSCode, Copilot CLI and Codex.
- Plugin installs and updates now enable the canonical ggshield.plugins entry point instead of the wheel package name, migrating any pre-existing alias row (and preserving its auto_update setting), and local plugin wheels extract into the active runtime cache so mixed root/admin and user executions do not silently lose registered commands.
- ggshield now prunes stale extracted plugin wheel caches during plugin load and removes a plugin's extracted cache on uninstall, preventing old wheel versions from accumulating in the cache directory.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.