
Removing hardcoded options in GHA docker run and providing output configuration #4068


Open. kellydunn wants to merge 7 commits into base: main

Conversation

kellydunn

@kellydunn kellydunn commented Apr 18, 2025

Description:

When using the trufflesecurity/trufflehog GitHub Action, there's currently no way to configure --fail in the GitHub Action itself, as it is hardcoded in action.yml here.

Additionally, it's helpful to be able to take the very useful output of trufflehog and process it in our own actions so we can aggregate the data to our observability tools. To enable this, this PR also provides an output block that enables developers to reference trufflehog output in their actions via ${{ steps.trufflehog.outputs.results }}

This way, developers can run the GitHub Action like so:

      - name: Run Trufflehog
        id: trufflehog
        uses: trufflesecurity/trufflehog@main
        with:
          base: <base>
          head: <head>
          no_fail: "true"
          extra_args: "--json --results=verified,unknown"

      - name: Use Output
        id: use-output
        env:
          # Hand the results to the script through an environment variable
          # instead of interpolating ${{ }} directly into the run body: the
          # output contains matched secret text and JSON quoting, which would
          # otherwise be expanded as shell syntax before the step runs.
          RESULTS: ${{ steps.trufflehog.outputs.results }}
        run: |
          printf '%s\n' "$RESULTS" | jq -s | ./bin/script

Update: This PR now also includes a more explicit mounting of ${{ github.workspace }} to the docker container, as before the relative path being mounted to /tmp wouldn't pick up any changes when providing commit ranges to the scan.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
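The PR describes piping the action's `results` output through `jq -s` into a script of the developer's own. The following is an added example of what such a consumer might look like; it is not part of this PR or of trufflehog. It reads either raw NDJSON (one finding per line, as `--json` emits) or the JSON array that `jq -s` produces, strips the secret-bearing fields before anything is forwarded to an observability tool, aggregates counts per detector and verification status, and reproduces the exit-183 decision that the hardcoded `--fail` used to make so a workflow that sets `no_fail: "true"` can still gate on its own terms. The field names (`DetectorName`, `Verified`, `Raw`, `RawV2`, `Redacted`, `SourceMetadata.Data.Git`) and the sample records are assumptions constructed for this example.

```python
import json
import os
import sys
from collections import Counter

# Constructed sample records shaped like trufflehog --json NDJSON output.
# The field names are an assumption for this example; the values are fake.
SAMPLE_NDJSON = (
    '{"SourceMetadata":{"Data":{"Git":{"commit":"abc123","file":"config/prod.env","line":7}}},'
    '"DetectorName":"AWS","Verified":true,"Raw":"AKIAIOSFODNN7EXAMPLE","Redacted":"AKIA**********"}\n'
    '{"SourceMetadata":{"Data":{"Git":{"commit":"abc123","file":"README.md","line":42}}},'
    '"DetectorName":"Slack","Verified":false,"Raw":"xoxb-not-a-real-token","Redacted":"xoxb****"}\n'
    '{"SourceMetadata":{"Data":{"Git":{"commit":"def456","file":"deploy.sh","line":3}}},'
    '"DetectorName":"AWS","Verified":false,"Raw":"AKIAEXAMPLE2","Redacted":"AKIA*****"}\n'
)

# Exit code trufflehog --fail uses when findings exist (as discussed in this PR).
FAIL_EXIT_CODE = 183


def parse_results(text: str) -> list[dict]:
    """Accept raw NDJSON from trufflehog or the JSON array produced by `jq -s`."""
    stripped = text.strip()
    if not stripped:
        return []
    if stripped.startswith("["):
        return [rec for rec in json.loads(stripped) if isinstance(rec, dict)]
    findings = []
    for line in stripped.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # tolerate stray non-JSON log lines
        findings.append(json.loads(line))
    return findings


def sanitize(finding: dict) -> dict:
    """Allowlist the fields safe to ship; Raw/RawV2 (the secret itself) never copied."""
    git = finding.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
    return {
        "detector": finding.get("DetectorName", "unknown"),
        "verified": bool(finding.get("Verified", False)),
        "redacted": finding.get("Redacted", ""),
        "commit": git.get("commit", ""),
        "file": git.get("file", ""),
        "line": git.get("line", 0),
    }


def summarize(findings: list[dict]) -> dict:
    """Aggregate counts for dashboards, carrying only sanitized records."""
    records = [sanitize(f) for f in findings]
    verified = sum(1 for r in records if r["verified"])
    return {
        "total": len(records),
        "verified": verified,
        "unverified": len(records) - verified,
        "by_detector": dict(Counter(r["detector"] for r in records)),
        "records": records,
    }


def exit_code(summary: dict, no_fail: bool) -> int:
    """Mirror --fail: 183 when any finding was reported, unless no_fail is set."""
    if no_fail or summary["total"] == 0:
        return 0
    return FAIL_EXIT_CODE


if __name__ == "__main__":
    # Read the piped results when present; fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NDJSON
    summary = summarize(parse_results(raw))
    print(json.dumps(summary, indent=2))
    sys.exit(exit_code(summary, no_fail=os.environ.get("NO_FAIL") == "true"))
```

Because `sanitize` copies an allowlist of fields rather than deleting `Raw`, a new secret-bearing field added upstream cannot slip into the aggregated output by default. The `NO_FAIL` environment variable in the `__main__` block is an assumed name for this example, not an input of the action.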

@kellydunn kellydunn requested a review from a team as a code owner April 18, 2025 01:20
CLAassistant commented Apr 18, 2025

CLA assistant check
All committers have signed the CLA.

kashifkhan0771 (Contributor)

Hi @kellydunn, thanks for submitting the PR. Can you please sign the CLA?

action.yml Outdated
ghcr.io/trufflesecurity/trufflehog:${VERSION} \
git file:///tmp/ \
--since-commit \
${BASE:-''} \
--branch \
${HEAD:-''} \
--fail \
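Review bot: the unset-variable fallbacks in `${BASE:-''}` and `${HEAD:-''}` expand to an empty, unquoted word, which the shell drops after word splitting, so when BASE is empty the command becomes `--since-commit --branch ...` and `--since-commit` consumes the next flag as its value instead of being omitted. Build the argument list conditionally and quote the expansions, e.g. `args=(); [ -n "$BASE" ] && args+=(--since-commit "$BASE")`, then pass `"${args[@]}"`; the same applies to `--fail` once it is gated on the new `no_fail` input rather than hardcoded here.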
Contributor

Hey @kellydunn, thanks for this! This definitely looks like a really useful feature for workflows integrating this action.

One question, particularly about the removal of the --fail argument. Does this change alter the expected behavior of the workflow, i.e. fail and exit with a 183 code if a secret is detected (ref)? If so, this may impact any setups that rely on this failure behavior as a guardrail.

Would it make sense to make this behavior configurable, i.e. fail by default, unless explicitly disabled?

Author

Hello! And fair question! I could see how this might impact workflows that rely on default fail behavior; explicitly opting out of --fail seems reasonable. I'll take a swing at providing a GHA input control similar to the base and head parameters in the workflow.

Author

@nabeelalam, just pushed up 6d2c6cc. We've tested this with our setup, and we can confirm that by default this will preserve the behavior of exiting with 183 unless a user explicitly provides a no_fail value in their workflow action. Lmk what you think.

Author

@nabeelalam Checking in here, anything else you'd like to see? Mind giving the updates a review?

@kellydunn kellydunn force-pushed the gha-fix branch 2 times, most recently from e194d8f to c00a72c Compare June 9, 2025 19:07
…figuration

outputting results

outputting results

outputting results

outputting results

outputting results

outputting results

outputting results

Attempting to mount github workspace for commit scans

Adding back in hardcoded options, but electing to use GHA vars

Adding in explicit no_fail input and check

Removing conditional break
@kellydunn kellydunn requested a review from nabeelalam June 26, 2025 18:38