fix: ensure --allow-self-signed works when placed before subcommand

The cli() function needs to accept the allow_self_signed parameter
to handle the case where --allow-self-signed is placed before the
subcommand (e.g., 'ggshield --allow-self-signed api-status').

Without this, the callback can't update the config at that stage
because ctx.obj is None, breaking backward compatibility.

Added test to verify both placements work:
- ggshield api-status --allow-self-signed ✓
- ggshield --allow-self-signed api-status ✓

Issue: SCRT-5952

Author: guischguardian

ggshield/__main__.py

@@ -81,6 +81,7 @@ def exit_code(ctx: click.Context, exit_code: int, **kwargs: Any) -> int:
 def cli(
     ctx: click.Context,
     *,
+    allow_self_signed: Optional[bool],
     insecure: Optional[bool],
     config_path: Optional[Path],
     **kwargs: Any,
@@ -100,8 +101,8 @@ def cli(
     # Update SSL verification settings in the config
     # TODO: this should be reworked: if a command which writes the config is called with
     # --insecure, the config will contain `insecure: true`.
-    if insecure:
-        user_config.insecure = insecure
+    if insecure or allow_self_signed:
+        user_config.insecure = True
 
     ctx_obj.config._dotenv_vars = load_dot_env()
 

tests/unit/cmd/test_status.py

@@ -135,6 +135,25 @@ def test_ssl_verify(cli_fs_runner, verify):
         assert kwargs["session"].verify == verify
 
 
+@pytest.mark.parametrize(
+    "cmd",
+    [
+        ["api-status", "--allow-self-signed"],
+        ["--allow-self-signed", "api-status"],
+    ],
+)
+def test_allow_self_signed_backward_compatibility(cli_fs_runner, cmd):
+    """
+    GIVEN the deprecated --allow-self-signed flag
+    WHEN it's placed before or after the subcommand
+    THEN SSL verification is disabled in both cases (backward compatibility)
+    """
+    with mock.patch("ggshield.core.client.GGClient") as client_mock:
+        cli_fs_runner.invoke(cli, cmd)
+        _, kwargs = client_mock.call_args
+        assert kwargs["session"].verify is False
+
+
 @pytest.mark.parametrize("command", ["api-status", "quota"])
 def test_instance_option(cli_fs_runner, command):
     """