Merge branch 'origin/main' into 'next-release/main'

docs/docs/20-usage/75-project-settings.md

@@ -40,9 +40,16 @@ Only server admins can set this option. If you are not a server admin this optio
 
 :::
 
-## Only inject netrc credentials into trusted containers
+## Only inject netrc credentials into trusted clone plugins
 
-Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.
+The clone step may require git credentials (e.g. for private repos) which are injected via `netrc`.
+
+By default, they are only injected into trusted clone plugins listed in the env var `WOODPECKER_PLUGINS_TRUSTED_CLONE`.
+If this option is disabled, the git credentials are injected into every clone plugin, regardless of whether it is trusted or not.
+
+:::note
+This option has no effect on steps other than the clone step.
+:::
 
 ## Project visibility
 

docs/plugins/woodpecker-plugins/plugins.json

@@ -32,7 +32,7 @@
     },
     {
       "name": "Prettier",
-      "docs": "https://raw.githubusercontent.com/woodpecker-ci/plugin-prettier/main/docs.md",
+      "docs": "https://codeberg.org/woodpecker-plugins/prettier/raw/branch/main/docs.md",
       "verified": true
     },
     {

docs/versioned_docs/version-1.0/20-usage/71-project-settings.md

@@ -33,9 +33,16 @@ Only server admins can set this option. If you are not a server admin this optio
 
 :::
 
-### Only inject netrc credentials into trusted containers
+### Only inject netrc credentials into trusted clone plugins
 
-Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.
+The clone step may require git credentials (e.g. for private repos) which are injected via `netrc`.
+
+By default, they are only injected into trusted clone plugins listed in the env var `WOODPECKER_PLUGINS_TRUSTED_CLONE`.
+If this option is disabled, the git credentials are injected into every clone plugin, regardless of whether it is trusted or not.
+
+:::note
+This option has no effect on steps other than the clone step.
+:::
 
 ## Project visibility
 

docs/versioned_docs/version-2.5/20-usage/75-project-settings.md

@@ -40,9 +40,16 @@ Only server admins can set this option. If you are not a server admin this optio
 
 :::
 
-## Only inject netrc credentials into trusted containers
+## Only inject netrc credentials into trusted clone plugins
 
-Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.
+The clone step may require git credentials (e.g. for private repos) which are injected via `netrc`.
+
+By default, they are only injected into trusted clone plugins listed in the env var `WOODPECKER_PLUGINS_TRUSTED_CLONE`.
+If this option is disabled, the git credentials are injected into every clone plugin, regardless of whether it is trusted or not.
+
+:::note
+This option has no effect on steps other than the clone step.
+:::
 
 ## Project visibility
 

docs/versioned_docs/version-2.6/20-usage/75-project-settings.md

@@ -40,9 +40,16 @@ Only server admins can set this option. If you are not a server admin this optio
 
 :::
 
-## Only inject netrc credentials into trusted containers
+## Only inject netrc credentials into trusted clone plugins
 
-Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.
+The clone step may require git credentials (e.g. for private repos) which are injected via `netrc`.
+
+By default, they are only injected into trusted clone plugins listed in the env var `WOODPECKER_PLUGINS_TRUSTED_CLONE`.
+If this option is disabled, the git credentials are injected into every clone plugin, regardless of whether it is trusted or not.
+
+:::note
+This option has no effect on steps other than the clone step.
+:::
 
 ## Project visibility
 

docs/versioned_docs/version-2.7/20-usage/75-project-settings.md

@@ -40,9 +40,16 @@ Only server admins can set this option. If you are not a server admin this optio
 
 :::
 
-## Only inject netrc credentials into trusted containers
+## Only inject netrc credentials into trusted clone plugins
 
-Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted ([see above](#trusted)) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.
+The clone step may require git credentials (e.g. for private repos) which are injected via `netrc`.
+
+By default, they are only injected into trusted clone plugins listed in the env var `WOODPECKER_PLUGINS_TRUSTED_CLONE`.
+If this option is disabled, the git credentials are injected into every clone plugin, regardless of whether it is trusted or not.
+
+:::note
+This option has no effect on steps other than the clone step.
+:::
 
 ## Project visibility
 

pipeline/frontend/yaml/linter/schema/.woodpecker/test-step.yaml

@@ -38,15 +38,6 @@ steps:
     commands:
       - go test
 
-  secrets:
-    image: docker
-    commands:
-      - echo $DOCKER_USERNAME
-      - echo $DOCKER_PASSWORD
-    secrets:
-      - docker_username
-      - docker_prod_password
-
   detached:
     image: redis
     detach: true

pipeline/frontend/yaml/linter/schema/schema.json

@@ -286,9 +286,6 @@
         "directory": {
           "$ref": "#/definitions/step_directory"
         },
-        "secrets": {
-          "$ref": "#/definitions/step_secrets"
-        },
         "when": {
           "$ref": "#/definitions/step_when"
         },
@@ -616,14 +613,6 @@
         "type": ["boolean", "string", "number", "array", "object"]
       }
     },
-    "step_secrets": {
-      "description": "Pass secrets to a pipeline step at runtime. Read more: https://woodpecker-ci.org/docs/usage/secrets",
-      "type": "array",
-      "items": {
-        "type": "string"
-      },
-      "minLength": 1
-    },
     "step_settings": {
       "description": "Change the settings of your plugin. Read more: https://woodpecker-ci.org/docs/usage/plugins/overview",
       "type": "object",
@@ -845,9 +834,6 @@
         "directory": {
           "$ref": "#/definitions/step_directory"
         },
-        "secrets": {
-          "$ref": "#/definitions/step_secrets"
-        },
         "settings": {
           "$ref": "#/definitions/step_settings"
         },

web/src/assets/locales/en.json

@@ -93,8 +93,8 @@
           "desc": "Every pipeline needs to be approved before being executed."
         },
         "netrc_only_trusted": {
-          "netrc_only_trusted": "Only inject netrc credentials into trusted containers",
+          "netrc_only_trusted": "Only inject netrc credentials into trusted clone plugins",
-          "desc": "Only inject netrc credentials into trusted containers (recommended)."
+          "desc": "If enabled, git netrc credentials are only available for trusted clone plugins set in `WOODPECKER_PLUGINS_TRUSTED_CLONE`. Otherwise, all clone plugins can use the netrc credentials. This option has no effect on non-clone steps."
         },
         "trusted": {
           "trusted": "Trusted",