mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2024-11-12 12:15:00 +00:00
Code Issues Projects Releases Wiki Activity

Warn if using secrets/env with plugin (#4027)

Browse source
This commit is contained in:
qwerty287 2024-08-15 07:40:14 +02:00 committed by GitHub
parent b8c1d68eb1
commit 289f530b2b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 11 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
docs/docs/20-usage/51-plugins/51-overview.md
View file

@ -50,9 +50,10 @@ steps:
Plugins are just pipeline steps. They share the build workspace, mounted as a volume, and therefore have access to your source tree.
While normal steps are all about arbitrary code execution, plugins should only allow the functions intended by the plugin author.
So there are a few limitations, like the workspace base is always mounted at `/woodpecker`, but the working directory is dynamically adjusted accordingly. So as user of a plugin you should not have to care about this.
Also instead of using environment variables the plugin should only care about one prefixed with `PLUGIN_` witch are the internal representation of the **settings** ([read more](./20-creating-plugins.md)).
That's why there are a few limitations. The workspace base is always mounted at `/woodpecker`, but the working directory is dynamically
adjusted accordingly, as user of a plugin you should not have to care about this. Also, you cannot use the plugin together with `commands`
or `entrypoint` which will fail. Using `secrets` or `environment` is possible, but in this case, the plugin is internally not treated as plugin
anymore. The container then cannot access secrets with plugin filter anymore and the containers won't be privileged without explicit definition.
## Finding Plugins

5
pipeline/frontend/yaml/linter/linter.go
View file

@ -143,7 +143,10 @@ func (l *Linter) lintSettings(config *WorkflowConfig, c *types.Container, field
return newLinterError("Cannot configure both entrypoint and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
}
if len(c.Environment) != 0 {
return newLinterError("Cannot configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
return newLinterError("Should not configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), true)
}
if len(c.Secrets.Secrets) != 0 {
return newLinterError("Should not configure both secrets and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), true)
}
return nil
}

2
pipeline/frontend/yaml/linter/linter_test.go
View file

@ -163,7 +163,7 @@ func TestLintErrors(t *testing.T) {
},
{
from: "steps: { build: { image: golang, settings: { test: 'true' }, environment: [ 'TEST=true' ] } }",
want: "Cannot configure both environment and settings",
want: "Should not configure both environment and settings",
},
{
from: "{pipeline: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push } }",

3
pipeline/frontend/yaml/linter/schema/schema.json
View file

@ -448,9 +448,6 @@
"directory": {
"$ref": "#/definitions/step_directory"
},
"secrets": {
"$ref": "#/definitions/step_secrets"
},
"settings": {
"$ref": "#/definitions/step_settings"
},

3
pipeline/frontend/yaml/types/container.go
View file

@ -124,7 +124,8 @@ func (c *ContainerList) UnmarshalYAML(value *yaml.Node) error {
func (c *Container) IsPlugin() bool {
return len(c.Commands) == 0 &&
len(c.Entrypoint) == 0 &&
len(c.Environment) == 0
len(c.Environment) == 0 &&
len(c.Secrets.Secrets) == 0
}
func (c *Container) IsTrustedCloneImage() bool {