mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2025-01-10 17:45:36 +00:00
Warn if using secrets/env with plugin (#4027)
parent
b8c1d68eb1
commit
289f530b2b
5 changed files with 11 additions and 9 deletions
|
@ -50,9 +50,10 @@ steps:
|
||||||
Plugins are just pipeline steps. They share the build workspace, mounted as a volume, and therefore have access to your source tree.
|
Plugins are just pipeline steps. They share the build workspace, mounted as a volume, and therefore have access to your source tree.
|
||||||
While normal steps are all about arbitrary code execution, plugins should only allow the functions intended by the plugin author.
|
While normal steps are all about arbitrary code execution, plugins should only allow the functions intended by the plugin author.
|
||||||
|
|
||||||
So there are a few limitations, like the workspace base is always mounted at `/woodpecker`, but the working directory is dynamically adjusted accordingly. So as user of a plugin you should not have to care about this.
|
That's why there are a few limitations. The workspace base is always mounted at `/woodpecker`, but the working directory is dynamically
|
||||||
|
adjusted accordingly, as user of a plugin you should not have to care about this. Also, you cannot use the plugin together with `commands`
|
||||||
Also instead of using environment variables the plugin should only care about one prefixed with `PLUGIN_` witch are the internal representation of the **settings** ([read more](./20-creating-plugins.md)).
|
or `entrypoint` which will fail. Using `secrets` or `environment` is possible, but in this case, the plugin is internally not treated as plugin
|
||||||
|
anymore. The container then cannot access secrets with plugin filter anymore and the containers won't be privileged without explicit definition.
|
||||||
|
|
||||||
## Finding Plugins
|
## Finding Plugins
|
||||||
|
|
||||||
|
|
|
@ -143,7 +143,10 @@ func (l *Linter) lintSettings(config *WorkflowConfig, c *types.Container, field
|
||||||
return newLinterError("Cannot configure both entrypoint and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
|
return newLinterError("Cannot configure both entrypoint and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
|
||||||
}
|
}
|
||||||
if len(c.Environment) != 0 {
|
if len(c.Environment) != 0 {
|
||||||
return newLinterError("Cannot configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
|
return newLinterError("Should not configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), true)
|
||||||
|
}
|
||||||
|
if len(c.Secrets.Secrets) != 0 {
|
||||||
|
return newLinterError("Should not configure both secrets and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), true)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
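Review bot: The two new warning strings in lintSettings do not say what actually changes for the user. According to the documentation edit in this commit, a step with `environment` or `secrets` stops being treated as a plugin, can no longer access secrets that use a plugin filter, and is not privileged unless that is defined explicitly. Because the check no longer fails the lint, the pipeline will run in that mode, so the text should name the consequence, e.g. `"Should not configure both secrets and settings: the step will not be treated as a plugin"`. The environment branch also returns before the secrets check, so a step that sets both only reports the environment warning. lintSettings begins above the hunk, so how its caller collects warnings is not visible here.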
@ -163,7 +163,7 @@ func TestLintErrors(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
from: "steps: { build: { image: golang, settings: { test: 'true' }, environment: [ 'TEST=true' ] } }",
|
from: "steps: { build: { image: golang, settings: { test: 'true' }, environment: [ 'TEST=true' ] } }",
|
||||||
want: "Cannot configure both environment and settings",
|
want: "Should not configure both environment and settings",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
from: "{pipeline: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push } }",
|
from: "{pipeline: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push } }",
|
||||||
|
|
|
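Review bot: No table entry covers the new secrets-with-settings branch of lintSettings; only the `want` string of the existing environment case was updated. An entry such as `{ from: "steps: { build: { image: golang, settings: { test: 'true' }, secrets: [ 'TEST' ] } }", want: "Should not configure both secrets and settings" },` would pin it. Both messages now appear to be emitted as warnings (the last argument to newLinterError changed to true) but are still asserted in TestLintErrors. The test body is outside the hunk, so it is worth confirming that it matches warnings and errors the same way.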
@ -448,9 +448,6 @@
|
||||||
"directory": {
|
"directory": {
|
||||||
"$ref": "#/definitions/step_directory"
|
"$ref": "#/definitions/step_directory"
|
||||||
},
|
},
|
||||||
"secrets": {
|
|
||||||
"$ref": "#/definitions/step_secrets"
|
|
||||||
},
|
|
||||||
"settings": {
|
"settings": {
|
||||||
"$ref": "#/definitions/step_settings"
|
"$ref": "#/definitions/step_settings"
|
||||||
},
|
},
|
||||||
|
|
|
@ -124,7 +124,8 @@ func (c *ContainerList) UnmarshalYAML(value *yaml.Node) error {
|
||||||
func (c *Container) IsPlugin() bool {
|
func (c *Container) IsPlugin() bool {
|
||||||
return len(c.Commands) == 0 &&
|
return len(c.Commands) == 0 &&
|
||||||
len(c.Entrypoint) == 0 &&
|
len(c.Entrypoint) == 0 &&
|
||||||
len(c.Environment) == 0
|
len(c.Environment) == 0 &&
|
||||||
|
len(c.Secrets.Secrets) == 0
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Container) IsTrustedCloneImage() bool {
|
func (c *Container) IsTrustedCloneImage() bool {
|
||||||
|
|
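Review bot: IsPlugin has no doc comment, although per the documentation edit in this commit its result decides whether a step can access secrets with a plugin filter and whether the container is privileged without explicit definition. I would add `// IsPlugin reports whether the step is handled as a plugin: it sets no commands, entrypoint, environment or secrets.` and a second comment line noting that the result gates those privileges, so any new user-controlled field that affects how the container runs must be checked here as well. The callers are outside this hunk, so which code paths rely on the predicate should be confirmed when writing the comment.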