mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-11-13 20:51:41 +00:00
Warn if using secrets/env with plugin (#4027)
This commit is contained in:
parent
b8c1d68eb1
commit
289f530b2b
5 changed files with 11 additions and 9 deletions
|
@ -50,9 +50,10 @@ steps:
|
|||
Plugins are just pipeline steps. They share the build workspace, mounted as a volume, and therefore have access to your source tree.
|
||||
While normal steps are all about arbitrary code execution, plugins should only allow the functions intended by the plugin author.
|
||||
|
||||
So there are a few limitations, like the workspace base is always mounted at `/woodpecker`, but the working directory is dynamically adjusted accordingly. So as user of a plugin you should not have to care about this.
|
||||
|
||||
Also instead of using environment variables the plugin should only care about one prefixed with `PLUGIN_` witch are the internal representation of the **settings** ([read more](./20-creating-plugins.md)).
|
||||
That's why there are a few limitations. The workspace base is always mounted at `/woodpecker`, but the working directory is dynamically
|
||||
adjusted accordingly, as user of a plugin you should not have to care about this. Also, you cannot use the plugin together with `commands`
|
||||
or `entrypoint` which will fail. Using `secrets` or `environment` is possible, but in this case, the plugin is internally not treated as plugin
|
||||
anymore. The container then cannot access secrets with plugin filter anymore and the containers won't be privileged without explicit definition.
|
||||
|
||||
## Finding Plugins
|
||||
|
||||
|
|
|
@ -143,7 +143,10 @@ func (l *Linter) lintSettings(config *WorkflowConfig, c *types.Container, field
|
|||
return newLinterError("Cannot configure both entrypoint and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
|
||||
}
|
||||
if len(c.Environment) != 0 {
|
||||
return newLinterError("Cannot configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), false)
|
||||
return newLinterError("Should not configure both environment and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), true)
|
||||
}
|
||||
if len(c.Secrets.Secrets) != 0 {
|
||||
return newLinterError("Should not configure both secrets and settings", config.File, fmt.Sprintf("%s.%s", field, c.Name), true)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -163,7 +163,7 @@ func TestLintErrors(t *testing.T) {
|
|||
},
|
||||
{
|
||||
from: "steps: { build: { image: golang, settings: { test: 'true' }, environment: [ 'TEST=true' ] } }",
|
||||
want: "Cannot configure both environment and settings",
|
||||
want: "Should not configure both environment and settings",
|
||||
},
|
||||
{
|
||||
from: "{pipeline: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push } }",
|
||||
|
|
|
@ -448,9 +448,6 @@
|
|||
"directory": {
|
||||
"$ref": "#/definitions/step_directory"
|
||||
},
|
||||
"secrets": {
|
||||
"$ref": "#/definitions/step_secrets"
|
||||
},
|
||||
"settings": {
|
||||
"$ref": "#/definitions/step_settings"
|
||||
},
|
||||
|
|
|
@ -124,7 +124,8 @@ func (c *ContainerList) UnmarshalYAML(value *yaml.Node) error {
|
|||
func (c *Container) IsPlugin() bool {
|
||||
return len(c.Commands) == 0 &&
|
||||
len(c.Entrypoint) == 0 &&
|
||||
len(c.Environment) == 0
|
||||
len(c.Environment) == 0 &&
|
||||
len(c.Secrets.Secrets) == 0
|
||||
}
|
||||
|
||||
func (c *Container) IsTrustedCloneImage() bool {
|
||||
|
|
Loading…
Reference in a new issue