From 9402e4b582d68eafdd10829caa04964f52df8e41 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 21 Dec 2024 11:52:28 +0100
Subject: [PATCH 1/2] fix(deps): update module github.com/cenkalti/backoff/v4
 to v5 (#4601)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: qwerty287 <qwerty287@posteo.de>
Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
---
 agent/rpc/client_grpc.go | 3 +--
 go.mod                   | 2 +-
 go.sum                   | 2 ++
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/agent/rpc/client_grpc.go b/agent/rpc/client_grpc.go
index 74114f8dc..7ebe9e04d 100644
--- a/agent/rpc/client_grpc.go
+++ b/agent/rpc/client_grpc.go
@@ -20,7 +20,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/cenkalti/backoff/v4"
+	"github.com/cenkalti/backoff/v5"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -68,7 +68,6 @@ func (c *client) Close() error {
 
 func (c *client) newBackOff() backoff.BackOff {
 	b := backoff.NewExponentialBackOff()
-	b.MaxElapsedTime = 0
 	b.MaxInterval = 10 * time.Second          //nolint:mnd
 	b.InitialInterval = 10 * time.Millisecond //nolint:mnd
 	return b
diff --git a/go.mod b/go.mod
index fee93dee0..fcd7e9f3a 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/6543/logfile-open v1.2.1
 	github.com/adrg/xdg v0.5.3
 	github.com/bmatcuk/doublestar/v4 v4.7.1
-	github.com/cenkalti/backoff/v4 v4.3.0
+	github.com/cenkalti/backoff/v5 v5.0.0
 	github.com/charmbracelet/huh v0.6.0
 	github.com/charmbracelet/huh/spinner v0.0.0-20240327025511-ec643317aa10
 	github.com/distribution/reference v0.6.0
diff --git a/go.sum b/go.sum
index a3a27fceb..8c5298e8a 100644
--- a/go.sum
+++ b/go.sum
@@ -52,6 +52,8 @@ github.com/catppuccin/go v0.2.0 h1:ktBeIrIP42b/8FGiScP9sgrWOss3lw0Z5SktRoithGA=
 github.com/catppuccin/go v0.2.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v5 v5.0.0 h1:4ziwFuaVJicDO1ah1Nz1aXXV1caM28PFgf1V5TTFXew=
+github.com/cenkalti/backoff/v5 v5.0.0/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=

From e6aa0d839ac68a9b0618a105a6056db125d116f5 Mon Sep 17 00:00:00 2001
From: Patrick Schratz <patrick.schratz@gmail.com>
Date: Sat, 21 Dec 2024 11:52:56 +0100
Subject: [PATCH 2/2] Add rolling semver tags, remove `latest` tag (#4600)

Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
---
 .woodpecker/docker.yaml                       | 18 ++++++----------
 docker-compose.example.yaml                   |  4 ++--
 .../10-docker-compose.md                      | 21 ++++++++++++-------
 docs/src/pages/migrations.md                  |  5 +++++
 4 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/.woodpecker/docker.yaml b/.woodpecker/docker.yaml
index 16fbee026..0363b4693 100644
--- a/.woodpecker/docker.yaml
+++ b/.woodpecker/docker.yaml
@@ -197,8 +197,7 @@ steps:
       repo: *publish_repos_server
       dockerfile: docker/Dockerfile.server.multiarch
       platforms: *platforms_server
-      # remove 'latest' on older version branches to avoid accidental downgrade
-      tag: [latest, '${CI_COMMIT_TAG}']
+      tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}']
       logins: *publish_logins
     when: &when-release
       event: tag
@@ -211,8 +210,7 @@ steps:
       repo: *publish_repos_server
       dockerfile: docker/Dockerfile.server.alpine.multiarch
       platforms: *platforms_alpine
-      # remove 'latest-alpine' on older version branches to avoid accidental downgrade
-      tag: [latest-alpine, '${CI_COMMIT_TAG}-alpine']
+      tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins
     when: *when-release
 
@@ -292,8 +290,7 @@ steps:
       repo: *publish_repos_agent
       dockerfile: docker/Dockerfile.agent.multiarch
       platforms: *platforms_release
-      # remove 'latest' on older version branches to avoid accidental downgrade
-      tag: [latest, '${CI_COMMIT_TAG}']
+      tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
       logins: *publish_logins
       build_args: *build_args
     when: *when-release
@@ -309,8 +306,7 @@ steps:
       repo: *publish_repos_agent
       dockerfile: docker/Dockerfile.agent.alpine.multiarch
       platforms: *platforms_alpine
-      # remove 'latest-alpine' on older version branches to avoid accidental downgrade
-      tag: [latest-alpine, '${CI_COMMIT_TAG}-alpine']
+      tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins
       build_args: *build_args
     when: *when-release
@@ -388,8 +384,7 @@ steps:
       repo: *publish_repos_cli
       dockerfile: docker/Dockerfile.cli.multiarch
       platforms: *platforms_release
-      # remove 'latest' on older version branches to avoid accidental downgrade
-      tag: [latest, '${CI_COMMIT_TAG}']
+      tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
       logins: *publish_logins
       build_args: *build_args
     when: *when-release
@@ -405,8 +400,7 @@ steps:
       repo: *publish_repos_cli
       dockerfile: docker/Dockerfile.cli.alpine.multiarch
       platforms: *platforms_alpine
-      # remove 'latest-alpine' on older version branches to avoid accidental downgrade
-      tag: [latest-alpine, '${CI_COMMIT_TAG}-alpine']
+      tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins
       build_args: *build_args
     when: *when-release
diff --git a/docker-compose.example.yaml b/docker-compose.example.yaml
index 6ce862d79..f54121f7f 100644
--- a/docker-compose.example.yaml
+++ b/docker-compose.example.yaml
@@ -2,7 +2,7 @@ version: '3'
 
 services:
   woodpecker-server:
-    image: woodpeckerci/woodpecker-server:latest
+    image: woodpeckerci/woodpecker-server:v3
     ports:
       - 8000:8000
     networks:
@@ -21,7 +21,7 @@ services:
     depends_on:
       woodpecker-server:
         condition: service_healthy
-    image: woodpeckerci/woodpecker-agent:latest
+    image: woodpeckerci/woodpecker-agent:v3
     networks:
       - woodpecker
     volumes:
diff --git a/docs/docs/30-administration/05-deployment-methods/10-docker-compose.md b/docs/docs/30-administration/05-deployment-methods/10-docker-compose.md
index a00353d3a..a9d59c9d7 100644
--- a/docs/docs/30-administration/05-deployment-methods/10-docker-compose.md
+++ b/docs/docs/30-administration/05-deployment-methods/10-docker-compose.md
@@ -115,21 +115,26 @@ The server and agents use a shared secret to authenticate communication. This sh
 
 Image variants:
 
-- The `latest` image is the latest stable release
 - The `vX.X.X` images are stable releases
-- The `vX.X` images are based on the current release branch (e.g. `release/v1.0`) and can be used to get bugfixes asap
+- The `vX.X` images are based on the current release branch (e.g. `release/v1.0`) and can be used to get bug fixes asap
+- The `vX` same as `vX.X` variant but also includes feature releases
 - The `next` images are based on the current `main` branch
 
+:::note
+The `latest` tag is not available on purpose (and has been dropped with the 3.x release) to prevent accidental major version upgrades.
+Hence, users are forced to specify a fixed or rolling tag, omitting the tag identifier (which equals to pulling `latest` implicitly) won't work.
+:::
+
 ```bash
 # server
-docker pull woodpeckerci/woodpecker-server:latest
-docker pull woodpeckerci/woodpecker-server:latest-alpine
+docker pull woodpeckerci/woodpecker-server:v3
+docker pull woodpeckerci/woodpecker-server:v3-alpine
 
 # agent
-docker pull woodpeckerci/woodpecker-agent:latest
-docker pull woodpeckerci/woodpecker-agent:latest-alpine
+docker pull woodpeckerci/woodpecker-agent:v3
+docker pull woodpeckerci/woodpecker-agent:v3-alpine
 
 # cli
-docker pull woodpeckerci/woodpecker-cli:latest
-docker pull woodpeckerci/woodpecker-cli:latest-alpine
+docker pull woodpeckerci/woodpecker-cli:v3
+docker pull woodpeckerci/woodpecker-cli:v3-alpine
 ```
diff --git a/docs/src/pages/migrations.md b/docs/src/pages/migrations.md
index 86588173c..cc210585f 100644
--- a/docs/src/pages/migrations.md
+++ b/docs/src/pages/migrations.md
@@ -135,6 +135,11 @@ The following restructuring was done to achieve a more consistent grouping:
 
 ### Admin-facing migrations
 
+#### Image tags
+
+- The `latest` tag has been dropped to avoid accidental major version upgrades.
+  A dedicated semver tag specification must be used, i.e., either a fixed version (like `v3.0.0`) or a rolling tag (e.g. `v3.0` or `v3`).
+
 - Previously, some (official) plugins were granted the `privileged` option by default to allow simplified usage.
   To streamline this process and enhance security transparency, no plugin is granted the `privileged` options by default anymore.
   To allow the use of these plugins in >= 3.0, they must be set explicitly through `WOODPECKER_PLUGINS_PRIVILEGED` on the admin side.