Allow admins to specify priviledged plugins by name **and tag** (#4075)

previous the tags where ignored, now we respect them if set

docs/docs/30-administration/10-server-config.md

@@ -354,6 +354,8 @@ a user can log into Woodpecker, without re-authentication.
 
 Docker images to run in privileged mode. Only change if you are sure what you do!
 
+You should specify the tag of your images too, as this enforces exact matches.
+
 ### WOODPECKER_PLUGINS_TRUSTED_CLONE
 
 > Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)

docs/docs/91-migrations.md

@@ -5,7 +5,7 @@ Some versions need some changes to the server configuration or the pipeline conf
 ## `next`
 
 - `WOODPECKER_DEFAULT_CLONE_IMAGE` got depricated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
-- Check trusted-clone-plugins by image name and tag (if tag is set)
+- Check trusted-clone- and priviledged-plugins by image name and tag (if tag is set)
 - Remove `plugins/docker`, `plugins/gcr` and `plugins/ecr` from the default list of privileged plugins ([modify the list via config if needed](./30-administration/10-server-config.md#woodpecker_escalate)).
 - Secret filters for plugins now check against tag if specified
 - Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`

pipeline/frontend/yaml/compiler/convert.go

@@ -138,7 +138,7 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
 		environment[requested] = secretValue
 	}
 
-	if utils.MatchImage(container.Image, c.escalated...) && container.IsPlugin() {
+	if utils.MatchImageDynamic(container.Image, c.escalated...) && container.IsPlugin() {
 		privileged = true
 	}