From 711044096c84a2749a357aa41913da4f4c5bd342 Mon Sep 17 00:00:00 2001 From: pat-s Date: Wed, 25 Dec 2024 09:37:44 +0100 Subject: [PATCH] rephrase --- docs/docs/20-usage/75-project-settings.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/docs/20-usage/75-project-settings.md b/docs/docs/20-usage/75-project-settings.md index b87b3011d..c086adc24 100644 --- a/docs/docs/20-usage/75-project-settings.md +++ b/docs/docs/20-usage/75-project-settings.md 
@@ -41,11 +41,19 @@ Only server admins can set this option. If you are not a server admin this optio ## Custom trusted clone plugins -The clone step may require Git credentials (e.g. for private repos) which are injected via `netrc`. +During the clone process, Git credentials (e.g., for private repositories) may be required. +These credentials are provided via [`netrc`](https://everything.curl.dev/usingcurl/netrc.html). -They are only injected into trusted plugins listed in the env var `WOODPECKER_PLUGINS_TRUSTED_CLONE` or in this repo setting. +These credentials are injected only into trusted plugins specified in the (admin) environment variable `WOODPECKER_PLUGINS_TRUSTED_CLONE` or declared in this repository-level setting. -This allows you to use a trusted plugin for in the clone section or as a step to pull or push using your git credentials. +With these credentials, it’s possible to perform any Git operations, including pushing changes back to the repo. +To prevent unauthorized access or misuse, a plugin whitelist is required—either on the instance level or the repository level. +Without an explicit whitelist, a malicious contributor could exploit a custom clone plugin in a Pull Request to reveal or transfer these credentials during the clone step. + +:::info +This setting does not affect subsequent steps, nor does it allow direct pushes to the repository. +To enable pushing changes, you can inject Git credentials as a secret or use a dedicated plugin, such as [appleboy/drone-git-push](https://woodpecker-ci.org/plugins/Git%20Push). +::: ## Project visibility
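Review bot: the new `:::info` block contradicts the paragraph just above it and the sentence this hunk removes, so the documented push behaviour is now ambiguous. The added line `With these credentials, it’s possible to perform any Git operations, including pushing changes back to the repo.` is followed by `This setting does not affect subsequent steps, nor does it allow direct pushes to the repository.`, while the removed line `This allows you to use a trusted plugin for in the clone section or as a step to pull or push using your git credentials.` said a trusted plugin could be used as a later step to push. Please confirm which is true and make the two paragraphs agree: if the credentials only reach a trusted plugin during the clone step, the first sentence should describe the risk as what a clone plugin could do with them rather than as push ability the user gains; if trusted plugins still receive the credentials as later steps, the info block is wrong. Smaller points: `a plugin whitelist is required` should name the list it means (`WOODPECKER_PLUGINS_TRUSTED_CLONE` or this repository setting) so readers do not look for a separate option, and `the (admin) environment variable` reads better as `the server-level environment variable`.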