Merge branch 'origin/main' into 'next-release/main'

.woodpecker/docker.yaml

@@ -212,7 +212,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: woodpeckerci/woodpecker-agent
-      dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
+      dockerfile: docker/Dockerfile.agent.alpine.multiarch
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
       build_args: *build_args
@@ -226,7 +226,7 @@ steps:
     settings:
       dry_run: true
       repo: woodpeckerci/woodpecker-agent
-      dockerfile: docker/Dockerfile.agent.multiarch.rootless
+      dockerfile: docker/Dockerfile.agent.multiarch
       platforms: *platforms_preview
       tag: pull_${CI_COMMIT_PULL_REQUEST}
       build_args: *build_args
@@ -241,7 +241,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.multiarch.rootless
+      dockerfile: docker/Dockerfile.agent.multiarch
       platforms: *platforms_release
       tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
       logins: *publish_logins
@@ -260,7 +260,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
+      dockerfile: docker/Dockerfile.agent.alpine.multiarch
       platforms: *platforms_alpine
       tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
       logins: *publish_logins
@@ -276,7 +276,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.multiarch.rootless
+      dockerfile: docker/Dockerfile.agent.multiarch
       platforms: *platforms_release
       tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
       logins: *publish_logins
@@ -292,7 +292,7 @@ steps:
     image: *buildx_plugin
     settings:
       repo: *publish_repos_agent
-      dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
+      dockerfile: docker/Dockerfile.agent.alpine.multiarch
       platforms: *platforms_alpine
       tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
       logins: *publish_logins

cmd/server/openapi/docs.go

@@ -5144,10 +5144,6 @@ const docTemplate = `{
                 "config_file": {
                     "type": "string"
                 },
-                "gated": {
-                    "description": "TODO: deprecated in favor of RequireApproval =\u003e Remove in next major release",
-                    "type": "boolean"
-                },
                 "netrc_trusted": {
                     "type": "array",
                     "items": {

docker/Dockerfile.agent.alpine.multiarch

@@ -10,7 +10,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 FROM docker.io/alpine:3.21
 
 RUN apk add -U --no-cache ca-certificates && \
-  adduser -u 1000 -g 1000 woodpecker && \
+  adduser -u 1000 -g 1000 woodpecker -D && \
   mkdir -p /etc/woodpecker && \
   chown -R woodpecker:woodpecker /etc/woodpecker
 
@@ -21,7 +21,5 @@ EXPOSE 3000
 
 COPY --from=build /src/dist/woodpecker-agent /bin/
 
-USER woodpecker
-
 HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
 ENTRYPOINT ["/bin/woodpecker-agent"]

docker/Dockerfile.agent.multiarch

@@ -26,7 +26,5 @@ COPY --from=build /etc/woodpecker /etc
 COPY --from=build /etc/passwd /etc/passwd
 COPY --from=build /etc/group /etc/group
 
-USER woodpecker
-
 HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
 ENTRYPOINT ["/bin/woodpecker-agent"]

docker/Dockerfile.cli.alpine.multiarch.rootless

@@ -12,7 +12,7 @@ FROM docker.io/alpine:3.21
 WORKDIR /woodpecker
 
 RUN apk add -U --no-cache ca-certificates && \
-  adduser -u 1000 -g 1000 woodpecker
+  adduser -u 1000 -g 1000 -D woodpecker
 
 ENV GODEBUG=netdns=go
 ENV WOODPECKER_DISABLE_UPDATE_CHECK=true

docker/Dockerfile.server.alpine.multiarch.rootless

@@ -2,7 +2,7 @@ FROM docker.io/alpine:3.21
 
 ARG TARGETOS TARGETARCH
 RUN apk add -U --no-cache ca-certificates && \
-  adduser -u 1000 -g 1000 woodpecker && \
+  adduser -u 1000 -g 1000 woodpecker -D && \
   mkdir -p /var/lib/woodpecker && \
   chown -R woodpecker:woodpecker /var/lib/woodpecker
 

docs/docs/20-usage/40-secrets.md

@@ -104,7 +104,7 @@ Create the secret using default settings.
 The secret will be available to all images in your pipeline, and will be available to all `push`, `tag`, and `deployment` events (not `pull_request` events).
 
 ```bash
-woodpecker-cli secret add \
+woodpecker-cli repo secret add \
   --repository octocat/hello-world \
   --name aws_access_key_id \
   --value <value>
@@ -115,7 +115,7 @@ Create the secret and limit it to a single image:
 ```diff
  woodpecker-cli secret add \
    --repository octocat/hello-world \
-+  --image plugins/s3 \
++  --image woodpeckerci/plugin-s3 \
    --name aws_access_key_id \
    --value <value>
 ```
@@ -123,10 +123,10 @@ Create the secret and limit it to a single image:
 Create the secrets and limit it to a set of images:
 
 ```diff
- woodpecker-cli secret add \
+ woodpecker-cli repo secret add \
    --repository octocat/hello-world \
-+  --image plugins/s3 \
-+  --image woodpeckerci/plugin-ecs \
++  --image woodpeckerci/plugin-s3 \
++  --image woodpeckerci/plugin-docker-buildx \
    --name aws_access_key_id \
    --value <value>
 ```
@@ -134,9 +134,9 @@ Create the secrets and limit it to a set of images:
 Create the secret and enable it for multiple hook events:
 
 ```diff
- woodpecker-cli secret add \
+ woodpecker-cli repo secret add \
    --repository octocat/hello-world \
-   --image plugins/s3 \
+   --image woodpeckerci/plugin-s3 \
 +  --event pull_request \
 +  --event push \
 +  --event tag \
@@ -149,7 +149,7 @@ This method is recommended for loading secrets from a file, as it ensures that n
 Here’s an example:
 
 ```diff
- woodpecker-cli secret add \
+ woodpecker-cli repo secret add \
    -repository octocat/hello-world \
    -name ssh_key \
 +  -value @/root/ssh/id_rsa

docs/docs/30-administration/04-image-variants.md

@@ -8,7 +8,7 @@ This was done to prevent accidental major version upgrades.
 - `vX.Y.Z`: SemVer tags for specific releases, no entrypoint shell (scratch image)
   - `vX.Y`
   - `vX`
-- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless (as of v3.0).
+- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless for Server and CLI (as of v3.0).
   - `vX.Y-alpine`
   - `vX-alpine`
 - `next`: Built from the `main` branch

docs/docs/92-development/07-guides.md

@@ -55,7 +55,7 @@ You can try to use the `build-server` rule instead, however this one fails for s
 make build-agent
 
 ### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch.rootless --push .
+docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
 ```
 
 ### CLI

docs/src/pages/migrations.md

@@ -176,66 +176,15 @@ The following restructuring was done to achieve a more consistent grouping:
 
 #### Rootless images
 
-All Woodpecker images now use a non-privileged user (`woodpecker`) by default.
+The `server` and `cli` images now use a non-privileged user (`woodpecker`) by default.
 If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`.
 
-## User migrations
-
-- `gated` has been replaced by `require-approval`
-- Removed built-in environment variables:
-  - `CI_COMMIT_URL` use `CI_PIPELINE_FORGE_URL`
-  - `CI_STEP_FINISHED` as empty during execution
-  - `CI_PIPELINE_FINISHED` as empty during execution
-  - `CI_PIPELINE_STATUS` was always `success`
-  - `CI_STEP_STATUS` was always `success`
-  - `CI_REPO_SCM` was always `git`
-- Set `/woodpecker` as default workdir for the **woodpecker-cli** container
-- Secret filters for plugins now check against tag if specified
-- Compatibility mode of deprecated `pipeline:`, `platform:` and `branches:` pipeline config options are now removed and pipeline will now fail if still in use.
-- Removed `steps.[name].group` in favor of `steps.[name].depends_on` (see [workflow syntax](/docs/usage/workflow-syntax#depends_on) to learn how to set dependencies)
-- Pipelines without a config file will now be skipped instead of failing
-- Removed `includes` and `excludes` support from **event** filter
-- Removed upper-casing all secret env vars, instead, the value of the `secrets` property is used. [Read more](/docs/usage/secrets#usage)
-- Removed alternative names for secrets, use `environment` with `from_secret`
-- Removed `environment` filter, use `when.evaluate`
-- Removed `WOODPECKER_WEBHOOK_HOST` in favor of `WOODPECKER_EXPERT_WEBHOOK_HOST`
-- Renamed `start_time`, `end_time`, `created_at`, `started_at`, `finished_at` and `reviewed_at` JSON fields to `started`, `finished`, `created`, `started`, `finished`, `reviewed`
-- JSON field `trusted` on repo model was changed from boolean to object
-- Update all webhooks by pressing the "Repair all" button in the admin settings as the webhook token claims have changed
-- Crons now use standard Linux syntax without seconds
-- Removed old API routes: `registry/` -> `registries`, `/authorize/token`
-- Replaced `registry` command with `repo registry` in cli
-- Deprecated `secrets`, use `environment` with `from_secret`
-- Empty string environment variables are not set
-- CLI commands got restructured to provide a simplified structure:
-  - `woodpecker-cli secret [add|rm|...] --global` is now `woodpecker-cli admin secret [add|rm|...]`
-  - `woodpecker-cli user` is now `woodpecker-cli admin user`
-  - `woodpecker-cli log-level` is now `woodpecker-cli admin log-level`
-  - `woodpecker-cli secret [add|rm|...] --organization` is now `woodpecker-cli org secret [add|rm|...]`
-  - `woodpecker-cli deploy` is now `woodpecker-cli pipeline deploy`
-  - `woodpecker-cli log` is now `woodpecker-cli pipeline log`
-  - `woodpecker-cli cron` is now `woodpecker-cli repo cron`
-  - `woodpecker-cli secret [add|rm|...] --repository` is now `woodpecker-cli repo secret [add|rm|...]`
-  - `woodpecker-cli pipeline logs` is now `woodpecker-cli pipeline log show`
-  - `woodpecker-cli [registry|secret|...] info` is now `woodpecker-cli [registry|secret|...] show`
-
-## Admin migrations
-
-- Deprecate `WOODPECKER_LOG_XORM` and `WOODPECKER_LOG_XORM_SQL` use `"WOODPECKER_DATABASE_LOG` and `"WOODPECKER_DATABASE_LOG_SQL`
-- Deprecate `WOODPECKER_FILTER_LABELS` use `WOODPECKER_AGENT_LABELS`
-- Move docker resource limit settings from server into agent configuration
-- Rename server environment variable `WOODPECKER_ESCALATE` to `WOODPECKER_PLUGINS_PRIVILEGED`
-- All default privileged plugins (like `woodpeckerci/plugin-docker-buildx`) were removed. Please carefully [re-add those plugins](/docs/next/administration/server-config#woodpecker_plugins_privileged) you trust and rely on.
-- `WOODPECKER_DEFAULT_CLONE_IMAGE` got deprecated use `WOODPECKER_DEFAULT_CLONE_PLUGIN`
-- Check trusted-clone- and privileged-plugins by image name and tag (if tag is set)
-- Removed `WOODPECKER_DEV_OAUTH_HOST` and `WOODPECKER_DEV_GITEA_OAUTH_URL` use `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
-- Removed `WOODPECKER_ROOT_PATH` and `WOODPECKER_ROOT_URL` config variables. Use `WOODPECKER_HOST` with a path instead
-- Removed implicitly defined `regcred` image pull secret name. Set it explicitly via `WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES`
-- Removed slice definition for env vars
-- Migrated to rfc9421 for webhook signatures
-- Replaced `configs` object by `netrc` in external configuration APIs
-
-- Upgrading from 1.x versions to 3.x is disallowed, upgrading to 2.x first is required to ensure proper DB migrations
+:::note
+The agent image must remain rootful by default to be able to mount the Docker socket when Woodpecker is used with the `docker` backend.
+The helm chart will start to use a non-privileged user by utilizing `securityContext`.
+Running a completely rootless agent with the `docker` backend may be possible by using a rootless docker daemon.
+However, this requires more work and is currently not supported.
+:::
 
 ## 2.7.2
 

go.mod

@@ -56,7 +56,7 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/yaronf/httpsign v0.3.2
 	github.com/zalando/go-keyring v0.2.6
-	gitlab.com/gitlab-org/api/client-go v0.118.0
+	gitlab.com/gitlab-org/api/client-go v0.119.0
 	go.uber.org/multierr v1.11.0
 	golang.org/x/crypto v0.32.0
 	golang.org/x/net v0.34.0
@@ -65,7 +65,7 @@ require (
 	golang.org/x/term v0.28.0
 	golang.org/x/text v0.21.0
 	google.golang.org/grpc v1.69.2
-	google.golang.org/protobuf v1.36.1
+	google.golang.org/protobuf v1.36.2
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.32.0
 	k8s.io/apimachinery v0.32.0
@@ -197,7 +197,7 @@ require (
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
 	golang.org/x/tools v0.27.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 // indirect

go.sum

@@ -555,8 +555,8 @@ github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8u
 github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
-gitlab.com/gitlab-org/api/client-go v0.118.0 h1:qHIEw+XHt+2xuk4iZGW8fc6t+gTLAGEmTA5Bzp/brxs=
-gitlab.com/gitlab-org/api/client-go v0.118.0/go.mod h1:E+X2dndIYDuUfKVP0C3jhkWvTSE00BkLbCsXTY3edDo=
+gitlab.com/gitlab-org/api/client-go v0.119.0 h1:YBZyx9XUTtEDBBYtY36cZWz6JmT7om/8HPSk37IS95g=
+gitlab.com/gitlab-org/api/client-go v0.119.0/go.mod h1:ygHmS3AU3TpvK+AC6DYO1QuAxLlv6yxYK+/Votr/WFQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
 go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
@@ -693,8 +693,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
@@ -730,8 +730,8 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
-google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.2 h1:R8FeyR1/eLmkutZOM5CWghmo5itiG9z0ktFlTVLuTmU=
+google.golang.org/protobuf v1.36.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

server/api/repo.go

@@ -258,9 +258,6 @@ func PatchRepo(c *gin.Context) {
 			c.String(http.StatusBadRequest, "Invalid require-approval setting")
 			return
 		}
-	} else if in.IsGated != nil {
-		c.String(http.StatusBadRequest, "'gated' option has been removed, use 'require-approval' in >= 3.0")
-		return
 	}
 	if in.Timeout != nil {
 		repo.Timeout = *in.Timeout

server/model/repo.go

@@ -128,7 +128,6 @@ func (r *Repo) Update(from *Repo) {
 // RepoPatch represents a repository patch object.
 type RepoPatch struct {
 	Config                       *string                    `json:"config_file,omitempty"`
-	IsGated                      *bool                      `json:"gated,omitempty"` // TODO: deprecated in favor of RequireApproval => Remove in next major release
 	RequireApproval              *string                    `json:"require_approval,omitempty"`
 	Timeout                      *int64                     `json:"timeout,omitempty"`
 	Visibility                   *string                    `json:"visibility,omitempty"`

web/package.json

@@ -39,7 +39,6 @@
     "semver": "^7.6.3",
     "simple-icons": "^14.1.0",
     "tailwindcss": "^3.4.17",
-    "textlint": "^14.4.2",
     "vue": "^3.5.13",
     "vue-i18n": "^11.0.1",
     "vue-router": "^4.5.0"