Merge branch 'main' into fix/ci-commit-branch

2025-03-02 18:11:01 +00:00 · 2024-12-09 11:25:12 +01:00 · 2024-12-09 11:25:12 +01:00 · cd96c4e441
commit cd96c4e441
parent 80ed91ff70 33e1c788f4
26 changed files with 1442 additions and 1093 deletions
--- a/.woodpecker/docker.yaml
+++ b/.woodpecker/docker.yaml
@ -2,7 +2,7 @@ variables:
  - &golang_image 'docker.io/golang:1.23'
  - &node_image 'docker.io/node:23-alpine'
  - &xgo_image 'docker.io/techknowlogick/xgo:go-1.23.x'
-  - &buildx_plugin 'docker.io/woodpeckerci/plugin-docker-buildx:5.0.0'
+  - &buildx_plugin 'docker.io/woodpeckerci/plugin-docker-buildx:5.1.0'
  - &platforms_release 'linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/386,linux/amd64,linux/ppc64le,linux/riscv64,linux/s390x,freebsd/arm64,freebsd/amd64,openbsd/arm64,openbsd/amd64'
  - &platforms_server 'linux/arm/v7,linux/arm64/v8,linux/amd64,linux/ppc64le,linux/riscv64'
  - &platforms_preview 'linux/amd64'
--- a/.woodpecker/docs.yaml
+++ b/.woodpecker/docs.yaml
@ -1,7 +1,7 @@
 variables:
  - &golang_image 'docker.io/golang:1.23'
  - &node_image 'docker.io/node:23-alpine'
-  - &alpine_image 'docker.io/alpine:3.20'
+  - &alpine_image 'docker.io/alpine:3.21'
  - path: &when_path
      - 'docs/**'
      - '.woodpecker/docs.yaml'
--- a/.woodpecker/links.yaml
+++ b/.woodpecker/links.yaml
@ -0,0 +1,31 @@
+when:
+  - event: cron
+    cron: links
+
+steps:
+  - name: links
+    image: docker.io/lycheeverse/lychee:0.15.1
+    failure: ignore
+    depends_on: []
+    commands:
+      - lychee pipeline/frontend/yaml/linter/schema/schema.json > links.md
+      - lychee --exclude localhost docs/docs/ >> links.md
+      - lychee --exclude localhost docs/src/pages/ >> links.md
+      - echo -e "\nLast checked:$(date)" >> links.md
+
+  - name: Update issue
+    image: docker.io/alpine:3.21
+    depends_on: links
+    environment:
+      GITHUB_TOKEN:
+        from_secret: github_token
+    commands:
+      - apk add -q --no-cache jq curl
+      - export ISSUE_NUMBER=4514
+      - export DESCRIPTION=$(cat links.md)
+      - |
+        curl -X PATCH \
+          -H "Authorization: token $GITHUB_TOKEN" \
+          -H "Accept: application/vnd.github.v3+json" \
+          https://api.github.com/repos/${CI_REPO}/issues/$ISSUE_NUMBER \
+          -d "$(jq -n --arg body "$DESCRIPTION" '{body: $body}')"
--- a/.woodpecker/release-helper.yaml
+++ b/.woodpecker/release-helper.yaml
@ -1,6 +1,6 @@
 steps:
  - name: release-helper
-    image: docker.io/woodpeckerci/plugin-ready-release-go:3.0.0
+    image: docker.io/woodpeckerci/plugin-ready-release-go:3.1.0
    settings:
      release_branch: ${CI_COMMIT_BRANCH}
      forge_type: github
--- a/.woodpecker/securityscan.yaml
+++ b/.woodpecker/securityscan.yaml
@ -1,5 +1,5 @@
 when:
-  - event: [pull_request, cron]
+  - event: [pull_request]
  - event: push
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}
--- a/.woodpecker/static.yaml
+++ b/.woodpecker/static.yaml
@ -19,15 +19,7 @@ steps:
      - tree --gitignore -I 012_columns_rename_procs_to_steps.go -I versioned_docs -I '*opensource.svg'| pnpx cspell lint --no-progress stdin

  - name: prettier
-    image: docker.io/woodpeckerci/plugin-prettier:0.2.0
+    image: docker.io/woodpeckerci/plugin-prettier:1.0.0
    depends_on: []
    settings:
      version: 3.3.3
-
-  - name: links
-    image: docker.io/lycheeverse/lychee:0.15.1
-    depends_on: []
-    commands:
-      - lychee pipeline/frontend/yaml/linter/schema/schema.json
-      - lychee --user-agent "curl/8.4.0" --exclude localhost docs/docs/
-      - lychee --user-agent "curl/8.4.0" --exclude localhost docs/src/pages/
--- a/.woodpecker/test.yaml
+++ b/.woodpecker/test.yaml
@ -36,7 +36,7 @@ steps:
    environment:
      WOODPECKER_DISABLE_UPDATE_CHECK: true
      WOODPECKER_LINT_STRICT: true
-      WOODPECKER_PLUGINS_PRIVILEGED: 'docker.io/woodpeckerci/plugin-docker-buildx:5.0.0'
+      WOODPECKER_PLUGINS_PRIVILEGED: 'docker.io/woodpeckerci/plugin-docker-buildx'
    when:
      - event: pull_request
        path:
--- a/docker/Dockerfile.agent.alpine.multiarch
+++ b/docker/Dockerfile.agent.alpine.multiarch
@ -7,7 +7,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg \
    make build-agent

-FROM docker.io/alpine:3.20
+FROM docker.io/alpine:3.21
 RUN apk add -U --no-cache ca-certificates
 ENV GODEBUG=netdns=go
 # Internal setting do NOT change! Signals that woodpecker is running inside a container
--- a/docker/Dockerfile.cli.alpine.multiarch
+++ b/docker/Dockerfile.cli.alpine.multiarch
@ -7,7 +7,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg \
    make build-cli

-FROM docker.io/alpine:3.20
+FROM docker.io/alpine:3.21
 WORKDIR /woodpecker

 RUN apk add -U --no-cache ca-certificates
--- a/docker/Dockerfile.server.alpine.multiarch
+++ b/docker/Dockerfile.server.alpine.multiarch
@ -1,4 +1,4 @@
-FROM docker.io/alpine:3.20
+FROM docker.io/alpine:3.21

 ARG TARGETOS TARGETARCH
 RUN apk add -U --no-cache ca-certificates
--- a/docs/babel.config.js
+++ b/docs/babel.config.js
@ -1,3 +0,0 @@
-module.exports = {
-  presets: [require.resolve('@docusaurus/core/lib/babel/preset')],
-};
--- a/docs/docs/30-administration/22-backends/10-docker.md
+++ b/docs/docs/30-administration/22-backends/10-docker.md
@ -18,6 +18,25 @@ FROM woodpeckerci/woodpecker-server:latest-alpine
 RUN apk add -U --no-cache docker-credential-ecr-login
 ```

+## Step specific configuration
+
+### Run user
+
+By default the docker backend starts the step container without the `--user` flag. This means the step container will use the default user of the container. To change this behavior you can set the `user` backend option to the preferred user/group:
+
+```yaml
+steps:
+  - name: example
+    image: alpine
+    commands:
+      - whoami
+    backend_options:
+      docker:
+        user: 65534:65534
+```
+
+The syntax is the same as the [docker run](https://docs.docker.com/engine/reference/run/#user) `--user` flag.
+
 ## Image cleanup

 The agent **will not** automatically remove images from the host. This task should be managed by the host system. For example, you can use a cron job to periodically do clean-up tasks for the CI runner.
--- a/docs/docs/30-administration/22-backends/40-kubernetes.md
+++ b/docs/docs/30-administration/22-backends/40-kubernetes.md
@ -12,7 +12,7 @@ In addition to [registries specified in the UI](../../20-usage/41-registries.md)

 Place these Secrets in namespace defined by `WOODPECKER_BACKEND_K8S_NAMESPACE` and provide the Secret names to Agents via `WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES`.

-## Job specific configuration
+## Step specific configuration

 ### Resources

@ -67,7 +67,7 @@ To give steps access to the Kubernetes API via service account, take a look at [

 ### Node selector

-`nodeSelector` specifies the labels which are used to select the node on which the job will be executed.
+`nodeSelector` specifies the labels which are used to select the node on which the step will be executed.

 Labels defined here will be appended to a list which already contains `"kubernetes.io/arch"`.
 By default `"kubernetes.io/arch"` is inferred from the agents' platform. One can override it by setting that label in the `nodeSelector` section of the `backend_options`.
--- a/docs/docusaurus.config.ts
+++ b/docs/docusaurus.config.ts
@ -3,7 +3,7 @@ import type { Config } from '@docusaurus/types';
 import type * as Preset from '@docusaurus/preset-classic';
 import * as path from 'path';

-const config: Config = {
+const config = {
  title: 'Woodpecker CI',
  tagline: 'Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.',
  url: 'https://woodpecker-ci.org',
@ -248,7 +248,7 @@ const config: Config = {
              label: '2.8.x',
            },
            '2.7': {
-              label: '2.7.x',
+              label: '2.7.x 💀',
              banner: 'unmaintained',
            },
            '2.6': {
@ -265,8 +265,6 @@ const config: Config = {
          blogTitle: 'Blog',
          blogDescription: 'A blog for release announcements, turorials...',
          onInlineAuthors: 'ignore',
-          // postsPerPage: 'ALL',
-          // blogSidebarCount: 0,
        },
        theme: {
          customCss: require.resolve('./src/css/custom.css'),
@ -291,19 +289,12 @@ const config: Config = {
      },
    ],
  ],
-  webpack: {
-    jsLoader: (isServer) => ({
-      loader: require.resolve('esbuild-loader'),
-      options: {
-        loader: 'tsx',
-        target: isServer ? 'node12' : 'es2017',
-        supported: { 'dynamic-import': false },
-      },
-    }),
-  },
  markdown: {
    format: 'detect',
  },
-};
+  future: {
+    experimental_faster: true,
+  },
+} satisfies Config;

 export default config;
--- a/docs/package.json
+++ b/docs/package.json
@ -15,19 +15,15 @@
  },
  "dependencies": {
    "@docusaurus/core": "^3.6.3",
+    "@docusaurus/faster": "^3.6.3",
    "@docusaurus/plugin-content-blog": "^3.6.3",
    "@docusaurus/preset-classic": "^3.6.3",
    "@easyops-cn/docusaurus-search-local": "^0.46.0",
-    "@mdx-js/react": "^3.1.0",
-    "@svgr/webpack": "^8.1.0",
    "clsx": "^2.1.1",
-    "esbuild-loader": "^4.2.2",
-    "file-loader": "^6.2.0",
    "prism-react-renderer": "^2.4.0",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
-    "redocusaurus": "^2.2.0",
-    "url-loader": "^4.1.1"
+    "redocusaurus": "^2.2.0"
  },
  "browserslist": {
    "production": [
@ -46,16 +42,9 @@
    "@docusaurus/tsconfig": "3.6.3",
    "@docusaurus/types": "^3.6.3",
    "@types/node": "^22.9.3",
-    "@types/react": "^18.3.12",
+    "@types/react": "^18.3.1",
    "@types/react-helmet": "^6.1.11",
    "@types/react-router-dom": "^5.3.3",
    "typescript": "^5.7.2"
-  },
-  "pnpm": {
-    "overrides": {
-      "got": "^14.0.0",
-      "path-to-regexp": "^3.3.0",
-      "cookie": "^1.0.0"
-    }
  }
 }
--- a/docs/plugins/woodpecker-plugins/package.json
+++ b/docs/plugins/woodpecker-plugins/package.json
@ -23,8 +23,8 @@
    "typescript": "^5.7.2"
  },
  "peerDependencies": {
-    "react": "^17.0.2 || ^18.0.0",
-    "react-dom": "^17.0.2 || ^18.0.0"
+    "react": "^17.0.2 || ^18.0.0 || ^19.0.0",
+    "react-dom": "^17.0.2 || ^18.0.0 || ^19.0.0"
  },
  "dependencies": {
    "fuse.js": "^7.0.0",
--- a/docs/pnpm-lock.yaml
+++ b/docs/pnpm-lock.yaml
--- a/go.mod
+++ b/go.mod
@ -2,7 +2,7 @@ module go.woodpecker-ci.org/woodpecker/v2

 go 1.22.7

-toolchain go1.23.3
+toolchain go1.23.4

 require (
 	al.essio.dev/pkg/shellescape v1.5.1
@ -56,19 +56,19 @@ require (
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.4
 	github.com/urfave/cli-docs/v3 v3.0.0-alpha6
-	github.com/urfave/cli/v3 v3.0.0-alpha9.10
+	github.com/urfave/cli/v3 v3.0.0-beta1
 	github.com/xanzy/go-gitlab v0.114.0
 	github.com/xeipuuv/gojsonschema v1.2.0
 	github.com/yaronf/httpsign v0.3.1
 	github.com/zalando/go-keyring v0.2.6
 	go.uber.org/multierr v1.11.0
-	golang.org/x/crypto v0.29.0
-	golang.org/x/net v0.31.0
+	golang.org/x/crypto v0.30.0
+	golang.org/x/net v0.32.0
 	golang.org/x/oauth2 v0.24.0
-	golang.org/x/sync v0.9.0
-	golang.org/x/term v0.26.0
-	golang.org/x/text v0.20.0
-	google.golang.org/grpc v1.68.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.27.0
+	golang.org/x/text v0.21.0
+	google.golang.org/grpc v1.68.1
 	google.golang.org/protobuf v1.35.2
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.31.3
@ -209,7 +209,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.27.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
--- a/go.sum
+++ b/go.sum
@ -545,8 +545,8 @@ github.com/urfave/cli-docs/v3 v3.0.0-alpha6 h1:w/l/N0xw1rO/aHRIGXJ0lDwwYFOzilup1
 github.com/urfave/cli-docs/v3 v3.0.0-alpha6/go.mod h1:p7Z4lg8FSTrPB9GTaNyTrK3ygffHZcK3w0cU2VE+mzU=
 github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
-github.com/urfave/cli/v3 v3.0.0-alpha9.10 h1:whPwidq9cUh18NBqzSR8N3tts8NiQDsTmt9s7AyX85c=
-github.com/urfave/cli/v3 v3.0.0-alpha9.10/go.mod h1:FnIeEMYu+ko8zP1F9Ypr3xkZMIDqW3DR92yUtY39q1Y=
+github.com/urfave/cli/v3 v3.0.0-beta1 h1:6DTaaUarcM0wX7qj5Hcvs+5Dm3dyUTBbEwIWAjcw9Zg=
+github.com/urfave/cli/v3 v3.0.0-beta1/go.mod h1:FnIeEMYu+ko8zP1F9Ypr3xkZMIDqW3DR92yUtY39q1Y=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/go-gitlab v0.114.0 h1:0wQr/KBckwrZPfEMjRqpUz0HmsKKON9UhCYv9KDy19M=
@ -623,8 +623,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
+golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
@ -647,8 +647,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
 golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
 golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -656,8 +656,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -692,14 +692,14 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -707,8 +707,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -738,8 +738,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:
 google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
-google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
-google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
--- a/pipeline/backend/docker/backend_options.go
+++ b/pipeline/backend/docker/backend_options.go
@ -0,0 +1,21 @@
+package docker
+
+import (
+	"github.com/mitchellh/mapstructure"
+
+	backend "go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
+)
+
+// BackendOptions defines all the advanced options for the docker backend.
+type BackendOptions struct {
+	User string `mapstructure:"user"`
+}
+
+func parseBackendOptions(step *backend.Step) (BackendOptions, error) {
+	var result BackendOptions
+	if step == nil || step.BackendOptions == nil {
+		return result, nil
+	}
+	err := mapstructure.Decode(step.BackendOptions[EngineName], &result)
+	return result, err
+}
--- a/pipeline/backend/docker/backend_options_test.go
+++ b/pipeline/backend/docker/backend_options_test.go
@ -0,0 +1,56 @@
+package docker
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	backend "go.woodpecker-ci.org/woodpecker/v2/pipeline/backend/types"
+)
+
+func Test_parseBackendOptions(t *testing.T) {
+	tests := []struct {
+		name    string
+		step    *backend.Step
+		want    BackendOptions
+		wantErr bool
+	}{
+		{
+			name: "nil options",
+			step: &backend.Step{BackendOptions: nil},
+			want: BackendOptions{},
+		},
+		{
+			name: "empty options",
+			step: &backend.Step{BackendOptions: map[string]any{}},
+			want: BackendOptions{},
+		},
+		{
+			name: "with user option",
+			step: &backend.Step{BackendOptions: map[string]any{
+				"docker": map[string]any{
+					"user": "1000:1000",
+				},
+			}},
+			want: BackendOptions{User: "1000:1000"},
+		},
+		{
+			name:    "invalid backend options",
+			step:    &backend.Step{BackendOptions: map[string]any{"docker": "invalid"}},
+			want:    BackendOptions{},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseBackendOptions(tt.step)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/pipeline/backend/docker/convert.go
+++ b/pipeline/backend/docker/convert.go
@ -31,7 +31,7 @@ import (
 const minVolumeComponents = 2

 // returns a container configuration.
-func (e *docker) toConfig(step *types.Step) *container.Config {
+func (e *docker) toConfig(step *types.Step, options BackendOptions) *container.Config {
 	e.windowsPathPatch(step)

 	config := &container.Config{
@ -44,6 +44,7 @@ func (e *docker) toConfig(step *types.Step) *container.Config {
 		AttachStdout: true,
 		AttachStderr: true,
 		Volumes:      toVol(step.Volumes),
+		User:         options.User,
 	}
 	configEnv := make(map[string]string)
 	maps.Copy(configEnv, step.Environment)
--- a/pipeline/backend/docker/convert_test.go
+++ b/pipeline/backend/docker/convert_test.go
@ -131,7 +131,7 @@ func TestToContainerName(t *testing.T) {

 func TestStepToConfig(t *testing.T) {
 	// StepTypeCommands
-	conf := testEngine.toConfig(testCmdStep)
+	conf := testEngine.toConfig(testCmdStep, BackendOptions{})
 	if assert.NotNil(t, conf) {
 		assert.EqualValues(t, []string{"/bin/sh", "-c", "echo $CI_SCRIPT | base64 -d | /bin/sh -e"}, conf.Entrypoint)
 		assert.Nil(t, conf.Cmd)
@ -139,7 +139,7 @@ func TestStepToConfig(t *testing.T) {
 	}

 	// StepTypePlugin
-	conf = testEngine.toConfig(testPluginStep)
+	conf = testEngine.toConfig(testPluginStep, BackendOptions{})
 	if assert.NotNil(t, conf) {
 		assert.Nil(t, conf.Cmd)
 		assert.EqualValues(t, testPluginStep.UUID, conf.Labels["wp_uuid"])
@ -174,7 +174,7 @@ func TestToConfigSmall(t *testing.T) {
 		Name:     "test",
 		UUID:     "09238932",
 		Commands: []string{"go test"},
-	})
+	}, BackendOptions{})

 	assert.NotNil(t, conf)
 	sort.Strings(conf.Env)
@ -233,7 +233,7 @@ func TestToConfigFull(t *testing.T) {
 		AuthConfig:    backend.Auth{Username: "user", Password: "123456"},
 		NetworkMode:   "bridge",
 		Ports:         []backend.Port{{Number: 21}, {Number: 22}},
-	})
+	}, BackendOptions{})

 	assert.NotNil(t, conf)
 	sort.Strings(conf.Env)
@ -286,7 +286,7 @@ func TestToWindowsConfig(t *testing.T) {
 		AuthConfig:  backend.Auth{Username: "user", Password: "123456"},
 		NetworkMode: "nat",
 		Ports:       []backend.Port{{Number: 21}, {Number: 22}},
-	})
+	}, BackendOptions{})

 	assert.NotNil(t, conf)
 	sort.Strings(conf.Env)
--- a/pipeline/backend/docker/docker.go
+++ b/pipeline/backend/docker/docker.go
@ -46,6 +46,7 @@ type docker struct {
 }

 const (
+	EngineName          = "docker"
 	networkDriverNAT    = "nat"
 	networkDriverBridge = "bridge"
 	volumeDriver        = "local"
@ -59,7 +60,7 @@ func New() backend.Backend {
 }

 func (e *docker) Name() string {
-	return "docker"
+	return EngineName
 }

 func (e *docker) IsAvailable(ctx context.Context) bool {
@ -170,9 +171,14 @@ func (e *docker) SetupWorkflow(ctx context.Context, conf *backend.Config, taskUU
 }

 func (e *docker) StartStep(ctx context.Context, step *backend.Step, taskUUID string) error {
+	options, err := parseBackendOptions(step)
+	if err != nil {
+		log.Error().Err(err).Msg("could not parse backend options")
+	}
+
 	log.Trace().Str("taskUUID", taskUUID).Msgf("start step %s", step.Name)

-	config := e.toConfig(step)
+	config := e.toConfig(step, options)
 	hostConfig := toHostConfig(step, &e.config)
 	containerName := toContainerName(step)

@ -204,7 +210,7 @@ func (e *docker) StartStep(ctx context.Context, step *backend.Step, taskUUID str
 	// add default volumes to the host configuration
 	hostConfig.Binds = utils.DeduplicateStrings(append(hostConfig.Binds, e.config.volumes...))

-	_, err := e.client.ContainerCreate(ctx, config, hostConfig, nil, nil, containerName)
+	_, err = e.client.ContainerCreate(ctx, config, hostConfig, nil, nil, containerName)
 	if client.IsErrNotFound(err) {
 		// automatically pull and try to re-create the image if the
 		// failure is caused because the image does not exist.
--- a/pipeline/backend/kubernetes/backend_options.go
+++ b/pipeline/backend/kubernetes/backend_options.go
@ -86,7 +86,7 @@ const (

 func parseBackendOptions(step *backend.Step) (BackendOptions, error) {
 	var result BackendOptions
-	if step.BackendOptions == nil {
+	if step == nil || step.BackendOptions == nil {
 		return result, nil
 	}
 	err := mapstructure.Decode(step.BackendOptions[EngineName], &result)
--- a/pipeline/backend/kubernetes/backend_options_test.go
+++ b/pipeline/backend/kubernetes/backend_options_test.go
@ -9,97 +9,122 @@ import (
 )

 func Test_parseBackendOptions(t *testing.T) {
-	got, err := parseBackendOptions(&backend.Step{BackendOptions: nil})
-	assert.NoError(t, err)
-	assert.Equal(t, BackendOptions{}, got)
-	got, err = parseBackendOptions(&backend.Step{BackendOptions: map[string]any{}})
-	assert.NoError(t, err)
-	assert.Equal(t, BackendOptions{}, got)
-	got, err = parseBackendOptions(&backend.Step{
-		BackendOptions: map[string]any{
-			"kubernetes": map[string]any{
-				"nodeSelector":       map[string]string{"storage": "ssd"},
-				"serviceAccountName": "wp-svc-acc",
-				"labels":             map[string]string{"app": "test"},
-				"annotations":        map[string]string{"apps.kubernetes.io/pod-index": "0"},
-				"tolerations": []map[string]any{
-					{"key": "net-port", "value": "100Mbit", "effect": TaintEffectNoSchedule},
-				},
-				"resources": map[string]any{
-					"requests": map[string]string{"memory": "128Mi", "cpu": "1000m"},
-					"limits":   map[string]string{"memory": "256Mi", "cpu": "2"},
-				},
-				"securityContext": map[string]any{
-					"privileged":   newBool(true),
-					"runAsNonRoot": newBool(true),
-					"runAsUser":    newInt64(101),
-					"runAsGroup":   newInt64(101),
-					"fsGroup":      newInt64(101),
-					"seccompProfile": map[string]any{
-						"type":             "Localhost",
-						"localhostProfile": "profiles/audit.json",
-					},
-					"apparmorProfile": map[string]any{
-						"type":             "Localhost",
-						"localhostProfile": "k8s-apparmor-example-deny-write",
-					},
-				},
-				"secrets": []map[string]any{
-					{
-						"name": "aws",
-						"key":  "access-key",
-						"target": map[string]any{
-							"env": "AWS_SECRET_ACCESS_KEY",
+	tests := []struct {
+		name    string
+		step    *backend.Step
+		want    BackendOptions
+		wantErr bool
+	}{
+		{
+			name: "nil options",
+			step: &backend.Step{BackendOptions: nil},
+			want: BackendOptions{},
+		},
+		{
+			name: "empty options",
+			step: &backend.Step{BackendOptions: map[string]any{}},
+			want: BackendOptions{},
+		},
+		{
+			name: "full k8s options",
+			step: &backend.Step{
+				BackendOptions: map[string]any{
+					"kubernetes": map[string]any{
+						"nodeSelector":       map[string]string{"storage": "ssd"},
+						"serviceAccountName": "wp-svc-acc",
+						"labels":             map[string]string{"app": "test"},
+						"annotations":        map[string]string{"apps.kubernetes.io/pod-index": "0"},
+						"tolerations": []map[string]any{
+							{"key": "net-port", "value": "100Mbit", "effect": TaintEffectNoSchedule},
 						},
-					},
-					{
-						"name": "reg-cred",
-						"key":  ".dockerconfigjson",
-						"target": map[string]any{
-							"file": "~/.docker/config.json",
+						"resources": map[string]any{
+							"requests": map[string]string{"memory": "128Mi", "cpu": "1000m"},
+							"limits":   map[string]string{"memory": "256Mi", "cpu": "2"},
+						},
+						"securityContext": map[string]any{
+							"privileged":   newBool(true),
+							"runAsNonRoot": newBool(true),
+							"runAsUser":    newInt64(101),
+							"runAsGroup":   newInt64(101),
+							"fsGroup":      newInt64(101),
+							"seccompProfile": map[string]any{
+								"type":             "Localhost",
+								"localhostProfile": "profiles/audit.json",
+							},
+							"apparmorProfile": map[string]any{
+								"type":             "Localhost",
+								"localhostProfile": "k8s-apparmor-example-deny-write",
+							},
+						},
+						"secrets": []map[string]any{
+							{
+								"name": "aws",
+								"key":  "access-key",
+								"target": map[string]any{
+									"env": "AWS_SECRET_ACCESS_KEY",
+								},
+							},
+							{
+								"name": "reg-cred",
+								"key":  ".dockerconfigjson",
+								"target": map[string]any{
+									"file": "~/.docker/config.json",
+								},
+							},
 						},
 					},
 				},
 			},
-		},
-	})
-	assert.NoError(t, err)
-	assert.Equal(t, BackendOptions{
-		NodeSelector:       map[string]string{"storage": "ssd"},
-		ServiceAccountName: "wp-svc-acc",
-		Labels:             map[string]string{"app": "test"},
-		Annotations:        map[string]string{"apps.kubernetes.io/pod-index": "0"},
-		Tolerations:        []Toleration{{Key: "net-port", Value: "100Mbit", Effect: TaintEffectNoSchedule}},
-		Resources: Resources{
-			Requests: map[string]string{"memory": "128Mi", "cpu": "1000m"},
-			Limits:   map[string]string{"memory": "256Mi", "cpu": "2"},
-		},
-		SecurityContext: &SecurityContext{
-			Privileged:   newBool(true),
-			RunAsNonRoot: newBool(true),
-			RunAsUser:    newInt64(101),
-			RunAsGroup:   newInt64(101),
-			FSGroup:      newInt64(101),
-			SeccompProfile: &SecProfile{
-				Type:             "Localhost",
-				LocalhostProfile: "profiles/audit.json",
-			},
-			ApparmorProfile: &SecProfile{
-				Type:             "Localhost",
-				LocalhostProfile: "k8s-apparmor-example-deny-write",
+			want: BackendOptions{
+				NodeSelector:       map[string]string{"storage": "ssd"},
+				ServiceAccountName: "wp-svc-acc",
+				Labels:             map[string]string{"app": "test"},
+				Annotations:        map[string]string{"apps.kubernetes.io/pod-index": "0"},
+				Tolerations:        []Toleration{{Key: "net-port", Value: "100Mbit", Effect: TaintEffectNoSchedule}},
+				Resources: Resources{
+					Requests: map[string]string{"memory": "128Mi", "cpu": "1000m"},
+					Limits:   map[string]string{"memory": "256Mi", "cpu": "2"},
+				},
+				SecurityContext: &SecurityContext{
+					Privileged:   newBool(true),
+					RunAsNonRoot: newBool(true),
+					RunAsUser:    newInt64(101),
+					RunAsGroup:   newInt64(101),
+					FSGroup:      newInt64(101),
+					SeccompProfile: &SecProfile{
+						Type:             "Localhost",
+						LocalhostProfile: "profiles/audit.json",
+					},
+					ApparmorProfile: &SecProfile{
+						Type:             "Localhost",
+						LocalhostProfile: "k8s-apparmor-example-deny-write",
+					},
+				},
+				Secrets: []SecretRef{
+					{
+						Name:   "aws",
+						Key:    "access-key",
+						Target: SecretTarget{Env: "AWS_SECRET_ACCESS_KEY"},
+					},
+					{
+						Name:   "reg-cred",
+						Key:    ".dockerconfigjson",
+						Target: SecretTarget{File: "~/.docker/config.json"},
+					},
+				},
 			},
 		},
-		Secrets: []SecretRef{
-			{
-				Name:   "aws",
-				Key:    "access-key",
-				Target: SecretTarget{Env: "AWS_SECRET_ACCESS_KEY"},
-			},
-			{
-				Name:   "reg-cred",
-				Key:    ".dockerconfigjson",
-				Target: SecretTarget{File: "~/.docker/config.json"},
-			},
-		},
-	}, got)
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := parseBackendOptions(tt.step)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
 }