Allow to set custom trusted clone plugins #4352
Conversation
qwerty287
added
enhancement
|
Deployment of preview was successful: https://woodpecker-ci-woodpecker-pr-4352.surge.sh |
|
How is that different to |
|
You can now set it per repo as well. |
did not checked the code jet - but ony an instance admin should be able to change it |
|
one question (idea) that comes into my mind: why not add the config into TrustedConfiguration ? |
Repeating it doesnt help. Can we keep the discussion in the issue? You never responded to #2601 (comment) |
|
Why the instance admin? This is about per-repo/per-user credentials, so the repo admins should decide how they are used. |
Co-authored-by: Thomas Anderson <[email protected]>
| if c.securityTrustedPipeline || (container.IsPlugin() && container.IsTrustedCloneImage(c.trustedClonePlugins)) { | ||
| for k, v := range c.cloneEnv { | ||
| step.Environment[k] = v | ||
| } | ||
| } |
There was a problem hiding this comment.
This will prevent users from cloning / fetching tags etc afterwards which is currently a feature we support.
In general if we go this path we should consider allowing to pass the netrc credentials to all plugins that are listed in NetRCTrusted / NetRCTrustedPlugins IMO. Related to security I can't see an issue as the repo admins sets this for their own credentials. Worst case they could only mess with their own credentials.
Use cases:
- clone using custom plugin in
clonesection - clone later on
- used
skip_cloneas user had to do other tasks before cloning - wants to clone again to get other parts afterwards (fetch tags, sub-modules)
- used
- wants to push changes
closes #2601