Disallow to set arbitrary environments for plugins #3909
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3909 +/- ##
==========================================
- Coverage 27.40% 26.84% -0.57%
==========================================
Files 386 393 +7
Lines 26539 27411 +872
==========================================
+ Hits 7273 7358 +85
- Misses 18599 19352 +753
- Partials 667 701 +34 ☔ View full report in Codecov by Sentry. |
6543
commented
Jul 14, 2024
6543
commented
Jul 14, 2024
xoxys
reviewed
Jul 14, 2024
Co-authored-by: Robert Kaussow <xoxys@rknet.org>
6543
added
the
breaking
lafriks
approved these changes
Jul 14, 2024
|
ok I did go throug all the documentation and using The plugin documentation is a bit lacking and can be improved. but based on our consensus to count changes of features we never have documented as non breaking, this is non breaking! 🎉 |
6543
removed
the
breaking
qwerty287
changed the title
3 tasks
6543
pushed a commit
that referenced
this pull request
Jul 18, 2024
## [2.7.0](https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.7.0) - 2024-07-18 ### 🔒 Security - Add blocklist of environment variables who could alter execution of plugins [[#3934](#3934)] - Make sure plugins only mount the workspace base in a predefinde location [[#3933](#3933)] - Disallow to set arbitrary environments for plugins [[#3909](#3909)] - Use proper oauth state [[#3847](#3847)] - Enhance token checking [[#3842](#3842)] - Bump github.com/hashicorp/go-retryablehttp v0.7.5 -> v0.7.7 [[#3834](#3834)] ### ✨ Features - Gracefully shutdown server [[#3896](#3896)] - Gracefully shutdown agent [[#3895](#3895)] - Convert urls in logs to links [[#3904](#3904)] - Allow login using multiple forges [[#3822](#3822)] - Global and organization registries [[#1672](#1672)] - Cli get repo from git remote [[#3830](#3830)] - Add api for forges [[#3733](#3733)] ### 📈 Enhancement - Cli fix pipeline logs [[#3913](#3913)] - Migrate to github.com/urfave/cli/v3 [[#2951](#2951)] - Allow to change the working directory also for plugins and services [[#3914](#3914)] - Remove `unplugin-icons` [[#3809](#3809)] - Release windows binaries as zip file [[#3906](#3906)] - Convert to openapi 3.0 [[#3897](#3897)] - Enhance pipeline list [[#3898](#3898)] - Add user registries UI [[#3888](#3888)] - Sort users by login [[#3891](#3891)] - Exclude dummy backend in production [[#3877](#3877)] - Fix deploy task env [[#3878](#3878)] - Get default branch and show message in pipeline list [[#3867](#3867)] - Add timestamp for last work done by agent [[#3844](#3844)] - Adjust logger types [[#3859](#3859)] - Cleanup state reporting [[#3850](#3850)] - Unify DB tables/columns [[#3806](#3806)] - Let webhook pass on pipeline parsing error [[#3829](#3829)] - Exclude mocks from release build [[#3831](#3831)] - K8s secrets reference from step [[#3655](#3655)] ### 🐛 Bug Fixes - Handle empty repositories in gitea when listing PRs [[#3925](#3925)] - Update alpine package dep for docker images [[#3917](#3917)] - Don't report error if agent was terminated gracefully [[#3894](#3894)] - Let agents continuously report their health [[#3893](#3893)] - Ignore warnings for cli exec [[#3868](#3868)] - Correct favicon states [[#3832](#3832)] - Cleanup of the login flow and tests [[#3810](#3810)] - Fix newlines in logs [[#3808](#3808)] - Fix authentication error handling [[#3807](#3807)] ### 📚 Documentation - Streamline docs for new users [[#3803](#3803)] - Add mastodon verification [[#3843](#3843)] - chore(deps): update docs npm deps non-major [[#3837](#3837)] - fix(deps): update docs npm deps non-major [[#3824](#3824)] - Add openSUSE package [[#3800](#3800)] - chore(deps): update docs npm deps non-major [[#3798](#3798)] - Add "Docker Tags" Plugin [[#3796](#3796)] - chore(deps): update dependency marked to v13 [[#3792](#3792)] - chore: fix some comments [[#3788](#3788)] ### Misc - chore(deps): update web npm deps non-major [[#3930](#3930)] - chore(deps): update dependency vitest to v2 [[#3905](#3905)] - fix(deps): update module github.com/google/go-github/v62 to v63 [[#3910](#3910)] - chore(deps): update docker.io/woodpeckerci/plugin-docker-buildx docker tag to v4.1.0 [[#3908](#3908)] - Update plugin-git and add renovate trigger [[#3901](#3901)] - chore(deps): update docker.io/mstruebing/editorconfig-checker docker tag to v3.0.3 [[#3903](#3903)] - fix(deps): update golang-packages [[#3875](#3875)] - chore(deps): lock file maintenance [[#3876](#3876)] - [pre-commit.ci] pre-commit autoupdate [[#3862](#3862)] - Add dummy backend [[#3820](#3820)] - chore(deps): update dependency replace-in-file to v8 [[#3852](#3852)] - Update forgejo sdk [[#3840](#3840)] - chore(deps): lock file maintenance [[#3838](#3838)] - Allow to set dist dir using env var [[#3814](#3814)] - chore(deps): lock file maintenance [[#3805](#3805)] - chore(deps): update docker.io/lycheeverse/lychee docker tag to v0.15.1 [[#3797](#3797)]
6543
added a commit
that referenced
this pull request
Jul 18, 2024
|
FWIW, this broke my pipeline, do you have suggestions on how to migrate this to a working configuration? merge-docker-image-arm:
depends_on: [build-docker-image-arm]
when:
- evaluate: 'platform == "linux/aarch64" && UBUNTU_IMAGE == "ubuntu:22.04" && CI_PIPELINE_EVENT == "tag"'
image: plugins/manifest
failure: ignore
environment: &docker_manifest_env
# Legacy env var to prevent the plugin from throwing an error
# when converting an empty string to a number
PULLREQUEST_DRONE_PULL_REQUEST: 0
settings: &docker_manifest_settings_tag
<<: *docker_credentials
target: "something"
template: "something:${CI_COMMIT_TAG}-ARCH"
tags:
- latest
- ${CI_COMMIT_TAG}
platforms:
- linux/amd64
- linux/arm64 |
|
uh that should land in our compatibitity layer instead! I'll send a pull and you can use that and drop your workaround @wez for now make your repo gated if it do face public contributions |
If you encounter an similar issue, or something related, please open a new issue and only link this pull :)locking now |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
also split the different step types in our json schema to lint accordingly