woodpecker-ci · jenrik · Jan 24, 2025 · Jan 28, 2025 · Jan 28, 2025 · Jan 28, 2025
diff --git a/cmd/agent/core/agent.go b/cmd/agent/core/agent.go
@@ -40,6 +40,7 @@ import (
 
 	"go.woodpecker-ci.org/woodpecker/v3/agent"
 	agent_rpc "go.woodpecker-ci.org/woodpecker/v3/agent/rpc"
+	"go.woodpecker-ci.org/woodpecker/v3/pipeline"
 	"go.woodpecker-ci.org/woodpecker/v3/pipeline/backend"
 	"go.woodpecker-ci.org/woodpecker/v3/pipeline/backend/types"
 	"go.woodpecker-ci.org/woodpecker/v3/pipeline/rpc"
@@ -251,6 +252,9 @@ func run(ctx context.Context, c *cli.Command, backends []types.Backend) error {
 		"backend":  backendEngine.Name(),
 		"repo":     "*", // allow all repos by default
 	}
+	for _, label := range pipeline.InternalLabels {
+		labels[label] = "*"
+	}
 	// ... and let it overwrite by custom ones
 	maps.Copy(labels, customLabels)
 

diff --git a/cmd/agent/core/agent_test.go b/cmd/agent/core/agent_test.go
@@ -56,8 +56,8 @@ func TestStringSliceAddToMap(t *testing.T) {
 			name:     "empty string in slice",
 			sl:       []string{"foo=bar", "", "baz=qux"},
 			m:        make(map[string]string),
-			expected: map[string]string{},
-			err:      true,
+			expected: map[string]string{"foo": "bar", "baz": "qux"},
+			err:      false,
 		},
 	}
 

diff --git a/docs/src/pages/migrations.md b/docs/src/pages/migrations.md
@@ -4,7 +4,7 @@ To enhance the usability of Woodpecker and meet evolving security standards, occ
 
 ## `next`
 
-- No changes
+- (Kubernetes) Deprecated `step` label on pod in favor of new namespaced label `woodpecker-ci.org/step`. The `step` label will be removed in a future update.
 
 ## 3.0.0
 

diff --git a/pipeline/backend/kubernetes/pod.go b/pipeline/backend/kubernetes/pod.go
@@ -17,6 +17,7 @@ package kubernetes
 import (
 	"context"
 	"fmt"
+	"go.woodpecker-ci.org/woodpecker/v3/pipeline"
 	"maps"
 	"strings"
 
@@ -31,9 +32,12 @@ import (
 )
 
 const (
-	StepLabel            = "step"
-	podPrefix            = "wp-"
-	defaultFSGroup int64 = 1000
+	// StepLabelLegacy is the legacy label name from before the introduction of the woodpecker-ci.org namespace.
+	// This will be removed in the future.
+	StepLabelLegacy       = "step"
+	StepLabel             = "woodpecker-ci.org/step"
+	podPrefix             = "wp-"
+	defaultFSGroup  int64 = 1000
 )
 
 func mkPod(step *types.Step, config *config, podName, goos string, options BackendOptions) (*v1.Pod, error) {
@@ -100,21 +104,35 @@ func podLabels(step *types.Step, config *config, options BackendOptions) (map[st
 	var err error
 	labels := make(map[string]string)
 
+	for k, v := range step.WorkflowLabels {
+		// Only copy user labels if allowed by agent config.
+		// Internal labels are filtered on the server-side.
+		if config.PodLabelsAllowFromStep || strings.HasPrefix(k, pipeline.InternalLabelPrefix) {
+			labels[k] = v
+		}
+	}
+
 	if len(options.Labels) > 0 {
 		if config.PodLabelsAllowFromStep {
 			log.Trace().Msgf("using labels from the backend options: %v", options.Labels)
+			// TODO should we filter out label with internal prefix?
 			maps.Copy(labels, options.Labels)
 		} else {
 			log.Debug().Msg("Pod labels were defined in backend options, but its using disallowed by instance configuration")
 		}
 	}
 	if len(config.PodLabels) > 0 {
 		log.Trace().Msgf("using labels from the configuration: %v", config.PodLabels)
+		// TODO should we filter out label with internal prefix?
 		maps.Copy(labels, config.PodLabels)
 	}
 	if step.Type == types.StepTypeService {
 		labels[ServiceLabel], _ = serviceName(step)
 	}
+	labels[StepLabelLegacy], err = stepLabel(step)
+	if err != nil {
+		return labels, err
+	}
 	labels[StepLabel], err = stepLabel(step)
 	if err != nil {
 		return labels, err

diff --git a/pipeline/backend/kubernetes/pod_test.go b/pipeline/backend/kubernetes/pod_test.go
@@ -72,7 +72,8 @@ func TestTinyPod(t *testing.T) {
 			"namespace": "woodpecker",
 			"creationTimestamp": null,
 			"labels": {
-				"step": "build-via-gradle"
+				"step": "build-via-gradle",
+				"woodpecker-ci.org/step": "build-via-gradle"
 			}
 		},
 		"spec": {
@@ -153,7 +154,8 @@ func TestFullPod(t *testing.T) {
 			"labels": {
 				"app": "test",
 				"part-of": "woodpecker-ci",
-				"step": "go-test"
+				"step": "go-test",
+				"woodpecker-ci.org/step": "go-test"
 			},
 			"annotations": {
 				"apps.kubernetes.io/pod-index": "0",
@@ -447,7 +449,8 @@ func TestScratchPod(t *testing.T) {
 			"namespace": "woodpecker",
 			"creationTimestamp": null,
 			"labels": {
-				"step": "curl-google"
+				"step": "curl-google",
+				"woodpecker-ci.org/step": "curl-google"
 			}
 		},
 		"spec": {
@@ -492,7 +495,8 @@ func TestSecrets(t *testing.T) {
 			"namespace": "woodpecker",
 			"creationTimestamp": null,
 			"labels": {
-				"step": "test-secrets"
+				"step": "test-secrets",
+				"woodpecker-ci.org/step": "test-secrets"
 			}
 		},
 		"spec": {

diff --git a/pipeline/backend/kubernetes/secrets.go b/pipeline/backend/kubernetes/secrets.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"go.woodpecker-ci.org/woodpecker/v3/pipeline"
 	"strings"
 
 	"github.com/distribution/reference"
@@ -210,7 +211,7 @@ func mkRegistrySecret(step *types.Step, config *config) (*v1.Secret, error) {
 		return nil, err
 	}
 
-	labels, err := registrySecretLabels(step)
+	labels, err := registrySecretLabels(step, config)
 	if err != nil {
 		return nil, err
 	}
@@ -251,13 +252,25 @@ func registrySecretName(step *types.Step) (string, error) {
 	return podName(step)
 }
 
-func registrySecretLabels(step *types.Step) (map[string]string, error) {
+func registrySecretLabels(step *types.Step, config *config) (map[string]string, error) {
 	var err error
 	labels := make(map[string]string)
 
+	for k, v := range step.WorkflowLabels {
+		// Only copy user labels if allowed by agent config.
+		// Internal labels are filtered on the server-side.
+		if config.PodLabelsAllowFromStep || strings.HasPrefix(k, pipeline.InternalLabelPrefix) {
+			labels[k] = v
+		}
+	}
+
 	if step.Type == types.StepTypeService {
 		labels[ServiceLabel], _ = serviceName(step)
 	}
+	labels[StepLabelLegacy], err = stepLabel(step)
+	if err != nil {
+		return labels, err
+	}
 	labels[StepLabel], err = stepLabel(step)
 	if err != nil {
 		return labels, err

diff --git a/pipeline/backend/kubernetes/secrets_test.go b/pipeline/backend/kubernetes/secrets_test.go
@@ -212,7 +212,8 @@ func TestRegistrySecret(t *testing.T) {
 			"namespace": "woodpecker",
 			"creationTimestamp": null,
 			"labels": {
-				"step": "go-test"
+				"step": "go-test",
+				"woodpecker-ci.org/step": "go-test"
 			}
 		},
 		"type": "kubernetes.io/dockerconfigjson",

diff --git a/pipeline/backend/types/step.go b/pipeline/backend/types/step.go
@@ -42,6 +42,7 @@ type Step struct {
 	NetworkMode    string            `json:"network_mode,omitempty"`
 	Ports          []Port            `json:"ports,omitempty"`
 	BackendOptions map[string]any    `json:"backend_options,omitempty"`
+	WorkflowLabels map[string]string `json:"workflow_labels,omitempty"`
 }
 
 // StepType identifies the type of step.

diff --git a/pipeline/const.go b/pipeline/const.go
@@ -20,4 +20,14 @@ const (
 	// Store no more than 1mb in a log-line as 4mb is the limit of a grpc message
 	// and log-lines needs to be parsed by the browsers later on.
 	MaxLogLineLength int = 1 * 1024 * 1024 // 1mb
+
+	InternalLabelPrefix string = "woodpecker-ci.org"
+	LabelForgeRemoteID  string = InternalLabelPrefix + "/forge-id"
+	LabelRepoForgeID    string = InternalLabelPrefix + "/repo-forge-id"
+	LabelRepoID         string = InternalLabelPrefix + "/repo-id"
+	LabelRepoName       string = InternalLabelPrefix + "/repo-name"
+	LabelBranch         string = InternalLabelPrefix + "/branch"
+	LabelOrgID          string = InternalLabelPrefix + "/org-id"
 )
+
+var InternalLabels = []string{LabelForgeRemoteID, LabelRepoForgeID, LabelRepoID, LabelRepoName, LabelBranch, LabelOrgID}
diff --git a/pipeline/frontend/yaml/compiler/compiler.go b/pipeline/frontend/yaml/compiler/compiler.go
@@ -170,7 +170,7 @@ func (c *Compiler) Compile(conf *yaml_types.Workflow) (*backend_types.Config, er
 		for k, v := range c.cloneEnv {
 			container.Environment[k] = v
 		}
-		step, err := c.createProcess(container, backend_types.StepTypeClone)
+		step, err := c.createProcess(container, conf, backend_types.StepTypeClone)
 		if err != nil {
 			return nil, err
 		}
@@ -189,7 +189,7 @@ func (c *Compiler) Compile(conf *yaml_types.Workflow) (*backend_types.Config, er
 
 			stage := new(backend_types.Stage)
 
-			step, err := c.createProcess(container, backend_types.StepTypeClone)
+			step, err := c.createProcess(container, conf, backend_types.StepTypeClone)
 			if err != nil {
 				return nil, err
 			}
@@ -218,7 +218,7 @@ func (c *Compiler) Compile(conf *yaml_types.Workflow) (*backend_types.Config, er
 				return nil, err
 			}
 
-			step, err := c.createProcess(container, backend_types.StepTypeService)
+			step, err := c.createProcess(container, conf, backend_types.StepTypeService)
 			if err != nil {
 				return nil, err
 			}
@@ -246,7 +246,7 @@ func (c *Compiler) Compile(conf *yaml_types.Workflow) (*backend_types.Config, er
 		if container.IsPlugin() {
 			stepType = backend_types.StepTypePlugin
 		}
-		step, err := c.createProcess(container, stepType)
+		step, err := c.createProcess(container, conf, stepType)
 		if err != nil {
 			return nil, err
 		}

diff --git a/pipeline/frontend/yaml/compiler/convert.go b/pipeline/frontend/yaml/compiler/convert.go
@@ -37,7 +37,7 @@ const (
 	DefaultWorkspaceBase = pluginWorkspaceBase
 )
 
-func (c *Compiler) createProcess(container *yaml_types.Container, stepType backend_types.StepType) (*backend_types.Step, error) {
+func (c *Compiler) createProcess(container *yaml_types.Container, workflow *yaml_types.Workflow, stepType backend_types.StepType) (*backend_types.Step, error) {
 	var (
 		uuid = ulid.Make()
 
@@ -181,6 +181,7 @@ func (c *Compiler) createProcess(container *yaml_types.Container, stepType backe
 		NetworkMode:    networkMode,
 		Ports:          ports,
 		BackendOptions: container.BackendOptions,
+		WorkflowLabels: workflow.Labels,
 	}, nil
 }
 

diff --git a/server/pipeline/stepbuilder/stepBuilder.go b/server/pipeline/stepbuilder/stepBuilder.go
@@ -17,8 +17,10 @@ package stepbuilder
 
 import (
 	"fmt"
+	"go.woodpecker-ci.org/woodpecker/v3/pipeline"
 	"maps"
 	"path/filepath"
+	"strconv"
 	"strings"
 
 	"github.com/oklog/ulid/v2"
@@ -194,6 +196,27 @@ func (b *StepBuilder) genItemForWorkflow(workflow *model.Workflow, axis matrix.A
 		maps.Copy(item.Labels, b.DefaultLabels)
 	}
 
+	// "woodpecker-ci.org" namespace is reserved for internal use
+	for key := range item.Labels {
+		if strings.HasPrefix(key, pipeline.InternalLabelPrefix) {
+			log.Debug().Str("forge", b.Forge.Name()).Str("repo", b.Repo.FullName).Str("label", key).Msg("dropped pipeline label with reserved prefix woodpecker-ci.org")
+			delete(item.Labels, key)
+		}
+	}
+
+	item.Labels[pipeline.LabelForgeRemoteID] = b.Forge.Name()
+	item.Labels[pipeline.LabelRepoForgeID] = string(b.Repo.ForgeRemoteID)
+	item.Labels[pipeline.LabelRepoID] = strconv.FormatInt(b.Repo.ID, 10)
+	item.Labels[pipeline.LabelRepoName] = b.Repo.Name
+	item.Labels[pipeline.LabelBranch] = b.Repo.Branch
+	item.Labels[pipeline.LabelOrgID] = strconv.FormatInt(b.Repo.OrgID, 10)
+
+	for stageI := range item.Config.Stages {
+		for stepI := range item.Config.Stages[stageI].Steps {
+			item.Config.Stages[stageI].Steps[stepI].WorkflowLabels = item.Labels
+		}
+	}
+
 	return item, errorsAndWarnings
 }