woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

Git clone fails due to trusted protection for netrc #1837

Closed s00500 closed 1 year ago

s00500 commented 1 year ago

Component

server, agent

Describe the bug

Seems like the normal clone step fails on next-101e684059 when the repo is not trusted, due to the "Only inject netrc credentials into trusted containers" option that is now set by default.

Is that a bug or am I doing something wrong?

System Info

next-101e684059

Additional context

My clone config:

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      tags: true
    when:
      event: tag


lafriks commented 1 year ago

it should work if you have woodpeckerci/plugin-git set as trusted images and you are not using commands:

6543 commented 1 year ago

Well, there is an edge case: if you set your Gitea to always require login, you have to set WOODPECKER_AUTHENTICATE_PUBLIC_REPOS=true for the server.

s00500 commented 1 year ago

Oh alright, can you point me to how I set up trusted images?

zc-devs commented 1 year ago

I faced this issue long before 101e684059 with the config below:

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      partial: false
      depth: 2

I just disabled "Only inject netrc credentials into trusted containers". And as I remember, without custom settings it worked as expected.

can you point me to how I set up trusted images?

Me too.

lafriks commented 1 year ago

If you have not set it yourself, this one should be trusted by default.

zc-devs commented 1 year ago

Didn't do anything special...

Woodpecker next-556607b525, Kubernetes backend, private repo in Gitea.

Only inject netrc credentials into trusted containers = On

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      partial: false
      depth: 2

+ git init -b main
Initialized empty Git repository in /woodpecker/src/gitea.example.com/user/repo/.git/
+ git remote add origin https://gitea.example.com/user/repo.git
+ git fetch --no-tags --depth=2 origin +main:
fatal: could not read Username for 'https://gitea.example.com': No such device or address
exit status 128

wp-agent-log.txt

My bad, without settings it doesn't work either: Only inject netrc credentials into trusted containers = On

clone:
  git:
    image: woodpeckerci/plugin-git

+ git init -b main
Initialized empty Git repository in /woodpecker/src/gitea.example.com/user/repo/.git/
+ git remote add origin https://gitea.example.com/user/repo.git
+ git fetch --no-tags --depth=2 origin +main:
fatal: could not read Username for 'https://gitea.example.com': No such device or address
exit status 128

Without special clone directives (using the default clone step) it works: Only inject netrc credentials into trusted containers = On

+ git init -b main
Initialized empty Git repository in /woodpecker/src/gitea.example.com/user/repo/.git/
+ git remote add origin https://gitea.example.com/user/repo.git
+ git fetch --no-tags --depth=1 --filter=tree:0 origin +refs/heads/main:
From https://gitea.example.com/user/repo
 * branch            main       -> FETCH_HEAD
 * [new branch]      main       -> origin/main
+ git reset --hard -q 9cf746c3bf1af06f537ea80c920c700cd8d48dc1
+ git submodule update --init --recursive
+ git lfs fetch
fetch: Fetching reference refs/heads/main
+ git lfs checkout

With disabled flag: Only inject netrc credentials into trusted containers = Off

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      partial: false
      depth: 2

+ git init -b main
Initialized empty Git repository in /woodpecker/src/gitea.example.com/user/repo/.git/
+ git remote add origin https://gitea.example.com/user/repo.git
+ git fetch --no-tags --depth=2 origin +main:
From https://gitea.example.com/user/repo
 * branch            main       -> FETCH_HEAD
 * [new branch]      main       -> origin/main
+ git reset --hard -q b17d1a229b712f8ca0d9740eba730ed83e332d88
+ git submodule update --init --recursive
+ git lfs fetch
fetch: Fetching reference refs/heads/main
+ git lfs checkout

pat-s commented 1 year ago

I am seeing a similar issue in one of our pipelines atm which could be related but could also be a different one:

When having a second .yaml file which has a depends_on on a previous one, the clone step fails with "fatal: could not read Username for". Yet when running the identical pipeline directly, without the depends_on and without changing anything else, the clone step succeeds.

Only inject netrc credentials into trusted containers is OFF for the repo.

next-7e708874

6543 commented 1 year ago

https://github.com/woodpecker-ci/woodpecker/blob/b616a822a068ef81aa47c6d1857524388ab23f6a/pipeline/frontend/yaml/compiler/compiler.go#L193-L198

I can't find an issue by digging through the code :/

anbraten commented 1 year ago

I guess this part is a bit too strict. Currently you would need to use docker.io/woodpeckerci/plugin-git:2.0.3 as the image name.

func (c *Container) IsTrustedCloneImage() bool {
	return c.IsPlugin() && slices.Contains(constant.TrustedCloneImages, c.Image)
}

We could use some kind of normalize function for c.Image to be more flexible doing things like:

And maybe ignore tags in general.

cc @6543
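As an added example (not Woodpecker's code), this is one way the normalize-and-compare check described above could look: the image reference is expanded to a canonical registry/path form and stripped of its tag or digest before it is compared against the trusted list, so that a different registry or repository never matches. The `trustedCloneImages` list and the `isPlugin` parameter are assumptions standing in for `constant.TrustedCloneImages` and `c.IsPlugin()`.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in for constant.TrustedCloneImages; the list is assumed here.
var trustedCloneImages = []string{"docker.io/woodpeckerci/plugin-git"}

// normalizeImage returns "registry/path" with tag and digest removed.
func normalizeImage(image string) string {
	if at := strings.Index(image, "@"); at >= 0 { // drop "@sha256:..." digest
		image = image[:at]
	}
	// A ':' after the last '/' is a tag; before it, it is a registry port.
	if colon := strings.LastIndex(image, ":"); colon > strings.LastIndex(image, "/") {
		image = image[:colon]
	}
	first, _, hasSlash := strings.Cut(image, "/")
	switch {
	case !hasSlash: // official Hub image such as "alpine"
		return "docker.io/library/" + image
	case strings.ContainsAny(first, ".:") || first == "localhost": // explicit registry
		return image
	default: // Hub user repository such as "woodpeckerci/plugin-git"
		return "docker.io/" + image
	}
}

// Like the compiler check quoted above, but on normalized names. isPlugin
// (c.IsPlugin()) must still hold: custom commands could read the netrc.
func isTrustedCloneImage(image string, isPlugin bool) bool {
	if !isPlugin {
		return false
	}
	want := normalizeImage(image)
	for _, trusted := range trustedCloneImages {
		if normalizeImage(trusted) == want {
			return true
		}
	}
	return false
}

func main() {
	for _, img := range []string{"woodpeckerci/plugin-git:2.0.3", "ghcr.io/woodpeckerci/plugin-git"} {
		fmt.Printf("%-34s trusted=%v\n", img, isTrustedCloneImage(img, true))
	}
}
```

Note that only the tag and digest are ignored; the registry host and the repository path still have to match exactly, so a look-alike image on another registry or under another namespace is not handed the netrc.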