woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0

Pass Netrc to normal steps with clone image #1975

Closed anbraten closed 1 year ago

anbraten commented 1 year ago

Instead of having a separate clone steps list, we could simply pass netrc to normal steps with a trusted clone image. This way a user could re-use the clone / git image in the middle of his pipeline, and we could consider dropping the extra clone section, just leaving the skip_clone keyword.

https://github.com/woodpecker-ci/woodpecker/blob/f2c33a0d89bbfb211b49277a9b4a7bc9ce90291e/pipeline/frontend/yaml/compiler/compiler.go#L162

- clone:
-    image: woodpeckerci/plugin-git:2.0.3
steps:
  debug:
    image: busybox
    commands:
      - echo something important
+  clone:
+    image: woodpeckerci/plugin-git:2.0.3
  build:
    # ...
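
Review bot: In the added `clone:` entry under `steps:`, only the `image:` value distinguishes a step that would receive netrc from an ordinary step such as `debug` above it. The proposal should state the full eligibility condition next to this example (for instance, trusted image and no `commands:`) and say how a step with this image plus its own `commands:` is treated.
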
6543 commented 1 year ago

This will break the auto detection if a default clone should be added, and I'm not aware of a better implementation option.

anbraten commented 1 year ago

Couldn't we always add a clone step and if a user wants to customize it he has to set skip_clone: true?

6543 commented 1 year ago

Well, that would work ... I'm personally in favour of keeping it separated; I don't see any upside in merging it. I would rather make an option to explicitly insert netrc and make it like a secret.

6543 commented 1 year ago

I really won't want to see people just letting their netrc be injected into anything ...

They are mostly aware, if they create a token, what the impact is if it gets stolen.

But tell me how many people know how netrc works and what an attacker can do with it if it gets extracted?

anbraten commented 1 year ago

My suggestion is to just inject it into the clone plugin (so a step with the image=clone and no commands) not into normal steps.
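
The rule stated in the comment above (netrc only for a step that uses the trusted clone image and has no commands), sketched in Go as an added example. It is not part of the thread and not Woodpecker's own code; `Step`, `imageRepo`, `shouldInjectNetrc` and the allow-list are hypothetical names, and the pipeline in `main` is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Step is a hypothetical, simplified pipeline step (not Woodpecker's own type).
type Step struct {
	Name, Image string
	Commands    []string
}

// Assumed allow-list; exact match, so unknown registries or suffixes are rejected.
var trustedCloneImages = []string{"woodpeckerci/plugin-git"}

// imageRepo strips a digest and a tag but keeps a registry port (host:5000/img).
func imageRepo(image string) string {
	if i := strings.Index(image, "@"); i >= 0 {
		image = image[:i]
	}
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		image = image[:i]
	}
	return image
}

// shouldInjectNetrc allows netrc only for a trusted clone image with no commands.
func shouldInjectNetrc(s Step) bool {
	if len(s.Commands) > 0 {
		return false
	}
	repo := imageRepo(s.Image)
	for _, t := range trustedCloneImages {
		if repo == t {
			return true
		}
	}
	return false
}

func main() {
	for _, s := range []Step{ // constructed sample pipeline
		{"debug", "busybox", []string{"echo something important"}},
		{"clone", "woodpeckerci/plugin-git:2.0.3", nil},
		{"custom", "woodpeckerci/plugin-git:2.0.3", []string{"echo hi"}},
	} {
		fmt.Printf("%-8s netrc=%v\n", s.Name, shouldInjectNetrc(s))
	}
}
```

Comparing the repository part exactly, rather than by prefix or substring, is what keeps a similarly named image or one from another registry from qualifying.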

6543 commented 1 year ago

Also, clone would not run before services anymore ... so if services do depend on it ... they will fail and would have to add their own clone.

anbraten commented 1 year ago

No, the normal clone would normally still be there. It's just about passing the Netrc to the clone plugin in the step list. This way I can clone other branches and tags later again. I might just open the PR to make it clear to you.

6543 commented 1 year ago

☝️ ok :)

lonix1 commented 1 year ago

My use case, originally asked on discord:

Is it possible to move the clone step into the pipeline itself? I tried various ways and syntax, e.g.

#clone      # <-----
steps:
  clone:    # <-----
    git:
      image: woodpeckerci/plugin-git:2.0.3
  build:
    # ...

Someone will ask "why?"... Because 1) it's more understandable, and 2) more importantly, so I can include a "debug" step as the first in the pipeline:

steps:
  debug:                                      # <-----
    image: busybox
    commands:
      - echo '$${CI_REPO_OWNER} = '"${CI_REPO_OWNER}"
      - echo something important
      - echo something else
      - echo something else
      - echo etc...
  clone:
    git:
      image: woodpeckerci/plugin-git:2.0.3
  build:
    # ...