qwerty287
commented
1 month ago This is not directly related to the CLI, but to some dependency.
Is it possible for you to use a custom binary so we can find out which func returns this error?
Closed bjodah closed 1 month ago
qwerty287
commented
1 month ago This is not directly related to the CLI, but to some dependency.
Is it possible for you to use a custom binary so we can find out which func returns this error?
bjodah
commented
1 month ago Yes, I figured, I ran strings on the binary and grepped for 'dbus-launch' and that confirmed its presence in the binary. Yes, I can run a custom binary for troubleshooting.
anbraten
commented
1 month ago The cli tries to use the keychain in case you do not provide a token via --token or WOODPECKER_TOKEN
qwerty287
commented
1 month ago Why don't we allow to include the token in the config json?
anbraten
commented
1 month ago Using a keychain seems a common pattern to securely store tokens instead of having them in the plain config file. We could have a look at improving the error message a bit.
qwerty287
commented
1 month ago Yes, and supporting it is a good idea, but we could use a fallback to the plain json file with a warning.
xoxys
commented
1 month ago I'm against an insecure fallback to the config file. If users really want to bypass the keyring they can just pass the token as env var or cli flag.
rmi1974
commented
1 month ago The cli tries to use the keychain in case you do not provide a token via --token or WOODPECKER_TOKEN
I'm against an insecure fallback to the config file. If users really want to bypass the keyring they can just pass the token as env var or cli flag.
No, that doesn't even work anymore with more recent woodpecker releases. It seems this change (part of 2.5.0 release) broke the command line logic, now requiring a json config file being present, regardless if valid command line arguments ("--server", "--token") or ENV vars have been passed to the app.
Hence I'm using an older alpine image v2.4.1 which just works fine and suits my needs (being truly CLI and no host contamination).
I'm using the ENV var way of config. The token is injected via docker secret since I don't want to expose plain text secrets in docker files. I override the docker entry point with custom script code to inject WOODPECKER_TOKEN via env var sourcing.
Generally, requiring the user to use keyring app makes the tool unsuitable for any truly headless/cli/scripted/automated operation. Even if user interaction is only required once in the "setup" phase (until the token is renewed). My own (not so exotic) use case is having everything running automated/scripted in containers (woodpecker server, agent, cli). No host contamination.
Regards
xoxys
commented
1 month ago Generally, requiring the user to use keyring app makes the tool unsuitable for any truly headless/cli/scripted/automated operation.
Fully agree on that. There should be a way to bypass it (env var or flag) and we need to fix it if thats broken now.
bjodah
commented
1 month ago @rmi1974 experience matches my own: I first tried using the tool without any json-config file, but I couldn't get it to work, so I resorted to trying to use the config. I'm also trying to use this in a "headless"-setting (a docker-compose file).
wez
commented
1 month ago FWIW, I found that going back to 2.3.0's CLI is usable. v2.4.1 mentioned in the comment above has the same issue with the unavoidable keychain call.
$ docker run --rm -it woodpeckerci/woodpecker-cli:v2.3.0-alpine --server $WOODPECKER_SERVER --token $WOODPECKER_TOKEN user ls
Component
cli
Describe the bug
this is from running on a alpine 3.19.1 machine.
Steps to reproduce
Expected behavior
Not relying on dbus-launch? It feels like a heavy dependency for a cli utility, no?
System Info
Additional context
I did search org:woodpecker-ci on github for any dbus-launch reference, and found none, so I guess this is pulled in by some dependency?
Validations
nextversion already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]