Closed bjodah closed 1 month ago
This is not directly related to the CLI, but to some dependency.
Is it possible for you to use a custom binary so we can find out which func returns this error?
Yes, I figured, I ran strings
on the binary and grepped for 'dbus-launch' and that confirmed its presence in the binary. Yes, I can run a custom binary for troubleshooting.
The cli tries to use the keychain in case you do not provide a token via --token
or WOODPECKER_TOKEN
Why don't we allow to include the token in the config json?
Using a keychain seems a common pattern to securely store tokens instead of having them in the plain config file. We could have a look at improving the error message a bit.
Yes, and supporting it is a good idea, but we could use a fallback to the plain json file with a warning.
I'm against an insecure fallback to the config file. If users really want to bypass the keyring they can just pass the token as env var or cli flag.
The cli tries to use the keychain in case you do not provide a token via --token or WOODPECKER_TOKEN
I'm against an insecure fallback to the config file. If users really want to bypass the keyring they can just pass the token as env var or cli flag.
No, that doesn't even work anymore with more recent woodpecker releases. It seems this change (part of 2.5.0 release) broke the command line logic, now requiring a json config file being present, regardless if valid command line arguments ("--server", "--token") or ENV vars have been passed to the app.
Hence I'm using an older alpine image v2.4.1 which just works fine and suits my needs (being truly CLI and no host contamination).
I'm using the ENV var way of config. The token is injected via docker secret since I don't want to expose plain text secrets in docker files. I override the docker entry point with custom script code to inject WOODPECKER_TOKEN via env var sourcing.
Generally, requiring the user to use keyring app makes the tool unsuitable for any truly headless/cli/scripted/automated operation. Even if user interaction is only required once in the "setup" phase (until the token is renewed). My own (not so exotic) use case is having everything running automated/scripted in containers (woodpecker server, agent, cli). No host contamination.
Regards
Generally, requiring the user to use keyring app makes the tool unsuitable for any truly headless/cli/scripted/automated operation.
Fully agree on that. There should be a way to bypass it (env var or flag) and we need to fix it if thats broken now.
@rmi1974 experience matches my own: I first tried using the tool without any json-config file, but I couldn't get it to work, so I resorted to trying to use the config. I'm also trying to use this in a "headless"-setting (a docker-compose file).
FWIW, I found that going back to 2.3.0's CLI is usable. v2.4.1 mentioned in the comment above has the same issue with the unavoidable keychain call.
$ docker run --rm -it woodpeckerci/woodpecker-cli:v2.3.0-alpine --server $WOODPECKER_SERVER --token $WOODPECKER_TOKEN user ls
Component
cli
Describe the bug
this is from running on a alpine 3.19.1 machine.
Steps to reproduce
Expected behavior
Not relying on dbus-launch? It feels like a heavy dependency for a cli utility, no?
System Info
Additional context
I did search org:woodpecker-ci on github for any dbus-launch reference, and found none, so I guess this is pulled in by some dependency?
Validations
next
version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]