Adding (third-party) plugins to the index

[anbraten]

For the beginning there will be only "official" plugins on the index / list under https://woodpecker-ci.org/plugins. The question that came up in #451 is how third-party plugins should be added and how they need to be managed to provide some kind of liability.

[anbraten]

Suggestion: The two orgs approach

• org:woodpecker-ci holds all "official plugins" - they could get a verified badge in the index
• org:woodpecker-plugins holds all other third-party / not so official plugins and we could put a warning / hint to the index saying that the user of such a plugin has to make sure that he can / will trust the author

I still like the approach of having users to apply to list their plugin as that allows us to remove them in case someone reports them or if they are just outdated / not working for a long time. Having listed third-party plugins in one org (woodpecker-plugins) keeps the community closer together IMO and allows us a bit of control while we still could grant the users full-access to their repos.

[jolheiser]

For reference, this is how drone seems to populate their index. https://github.com/drone/drone-plugin-index

For the record, I don't love it.

---

I would like to have something in between their approach and the suggestion above. I think it may be hard to get people to "give" their repo to the plugin org. Many devs (I think) are going to be hesitant to hand power of the repo over to us, even if we give them write access to it.

I think instead we should let them keep their repo in their own namespace, but still have a process where they need to PR a request to add it to the index that we would need to approve.

Perhaps an annual/quarterly/etc review of the index as well.

---

Also as part of this, we should promote a specific topic and then offer a link to a GH search of that topic. That way users can easily look across GH (or other forges 😉 ) for plugins.

This would essentially end up being three "levels"

1. Plugins in our organization, maintained by us
2. Plugins that are PRed into the index, somewhat "vetted" by us
3. The topic search, which is "unofficial" plugins, but allows the user to judge for themselves

[anbraten]

For reference, this is how drone seems to populate their index. https://github.com/drone/drone-plugin-index

What I like about our current approach by #451 over the way of the drone-plugin-index is the automatic docs gathering. That reduces active maintenance by the Woodpecker maintainers drastically and allow the plugin owners to get updates live much quicker.

Also as part of this, we should promote a specific topic and then offer a link to a GH search of that topic. That way users can < > easily look across GH (or other forges wink ) for plugins.

We already started something similar in #320

This would essentially end up being three "levels"

1. Plugins in our organization, maintained by us
2. Plugins that are PRed into the index, somewhat "vetted" by us
3. The topic search, which is "unofficial" plugins, but allows the user to judge for themselves

Nice idea. We could add a note to the plugin index describing how to apply for the index (hosted under woodpecker-plugins org) or that not-listed plugins can be found under the topic xyz with a link.

[jolheiser]

What I like about our current approach by #451 over the way of the drone-plugin-index is the automatic docs gathering. That reduces active maintenance by the Woodpecker maintainers drastically and allow the plugin owners to get updates live much quicker.

I agree with this, it would be much nicer to allow a bit more autonomous function by plugin maintainers (even within our own org).

We should cache the info so as to not hit the GH API every time a page is loaded, but I think it's easily doable and much easier to maintain than their hard-coded index.

[jolheiser]

Also to clarify

Plugins that are PRed into the index, somewhat "vetted" by us

What I meant by this wasn't to make people give up their repo to our plugin org. I meant something more akin to an "awesome list" where people need to PR their project into a list that we could then use to grab info from the GH API.

I still think that asking people to give over their repo (regardless of us promising to give them write access) isn't ideal.
I think there's middleground, rather than making them PR their docs we could just have them PR their namespace/repo and we could gather their docs/topics using the API.
This still allows us some gateway control, but doesn't force them to give away their repo. If we need to remove them from the "vetted" list, we simply remove them from our list.

[anbraten]

So there will be 3 levels:

• official plugins as they are needed or really important to woodpecker like the git or (escalated) docker plugin
• plugins listed in the index with documentation
• plugins not listed in the index or totally unknown to the woodpecker team / community

Suggestion

• The first ones are already covered by #451
• For the second part we could add an issue template and add users who wants their plugin to be on the index to open an issue to get an repo under woodpecker-plugins. The repo would need to at least have a docs.yml, but could also contain the whole plugin source.
• For the last part we can add a link to this topic to the index and name it Explore more community plugins ...

Example for community plugin index: https://github.com/flathub/flathub/wiki/App-Submission