Linter: respect tags for linting of global privileged plugins (woodpe…

…cker-ci#4083) https://ci.woodpecker-ci.org/repos/8981/pipeline/162/4 should have shown an lit error but it did not. this fix it a followup of woodpecker-ci#4053
6543-forks · Sep 4, 2024 · 6b746e3 · 6b746e3
1 parent 432f49c
commit 6b746e3
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/pipeline/frontend/yaml/linter/linter.go b/pipeline/frontend/yaml/linter/linter.go
@@ -24,6 +24,7 @@ import (
 	errorTypes "go.woodpecker-ci.org/woodpecker/v2/pipeline/errors/types"
 	"go.woodpecker-ci.org/woodpecker/v2/pipeline/frontend/yaml/linter/schema"
 	"go.woodpecker-ci.org/woodpecker/v2/pipeline/frontend/yaml/types"
+	"go.woodpecker-ci.org/woodpecker/v2/pipeline/frontend/yaml/utils"
 )
 
 // A Linter lints a pipeline configuration.
@@ -132,6 +133,22 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri
 	return nil
 }
 
+func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error {
+	// lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
+	if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") {
+		msg := fmt.Sprintf("Cannot use once by default privileged plugin '%s', if needed add it too WOODPECKER_PLUGINS_PRIVILEGED", c.Image)
+		// check first if user did not add them back
+		if l.privilegedPlugins != nil && !utils.MatchImageDynamic(c.Image, *l.privilegedPlugins...) {
+			return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)
+		} else if l.privilegedPlugins == nil {
+			// if linter has no info of current privileged plugins, it's just a warning
+			return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), true)
+		}
+	}
+
+	return nil
+}
+
 func (l *Linter) lintSettings(config *WorkflowConfig, c *types.Container, field string) error {
 	if len(c.Settings) == 0 {
 		return nil

diff --git a/pipeline/frontend/yaml/linter/linter_test.go b/pipeline/frontend/yaml/linter/linter_test.go
@@ -165,6 +165,18 @@ func TestLintErrors(t *testing.T) {
 			from: "steps: { build: { image: golang, settings: { test: 'true' }, environment: [ 'TEST=true' ] } }",
 			want: "Should not configure both environment and settings",
 		},
+		{
+			from: "{pipeline: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push } }",
+			want: "Additional property pipeline is not allowed",
+		},
+		{
+			from: "{steps: { build: { image: plugins/docker, settings: { test: 'true' } } }, when: { branch: main, event: push } } }",
+			want: "Cannot use once by default privileged plugin 'plugins/docker', if needed add it too WOODPECKER_PLUGINS_PRIVILEGED",
+		},
+		{
+			from: "{steps: { build: { image: golang, settings: { test: 'true' } } }, when: { branch: main, event: push }, clone: { git: { image: some-other/plugin-git:v1.1.0 } } }",
+			want: "Specified clone image does not match allow list, netrc will not be injected",
+		},
 	}
 
 	for _, test := range testdata {