Add external secret extension implementation #6252

Merged: 6543 merged 21 commits into woodpecker-ci:main from mofr93:feature/secret-extension on Mar 26, 2026

Conversation

@mofr93 mofr93 commented Mar 16, 2026

Contributor

Add external secret extension support

Adds support for fetching secrets from an external HTTP service, mirroring the existing config service extension pattern (WOODPECKER_CONFIG_EXTENSION_ENDPOINT).

New environment variables

  • WOODPECKER_SECRET_EXTENSION_ENDPOINT - URL of the external secret service
  • WOODPECKER_SECRET_EXTENSION_NETRC - Send netrc if needed

Per-repo override

Repos can set their own secret_extension_endpoint

How it works

The external service receives a signed POST request with {repo, pipeline, netrc} and returns []*model.Secret. Requests use the same ed25519-signed HTTP client and WOODPECKER_EXTENSIONS_ALLOWED_HOSTS allowlist as the config extension.

  • 200 OK — use returned secrets
  • 204 No Content — no external secrets (DB secrets still used if not exclusive)

When not exclusive, DB and external secrets are merged, with external secrets overriding DB secrets by name.

closes #929
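
The exchange described above, as an added example that is not part of this PR or of Woodpecker's own code: a Go client that POSTs the signed {repo, pipeline, netrc} request and applies the 200/204 contract, the name-based merge in which external secrets override DB secrets, and a toy extension service that verifies the signature before it parses the body. The signature scheme is a simplified stand-in (a base64 ed25519 signature over the raw body in an assumed X-Example-Ed25519-Signature header) rather than Woodpecker's HTTP-Signature client; the Secret and Request types, the field types, and the sample secrets are constructed for the example and are not model.Secret or the server's real payload.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Secret is an assumed stand-in for Woodpecker's model.Secret.
type Secret struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Request is the POSTed body; the PR names the keys {repo, pipeline, netrc}, the types here are assumed.
type Request struct {
	Repo     string `json:"repo"`
	Pipeline int64  `json:"pipeline"`
	Netrc    string `json:"netrc,omitempty"`
}

// sigHeader carries a base64 ed25519 signature over the raw body (simplified stand-in; Woodpecker uses HTTP Signatures).
const sigHeader = "X-Example-Ed25519-Signature"

// FetchExternal sends the signed request and applies the contract: 200 -> decoded secrets, 204 -> none, else error.
func FetchExternal(c *http.Client, url string, priv ed25519.PrivateKey, req Request) ([]Secret, error) {
	body, _ := json.Marshal(req)
	r, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	r.Header.Set(sigHeader, base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body)))
	resp, err := c.Do(r)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusNoContent:
		return nil, nil
	case http.StatusOK:
		var secrets []Secret
		err := json.NewDecoder(resp.Body).Decode(&secrets)
		return secrets, err
	default:
		return nil, fmt.Errorf("secret extension: unexpected status %d", resp.StatusCode)
	}
}

// Merge keeps DB secrets the extension does not override and appends the external ones, so on a name clash the external secret wins.
func Merge(db, external []Secret) []Secret {
	override := make(map[string]bool, len(external))
	for _, s := range external {
		override[s.Name] = true
	}
	out := make([]Secret, 0, len(db)+len(external))
	for _, s := range db {
		if !override[s.Name] {
			out = append(out, s)
		}
	}
	return append(out, external...)
}

// NewExtension is a toy extension service: 401 if the signature does not verify under pub, 204 if it has nothing for the repo, 200 otherwise.
func NewExtension(pub ed25519.PublicKey, store map[string][]Secret) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		sig, err := base64.StdEncoding.DecodeString(r.Header.Get(sigHeader))
		if err != nil || !ed25519.Verify(pub, body, sig) { // check the signature before parsing anything
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		var req Request
		if err := json.Unmarshal(body, &req); err != nil {
			http.Error(w, "invalid json", http.StatusBadRequest)
			return
		}
		if len(store[req.Repo]) == 0 {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		_ = json.NewEncoder(w).Encode(store[req.Repo])
	}))
}

// Constructed demo: the extension overrides DOCKER_PASSWORD and adds API_TOKEN; SLACK_HOOK stays from the DB.
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	srv := NewExtension(pub, map[string][]Secret{"acme/app": {{Name: "DOCKER_PASSWORD", Value: "from-extension"}, {Name: "API_TOKEN", Value: "ext-token"}}})
	db := []Secret{{Name: "DOCKER_PASSWORD", Value: "from-db"}, {Name: "SLACK_HOOK", Value: "db-hook"}}
	ext, err := FetchExternal(srv.Client(), srv.URL, priv, Request{Repo: "acme/app", Pipeline: 42})
	fmt.Println(Merge(db, ext), err)
}
```

The example does not model the WOODPECKER_EXTENSIONS_ALLOWED_HOSTS allowlist or TLS; a real extension obtains the server's public key out of band and should treat any request whose signature does not verify as untrusted input, which is why the toy service rejects it before decoding the JSON.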

woodpecker-bot commented Mar 16, 2026

Contributor

Surge PR preview deployment succeeded. View it at https://woodpecker-ci-woodpecker-pr-6252.surge.sh

6543 added the server and feature (add new functionality) labels Mar 16, 2026
@qwerty287

Contributor

Thanks! Please check out the tests and linters ;)

I also don't think we need the exclusive setting here. This is only required for the config because you can then move that fully to the extension. But as we always have the DB, it's fine to always query the secrets from there as well I think.

mofr93 commented Mar 19, 2026

Contributor Author

Okay, that sounds fine. I will update the PR. Thanks

6543 commented Mar 19, 2026

Member

also have a look at https://woodpecker-ci.org/docs/next/usage/extensions and add a documentation for it :)

location of this docs is at https://github.com/woodpecker-ci/woodpecker/tree/main/docs/docs/20-usage/72-extensions

Comment thread web/src/assets/locales/en.json Outdated
mofr93 commented Mar 20, 2026

Contributor Author

Hey guys, changes made to accommodate your requests. Also streamlined more with the registry extension, docs etc. :)

Comment thread server/services/secret/combined_test.go Outdated
Comment thread server/services/secret/http.go Outdated
Comment thread server/services/secret/http.go Outdated

@qwerty287 qwerty287 left a comment

Contributor

Thanks! Some more points, now with a more detailed look at the code.

Comment thread server/services/manager.go Outdated

@qwerty287 qwerty287 left a comment

Contributor

Sorry that I have more and more to add…

In the meantime I also updated the example extension to align with this: woodpecker-ci/example-extensions#97

Comment thread docs/docs/20-usage/72-extensions/55-secret-extension.md
Comment thread cmd/server/flags.go Outdated
Comment thread docs/docs/20-usage/72-extensions/55-secret-extension.md Outdated
@qwerty287

Contributor

Besides those two points it looks good for me now. Thanks again :)

Comment thread server/services/secret/combined_test.go Outdated

@qwerty287 qwerty287 left a comment

Contributor

Sorry again 🙈

I'm adapting your combined_test.go for the registry extension and found more.

(If you get tired of fixing this just say then I can do it as well…)

Comment thread server/services/secret/http.go Outdated
Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com>
Comment thread server/services/secret/combined_test.go Outdated
6543 commented Mar 26, 2026

Member

we had some renames to make the extension feature more clear, could you please resolve the conflict :)

codecov Bot commented Mar 26, 2026

Codecov Report

❌ Patch coverage is 47.42268% with 51 lines in your changes missing coverage. Please review.
✅ Project coverage is 33.85%. Comparing base (b9ba31e) to head (59224d4).

Files with missing lines Patch % Lines
server/services/secret/combined.go 45.00% 32 Missing and 1 partial ⚠️
server/api/repo.go 0.00% 6 Missing ⚠️
server/services/manager.go 0.00% 5 Missing ⚠️
server/services/setup.go 0.00% 4 Missing ⚠️
server/services/secret/http.go 85.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6252      +/-   ##
==========================================
+ Coverage   33.80%   33.85%   +0.04%     
==========================================
  Files         420      422       +2     
  Lines       28333    28425      +92     
==========================================
+ Hits         9578     9622      +44     
- Misses      17862    17908      +46     
- Partials      893      895       +2     

6543 merged commit def714c into woodpecker-ci:main Mar 26, 2026
9 checks passed
@woodpecker-bot woodpecker-bot mentioned this pull request Mar 26, 2026
1 task
6543 pushed a commit to woodpecker-ci/example-extensions that referenced this pull request Mar 31, 2026
@woodpecker-bot woodpecker-bot mentioned this pull request Apr 1, 2026
1 task
@woodpecker-bot woodpecker-bot mentioned this pull request Apr 15, 2026
1 task
@woodpecker-bot woodpecker-bot mentioned this pull request Apr 27, 2026
1 task
Labels

feature (add new functionality), server

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Hashicorp vault as secret storage integration

4 participants