From 6e113e79411fc71adf9e5ad43bcb9f34fc56be80 Mon Sep 17 00:00:00 2001
From: Aidan Coyle
Date: Sat, 11 Apr 2026 01:47:51 -0500
Subject: [PATCH 1/3] Fix erroneous linter error for plugin privileges

Currently if you use one of the plugins from the list that were formerly privileged by default and you explicitly configure that step with `privileged: true` you still get a linter error prompting you to add those to WOODPECKER_PLUGINS_PRIVILEGED. As far as I can tell this error message is incorrect because WOODPECKER_PLUGINS_PRIVILEGED is just a way to make certain images function the same as `privileged: true` by default.
---
 pipeline/frontend/yaml/linter/linter.go | 6 ++++++
 pipeline/frontend/yaml/linter/linter_test.go | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/pipeline/frontend/yaml/linter/linter.go b/pipeline/frontend/yaml/linter/linter.go
index 81b88c967cc..1aa115964c3 100644
--- a/pipeline/frontend/yaml/linter/linter.go
+++ b/pipeline/frontend/yaml/linter/linter.go
@@ -206,6 +206,12 @@ func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Containe
 // lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
 if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") {
 msg := fmt.Sprintf("The formerly privileged plugin `%s` is no longer privileged by default, if required, add it to `WOODPECKER_PLUGINS_PRIVILEGED`", c.Image)
+
+ // if the plugin is specifically configured as privileged then we don't need to warn that it isn't privileged by default
+ if c.Privileged {
+ return nil
+ }
+
 // check first if user did not add them back
 if l.privilegedPlugins != nil && !utils.MatchImageDynamic(c.Image, *l.privilegedPlugins...) {
 return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)
diff --git a/pipeline/frontend/yaml/linter/linter_test.go b/pipeline/frontend/yaml/linter/linter_test.go
index 33e9c7ad4eb..534280be8f7 100644
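Review bot: The early `return nil` on `c.Privileged` drops the hint for any of the four listed images as soon as the step sets `privileged: true`, so this lint no longer says anything about whether that step may actually run privileged. That is only safe if an explicit `privileged: true` is gated by a separate trust check, which is not visible in this hunk; the same assumption carries over to the `&& !c.Privileged` condition in PATCH 2/3. Once that check is confirmed to exist, I would record the dependency at the guard, e.g. `// explicit privileged: true is validated by the trust-level lint, not here`. The body of lintPrivilegedPlugins starts and ends outside the hunk.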
--- a/pipeline/frontend/yaml/linter/linter_test.go +++ b/pipeline/frontend/yaml/linter/linter_test.go @@ -88,6 +88,9 @@ steps: <<: *base-step image: golang:latest `, + }, { + Title: "explicitly privileged container", + Data: "{steps: { build: { image: plugins/docker, privileged: true, settings: { test: 'true' } } }, when: { branch: main, event: push } } }", }} for _, testd := range testdatas { From da599ee58468a7064425b0ac0e03afb2bc7b178c Mon Sep 17 00:00:00 2001 From: Aidan Coyle Date: Sat, 11 Apr 2026 08:00:53 -0500 Subject: [PATCH 2/3] Move check --- pipeline/frontend/yaml/linter/linter.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/pipeline/frontend/yaml/linter/linter.go b/pipeline/frontend/yaml/linter/linter.go index 1aa115964c3..da14394ee20 100644 --- a/pipeline/frontend/yaml/linter/linter.go +++ b/pipeline/frontend/yaml/linter/linter.go @@ -204,14 +204,9 @@ func (l *Linter) lintImage(config *WorkflowConfig, c *types.Container, area stri func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Container, area string) error { // lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918 - if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") { + if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") && !c.Privileged { msg := fmt.Sprintf("The formerly privileged plugin `%s` is no longer privileged by default, if required, add it to `WOODPECKER_PLUGINS_PRIVILEGED`", c.Image) - // if the plugin is specifically configured as privileged then we don't need to warn that it isn't privileged by default - if c.Privileged { - return nil - } - // check first if user did not add them back if l.privilegedPlugins != nil && !utils.MatchImageDynamic(c.Image, *l.privilegedPlugins...) { return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false) 
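Review bot: The added "explicitly privileged container" case covers only the accepted path, and the loop body and linter construction are outside the hunk, so it is not visible which privileged-plugins list the linter runs with here. If that list is left unset, the existing `l.privilegedPlugins != nil` condition in linter.go already skips the error and this case would pass even without the fix. A companion case with `image: plugins/docker` and no `privileged: true`, asserted to produce the `WOODPECKER_PLUGINS_PRIVILEGED` message, would pin that the hint still fires when it should.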
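Review bot: Folding the check into the condition removes the only comment that explained why an explicitly privileged step is exempt, and the long `if` line now carries that rule without any stated reason. I would keep one line above it, `// steps that set privileged: true do not rely on the old default, so the hint does not apply`. As a matter of style, testing `!c.Privileged` before the `utils.MatchImage` call would make the exemption read as a guard rather than a trailing clause. The closing lines of lintPrivilegedPlugins are outside the hunk.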
From c685395624c885ba03f0efda130b7739f20692ee Mon Sep 17 00:00:00 2001
From: Aidan Coyle
Date: Sat, 11 Apr 2026 08:01:56 -0500
Subject: [PATCH 3/3] Remove stray newline

---
 pipeline/frontend/yaml/linter/linter.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pipeline/frontend/yaml/linter/linter.go b/pipeline/frontend/yaml/linter/linter.go
index da14394ee20..3673bedab1c 100644
--- a/pipeline/frontend/yaml/linter/linter.go
+++ b/pipeline/frontend/yaml/linter/linter.go
@@ -206,7 +206,6 @@ func (l *Linter) lintPrivilegedPlugins(config *WorkflowConfig, c *types.Containe
 // lint for conflicts of https://github.com/woodpecker-ci/woodpecker/pull/3918
 if utils.MatchImage(c.Image, "plugins/docker", "plugins/gcr", "plugins/ecr", "woodpeckerci/plugin-docker-buildx") && !c.Privileged {
 msg := fmt.Sprintf("The formerly privileged plugin `%s` is no longer privileged by default, if required, add it to `WOODPECKER_PLUGINS_PRIVILEGED`", c.Image)
-
 // check first if user did not add them back
 if l.privilegedPlugins != nil && !utils.MatchImageDynamic(c.Image, *l.privilegedPlugins...) {
 return newLinterError(msg, config.File, fmt.Sprintf("%s.%s", area, c.Name), false)