Injecting netrc credentials into non-trusted containers does not work

[pat-s]

Component

agent

Describe the bug

By default netrc credentials (i.e. git credentials) are not injected into builds unless

• the repo is set to trusted (which can only be done by admins)
• "Only inject netrc credentials into trusted containers" is unchecked

However, the latter does not work as executing a "git push" back to the checked out repo does not work when the option is unchecked.
It only works if the repo is set to "trusted" - which cannot be enabled by a normal user.

Showcasing this in an example repo is hard as normal users cannot open the settings of a repo.
I've tested this multiple times in an example repo toggling different options on and off and running a simple git push at the end (after a dummy modification).

Also I think the current docs are wrong

Cloning pipeline step may need git credentials. They are injected via netrc. By default, they're only injected if this option is enabled, the repo is trusted (see above) or the image is a trusted clone image. If you uncheck the option, git credentials will be injected into any container in clone step.

I think it should read as:

"By default, they're only injected if this option is enabled and the repo is trusted - or if the "inject" option is unchecked."

Also "git credentials will be injected into any container in clone step" -> should probably be "into any container in addition to the 'clone' step".

System Info

`next-8629a418f8`

Additional context

No response

Validations

• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]
• Check that this is a concrete bug. For Q&A join our Discord Chat Server or the Matrix room.

[pat-s]

Diving deeper, I think the issue is that the "Only inject netrc credentials into trusted containers" option actually is limited to "trusted pipelines" or "trusted plugins" and "trusted clone images" but never applies to arbitrary steps and/or images..

woodpecker/pipeline/frontend/yaml/compiler/compiler.go

Lines 189 to 194 in 05f96ab

	// only inject netrc if it's a trusted repo or a trusted plugin
	if !c.netrcOnlyTrusted || c.trustedPipeline || (container.IsPlugin() && container.IsTrustedCloneImage()) {
	for k, v := range c.cloneEnv {
	step.Environment[k] = v
	}
	}

Should the restriction to "trusted plugins" and "trusted clone images" be removed? I don't see why only these should be whitelisted if the repo owner actively deactivated the "Only inject netrc credentials into trusted containers" option.
Also if, then the option should read differently and or inform the user that there is a follow-p condition to be met.

[pat-s]

It might be that there only a minor modification to the if-clause needed (see PR) which currently prevents the injection into untrusted containers.

[6543]

As of now this is intentional and by default it should stay so, so enabling this behaviour a 'normal' repo admin should not be able to change only instance admins ...

[pat-s]

Closing as not planned -> description in UI updated in #4342.