Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement repo level, user level and global environment variables support #3723

Open
wants to merge 27 commits into
base: main
Choose a base branch
from

Conversation

dvjn
Copy link
Contributor

@dvjn dvjn commented May 26, 2024

What?

  • Add support for variables at user, org, repo and admin level which will be exposed to the pipelines.
  • This is similar to secrets, but they will not be limited to specific events and plugins and will not be masked.

Why?

  • There are use cases when we need to set some org level or repo level variables, which need not be a secret.
  • A workaround is to use secrets, but then it masks the variable from all the output which is annoying sometimes.

@dvjn
Copy link
Contributor Author

dvjn commented May 26, 2024

Hi @6543 @anbraten @qwerty287 I have done initial UI changes for this, please review the proposal and screenshots and let me know if I should continue working on this and implement the rest.

Screenshots:

Repo Settings:
repo settings

User Settings:
user settings

Admin Settings:
admin settings

Add Variable Screen:
add variable

@anbraten
Copy link
Member

anbraten commented May 26, 2024

As variables are not secret anyways there was a suggestion somewhere to have a special config file like .woodpecker/config.yaml in the repo which can be used for such settings. This would be quite handy as it would also allow to use those variables in the cli exec command as well and allows easy copies of that config to other woodpecker instances etc. Should those variables then be shown in the UI as well as read-only or should only the config file be the source of them? What do you think?

@qwerty287
Copy link
Contributor

should only the config file be the source of them

I'd prefer this way, but it's not that easy to have a good way to implement this at org/global level.

@zc-devs
Copy link
Contributor

zc-devs commented May 28, 2024

JFYI, how it is implemented in Gitea.

@dvjn
Copy link
Contributor Author

dvjn commented May 30, 2024

As variables are not secret anyways there was a suggestion somewhere to have a special config file like .woodpecker/config.yaml in the repo which can be used for such settings.

I think this is not as useful as it seems, since you can already use variables in a workflow file. This config.yaml approach is mainly beneficial when you need these variables in multiple workflows within the same repository.
However, the most important use-cases of this PR, in my opinion, are: first, the ability to manage global variables using the admin UI, and second, the capability to share variables across repositories under an organization or user.

FYI, the solution I'm proposing is heavily inspired by Gitea.

@zc-devs zc-devs mentioned this pull request Jun 6, 2024
3 tasks
@dvjn
Copy link
Contributor Author

dvjn commented Jun 16, 2024

@anbraten @qwerty287 @zc-devs
Do let me know your final thoughts on this and let me know if I should move forward with implementing it.

@dvjn
Copy link
Contributor Author

dvjn commented Jun 16, 2024

I can also add agent variables to address #3311

@zc-devs
Copy link
Contributor

zc-devs commented Jun 16, 2024

your final thoughts

I like the idea.

if I should move forward with implementing it

I am not a right guy :) Let's hear from maintainers.

I can also add agent variables

That would be great!

@qwerty287
Copy link
Contributor

Yes, the way you proposed would be fine for me.

However, you write "Fixes #3661" in the desc which is not correct (I believe there's an issue about your thing too). #3661 is about workflow-level vars and this should definitely be defined in the yaml.

@dvjn
Copy link
Contributor Author

dvjn commented Jun 16, 2024

However, you write "Fixes #3661" in the desc which is not correct (I believe there's an issue about your thing too). #3661 is about workflow-level vars and this should definitely be defined in the yaml.

My bad, will remove that issue from the description.

@itsTurnip
Copy link

I'm really interested in this PR. Keep moving! Thanks for your work.

@dvjn dvjn force-pushed the implement-environments branch 3 times, most recently from 6954073 to 31082b2 Compare August 3, 2024 20:33
@dvjn dvjn marked this pull request as ready for review August 4, 2024 13:33
@dvjn
Copy link
Contributor Author

dvjn commented Aug 4, 2024

I have completed the code changes in the server and web frontend. This means the feature is now in a fully usable state.
The docs and cli changes are still pending. Planning to do those after an initial round of code review.

It would be great if someone could review the code.

Summary of Changes:

  • Duplicated code for secrets (removing events and images).
  • Added support for from_variable and variables (similar to from_secret and secrets) in pipeline config.
  • Added new table in database variables, with migrations.
  • Copied some secrets test cases and used for variables.

@qwerty287 qwerty287 added the feature add new functionality label Aug 4, 2024
@qwerty287 qwerty287 added this to the 3.0.0 milestone Aug 4, 2024
@dvjn dvjn force-pushed the implement-environments branch 2 times, most recently from 94119dd to 380e9e5 Compare August 4, 2024 17:31
@lafriks
Copy link
Contributor

lafriks commented Aug 4, 2024

Wasn't there an idea to drop secrets section from step? Maybe let's do not add variables section and keep only one way to use them with from_variable?

@dvjn
Copy link
Contributor Author

dvjn commented Aug 5, 2024

Wasn't there an idea to drop secrets section from step?

I am not aware of it. If it is just an idea without a proper discussion, maybe let's not act on that?

Maybe let's do not add variables section and keep only one way to use them with from_variable?

I have kept feature parity with secrets, to not cause confusion. If we want to remove it, wouldn't it be better to remove both secrets and variables together in a separate PR.

Just my thoughts, let me know if we still want to remove it.

@zc-devs
Copy link
Contributor

zc-devs commented Aug 5, 2024

If I set some variable
333869343-cacbe4cd-f92a-4fcb-8287-8972ea97df60
and run pipeline

skip_clone: true
steps:
  glob-vars:
    image: alpine
    commands:
      - echo $$COMPANY

what would I see in steps (UI) logs?


Maybe add build_pr_images label?

@dvjn
Copy link
Contributor Author

dvjn commented Aug 5, 2024

what would I see in steps (UI) logs?

It would be empty as you haven't explicitly added those variables in your step either by using variables or from_variable.

@zc-devs
Copy link
Contributor

zc-devs commented Aug 5, 2024

As this is not a secret value, it doesn't make sense to restrict this values by a step (to me). Like you mentioned

they will not be limited to specific events and plugins and will not be masked

So, I would expect it to be printed without explicitly added those variables in your step.
In case if I want to map "global" var to different name in a step, I can use from_variable.

@dvjn
Copy link
Contributor Author

dvjn commented Aug 5, 2024

@zc-devs

That is a good point. That would make this feature much easier to use.

Although, I feel that this kind of implicit behaviour might cause some confusion. It won't always be obvious where an environment variable is coming from.

Also, it could be confusing for a user who has push permissions on a repo, but cannot change the repo settings. This kind of user won't be able to view where the variables are automatically getting set from.

@zc-devs
Copy link
Contributor

zc-devs commented Aug 5, 2024

much easier to use

That is what I meant 👍

It won't always be obvious where an environment variable is coming from.
user won't be able to view where the variables are automatically getting set from.

From Server or Agent 😄 I can say that about all those variables, that comes from Agent/Server :) (example)

@dvjn
Copy link
Contributor Author

dvjn commented Aug 5, 2024

I understand your point, but I'm still afraid of adding this new implicit behavior.

Can we get another opinion if that's okay?

@dvjn
Copy link
Contributor Author

dvjn commented Aug 7, 2024

Hi maintainers, it would be great to get a review from y'all.

dvjn and others added 3 commits September 2, 2024 00:46
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: 6543 <6543@obermui.de>
@dvjn dvjn requested a review from 6543 September 2, 2024 20:16
@6543
Copy link
Member

6543 commented Nov 14, 2024

uh damed i got requested but it fall under my todo list :?

@6543
Copy link
Member

6543 commented Nov 14, 2024

Review process:

  • docs
  • pipeline engine
  • api
  • server datastore
  • cli
  • webui

@6543
Copy link
Member

6543 commented Nov 14, 2024

NOTE: write into docs that it is case-sensitive

@6543
Copy link
Member

6543 commented Nov 20, 2024

TODO:

@6543
Copy link
Member

6543 commented Nov 20, 2024

@dvjn using secrets as template is fine ... but there are a lot of copy-paste errors :/

@pat-s
Copy link
Contributor

pat-s commented Nov 24, 2024

It would be empty as you haven't explicitly added those variables in your step either by using variables or from_variable.

If that would be the case, most of the implementation would be meaningless as then one could simply use secrets, as already mentioned.

The real value of this PR IMO lies in the possibility to (easily) set global/org-wide variables which are not sensitive. Without having to repeat them within the YAML again.
For every variable there could/should be an informative log line telling that this variable has been set by a global/org-wide one.

Also, I am not sure if "variables" is the best wording if the values are mapped as env vars in the end. Then, it could directly be named "Environment". This might avoid confusion if there is a difference between a "variable" and an "env var".

@pat-s pat-s modified the milestones: 3.0.0, 3.x.x Nov 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature add new functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants