Allow untrusted repo to still drop network for steps (#5820)

As this is an undocumented feature, it might change or move into a more generalized backend network option at some point.

But I think we could at least support it as proposed in this patch in the meantime.
6543
2025-12-09 16:57:44 +01:00
committed by GitHub
parent 13df0da5c4
commit 93cba04b36


@@ -28,6 +28,10 @@ import (
"go.woodpecker-ci.org/woodpecker/v3/shared/constant"
)
// networkModeNone is a const we use to check to allow to drop network completely
// this should be exempt from privileged action as it makes the container even more unprivileged.
const networkModeNone = "none"
// A Linter lints a pipeline configuration.
type Linter struct {
trusted TrustedConfiguration
@@ -265,7 +269,7 @@ func (l *Linter) lintTrusted(config *WorkflowConfig, c *types.Container, area st
if len(c.ExtraHosts) != 0 {
errors = append(errors, "Insufficient trust level to use `extra_hosts`")
}
if len(c.NetworkMode) != 0 {
if len(c.NetworkMode) != 0 && c.NetworkMode != networkModeNone {
errors = append(errors, "Insufficient trust level to use `network_mode`")
}
}
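Review bot: The new `network_mode` condition exempts only an exact, case-sensitive match on `networkModeNone`, which is the right fail-closed shape, but nothing at the check records that this strictness is deliberate, so a later relaxation (trimming, case-folding, prefix matching) could quietly widen what an untrusted repo may set. I would add a comment directly above the condition, e.g. `// only the literal "none" is exempt: it removes network access; every other non-empty mode still needs trust`, and reword the constant's doc comment to `// networkModeNone is the only network_mode value allowed without the required trust level, because it drops the step's network completely.` No tests are visible on this page, so it is worth confirming that the linter tests cover both directions: `none` accepted for an untrusted repo and other values such as `host` still rejected. Whether each backend actually honours `none` cannot be seen here, and the body of `lintTrusted` starts and continues outside this hunk, so the comment should describe only the lint decision and not promise isolation.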