Add 3.13 docs (#5939)

Co-authored-by: 6543 <6543@obermui.de>

docs/versioned_docs/version-3.13/20-usage/20-workflow-syntax.md

@@ -393,7 +393,7 @@ when:
 #### `path`
 
 :::info
-Path conditions are applied only to **push** and **pull_request** events. This feature is currently available for all forges except Bitbucket Cloud.
+Path conditions are applied only to **push** and **pull_request** events.
 :::
 
 Execute a step only on a pipeline with certain files being changed:

docs/versioned_docs/version-3.13/20-usage/72-extensions/40-configuration-extension.md

@@ -0,0 +1,160 @@
+# Configuration extension
+
+The configuration extension can be used to modify or generate Woodpeckers pipeline configurations. You can configure an HTTP endpoint in the repository settings in the extensions tab.
+
+Using such an extension can be useful if you want to:
+
+<!-- cSpell:words templating,Starlark,Jsonnet -->
+
+- Preprocess the original configuration file with something like Go templating
+- Convert custom attributes to Woodpecker attributes
+- Add defaults to the configuration like default steps
+- Convert configuration files from a totally different format like Gitlab CI config, Starlark, Jsonnet, ...
+- Centralize configuration for multiple repositories in one place
+
+## Security
+
+:::warning
+As Woodpecker will pass private information like tokens and will execute the returned configuration, it is extremely important to secure the external extension. Therefore Woodpecker signs every request. Read more about it in the [security section](./index.md#security).
+:::
+
+## Global configuration
+
+In addition to the ability to configure the extension per repository, you can also configure a global endpoint in the Woodpecker server configuration. This can be useful if you want to use the extension for all repositories. Be careful if
+you share your Woodpecker server with others as they will also use your configuration extension.
+
+The global configuration will be called before the repository specific configuration extension if both are configured.
+
+```ini title="Server"
+WOODPECKER_CONFIG_SERVICE_ENDPOINT=https://example.com/ciconfig
+```
+
+## How it works
+
+When a pipeline is triggered Woodpecker will fetch the pipeline configuration from the repository, then make a HTTP POST request to the configured extension with a JSON payload containing some data like the repository, pipeline information and the current config files retrieved from the repository. The extension can then send back modified or even new pipeline configurations following Woodpeckers official yaml format that should be used.
+
+### Request
+
+The extension receives an HTTP POST request with the following JSON payload:
+
+```ts
+class Request {
+  repo: Repo;
+  pipeline: Pipeline;
+  netrc: Netrc;
+  configuration: {
+    name: string; // filename of the configuration file
+    data: string; // content of the configuration file
+  }[];
+}
+```
+
+Checkout the following models for more information:
+
+- [repo model](https://github.com/woodpecker-ci/woodpecker/blob/main/server/model/repo.go)
+- [pipeline model](https://github.com/woodpecker-ci/woodpecker/blob/main/server/model/pipeline.go)
+- [netrc model](https://github.com/woodpecker-ci/woodpecker/blob/main/server/model/netrc.go)
+
+:::tip
+The `netrc` data is pretty powerful as it contains credentials to access the repository. You can use this to clone the repository or even use the forge (Github or Gitlab, ...) API to get more information about the repository.
+:::
+
+Example request:
+
+```json
+{
+  "repo": {
+    "id": 100,
+    "uid": "",
+    "user_id": 0,
+    "namespace": "",
+    "name": "woodpecker-test-pipeline",
+    "slug": "",
+    "scm": "git",
+    "git_http_url": "",
+    "git_ssh_url": "",
+    "link": "",
+    "default_branch": "",
+    "private": true,
+    "visibility": "private",
+    "active": true,
+    "config": "",
+    "trusted": false,
+    "protected": false,
+    "ignore_forks": false,
+    "ignore_pulls": false,
+    "cancel_pulls": false,
+    "timeout": 60,
+    "counter": 0,
+    "synced": 0,
+    "created": 0,
+    "updated": 0,
+    "version": 0
+  },
+  "pipeline": {
+    "author": "myUser",
+    "author_avatar": "https://myforge.com/avatars/d6b3f7787a685fcdf2a44e2c685c7e03",
+    "author_email": "my@email.com",
+    "branch": "main",
+    "changed_files": ["some-filename.txt"],
+    "commit": "2fff90f8d288a4640e90f05049fe30e61a14fd50",
+    "created_at": 0,
+    "deploy_to": "",
+    "enqueued_at": 0,
+    "error": "",
+    "event": "push",
+    "finished_at": 0,
+    "id": 0,
+    "link_url": "https://myforge.com/myUser/woodpecker-testpipe/commit/2fff90f8d288a4640e90f05049fe30e61a14fd50",
+    "message": "test old config\n",
+    "number": 0,
+    "parent": 0,
+    "ref": "refs/heads/main",
+    "refspec": "",
+    "clone_url": "",
+    "reviewed_at": 0,
+    "reviewed_by": "",
+    "sender": "myUser",
+    "signed": false,
+    "started_at": 0,
+    "status": "",
+    "timestamp": 1645962783,
+    "title": "",
+    "updated_at": 0,
+    "verified": false
+  },
+  "configs": [
+    {
+      "name": ".woodpecker.yaml",
+      "data": "steps:\n  - name: backend\n    image: alpine\n    commands:\n      - echo \"Hello there from Repo (.woodpecker.yaml)\"\n"
+    }
+  ]
+}
+```
+
+### Response
+
+The extension should respond with a JSON payload containing the new configuration files in Woodpecker's official YAML format.
+If the extension wants to keep the existing configuration files, it can respond with HTTP status `204 No Content`.
+
+```ts
+class Response {
+  configs: {
+    name: string; // filename of the configuration file
+    data: string; // content of the configuration file
+  }[];
+}
+```
+
+Example response:
+
+```json
+{
+  "configs": [
+    {
+      "name": "central-override",
+      "data": "steps:\n  - name: backend\n    image: alpine\n    commands:\n      - echo \"Hello there from ConfigAPI\"\n"
+    }
+  ]
+}
+```

docs/versioned_docs/version-3.13/20-usage/72-extensions/_category_.yaml

@@ -0,0 +1,7 @@
+label: 'Extensions'
+# position: 3
+collapsible: true
+collapsed: true
+link:
+  type: 'doc'
+  id: 'index'

docs/versioned_docs/version-3.13/20-usage/72-extensions/index.md

@@ -0,0 +1,34 @@
+# Extensions
+
+Woodpecker allows you to replace internal logic with external extensions by using pre-defined http endpoints.
+
+There is currently one type of extension available:
+
+- [Configuration extension](./40-configuration-extension.md) to modify or generate pipeline configurations on the fly.
+
+## Security
+
+:::warning
+You need to trust the extensions as they are receiving private information like secrets and tokens and might return harmful
+data like malicious pipeline configurations that could be executed.
+:::
+
+To prevent your extensions from such attacks, Woodpecker is signing all HTTP requests using [HTTP signatures](https://tools.ietf.org/html/draft-cavage-http-signatures). Woodpecker therefore uses a public-private ed25519 key pair.
+To verify the requests your extension has to verify the signature of all request using the public key with some library like [httpsign](https://github.com/yaronf/httpsign).
+You can get the public Woodpecker key by opening `http://my-woodpecker.tld/api/signature/public-key` or by visiting the Woodpecker UI, going to you repo settings and opening the extensions page.
+
+## Example extensions
+
+A simplistic service providing endpoints for a config and secrets extension can be found here: [https://github.com/woodpecker-ci/example-extensions](https://github.com/woodpecker-ci/example-extensions)
+
+## Configuration
+
+To prevent extensions from calling local services by default only external hosts / ip-addresses are allowed. You can change this behavior by setting the `WOODPECKER_EXTENSIONS_ALLOWED_HOSTS` environment variable. You can use a comma separated list of:
+
+- Built-in networks:
+  - `loopback`: 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
+  - `private`: RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
+  - `external`: A valid non-private unicast IP, you can access all hosts on public internet.
+  - `*`: All hosts are allowed.
+- CIDR list: `1.2.3.0/8` for IPv4 and `2001:db8::/32` for IPv6
+- (Wildcard) hosts: `example.com`, `*.example.com`, `192.168.100.*`

docs/versioned_docs/version-3.13/20-usage/80-badges.md

@@ -15,4 +15,10 @@ The status badge displays the status for the latest build to your default branch
 +<scheme>://<hostname>/api/badges/<repo-id>/status.svg?branch=<branch>
 ```
 
-Please note status badges do not include pull request results, since the status of a pull request does not provide an accurate representation of your repository state.
+By default status badges do not include pull request results, since the status of a pull request does not provide an accurate representation of your repository state.
+If you'd like to respect other or further events, you can add the `events` query parameter, otherwise the badge represents only the state of the last push event:
+
+```diff
+-<scheme>://<hostname>/api/badges/<repo-id>/status.svg
++<scheme>://<hostname>/api/badges/<repo-id>/status.svg?events=manual,cron
+```

docs/versioned_docs/version-3.13/30-administration/05-installation/20-helm-chart.md

@@ -3,26 +3,10 @@
 Woodpecker provides a [Helm chart](https://github.com/woodpecker-ci/helm) for Kubernetes environments:
 
 ```bash
-helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker
+helm install woodpecker oci://ghcr.io/woodpecker-ci/helm/woodpecker --version <VERSION>
 ```
 
-## Configuration
-
-To fetch all configurable options with detailed comments:
-
-```bash
-helm show values oci://ghcr.io/woodpecker-ci/helm/woodpecker > values.yaml
-```
-
-Install using custom values:
-
-```bash
-helm install woodpecker \
-  oci://ghcr.io/woodpecker-ci/helm/woodpecker \
-  -f values.yaml
-```
-
-### Metrics
+## Metrics
 
 To enable metrics gathering, set the following in values.yml:
 

docs/versioned_docs/version-3.13/30-administration/10-configuration/10-server.md

@@ -1071,6 +1071,15 @@ Specify a configuration service endpoint, see [Configuration Extension](#externa
 
 ---
 
+### EXTENSIONS_ALLOWED_HOSTS
+
+- Name: `WOODPECKER_EXTENSIONS_ALLOWED_HOSTS`
+- Default: `external`
+
+Comma-separated list of hosts that are allowed to be contacted by extensions. Possible values are `loopback`, `private`, `external`, `*` or CIDR list.
+
+---
+
 ### FORGE_TIMEOUT
 
 - Name: `WOODPECKER_FORGE_TIMEOUT`
@@ -1112,7 +1121,11 @@ Disable version check in admin web UI.
 - Name: `WOODPECKER_LOG_STORE`
 - Default: `database`
 
-Where to store logs. Possible values: `database` or `file`.
+Where to store logs. Possible values:
+
+- `database`: stores the logs in the database
+- `file`: stores logs in JSON files on the files system
+- `addon`: uses an [addon](./100-addons.md#log) to store logs
 
 ---
 
@@ -1121,7 +1134,10 @@ Where to store logs. Possible values: `database` or `file`.
 - Name: `WOODPECKER_LOG_STORE_FILE_PATH`
 - Default: none
 
-Directory to store logs in if [`WOODPECKER_LOG_STORE`](#log_store) is `file`.
+If [`WOODPECKER_LOG_STORE`](#log_store) is:
+
+- `file`: Directory to store logs in
+- `addon`: The path to the addon executable
 
 ---
 

docs/versioned_docs/version-3.13/30-administration/10-configuration/100-addons.md

@@ -0,0 +1,42 @@
+# Addons
+
+Addons can be used to extend the Woodpecker server. Currently, they can be used for forges and the log service.
+
+:::warning
+Addon forges are still experimental. Their implementation can change and break at any time.
+:::
+
+:::danger
+You must trust the author of the addon forge you are using. They may have access to authentication codes and other potentially sensitive information.
+:::
+
+## Usage
+
+To use an addon forge, download the correct addon version.
+
+### Forge
+
+Use this in your `.env`:
+
+```ini
+WOODPECKER_ADDON_FORGE=/path/to/your/addon/forge/file
+```
+
+In case you run Woodpecker as container, you probably want to mount the addon binary to `/opt/addons/`.
+
+#### List of addon forges
+
+- [Radicle](https://radicle.xyz/): Open source, peer-to-peer code collaboration stack built on Git. Radicle addon for Woodpecker CI can be found at [this repo](https://explorer.radicle.gr/nodes/seed.radicle.gr/rad:z39Cf1XzrvCLRZZJRUZnx9D1fj5ws).
+
+### Log
+
+Use this in your `.env`:
+
+```ini
+WOODPECKER_LOG_STORE=addon
+WOODPECKER_LOG_STORE_FILE_PATH=/path/to/your/addon/forge/file
+```
+
+## Developing addon forges
+
+See [Addons](../../92-development/100-addons.md).

docs/versioned_docs/version-3.13/30-administration/10-configuration/11-backends/20-kubernetes.md

@@ -145,6 +145,100 @@ steps:
             value: 'value1'
             effect: 'NoSchedule'
             tolerationSeconds: 3600
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                    - key: topology.kubernetes.io/zone
+                      operator: In
+                      values:
+                        - eu-central-1a
+                        - eu-central-1b
+```
+
+### Affinity
+
+Kubernetes [affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules allow you to constrain which nodes your pods can be scheduled on based on node labels, or co-locate/spread pods relative to other pods.
+
+You can configure affinity at two levels:
+
+1. **Per-step via `backend_options.kubernetes.affinity`** (shown in example above) - requires agent configuration to allow it
+2. **Agent-wide via `WOODPECKER_BACKEND_K8S_POD_AFFINITY`** - applies to all pods unless overridden
+
+#### Agent-wide affinity
+
+To apply affinity rules to all workflow pods, configure the agent with YAML-formatted affinity:
+
+```yaml
+WOODPECKER_BACKEND_K8S_POD_AFFINITY: |
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: node-role.kubernetes.io/worker
+              operator: In
+              values:
+                - "true"
+```
+
+By default, per-step affinity settings are **not allowed** for security reasons. To enable them:
+
+```bash
+WOODPECKER_BACKEND_K8S_POD_AFFINITY_ALLOW_FROM_STEP: true
+```
+
+:::warning
+Enabling `WOODPECKER_BACKEND_K8S_POD_AFFINITY_ALLOW_FROM_STEP` in multi-tenant environments allows pipeline authors to control pod placement, which may have security or resource isolation implications.
+:::
+
+When per-step affinity is allowed and specified, it **replaces** the agent-wide affinity entirely (not merged).
+
+#### Example: agent affinity for co-location
+
+This example configures all workflow pods within a workflow to be co-located on the same node, while requiring other workflows run on different nodes.
+
+It uses `matchLabelKeys` to dynamically match pods with the same `woodpecker-ci.org/task-uuid`, and `mismatchLabelKeys` to separating pods with different task UUIDs:
+
+```yaml
+WOODPECKER_BACKEND_K8S_POD_AFFINITY: |
+  podAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector: {}
+      matchLabelKeys:
+        - woodpecker-ci.org/task-uuid
+      topologyKey: "kubernetes.io/hostname"
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector: {}
+      mismatchLabelKeys:
+      - woodpecker-ci.org/task-uuid
+      topologyKey: "kubernetes.io/hostname"
+```
+
+:::note
+The `matchLabelKeys` and `mismatchLabelKeys` features require Kubernetes v1.29+ (alpha with feature gate `MatchLabelKeysInPodAffinity`) or v1.33+ (beta, enabled by default). These fields allow the Kubernetes API server to dynamically populate label selectors at pod creation time, eliminating the need to hardcode values like `$(WOODPECKER_TASK_UUID)`.
+:::
+
+#### Example: Node affinity for GPU workloads
+
+Ensure a step runs only on GPU-enabled nodes:
+
+```yaml
+steps:
+  - name: train-model
+    image: tensorflow/tensorflow:latest-gpu
+    backend_options:
+      kubernetes:
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                    - key: accelerator
+                      operator: In
+                      values:
+                        - nvidia-tesla-v100
 ```
 
 ### Volumes
@@ -153,7 +247,7 @@ To mount volumes a PersistentVolume (PV) and PersistentVolumeClaim (PVC) are nee
 
 Persistent volumes must be created manually. Use the Kubernetes [Persistent Volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) documentation as a reference.
 
-_If your PVC is not highly available or NFS-based, you may also need to integrate affinity settings to ensure that your steps are executed on the correct node._
+_If your PVC is not highly available or NFS-based, use the `affinity` settings (documented above) to ensure that your steps are executed on the correct node._
 
 NOTE: If you plan to use this volume in more than one workflow concurrently, make sure you have configured the PVC in `RWX` mode. Keep in mind that this feature must be supported by the used CSI driver:
 
@@ -304,6 +398,36 @@ It configures the address of the Kubernetes API server to connect to.
 
 If running the agent within Kubernetes, this will already be set and you don't have to add it manually.
 
+### Headless services
+
+For each workflow run a [headless services](https://kubernetes.io/docs/concepts/services-networking/service/#headless-services) is created,
+and all steps asigned the subdomain that matches the headless service, so any step can reach other steps via DNS by using the step name as hostname.
+
+Using the headless services, the step pod is connected to directly, so any port on the other step pods can be reached.
+
+This is useful for some use-cases, like test-containers in a docker-in-docker setup, where the step needs to connect to many ports on the docker host service.
+
+```yaml
+steps:
+  - name: test
+    image: docker:cli # use 'docker:<major-version>-cli' or similar in production
+    environment:
+      DOCKER_HOST: 'tcp://docker:2376'
+      DOCKER_CERT_PATH: '/woodpecker/dind-certs/client'
+      DOCKER_TLS_VERIFY: '1'
+    commands:
+      - docker run hello-world
+
+  - name: docker
+    image: docker:dind # use 'docker:<major-version>-dind' or similar in production
+    detached: true
+    privileged: true
+    environment:
+      DOCKER_TLS_CERTDIR: /woodpecker/dind-certs
+```
+
+If ports are defined on a service, then woodpecker will create a normal service for the pod, which use hosts override using the services cluster IP.
+
 ## Environment variables
 
 These env vars can be set in the `env:` sections of the agent.

docs/versioned_docs/version-3.13/30-administration/10-configuration/12-forges/11-overview.md

@@ -11,6 +11,8 @@
 | Event: Deploy¹                                                                                                         | :white_check_mark:     | :x:                  | :x:                      | :x:                    | :x:                          | :x:                                                |
 | [Event: Pull-Request-Metadata](../../../20-usage/50-environment.md#pull_request_metadata-specific-event-reason-values) | :white_check_mark:     | :white_check_mark:   | :white_check_mark:       | :white_check_mark:     | :x:                          | :x:                                                |
 | [Multiple workflows](../../../20-usage/25-workflows.md)                                                                | :white_check_mark:     | :white_check_mark:   | :white_check_mark:       | :white_check_mark:     | :white_check_mark:           | :white_check_mark:                                 |
-| [when.path filter](../../../20-usage/20-workflow-syntax.md#path)                                                       | :white_check_mark:     | :white_check_mark:   | :white_check_mark:       | :white_check_mark:     | :x:                          | :white_check_mark:                                 |
+| [when.path filter](../../../20-usage/20-workflow-syntax.md#path)                                                       | :white_check_mark:     | :white_check_mark:   | :white_check_mark:       | :white_check_mark:     | :white_check_mark:           | :white_check_mark:                                 |
 
 ¹ The deployment event can be triggered for all forges from Woodpecker directly. However, only GitHub can trigger them using webhooks.
+
+In addition to this, Woodpecker supports [addon forges](../100-addons.md) if the forge you are using does not meet the [Woodpecker requirements](../../../92-development/02-core-ideas.md#forges) or your setup is too specific to be included in the Woodpecker core.

docs/versioned_docs/version-3.13/30-administration/10-configuration/30-agent.md

@@ -155,7 +155,8 @@ Configures the number of parallel workflows.
 
 Configures custom labels for the agent, to let workflows filter by it.
 Use a list of key-value pairs like `key=value,second-key=*`. `*` can be used as a wildcard.
-By default, agents provide three additional labels `platform=os/arch`, `hostname=my-agent` and `repo=*` which can be overwritten if needed.
+If you use `!` as key prefix it is mandatory for the workflow to have that label set (without !) set and matched.
+By default, agents provide four additional labels `platform=os/arch`, `hostname=my-agent`, `backend=my-backend` and `repo=*` which can be overwritten if needed.
 To learn how labels work, check out the [pipeline syntax page](../../20-usage/20-workflow-syntax.md#labels).
 
 ---

docs/versioned_docs/version-3.13/40-cli.md

@@ -36,23 +36,23 @@ woodpecker-cli [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]
 
 **--config, -c**="": path to config file
 
-**--disable-update-check**: disable update check
+**--disable-update-check**: disable update check (default: false)
 
 **--log-file**="": Output destination for logs. 'stdout' and 'stderr' can be used as special keywords. (default: stderr)
 
 **--log-level**="": set logging level (default: info)
 
-**--nocolor**: disable colored debug output, only has effect if pretty output is set too
+**--nocolor**: disable colored debug output, only has effect if pretty output is set too (default: false)
 
-**--pretty**: enable pretty-printed debug output
+**--pretty**: enable pretty-printed debug output (default: true)
 
 **--server, -s**="": server address
 
-**--skip-verify**: skip ssl verification
+**--skip-verify**: skip ssl verification (default: false)
 
 **--socks-proxy**="": socks proxy address
 
-**--socks-proxy-off**: socks proxy ignored
+**--socks-proxy-off**: socks proxy ignored (default: false)
 
 **--token, -t**="": server auth token
 
@@ -75,9 +75,7 @@ manage organizations
 
 list organizations
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Organization ID: {{ .ID }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nOrganization ID: {{ .ID }}\n)
 
 ### registry
 
@@ -103,19 +101,13 @@ remove a registry
 
 list registries
 
-**--format**="": format output (deprecated) (default: {{ .Address }} 
-Username: {{ .Username }}
-Email: {{ .Email }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Address }} \x1b[0m\nUsername: {{ .Username }}\nEmail: {{ .Email }}\n)
 
 #### show
 
 show registry information
 
-**--format**="": format output (deprecated) (default: {{ .Address }} 
-Username: {{ .Username }}
-Email: {{ .Email }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Address }} \x1b[0m\nUsername: {{ .Username }}\nEmail: {{ .Email }}\n)
 
 **--hostname**="": registry hostname (default: docker.io)
 
@@ -139,9 +131,9 @@ manage global secrets
 
 add a secret
 
-**--event**="": secret limited to these events (default: [])
+**--event**="": secret limited to these events
 
-**--image**="": secret limited to these images (default: [])
+**--image**="": secret limited to these images
 
 **--name**="": secret name
 
@@ -157,27 +149,13 @@ remove a secret
 
 list secrets
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Events: {{ list .Events }}
-{{- if .Images }}
-Images: {{ list .Images }}
-{{- else }}
-Images: <any>
-{{- end }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nEvents: {{ list .Events }}\n{{- if .Images }}\nImages: {{ list .Images }}\n{{- else }}\nImages: <any>\n{{- end }}\n)
 
 #### show
 
 show secret information
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Events: {{ list .Events }}
-{{- if .Images }}
-Images: {{ list .Images }}
-{{- else }}
-Images: <any>
-{{- end }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nEvents: {{ list .Events }}\n{{- if .Images }}\nImages: {{ list .Images }}\n{{- else }}\nImages: <any>\n{{- end }}\n)
 
 **--name**="": secret name
 
@@ -185,9 +163,9 @@ Images: <any>
 
 update a secret
 
-**--event**="": secret limited to these events (default: [])
+**--event**="": secret limited to these events
 
-**--image**="": secret limited to these images (default: [])
+**--image**="": secret limited to these images
 
 **--name**="": secret name
 
@@ -215,8 +193,7 @@ remove a user
 
 show user information
 
-**--format**="": format output (default: User: {{ .Login }}
-Email: {{ .Email }})
+**--format**="": format output (default: User: {{ .Login }}\nEmail: {{ .Email }})
 
 ## exec
 
@@ -228,7 +205,7 @@ execute a local pipeline
 
 **--backend-docker-host**="": path to docker socket or url to the docker server
 
-**--backend-docker-ipv6**: backend docker enable IPV6
+**--backend-docker-ipv6**: backend docker enable IPV6 (default: false)
 
 **--backend-docker-limit-cpu-quota**="": impose a cpu quota (default: 0)
 
@@ -244,7 +221,7 @@ execute a local pipeline
 
 **--backend-docker-network**="": backend docker network
 
-**--backend-docker-tls-verify**: enable or disable TLS verification for connecting to docker server
+**--backend-docker-tls-verify**: enable or disable TLS verification for connecting to docker server (default: true)
 
 **--backend-docker-volumes**="": backend docker volumes (comma separated)
 
@@ -254,39 +231,43 @@ execute a local pipeline
 
 **--backend-https-proxy**="": if set, pass the environment variable down as "HTTPS_PROXY" to steps
 
-**--backend-k8s-allow-native-secrets**: whether to allow existing Kubernetes secrets to be referenced from steps
+**--backend-k8s-allow-native-secrets**: whether to allow existing Kubernetes secrets to be referenced from steps (default: false)
 
 **--backend-k8s-namespace**="": backend k8s namespace, if used with WOODPECKER_BACKEND_K8S_NAMESPACE_PER_ORGANIZATION, this will be the prefix for the namespace appended with the organization name. (default: woodpecker)
 
-**--backend-k8s-namespace-per-org**: Whether to enable namespace segregation per organization feature. When enabled, Woodpecker will create the Kubernetes resources to separated Kubernetes namespaces per Woodpecker organization.
+**--backend-k8s-namespace-per-org**: Whether to enable namespace segregation per organization feature. When enabled, Woodpecker will create the Kubernetes resources to separated Kubernetes namespaces per Woodpecker organization. (default: false)
+
+**--backend-k8s-pod-affinity**="": backend k8s Agent-wide worker pod affinity, in YAML format
+
+**--backend-k8s-pod-affinity-allow-from-step**: whether to allow using affinity from step's backend options (default: false)
 
 **--backend-k8s-pod-annotations**="": backend k8s additional Agent-wide worker pod annotations
 
-**--backend-k8s-pod-annotations-allow-from-step**: whether to allow using annotations from step's backend options
+**--backend-k8s-pod-annotations-allow-from-step**: whether to allow using annotations from step's backend options (default: false)
 
-**--backend-k8s-pod-image-pull-secret-names**="": backend k8s pull secret names for private registries (default: [])
+**--backend-k8s-pod-image-pull-secret-names**="": backend k8s pull secret names for private registries
 
 **--backend-k8s-pod-labels**="": backend k8s additional Agent-wide worker pod labels
 
-**--backend-k8s-pod-labels-allow-from-step**: whether to allow using labels from step's backend options
+**--backend-k8s-pod-labels-allow-from-step**: whether to allow using labels from step's backend options (default: false)
 
 **--backend-k8s-pod-node-selector**="": backend k8s Agent-wide worker pod node selector
 
 **--backend-k8s-pod-tolerations**="": backend k8s Agent-wide worker pod tolerations
 
-**--backend-k8s-pod-tolerations-allow-from-step**: whether to allow using tolerations from step's backend options
+**--backend-k8s-pod-tolerations-allow-from-step**: whether to allow using tolerations from step's backend options (default: true)
 
 **--backend-k8s-priority-class**="": which kubernetes priority class to assign to created job pods
 
-**--backend-k8s-secctx-nonroot**: `run as non root` Kubernetes security context option
+**--backend-k8s-secctx-nonroot**: `run as non root` Kubernetes security context option (default: false)
 
 **--backend-k8s-storage-class**="": backend k8s storage class
 
-**--backend-k8s-storage-rwx**: backend k8s storage access mode, should ReadWriteMany (RWX) instead of ReadWriteOnce (RWO) be used? (default: true)
+**--backend-k8s-storage-rwx**: backend k8s storage access mode, should ReadWriteMany (RWX) instead of ReadWriteOnce (RWO) be used? (default: true) (default: true)
 
 **--backend-k8s-volume-size**="": backend k8s volume size (default 10G) (default: 10G)
 
-**--backend-local-temp-dir**="": set a different temp dir to clone workflows into (default: /tmp)
+**--backend-local-temp-dir**="": set a different temp dir to clone workflows into (default: system temporary directory)
 
 **--backend-no-proxy**="": if set, pass the environment variable down as "NO_PROXY" to steps
 
@@ -300,7 +281,7 @@ execute a local pipeline
 
 **--commit-message**="": Set the metadata environment variable "CI_COMMIT_MESSAGE".
 
-**--commit-pull-labels**="": Set the metadata environment variable "CI_COMMIT_PULL_REQUEST_LABELS". (default: [])
+**--commit-pull-labels**="": Set the metadata environment variable "CI_COMMIT_PULL_REQUEST_LABELS".
 
 **--commit-pull-milestone**="": Set the metadata environment variable "CI_COMMIT_PULL_REQUEST_MILESTONE".
 
@@ -308,17 +289,17 @@ execute a local pipeline
 
 **--commit-refspec**="": Set the metadata environment variable "CI_COMMIT_REFSPEC".
 
-**--commit-release-is-pre**: Set the metadata environment variable "CI_COMMIT_PRERELEASE".
+**--commit-release-is-pre**: Set the metadata environment variable "CI_COMMIT_PRERELEASE". (default: false)
 
 **--commit-sha**="": Set the metadata environment variable "CI_COMMIT_SHA".
 
-**--env**="": Set the metadata environment variable "CI_ENV". (default: [])
+**--env**="": Set the metadata environment variable "CI_ENV".
 
 **--forge-type**="": Set the metadata environment variable "CI_FORGE_TYPE".
 
 **--forge-url**="": Set the metadata environment variable "CI_FORGE_URL".
 
-**--local**: run from local directory
+**--local**: run from local directory (default: true)
 
 **--metadata-file**="": path to pipeline metadata file (normally downloaded from UI). Parameters can be adjusted by applying additional cli flags
 
@@ -328,7 +309,7 @@ execute a local pipeline
 
 **--netrc-username**="": 
 
-**--network**="": external networks (default: [])
+**--network**="": external networks
 
 **--pipeline-changed-files**="": Set the metadata environment variable "CI_PIPELINE_FILES", either json formatted list of strings, or comma separated string list.
 
@@ -348,7 +329,7 @@ execute a local pipeline
 
 **--pipeline-url**="": Set the metadata environment variable "CI_PIPELINE_FORGE_URL".
 
-**--plugins-privileged**="": Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none (default: [])
+**--plugins-privileged**="": Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none
 
 **--prev-commit-author-avatar**="": Set the metadata environment variable "CI_PREV_COMMIT_AUTHOR_AVATAR".
 
@@ -398,17 +379,17 @@ execute a local pipeline
 
 **--repo-remote-id**="": Set the metadata environment variable "CI_REPO_REMOTE_ID".
 
-**--repo-trusted-network**: Set the metadata environment variable "CI_REPO_TRUSTED_NETWORK".
+**--repo-trusted-network**: Set the metadata environment variable "CI_REPO_TRUSTED_NETWORK". (default: false)
 
-**--repo-trusted-security**: Set the metadata environment variable "CI_REPO_TRUSTED_SECURITY".
+**--repo-trusted-security**: Set the metadata environment variable "CI_REPO_TRUSTED_SECURITY". (default: false)
 
-**--repo-trusted-volumes**: Set the metadata environment variable "CI_REPO_TRUSTED_VOLUMES".
+**--repo-trusted-volumes**: Set the metadata environment variable "CI_REPO_TRUSTED_VOLUMES". (default: false)
 
 **--repo-url**="": Set the metadata environment variable "CI_REPO_URL".
 
-**--secrets**="": map of secrets, ex. 'secret="val",secret2="value2"' (default: map[])
+**--secrets**="": map of secrets, ex. 'secret="val",secret2="value2"'
 
-**--secrets**="": path to yaml file with secrets map
+**--secrets-file**="": path to yaml file with secrets map
 
 **--system-host**="": Set the metadata environment variable "CI_SYSTEM_HOST".
 
@@ -420,7 +401,7 @@ execute a local pipeline
 
 **--timeout**="": pipeline timeout (default: 1h0m0s)
 
-**--volumes**="": pipeline volumes (default: [])
+**--volumes**="": pipeline volumes
 
 **--workflow-name**="": Set the metadata environment variable "CI_WORKFLOW_NAME".
 
@@ -434,18 +415,17 @@ execute a local pipeline
 
 show information about the current user
 
-**--format**="": format output (deprecated) (default: User: {{ .Login }}
-Email: {{ .Email }})
+**--format**="": format output (deprecated) (default: User: {{ .Login }}\nEmail: {{ .Email }})
 
 ## lint
 
 lint a pipeline configuration file
 
-**--plugins-privileged**="": allow plugins to run in privileged mode, if set empty, there is no (default: [])
+**--plugins-privileged**="": allow plugins to run in privileged mode, if set empty, there is no
 
-**--plugins-trusted-clone**="": plugins that are trusted to handle Git credentials in cloning steps (default: [docker.io/woodpeckerci/plugin-git:2.6.5 docker.io/woodpeckerci/plugin-git quay.io/woodpeckerci/plugin-git])
+**--plugins-trusted-clone**="": plugins that are trusted to handle Git credentials in cloning steps (default: "docker.io/woodpeckerci/plugin-git:2.7.0", "docker.io/woodpeckerci/plugin-git", "quay.io/woodpeckerci/plugin-git")
 
-**--strict**: treat warnings as errors
+**--strict**: treat warnings as errors (default: false)
 
 ## org
 
@@ -479,10 +459,7 @@ remove a registry
 
 list registries
 
-**--format**="": format output (deprecated) (default: {{ .Address }} 
-Username: {{ .Username }}
-Email: {{ .Email }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Address }} \x1b[0m\nUsername: {{ .Username }}\nEmail: {{ .Email }}\n)
 
 **--organization, --org**="": organization id or full name (e.g. 123 or octocat)
 
@@ -490,10 +467,7 @@ Email: {{ .Email }}
 
 show registry information
 
-**--format**="": format output (deprecated) (default: {{ .Address }} 
-Username: {{ .Username }}
-Email: {{ .Email }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Address }} \x1b[0m\nUsername: {{ .Username }}\nEmail: {{ .Email }}\n)
 
 **--hostname**="": registry hostname (default: docker.io)
 
@@ -519,9 +493,9 @@ manage secrets
 
 add a secret
 
-**--event**="": secret limited to these events (default: [])
+**--event**="": secret limited to these events
 
-**--image**="": secret limited to these images (default: [])
+**--image**="": secret limited to these images
 
 **--name**="": secret name
 
@@ -541,14 +515,7 @@ remove a secret
 
 list secrets
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Events: {{ list .Events }}
-{{- if .Images }}
-Images: {{ list .Images }}
-{{- else }}
-Images: <any>
-{{- end }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nEvents: {{ list .Events }}\n{{- if .Images }}\nImages: {{ list .Images }}\n{{- else }}\nImages: <any>\n{{- end }}\n)
 
 **--organization, --org**="": organization id or full name (e.g. 123 or octocat)
 
@@ -556,14 +523,7 @@ Images: <any>
 
 show secret information
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Events: {{ list .Events }}
-{{- if .Images }}
-Images: {{ list .Images }}
-{{- else }}
-Images: <any>
-{{- end }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nEvents: {{ list .Events }}\n{{- if .Images }}\nImages: {{ list .Images }}\n{{- else }}\nImages: <any>\n{{- end }}\n)
 
 **--name**="": secret name
 
@@ -573,9 +533,9 @@ Images: <any>
 
 update a secret
 
-**--event**="": limit secret to these event (default: [])
+**--event**="": limit secret to these event
 
-**--image**="": limit secret to these image (default: [])
+**--image**="": limit secret to these image
 
 **--name**="": secret name
 
@@ -599,9 +559,9 @@ create new pipeline
 
 **--output**="": output format (default: table)
 
-**--output-no-headers**: don't print headers
+**--output-no-headers**: don't print headers (default: false)
 
-**--var**="": key=value (default: [])
+**--var**="": key=value
 
 ### decline
 
@@ -615,17 +575,9 @@ trigger a pipeline with the 'deployment' event
 
 **--event**="": event filter (default: push)
 
-**--format**="": format output (default: Number: {{ .Number }}
-Status: {{ .Status }}
-Commit: {{ .Commit }}
-Branch: {{ .Branch }}
-Ref: {{ .Ref }}
-Message: {{ .Message }}
-Author: {{ .Author }}
-Target: {{ .Deploy }}
-)
+**--format**="": format output (default: Number: {{ .Number }}\nStatus: {{ .Status }}\nCommit: {{ .Commit }}\nBranch: {{ .Branch }}\nRef: {{ .Ref }}\nMessage: {{ .Message }}\nAuthor: {{ .Author }}\nTarget: {{ .Deploy }}\n)
 
-**--param, -p**="": custom parameters to inject into the step environment. Format: KEY=value (default: [])
+**--param, -p**="": custom parameters to inject into the step environment. Format: KEY=value
 
 **--status**="": status filter (default: success)
 
@@ -637,15 +589,15 @@ show latest pipeline information
 
 **--output**="": output format (default: table)
 
-**--output-no-headers**: don't print headers
+**--output-no-headers**: don't print headers (default: false)
 
 ### ls
 
 show pipeline history
 
-**--after**="": only return pipelines after this date (RFC3339) (default: 0001-01-01 00:00:00 +0000 UTC)
+**--after**="": only return pipelines after this date (RFC3339)
 
-**--before**="": only return pipelines before this date (RFC3339) (default: 0001-01-01 00:00:00 +0000 UTC)
+**--before**="": only return pipelines before this date (RFC3339)
 
 **--branch**="": branch filter
 
@@ -655,7 +607,7 @@ show pipeline history
 
 **--output**="": output format (default: table)
 
-**--output-no-headers**: don't print headers
+**--output-no-headers**: don't print headers (default: false)
 
 **--status**="": status filter
 
@@ -675,37 +627,25 @@ show pipeline logs
 
 show pipeline steps
 
-**--format**="": format output (default: {{ .workflow.Name }} > {{ .step.Name }} (#{{ .step.PID }}):
-Step: {{ .step.Name }}
-Started: {{ .step.Started }}
-Stopped: {{ .step.Stopped }}
-Type: {{ .step.Type }}
-State: {{ .step.State }}
-)
+**--format**="": format output (default: \x1b[33m{{ .workflow.Name }} > {{ .step.Name }} (#{{ .step.PID }}):\x1b[0m\nStep: {{ .step.Name }}\nStarted: {{ .step.Started }}\nStopped: {{ .step.Stopped }}\nType: {{ .step.Type }}\nState: {{ .step.State }}\n)
 
 ### purge
 
 purge pipelines
 
-**--dry-run**: disable non-read api calls
+**--branch**="": remove pipelines of this branch only
+
+**--dry-run**: disable non-read api calls (default: false)
 
 **--keep-min**="": minimum number of pipelines to keep (default: 10)
 
-**--older-than**="": remove pipelines older than the specified time limit
+**--older-than**="": remove pipelines older than the specified time limit (default: 0s)
 
 ### queue
 
 show pipeline queue
 
-**--format**="": format output (default: {{ .FullName }} #{{ .Number }} 
-Status: {{ .Status }}
-Event: {{ .Event }}
-Commit: {{ .Commit }}
-Branch: {{ .Branch }}
-Ref: {{ .Ref }}
-Author: {{ .Author }} {{ if .Email }}<{{.Email}}>{{ end }}
-Message: {{ .Message }}
-)
+**--format**="": format output (default: \x1b[33m{{ .FullName }} #{{ .Number }} \x1b[0m\nStatus: {{ .Status }}\nEvent: {{ .Event }}\nCommit: {{ .Commit }}\nBranch: {{ .Branch }}\nRef: {{ .Ref }}\nAuthor: {{ .Author }} {{ if .Email }}<{{.Email}}>{{ end }}\nMessage: {{ .Message }}\n)
 
 ### show
 
@@ -713,13 +653,13 @@ show pipeline information
 
 **--output**="": output format (default: table)
 
-**--output-no-headers**: don't print headers
+**--output-no-headers**: don't print headers (default: false)
 
 ### start
 
 start a pipeline
 
-**--param, -p**="": custom parameters to inject into the step environment. Format: KEY=value (default: [])
+**--param, -p**="": custom parameters to inject into the step environment. Format: KEY=value
 
 ### stop
 
@@ -747,12 +687,7 @@ add a cron job
 
 **--branch**="": cron branch
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-ID: {{ .ID }}
-Branch: {{ .Branch }}
-Schedule: {{ .Schedule }}
-NextExec: {{ .NextExec }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nID: {{ .ID }}\nBranch: {{ .Branch }}\nSchedule: {{ .Schedule }}\nNextExec: {{ .NextExec }}\n)
 
 **--name**="": cron name
 
@@ -772,12 +707,7 @@ remove a cron job
 
 list cron jobs
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-ID: {{ .ID }}
-Branch: {{ .Branch }}
-Schedule: {{ .Schedule }}
-NextExec: {{ .NextExec }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nID: {{ .ID }}\nBranch: {{ .Branch }}\nSchedule: {{ .Schedule }}\nNextExec: {{ .NextExec }}\n)
 
 **--repository, --repo**="": repository id or full name (e.g. 134 or octocat/hello-world)
 
@@ -785,12 +715,7 @@ NextExec: {{ .NextExec }}
 
 show cron job information
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-ID: {{ .ID }}
-Branch: {{ .Branch }}
-Schedule: {{ .Schedule }}
-NextExec: {{ .NextExec }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nID: {{ .ID }}\nBranch: {{ .Branch }}\nSchedule: {{ .Schedule }}\nNextExec: {{ .NextExec }}\n)
 
 **--id**="": cron id
 
@@ -802,12 +727,7 @@ update a cron job
 
 **--branch**="": cron branch
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-ID: {{ .ID }}
-Branch: {{ .Branch }}
-Schedule: {{ .Schedule }}
-NextExec: {{ .NextExec }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nID: {{ .ID }}\nBranch: {{ .Branch }}\nSchedule: {{ .Schedule }}\nNextExec: {{ .NextExec }}\n)
 
 **--id**="": cron id
 
@@ -821,7 +741,7 @@ NextExec: {{ .NextExec }}
 
 list all repos
 
-**--all**: query all repos, including inactive ones
+**--all**: query all repos, including inactive ones (default: false)
 
 **--format**="": format output (deprecated)
 
@@ -829,7 +749,7 @@ list all repos
 
 **--output**="": output format (default: table)
 
-**--output-no-headers**: don't print headers
+**--output-no-headers**: don't print headers (default: false)
 
 ### registry
 
@@ -859,10 +779,7 @@ remove a registry
 
 list registries
 
-**--format**="": format output (deprecated) (default: {{ .Address }} 
-Username: {{ .Username }}
-Email: {{ .Email }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Address }} \x1b[0m\nUsername: {{ .Username }}\nEmail: {{ .Email }}\n)
 
 **--repository, --repo**="": repository id or full name (e.g. 134 or octocat/hello-world)
 
@@ -870,10 +787,7 @@ Email: {{ .Email }}
 
 show registry information
 
-**--format**="": format output (deprecated) (default: {{ .Address }} 
-Username: {{ .Username }}
-Email: {{ .Email }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Address }} \x1b[0m\nUsername: {{ .Username }}\nEmail: {{ .Email }}\n)
 
 **--hostname**="": registry hostname (default: docker.io)
 
@@ -907,9 +821,9 @@ manage secrets
 
 add a secret
 
-**--event**="": limit secret to these events (default: [])
+**--event**="": limit secret to these events
 
-**--image**="": limit secret to these images (default: [])
+**--image**="": limit secret to these images
 
 **--name**="": secret name
 
@@ -929,14 +843,7 @@ remove a secret
 
 list secrets
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Events: {{ list .Events }}
-{{- if .Images }}
-Images: {{ list .Images }}
-{{- else }}
-Images: <any>
-{{- end }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nEvents: {{ list .Events }}\n{{- if .Images }}\nImages: {{ list .Images }}\n{{- else }}\nImages: <any>\n{{- end }}\n)
 
 **--repository, --repo**="": repository id or full name (e.g. 134 or octocat/hello-world)
 
@@ -944,14 +851,7 @@ Images: <any>
 
 show secret information
 
-**--format**="": format output (deprecated) (default: {{ .Name }} 
-Events: {{ list .Events }}
-{{- if .Images }}
-Images: {{ list .Images }}
-{{- else }}
-Images: <any>
-{{- end }}
-)
+**--format**="": format output (deprecated) (default: \x1b[33m{{ .Name }} \x1b[0m\nEvents: {{ list .Events }}\n{{- if .Images }}\nImages: {{ list .Images }}\n{{- else }}\nImages: <any>\n{{- end }}\n)
 
 **--name**="": secret name
 
@@ -961,9 +861,9 @@ Images: <any>
 
 update a secret
 
-**--event**="": limit secret to these events (default: [])
+**--event**="": limit secret to these events
 
-**--image**="": limit secret to these images (default: [])
+**--image**="": limit secret to these images
 
 **--name**="": secret name
 
@@ -977,13 +877,13 @@ show repository information
 
 **--output**="": output format (default: table)
 
-**--output-no-headers**: don't print headers
+**--output-no-headers**: don't print headers (default: false)
 
 ### sync
 
 synchronize the repository list
 
-**--format**="": format output (default: {{ .FullName }} (id: {{ .ID }}, forgeRemoteID: {{ .ForgeRemoteID }}, isActive: {{ .IsActive }}))
+**--format**="": format output (default: \x1b[33m{{ .FullName }}\x1b[0m (id: {{ .ID }}, forgeRemoteID: {{ .ForgeRemoteID }}, isActive: {{ .IsActive }}))
 
 ### update
 
@@ -997,9 +897,13 @@ update a repository
 
 **--timeout**="": repository timeout (default: 0s)
 
-**--trusted**: repository is trusted
+**--trusted-network**: repository is network trusted (default: false)
 
-**--unsafe**: allow unsafe operations
+**--trusted-security**: repository is security trusted (default: false)
+
+**--trusted-volumes**: repository is volumes trusted (default: false)
+
+**--unsafe**: allow unsafe operations (default: false)
 
 **--visibility**="": repository visibility
 
@@ -1015,4 +919,4 @@ setup the woodpecker-cli for the first time
 
 update the woodpecker-cli to the latest version
 
-**--force**: force update even if the latest version is already installed
+**--force**: force update even if the latest version is already installed (default: false)

docs/versioned_docs/version-3.13/92-development/01-getting-started.md

@@ -20,7 +20,7 @@ Start Woodpecker in Gitpod by clicking on the following badge. You can log in wi
 
 ### Install Go
 
-Install Golang (>=1.20) as described by [this guide](https://go.dev/doc/install).
+Install Golang as described by [this guide](https://go.dev/doc/install).
 
 ### Install make
 
@@ -34,7 +34,7 @@ Install make on:
 
 ### Install Node.js & `pnpm`
 
-Install [Node.js (>=20)](https://nodejs.org/en/download/package-manager) if you want to build Woodpecker's UI or documentation.
+Install [Node.js](https://nodejs.org/en/download/package-manager) if you want to build Woodpecker's UI or documentation.
 
 For dependency installation (`node_modules`) of UI and documentation of Woodpecker the package manager pnpm is used.
 [This guide](https://pnpm.io/installation) describes the installation of `pnpm`.

docs/versioned_docs/version-3.13/92-development/02-core-ideas.md

@@ -8,7 +8,7 @@
 ## Addons and extensions
 
 If you are wondering whether your contribution will be accepted to be merged in the Woodpecker core, or whether it's better to write an
-[addon forge](../30-administration/10-configuration/12-forges/100-addon.md), [extension](../30-administration/10-configuration/10-server.md#external-configuration-api) or an
+[addon](../30-administration/10-configuration/100-addons.md), [extension](../30-administration/10-configuration/10-server.md#external-configuration-api) or an
 [external custom backend](../30-administration/10-configuration/11-backends/50-custom.md), please check these points:
 
 - Is your change very specific to your setup and unlikely to be used by anyone else?

docs/versioned_docs/version-3.13/92-development/10-packaging.md

@@ -0,0 +1,18 @@
+# Packaging
+
+If you repackage it, we encourage to build from source, which requires internet connection.
+
+For offline builds, we also offer a tarball with all vendored dependencies and a pre-built web UI
+on the [release page](https://github.com/woodpecker-ci/woodpecker/releases).
+
+## Distribute web UI in own directory
+
+If you do not want to embed the web UI in the binary, you can compile a custom root path for the web UI into the binary.
+
+Add `external_web` to the tags and use the build flag `-X go.woodpecker-ci.org/woodpecker/v3/web.webUIRoot=/some/path` to set a custom path.
+
+Example: <!-- cspell:ignore webui -->
+
+```sh
+go build -tags 'external_web' -ldflags '-s -w -extldflags "-static" -X go.woodpecker-ci.org/woodpecker/v3/version.Version=3.12.0 -X go.woodpecker-ci.org/woodpecker/v3/web.webUIRoot=/nix/store/maaajlp8h5gy9zyjgfhaipzj07qnnmrl-woodpecker-WebUI-3.12.0' -o dist/woodpecker-server go.woodpecker-ci.org/woodpecker/v3/cmd/server
+```

docs/versioned_docs/version-3.13/92-development/100-addons.md

@@ -1,34 +1,16 @@
-# Custom
+# Addons
 
-If the forge you are using does not meet the [Woodpecker requirements](../../../92-development/02-core-ideas.md#forges) or your setup is too specific to be included in the Woodpecker core, you can write an addon forge.
+The Woodpecker server supports addons for forges and the log store.
 
 :::warning
-Addon forges are still experimental. Their implementation can change and break at any time.
+Addons are still experimental. Their implementation can change and break at any time.
 :::
 
-:::danger
-You must trust the author of the addon forge you are using. They may have access to authentication codes and other potentially sensitive information.
-:::
-
-## Usage
-
-To use an addon forge, download the correct addon version. Then, you can add the following to your configuration:
-
-```ini
-WOODPECKER_ADDON_FORGE=/path/to/your/addon/forge/file
-```
-
-In case you run Woodpecker as container, you probably want to mount the addon binary to `/opt/addons/`.
-
-### Bug reports
+## Bug reports
 
 If you experience bugs, please check which component has the issue. If it's the addon, **do not raise an issue in the main repository**, but rather use the separate addon repositories. To check which component is responsible for the bug, look at the logs. Logs from addons are marked with a special field `addon` containing their addon file name.
 
-## List of addon forges
-
-- [Radicle](https://radicle.xyz/): Open source, peer-to-peer code collaboration stack built on Git. Radicle addon for Woodpecker CI can be found at [this repo](https://explorer.radicle.gr/nodes/seed.radicle.gr/rad:z39Cf1XzrvCLRZZJRUZnx9D1fj5ws).
-
-## Creating addon forges
+## Creating addons
 
 Addons use RPC to communicate to the server and are implemented using the [`go-plugin` library](https://github.com/hashicorp/go-plugin).
 
@@ -38,7 +20,7 @@ This example will use the Go language.
 
 Directly import Woodpecker's Go packages (`go.woodpecker-ci.org/woodpecker/v3`) and use the interfaces and types defined there.
 
-In the `main` function, just call `"go.woodpecker-ci.org/woodpecker/v3/server/forge/addon".Serve` with a `"go.woodpecker-ci.org/woodpecker/v3/server/forge".Forge` as argument.
+In the `main` function, just call the `Serve` method in the corresponding [addon package](#addon-types) with the service as argument.
 This will take care of connecting the addon forge to the server.
 
 :::note
@@ -47,6 +29,8 @@ It is not possible to access global variables from Woodpecker, for example the s
 
 ### Example structure
 
+This is an example for a forge addon.
+
 ```go
 package main
 
@@ -68,3 +52,10 @@ type config struct {
 
 // `config` must implement `"go.woodpecker-ci.org/woodpecker/v3/server/forge".Forge`. You must directly use Woodpecker's packages - see imports above.
 ```
+
+### Addon types
+
+| Type      | Addon package                                                 | Service interface                                                 |
+| --------- | ------------------------------------------------------------- | ----------------------------------------------------------------- |
+| Forge     | `go.woodpecker-ci.org/woodpecker/v3/server/forge/addon`       | `"go.woodpecker-ci.org/woodpecker/v3/server/forge".Forge`         |
+| Log store | `go.woodpecker-ci.org/woodpecker/v3/server/service/log/addon` | `"go.woodpecker-ci.org/woodpecker/v3/server/service/log".Service` |

docs/versions.json

@@ -1 +1 @@
-["3.12", "3.11", "3.10", "2.8"]
+["3.13", "3.12", "3.11", "2.8"]