From d2ea85e55fbf86c316ddb93251a26244883f8497 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Wed, 10 Sep 2025 00:33:53 +0200
Subject: [PATCH] fix: allow spaces in `WOODPECKER_PLUGINS_PRIVILEGED` (#5494)

---
 cli/admin/secret/secret_add.go       |  6 ++++++
 cli/admin/secret/secret_set.go       |  6 ++++++
 cli/exec/flags.go                    | 15 ++++++++++++++
 cli/lint/lint.go                     |  6 ++++++
 cli/org/secret/secret_add.go         |  6 ++++++
 cli/org/secret/secret_set.go         |  6 ++++++
 cli/pipeline/create.go               |  3 +++
 cli/pipeline/deploy/deploy.go        |  3 +++
 cli/pipeline/start.go                |  3 +++
 cli/repo/secret/secret_add.go        |  6 ++++++
 cli/repo/secret/secret_set.go        |  6 ++++++
 cmd/agent/core/flags.go              |  3 +++
 cmd/server/flags.go                  | 30 ++++++++++++++++++++++++++++
 pipeline/backend/kubernetes/flags.go |  3 +++
 14 files changed, 102 insertions(+)

diff --git a/cli/admin/secret/secret_add.go b/cli/admin/secret/secret_add.go
index 91190c9b47..88c17b9219 100644
--- a/cli/admin/secret/secret_add.go
+++ b/cli/admin/secret/secret_add.go
@@ -41,10 +41,16 @@ var secretCreateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "event",
 			Usage: "secret limited to these events",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Name:  "image",
 			Usage: "secret limited to these images",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/admin/secret/secret_set.go b/cli/admin/secret/secret_set.go
index 768131a906..afed1e7021 100644
--- a/cli/admin/secret/secret_set.go
+++ b/cli/admin/secret/secret_set.go
@@ -41,10 +41,16 @@ var secretUpdateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "event",
 			Usage: "secret limited to these events",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Name:  "image",
 			Usage: "secret limited to these images",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/exec/flags.go b/cli/exec/flags.go
index c9013ee677..31ab7778e3 100644
--- a/cli/exec/flags.go
+++ b/cli/exec/flags.go
@@ -47,16 +47,25 @@ var flags = []cli.Flag{
 		Sources: cli.EnvVars("WOODPECKER_VOLUMES"),
 		Name:    "volumes",
 		Usage:   "pipeline volumes",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_NETWORKS"),
 		Name:    "network",
 		Usage:   "external networks",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
 		Name:    "plugins-privileged",
 		Usage:   "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("WOODPECKER_BACKEND"),
@@ -289,6 +298,9 @@ var flags = []cli.Flag{
 		Sources: cli.EnvVars("CI_COMMIT_PULL_REQUEST_LABELS"),
 		Name:    "commit-pull-labels",
 		Usage:   "Set the metadata environment variable \"CI_COMMIT_PULL_REQUEST_LABELS\".",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("CI_COMMIT_PULL_REQUEST_MILESTONE"),
@@ -399,6 +411,9 @@ var flags = []cli.Flag{
 		Sources: cli.EnvVars("CI_ENV"),
 		Name:    "env",
 		Usage:   "Set the metadata environment variable \"CI_ENV\".",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("CI_FORGE_TYPE"),
diff --git a/cli/lint/lint.go b/cli/lint/lint.go
index 832a508bda..62ae901142 100644
--- a/cli/lint/lint.go
+++ b/cli/lint/lint.go
@@ -41,12 +41,18 @@ var Command = &cli.Command{
 			Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
 			Name:    "plugins-privileged",
 			Usage:   "allow plugins to run in privileged mode, if set empty, there is no",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
 			Name:    "plugins-trusted-clone",
 			Usage:   "plugins that are trusted to handle Git credentials in cloning steps",
 			Value:   constant.TrustedClonePlugins,
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.BoolFlag{
 			Sources: cli.EnvVars("WOODPECKER_LINT_STRICT"),
diff --git a/cli/org/secret/secret_add.go b/cli/org/secret/secret_add.go
index a0a83ef80d..b137272e74 100644
--- a/cli/org/secret/secret_add.go
+++ b/cli/org/secret/secret_add.go
@@ -44,10 +44,16 @@ var secretCreateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "event",
 			Usage: "secret limited to these events",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Name:  "image",
 			Usage: "secret limited to these images",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/org/secret/secret_set.go b/cli/org/secret/secret_set.go
index cb784c3167..30e7c40d41 100644
--- a/cli/org/secret/secret_set.go
+++ b/cli/org/secret/secret_set.go
@@ -44,10 +44,16 @@ var secretUpdateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "event",
 			Usage: "limit secret to these event",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Name:  "image",
 			Usage: "limit secret to these image",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/pipeline/create.go b/cli/pipeline/create.go
index b317d4b3c4..de8fec46f7 100644
--- a/cli/pipeline/create.go
+++ b/cli/pipeline/create.go
@@ -39,6 +39,9 @@ var pipelineCreateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "var",
 			Usage: "key=value",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	}...),
 }
diff --git a/cli/pipeline/deploy/deploy.go b/cli/pipeline/deploy/deploy.go
index f83f7cc28b..b20469c8d8 100644
--- a/cli/pipeline/deploy/deploy.go
+++ b/cli/pipeline/deploy/deploy.go
@@ -54,6 +54,9 @@ var Command = &cli.Command{
 			Name:    "param",
 			Aliases: []string{"p"},
 			Usage:   "custom parameters to inject into the step environment. Format: KEY=value",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/pipeline/start.go b/cli/pipeline/start.go
index 694295fae3..f052017701 100644
--- a/cli/pipeline/start.go
+++ b/cli/pipeline/start.go
@@ -36,6 +36,9 @@ var pipelineStartCmd = &cli.Command{
 			Name:    "param",
 			Aliases: []string{"p"},
 			Usage:   "custom parameters to inject into the step environment. Format: KEY=value",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/repo/secret/secret_add.go b/cli/repo/secret/secret_add.go
index fb6e213832..28f0921bcd 100644
--- a/cli/repo/secret/secret_add.go
+++ b/cli/repo/secret/secret_add.go
@@ -44,10 +44,16 @@ var secretCreateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "event",
 			Usage: "limit secret to these events",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Name:  "image",
 			Usage: "limit secret to these images",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cli/repo/secret/secret_set.go b/cli/repo/secret/secret_set.go
index b284735270..8a1589385f 100644
--- a/cli/repo/secret/secret_set.go
+++ b/cli/repo/secret/secret_set.go
@@ -44,10 +44,16 @@ var secretUpdateCmd = &cli.Command{
 		&cli.StringSliceFlag{
 			Name:  "event",
 			Usage: "limit secret to these events",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 		&cli.StringSliceFlag{
 			Name:  "image",
 			Usage: "limit secret to these images",
+			Config: cli.StringConfig{
+				TrimSpace: true,
+			},
 		},
 	},
 }
diff --git a/cmd/agent/core/flags.go b/cmd/agent/core/flags.go
index 40dbefc506..2ef646380a 100644
--- a/cmd/agent/core/flags.go
+++ b/cmd/agent/core/flags.go
@@ -67,6 +67,9 @@ var flags = []cli.Flag{
 		Name:    "labels",
 		Aliases: []string{"filter"}, // remove in v4.x
 		Usage:   "List of labels to filter tasks on. An agent must be assigned every tag listed in a task to be selected.",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.IntFlag{
 		Sources: cli.EnvVars("WOODPECKER_MAX_WORKFLOWS", "WOODPECKER_MAX_PROCS"), // cspell:words PROCS
diff --git a/cmd/server/flags.go b/cmd/server/flags.go
index 750405be65..05d8b25cc0 100644
--- a/cmd/server/flags.go
+++ b/cmd/server/flags.go
@@ -126,16 +126,25 @@ var flags = append([]cli.Flag{
 		Sources: cli.EnvVars("WOODPECKER_ADMIN"),
 		Name:    "admin",
 		Usage:   "list of admin users",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_ORGS"),
 		Name:    "orgs",
 		Usage:   "list of approved organizations",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_REPO_OWNERS"),
 		Name:    "repo-owners",
 		Usage:   "Repositories by those owners will be allowed to be used in woodpecker",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.BoolFlag{
 		Sources: cli.EnvVars("WOODPECKER_OPEN"),
@@ -164,6 +173,9 @@ var flags = append([]cli.Flag{
 		Name:    "default-cancel-previous-pipeline-events",
 		Usage:   "List of event names that will be canceled when a new pipeline for the same context (tag, branch) is created.",
 		Value:   []string{"push", "pull_request"},
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("WOODPECKER_DEFAULT_CLONE_PLUGIN", "WOODPECKER_DEFAULT_CLONE_IMAGE"),
@@ -188,6 +200,9 @@ var flags = append([]cli.Flag{
 		Sources: cli.EnvVars("WOODPECKER_DEFAULT_WORKFLOW_LABELS"),
 		Name:    "default-workflow-labels",
 		Usage:   "The default label filter to set for workflows that has no label filter set. By default workflows will be allowed to run on any agent, if not specified in the workflow.",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.DurationFlag{
 		Sources: cli.EnvVars("WOODPECKER_SESSION_EXPIRES"),
@@ -199,16 +214,25 @@ var flags = append([]cli.Flag{
 		Sources: cli.EnvVars("WOODPECKER_PLUGINS_PRIVILEGED"),
 		Name:    "plugins-privileged",
 		Usage:   "Allow plugins to run in privileged mode, if environment variable is defined but empty there will be none",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_PLUGINS_TRUSTED_CLONE"),
 		Name:    "plugins-trusted-clone",
 		Usage:   "Plugins which are trusted to handle Git credentials in clone steps",
 		Value:   constant.TrustedClonePlugins,
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_VOLUME"),
 		Name:    "volume",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringFlag{
 		Sources: cli.EnvVars("WOODPECKER_DOCKER_CONFIG"),
@@ -217,10 +241,16 @@ var flags = append([]cli.Flag{
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_ENVIRONMENT"),
 		Name:    "environment",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringSliceFlag{
 		Sources: cli.EnvVars("WOODPECKER_NETWORK"),
 		Name:    "network",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.StringFlag{
 		Sources: cli.NewValueSourceChain(
diff --git a/pipeline/backend/kubernetes/flags.go b/pipeline/backend/kubernetes/flags.go
index f91d771613..f6b290fdc6 100644
--- a/pipeline/backend/kubernetes/flags.go
+++ b/pipeline/backend/kubernetes/flags.go
@@ -100,6 +100,9 @@ var Flags = []cli.Flag{
 		Sources: cli.EnvVars("WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES"),
 		Name:    "backend-k8s-pod-image-pull-secret-names",
 		Usage:   "backend k8s pull secret names for private registries",
+		Config: cli.StringConfig{
+			TrimSpace: true,
+		},
 	},
 	&cli.BoolFlag{
 		Sources: cli.EnvVars("WOODPECKER_BACKEND_K8S_ALLOW_NATIVE_SECRETS"),