'Trusted' toggle needed for multi-ARCH (qemu) builds but not shown to non admins

The issue stated in the title may be a shortcoming of Crow’s GUI but also very well a misunderstanding on my side. I appreciate help in any case.

I am trying to do a multiarch (arm/amd) build, but figured I had insufficient privileges to do so:

"Schema Error build-acme-dns:steps.build-push

Insufficient security privileges. To allow, check the ‘security’ option in the ‘Privileges & Security’ repository settings."

The issue wasn’t resolved after I created a dedicated token on the codefloe side. From what I found, I need to trust multiarch builds explicitly on the Crow side too, as QEMU needs additional privileges. After switching to a dedicated ARM I did not have the issue anymore, which at least confirms my codefloe token is scoped correctly.

I only had one coffee and may not have the sharpest eyes, but I looked several times to find the extra checkbox for that additional ‘trusted’ flag in Crow’s UI. Is it possible that granting this is only available to Crow admins?

At least I would:

  • in the error message: highlight that this is an additional check on Crow’s side, not codefloe.
  • tell people that this is admin level if that was the case.
  • possibly add recommendations about multiarch builds somewhere to the docs or even on the agents tab

I was able to fix this using the latest Crow ansible plugin: Available Plugins | Crow CI. I guess the issue was caused by a Woodpecker plugin I thought was compatible and up to date. I can very much recommend the Crow ansible plugins.

Only the Crow buildx plugin is allowlisted to run privileged - other plugins attempting this will error. This plugin is the recommended way to build multi-arch images in Crow CI.

Non-admin users in Crow cannot change the security settings in a repo, so the error message is a bit misleading and assumes you’re admin and are able to do so.

I consider this solved. Even though it’s not the reason in the first place to have an allowlist, it has the nice effect of forcing the user to use the best and most up-to-date plugin available for the job.

Struggled to find the ‘mark-as-resolved’ in here.

Hasn’t been enabled for this category until now :)