Add docs for v3.6 release (#5154)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

docs/versioned_docs/version-3.3/20-usage/40-secrets.md

@@ -1,156 +0,0 @@
-# Secrets
-
-Woodpecker provides the ability to store named variables in a central secret store.
-These secrets can be passed securely to individual pipeline steps using the `from_secret` keyword.
-
-Three different levels of secrets are available.
-The following list shows the priority of these.
-If a secret is defined in multiple levels, the following precedence applies: Repository secrets > Organization secrets > Global secrets.
-
-1. **Repository secrets**: Available to all pipelines of a repository.
-1. **Organization secrets**: Available to all pipelines of an organization.
-1. **Global secrets**: Can only be set by instance admins.
-   Global secret are available to all pipelines of the **entire** Woodpecker instance and should therefore be used with caution.
-
-:::tip
-In addition to the native secret integration, external secret providers can be utilized by interacting with them directly within pipeline steps.
-Access to these providers can be configured using Woodpecker secrets, enabling the retrieval of secrets from the respective external sources.
-:::
-
-:::warning
-Woodpecker can mask secrets from its native secret store, but it cannot apply the same protection to external secrets. As a result, these external secrets may be exposed in the pipeline logs.
-:::
-
-## Usage
-
-You can set a setting or environment value from Woodpecker secrets using the `from_secret` syntax.
-
-The example below passes a secret called `secret_token` which will be stored in an environment variable named `TOKEN_ENV`:
-
-```diff
- steps:
-   - name: 'step name'
-     image: registry/repo/image:tag
-     commands:
-+      - echo "The secret is $TOKEN_ENV"
-+    environment:
-+      TOKEN_ENV:
-+        from_secret: secret_token
-```
-
-The same syntax can be used to pass secrets to (plugin) settings.
-A secret named `secret_token` is assigned to the setting `TOKEN`, which will then be available in the plugin as environment variable `PLUGIN_TOKEN` (see [plugins](./51-plugins/20-creating-plugins.md#settings) for details).
-`PLUGIN_TOKEN` is then internally consumed by the plugin itself and will be honored during execution.
-
-```diff
- steps:
-   - name: 'step name'
-     image: registry/repo/image:tag
-+    settings:
-+      TOKEN:
-+        from_secret: secret_token
-```
-
-### Note about parameter pre-processing
-
-Please note that parameter expressions undergo pre-processing, meaning they are evaluated before the pipeline starts.
-If secrets are to be used in expressions, they must be properly escaped (using `$$`) to ensure correct handling.
-
-```diff
- steps:
-   - name: docker
-     image: docker
-     commands:
--      - echo ${TOKEN_ENV}
-+      - echo $${TOKEN_ENV}
-     environment:
-       TOKEN_ENV:
-         from_secret: secret_token
-```
-
-### Use in Pull Requests events
-
-By default, secrets are not exposed to pull requests.
-However, you can change this behavior by creating the secret and enabling the `pull_request` event type.
-This can be configured either through the UI or via the CLI, as demonstrated below.
-
-:::warning
-Be cautious when exposing secrets to pull requests.
-If your repository is public and initiates pull request runs without requiring approval, your secrets may be at risk.
-Malicious actors could potentially exploit this to expose or transmit your secrets to an external location.
-:::
-
-## Plugins filter
-
-To prevent abusing your secrets from malicious usage, you can limit a secret to a list of plugins.
-If enabled they are not available to any other plugin (steps without user-defined commands).
-Plugins have the advantage that they cannot run arbitrary commands, hence they cannot be used to expose secrets (in contrast to arbitrary steps).
-
-:::note
-If you specify a tag, the filter will honor it.
-However, if the same image appears multiple times in the list, the least privileged entry takes precedence.
-For example, an image without a tag will permit all tags, even if another entry with a pinned tag is included.
-:::
-
-![plugins filter](./secrets-plugins-filter.png)
-
-## Adding Secrets
-
-Secrets can be added through the UI or via the CLI.
-
-### CLI Examples
-
-Create the secret using default settings.
-The secret will be available to all images in your pipeline, and will be available to all `push`, `tag`, and `deployment` events (not `pull_request` events).
-
-```bash
-woodpecker-cli repo secret add \
-  --repository octocat/hello-world \
-  --name aws_access_key_id \
-  --value <value>
-```
-
-Create the secret and limit it to a single image:
-
-```diff
- woodpecker-cli secret add \
-   --repository octocat/hello-world \
-+  --image woodpeckerci/plugin-s3 \
-   --name aws_access_key_id \
-   --value <value>
-```
-
-Create the secrets and limit it to a set of images:
-
-```diff
- woodpecker-cli repo secret add \
-   --repository octocat/hello-world \
-+  --image woodpeckerci/plugin-s3 \
-+  --image woodpeckerci/plugin-docker-buildx \
-   --name aws_access_key_id \
-   --value <value>
-```
-
-Create the secret and enable it for multiple hook events:
-
-```diff
- woodpecker-cli repo secret add \
-   --repository octocat/hello-world \
-   --image woodpeckerci/plugin-s3 \
-+  --event pull_request \
-+  --event push \
-+  --event tag \
-   --name aws_access_key_id \
-   --value <value>
-```
-
-Secrets can be loaded from a file using the `@` syntax.
-This method is recommended for loading secrets from a file, as it ensures that newlines are preserved (this is for example important for SSH keys).
-Here’s an example:
-
-```diff
- woodpecker-cli repo secret add \
-   -repository octocat/hello-world \
-   -name ssh_key \
-+  -value @/root/ssh/id_rsa
-```

docs/versioned_docs/version-3.6/20-usage/15-terminology/index.md

@@ -24,6 +24,7 @@
 - **Dependency**: [Workflows][Workflow] can depend on each other, and if possible, they are executed in parallel.
 - **Status**: Status refers to the outcome of a step or [workflow][Workflow] after it has been executed, determined by the internal command exit code. At the end of a [workflow][Workflow], its status is sent to the [forge][Forge].
 - **Service extension**: Some parts of Woodpecker internal services like secrets storage or config fetcher can be replaced through service extensions.
+- **Task**: A task is a [workflow][Workflow] that's currently waiting for its execution in the task queue.
 
 ## Woodpecker architecture
 

docs/versioned_docs/version-3.6/20-usage/20-workflow-syntax.md

@@ -510,6 +510,15 @@ For more details check the [service docs](./60-services.md#detachment).
 
 Using `directory`, you can set a subdirectory of your repository or an absolute path inside the Docker container in which your commands will run.
 
+### `backend_options`
+
+With `backend_options` you can define options that are specific to the respective backend that is used to execute the steps. For example, you can specify the user and/or group used in a Docker container or you can specify the service account for Kubernetes.
+
+Further details can be found in the documentation of the used backend:
+
+- [Docker](../30-administration/10-configuration/11-backends/10-docker.md#step-specific-configuration)
+- [Kubernetes](../30-administration/10-configuration/11-backends/20-kubernetes.md#step-specific-configuration)
+
 ## `services`
 
 Woodpecker can provide service containers. They can for example be used to run databases or cache containers during the execution of workflow.
@@ -594,12 +603,16 @@ For more details check the [matrix build docs](./30-matrix-workflows.md).
 
 ## `labels`
 
-You can set labels for your workflow to select an agent to execute the workflow on. An agent will pick up and run a workflow when **every** label assigned to it matches the agents labels.
+You can define labels for your workflow in order to select an agent to execute the workflow. An agent takes up a workflow and executes it if **every** label assigned to it matches the label of the agent.
 
-To set additional agent labels, check the [agent configuration options](../30-administration/10-configuration/30-agent.md#woodpecker_agent_labels). Agents will have at least four default labels: `platform=agent-os/agent-arch`, `hostname=my-agent`, `backend=docker` (type of the agent backend) and `repo=*`. Agents can use a `*` as a wildcard for a label. For example `repo=*` will match every repo.
+To specify additional agent labels, check the [Agent configuration options](../30-administration/10-configuration/30-agent.md#agent_labels). The agents have at least four default labels: `platform=agent-os/agent-arch`, `hostname=my-agent`, `backend=docker` (type of agent backend) and `repo=*`. Agents can use an `*` as a placeholder for a label. For example, `repo=*` matches any repo.
 
-Workflow labels with an empty value will be ignored.
-By default, each workflow has at least the `repo=your-user/your-repo-name` label. If you have set the [platform attribute](#platform) for your workflow it will have a label like `platform=your-os/your-arch` as well.
+Workflow labels with an empty value are ignored.
+By default, each workflow has at least the label `repo=your-user/your-repo-name`. If you have set the [platform attribute](#platform) for your workflow, it will also have a label such as `platform=your-os/your-arch`.
+
+:::warning
+Labels with the `woodpecker-ci.org` prefix are managed by Woodpecker and can not be set as part of the pipeline definition.
+:::
 
 You can add additional labels as a key value map:
 
@@ -642,9 +655,9 @@ For more details and examples check the [Advanced usage docs](./90-advanced-usag
 
 ## `clone`
 
-Woodpecker automatically configures a default clone step if not explicitly defined. When using the `local` backend, the [plugin-git](https://github.com/woodpecker-ci/plugin-git) binary must be on your `$PATH` for the default clone step to work. If not, you can still write a manual clone step.
+Woodpecker automatically configures a default clone step if it is not explicitly defined. If you are using the `local` backend, the [plugin-git](https://github.com/woodpecker-ci/plugin-git) binary must be in your `$PATH` for the default clone step to work. If this is not the case, you can still write a manual clone step.
 
-You can manually configure the clone step in your workflow for customization:
+You can manually configure the clone step in your workflow to customize it:
 
 ```diff
 +clone:
@@ -659,7 +672,7 @@ You can manually configure the clone step in your workflow for customization:
        - go test
 ```
 
-Example configuration to override depth:
+Example configuration to override the depth:
 
 ```diff
  clone:
@@ -680,7 +693,7 @@ Example configuration to use a custom clone plugin:
 
 ### Git Submodules
 
-To use the credentials that cloned the repository to clone it's submodules, update `.gitmodules` to use `https` instead of `git`:
+To use the credentials used to clone the repository to clone its submodules, update `.gitmodules` to use `https` instead of `git`:
 
 ```diff
  [submodule "my-module"]
@@ -706,6 +719,10 @@ steps:
 
 ## `skip_clone`
 
+:::warning
+The default clone step is executed as `root` to ensure that the workspace directory can be accessed by any user (`0777`). This is necessary to allow rootless step containers to write to the workspace directory. If a rootless step container is used with `skip_clone`, the user must ensure a suitable workspace directory that can be accessed by the unprivileged container use, e.g. `/tmp`.
+:::
+
 By default Woodpecker is automatically adding a clone step. This clone step can be configured by the [clone](#clone) property. If you do not need a `clone` step at all you can skip it using:
 
 ```yaml

docs/versioned_docs/version-3.6/20-usage/40-secrets.md

@@ -0,0 +1,148 @@
+# Secrets
+
+Woodpecker provides the ability to store named variables in a central secret store.
+These secrets can be securely passed on to individual pipeline steps using the keyword `from_secret`.
+
+There are three different levels of secrets available. If a secret is defined in multiple levels, the following order of priority applies (last wins):
+
+1. **Repository secrets**: Available for all pipelines of a repository.
+1. **Organization secrets**: Available for all pipelines of an organization.
+1. **Global secrets**: Can only be set by instance administrators.
+   Global secrets are available for all pipelines of the **entire** Woodpecker instance and should therefore be used with caution.
+
+In addition to the native integration of secrets, external providers of secrets can also be used by interacting with them directly within pipeline steps. Access to these providers can be configured with Woodpecker secrets, which enables the retrieval of secrets from the respective external sources.
+
+:::warning
+Woodpecker can mask secrets from its own secrets store, but it cannot apply the same protection to external secrets. As a result, these external secrets can be exposed in the pipeline logs.
+:::
+
+## Usage
+
+You can set a setting or environment value from Woodpecker secrets by using the `from_secret` syntax.
+
+The following example passes a secret called `secret_token` which is stored in an environment variable called `TOKEN_ENV`:
+
+```diff
+ steps:
+   - name: 'step name'
+     image: registry/repo/image:tag
+     commands:
++      - echo "The secret is $TOKEN_ENV"
++    environment:
++      TOKEN_ENV:
++        from_secret: secret_token
+```
+
+The same syntax can be used to pass secrets to (plugin) settings.
+A secret called `secret_token` is assigned to the setting `TOKEN`, which is then available in the plugin as the environment variable `PLUGIN_TOKEN` (see [plugins](./51-plugins/20-creating-plugins.md#settings) for details).
+`PLUGIN_TOKEN` is then used internally by the plugin itself and taken into account during execution.
+
+```diff
+ steps:
+   - name: 'step name'
+     image: registry/repo/image:tag
++    settings:
++      TOKEN:
++        from_secret: secret_token
+```
+
+### Escape secrets
+
+Please note that parameter expressions are preprocessed, i.e. they are evaluated before the pipeline starts.
+If secrets are to be used in expressions, they must be properly escaped (with `$$`) to ensure correct processing.
+
+```diff
+ steps:
+   - name: docker
+     image: docker
+     commands:
+-      - echo ${TOKEN_ENV}
++      - echo $${TOKEN_ENV}
+     environment:
+       TOKEN_ENV:
+         from_secret: secret_token
+```
+
+### Events filter
+
+By default, secrets are not exposed to pull requests.
+However, you can change this behavior by creating the secret and enabling the `pull_request` event type.
+This can be configured either via the UI or via the CLI.
+
+:::warning
+Be careful when exposing secrets for pull requests.
+If your repository is public and accepts pull requests from everyone, your secrets may be at risk.
+Malicious actors could take advantage of this to expose your secrets or transfer them to an external location.
+:::
+
+### Plugins filter
+
+To prevent your secrets from being misused by malicious users, you can restrict a secret to a list of plugins.
+If enabled, they are not available to any other plugins.
+Plugins have the advantage that they cannot execute arbitrary commands and therefore cannot reveal secrets.
+
+:::tip
+If you specify a tag, the filter will take it into account.
+However, if the same image appears several times in the list, the least privileged entry will take precedence.
+For example, an image without a tag will allow all tags, even if it contains another entry with a tag attached.
+:::
+
+![plugins filter](./secrets-plugins-filter.png)
+
+## CLI
+
+In addition to the UI, secrets can also be managed using the CLI.
+
+Create the secret with the default settings.
+The secret is available for all images in your pipeline and for all `push`, `tag` and `deployment` events (not for `pull_request` events).
+
+```bash
+woodpecker-cli repo secret add \
+  --repository octocat/hello-world \
+  --name aws_access_key_id \
+  --value <value>
+```
+
+Create the secret and limit it to a single image:
+
+```diff
+ woodpecker-cli secret add \
+   --repository octocat/hello-world \
++  --image woodpeckerci/plugin-s3 \
+   --name aws_access_key_id \
+   --value <value>
+```
+
+Create the secrets and limit it to a set of images:
+
+```diff
+ woodpecker-cli repo secret add \
+   --repository octocat/hello-world \
++  --image woodpeckerci/plugin-s3 \
++  --image woodpeckerci/plugin-docker-buildx \
+   --name aws_access_key_id \
+   --value <value>
+```
+
+Create the secret and enable it for multiple hook events:
+
+```diff
+ woodpecker-cli repo secret add \
+   --repository octocat/hello-world \
+   --image woodpeckerci/plugin-s3 \
++  --event pull_request \
++  --event push \
++  --event tag \
+   --name aws_access_key_id \
+   --value <value>
+```
+
+Secrets can be loaded from a file using the syntax `@`.
+This method is recommended for loading secrets from a file, as it ensures that line breaks are preserved (this is important for SSH keys, for example):
+
+```diff
+ woodpecker-cli repo secret add \
+   -repository octocat/hello-world \
+   -name ssh_key \
++  -value @/root/ssh/id_rsa
+```

docs/versioned_docs/version-3.6/20-usage/41-registries.md

@@ -37,7 +37,7 @@ Example registry hostname matching logic:
 
 ## Global registry support
 
-To make a private registry globally available, check the [server configuration docs](../30-administration/10-configuration/10-server.md#woodpecker_docker_config).
+To make a private registry globally available, check the [server configuration docs](../30-administration/10-configuration/10-server.md#docker_config).
 
 ## GCR registry support
 

docs/versioned_docs/version-3.6/20-usage/70-volumes.md

@@ -19,6 +19,8 @@ Volumes are only available to trusted repositories and for security reasons shou
 +      - /var/run/docker.sock:/var/run/docker.sock
 ```
 
+If you use the Docker backend, you can also use named volumes like `some_volume_name:/var/run/volume`.
+
 Please note that Woodpecker mounts volumes on the host machine. This means you must use absolute paths when you configure volumes. Attempting to use relative paths will result in an error.
 
 ```diff

docs/versioned_docs/version-3.6/30-administration/00-general.md

@@ -9,7 +9,7 @@ The **agent** executes the [workflows](../20-usage/15-terminology/index.md) via
 The **autoscaler** allows spinning up new VMs on a cloud provider of choice to process pending builds. After the builds finished, the VMs are destroyed again (after a short transition time).
 
 :::tip
-You can add more agents to increase the number of parallel workflows or set the agent's [`WOODPECKER_MAX_WORKFLOWS=1`](./10-configuration/30-agent.md#woodpecker_max_workflows) environment variable to increase the number of parallel workflows per agent.
+You can add more agents to increase the number of parallel workflows or set the agent's [`WOODPECKER_MAX_WORKFLOWS=1`](./10-configuration/30-agent.md#max_workflows) environment variable to increase the number of parallel workflows per agent.
 :::
 
 ## Database
@@ -37,7 +37,7 @@ No `latest` tag exists to prevent accidental major version upgrades. Either use
 
 Images are pushed to DockerHub and Quay.
 
-- woodpecker-server ([DockerHub](https://hub.docker.com/r/docker/woodpeckerci/woodpecker-server) or [Quay](https://quay.io/repository/woodpeckerci/woodpecker-server))
-- woodpecker-agent ([DockerHub](https://hub.docker.com/r/docker/woodpeckerci/woodpecker-agent) or [Quay](https://quay.io/repository/woodpeckerci/woodpecker-agent))
-- woodpecker-cli ([DockerHub](https://hub.docker.com/r/docker/woodpeckerci/woodpecker-cli) or [Quay](https://quay.io/repository/woodpeckerci/woodpecker-cli))
-- woodpecker-autoscaler ([DockerHub](https://hub.docker.com/r/docker/woodpeckerci/autoscaler))
+- woodpecker-server ([DockerHub](https://hub.docker.com/r/woodpeckerci/woodpecker-server) or [Quay](https://quay.io/repository/woodpeckerci/woodpecker-server))
+- woodpecker-agent ([DockerHub](https://hub.docker.com/r/woodpeckerci/woodpecker-agent) or [Quay](https://quay.io/repository/woodpeckerci/woodpecker-agent))
+- woodpecker-cli ([DockerHub](https://hub.docker.com/r/woodpeckerci/woodpecker-cli) or [Quay](https://quay.io/repository/woodpeckerci/woodpecker-cli))
+- woodpecker-autoscaler ([DockerHub](https://hub.docker.com/r/woodpeckerci/autoscaler))

docs/versioned_docs/version-3.6/30-administration/05-installation/30-packages.md

@@ -8,12 +8,14 @@
 The pre-built packages are available on the [GitHub releases](https://github.com/woodpecker-ci/woodpecker/releases/latest) page. The packages can be installed using the package manager of your distribution.
 
 ```Shell
-# Debian/Ubuntu
-curl -L https://github.com/woodpecker-ci/woodpecker/releases/download/${RELEASE_VERSION}/woodpecker_${RELEASE_VERSION}_amd64.deb -o woodpecker-server.deb
-sudo apt --fix-broken install ./woodpecker-server.deb
+RELEASE_VERSION=$(curl -s https://api.github.com/repos/woodpecker-ci/woodpecker/releases/latest | grep -Po '"tag_name":\s"v\K[^"]+')
 
-# CentOS/RHEL
-sudo dnf install https://github.com/woodpecker-ci/woodpecker/releases/download/${RELEASE_VERSION}/woodpecker_${RELEASE_VERSION}_amd64.rpm
+# Debian/Ubuntu (x86_64)
+curl -fLOOO "https://github.com/woodpecker-ci/woodpecker/releases/download/v${RELEASE_VERSION}/woodpecker-{server,agent,cli}_${RELEASE_VERSION}_amd64.deb"
+sudo apt --fix-broken install ./woodpecker-{server,agent,cli}_${RELEASE_VERSION}_amd64.deb
+
+# CentOS/RHEL (x86_64)
+sudo dnf install https://github.com/woodpecker-ci/woodpecker/releases/download/v${RELEASE_VERSION}/woodpecker-{server,agent,cli}-${RELEASE_VERSION}.x86_64.rpm
 ```
 
 The package installation will create a systemd service file for the Woodpecker server and agent along with an example environment file. To configure the server, copy the example environment file `/etc/woodpecker/woodpecker-server.env.example` to `/etc/woodpecker/woodpecker-server.env` and adjust the values.
@@ -113,21 +115,18 @@ in
   # This automatically sets up certificates via let's encrypt
   security.acme.defaults.email = "acme@example.com";
   security.acme.acceptTerms = true;
-  security.acme.certs."${domain}" = { };
 
   # Setting up a nginx proxy that handles tls for us
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
   services.nginx = {
     enable = true;
+    openFirewall = true;
     recommendedTlsSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     virtualHosts."${domain}" = {
       enableACME = true;
       forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://localhost:3007";
-      };
+      locations."/".proxyPass = "http://localhost:3007";
     };
   };
 

docs/versioned_docs/version-3.6/30-administration/10-configuration/10-server.md

@@ -547,64 +547,92 @@ $().ready(function () {
 
 ## Environment variables
 
-### `WOODPECKER_LOG_LEVEL`
+### LOG_LEVEL
 
-> Default: empty
+- Name: `WOODPECKER_LOG_LEVEL`
+- Default: `info`
 
 Configures the logging level. Possible values are `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`, `disabled` and empty.
 
-### `WOODPECKER_LOG_FILE`
+---
 
-> Default: `stderr`
+### LOG_FILE
+
+- Name: `WOODPECKER_LOG_FILE`
+- Default: `stderr`
 
 Output destination for logs.
 'stdout' and 'stderr' can be used as special keywords.
 
-### `WOODPECKER_DATABASE_LOG`
+---
 
-> Default: `false`
+### DATABASE_LOG
+
+- Name: `WOODPECKER_DATABASE_LOG`
+- Default: `false`
 
 Enable logging in database engine (currently xorm).
 
-### `WOODPECKER_DATABASE_LOG_SQL`
+---
 
-> Default: `false`
+### DATABASE_LOG_SQL
+
+- Name: `WOODPECKER_DATABASE_LOG_SQL`
+- Default: `false`
 
 Enable logging of sql commands.
 
-### `WOODPECKER_DATABASE_MAX_CONNECTIONS`
+---
 
-> Default: `100`
+### DATABASE_MAX_CONNECTIONS
+
+- Name: `WOODPECKER_DATABASE_MAX_CONNECTIONS`
+- Default: `100`
 
 Max database connections xorm is allowed create.
 
-### `WOODPECKER_DATABASE_IDLE_CONNECTIONS`
+---
 
-> Default: `2`
+### DATABASE_IDLE_CONNECTIONS
+
+- Name: `WOODPECKER_DATABASE_IDLE_CONNECTIONS`
+- Default: `2`
 
 Amount of database connections xorm will hold open.
 
-### `WOODPECKER_DATABASE_CONNECTION_TIMEOUT`
+---
 
-> Default: `3 Seconds`
+### DATABASE_CONNECTION_TIMEOUT
+
+- Name: `WOODPECKER_DATABASE_CONNECTION_TIMEOUT`
+- Default: `3 Seconds`
 
 Time an active database connection is allowed to stay open.
 
-### `WOODPECKER_DEBUG_PRETTY`
+---
 
-> Default: `false`
+### DEBUG_PRETTY
+
+- Name: `WOODPECKER_DEBUG_PRETTY`
+- Default: `false`
 
 Enable pretty-printed debug output.
 
-### `WOODPECKER_DEBUG_NOCOLOR`
+---
 
-> Default: `true`
+### DEBUG_NOCOLOR
+
+- Name: `WOODPECKER_DEBUG_NOCOLOR`
+- Default: `true`
 
 Disable colored debug output.
 
-### `WOODPECKER_HOST`
+---
 
-> Default: empty
+### HOST
+
+- Name: `WOODPECKER_HOST`
+- Default: none
 
 Server fully qualified URL of the user-facing hostname, port (if not default for HTTP/HTTPS) and path prefix.
 
@@ -614,37 +642,52 @@ Examples:
 - `WOODPECKER_HOST=http://example.org/woodpecker`
 - `WOODPECKER_HOST=http://example.org:1234/woodpecker`
 
-### `WOODPECKER_SERVER_ADDR`
+---
 
-> Default: `:8000`
+### SERVER_ADDR
+
+- Name: `WOODPECKER_SERVER_ADDR`
+- Default: `:8000`
 
 Configures the HTTP listener port.
 
-### `WOODPECKER_SERVER_ADDR_TLS`
+---
 
-> Default: `:443`
+### SERVER_ADDR_TLS
+
+- Name: `WOODPECKER_SERVER_ADDR_TLS`
+- Default: `:443`
 
 Configures the HTTPS listener port when SSL is enabled.
 
-### `WOODPECKER_SERVER_CERT`
+---
 
-> Default: empty
+### SERVER_CERT
+
+- Name: `WOODPECKER_SERVER_CERT`
+- Default: none
 
 Path to an SSL certificate used by the server to accept HTTPS requests.
 
 Example: `WOODPECKER_SERVER_CERT=/path/to/cert.pem`
 
-### `WOODPECKER_SERVER_KEY`
+---
 
-> Default: empty
+### SERVER_KEY
+
+- Name: `WOODPECKER_SERVER_KEY`
+- Default: none
 
 Path to an SSL certificate key used by the server to accept HTTPS requests.
 
 Example: `WOODPECKER_SERVER_KEY=/path/to/key.pem`
 
-### `WOODPECKER_CUSTOM_CSS_FILE`
+---
 
-> Default: empty
+### CUSTOM_CSS_FILE
+
+- Name: `WOODPECKER_CUSTOM_CSS_FILE`
+- Default: none
 
 File path for the server to serve a custom .CSS file, used for customizing the UI.
 Can be used for showing banner messages, logos, or environment-specific hints (a.k.a. white-labeling).
@@ -652,9 +695,12 @@ The file must be UTF-8 encoded, to ensure all special characters are preserved.
 
 Example: `WOODPECKER_CUSTOM_CSS_FILE=/usr/local/www/woodpecker.css`
 
-### `WOODPECKER_CUSTOM_JS_FILE`
+---
 
-> Default: empty
+### CUSTOM_JS_FILE
+
+- Name: `WOODPECKER_CUSTOM_JS_FILE`
+- Default: none
 
 File path for the server to serve a custom .JS file, used for customizing the UI.
 Can be used for showing banner messages, logos, or environment-specific hints (a.k.a. white-labeling).
@@ -662,178 +708,246 @@ The file must be UTF-8 encoded, to ensure all special characters are preserved.
 
 Example: `WOODPECKER_CUSTOM_JS_FILE=/usr/local/www/woodpecker.js`
 
-### `WOODPECKER_GRPC_ADDR`
+---
 
-> Default: `:9000`
+### GRPC_ADDR
+
+- Name: `WOODPECKER_GRPC_ADDR`
+- Default: `:9000`
 
 Configures the gRPC listener port.
 
-### `WOODPECKER_GRPC_SECRET`
+---
 
-> Default: `secret`
+### GRPC_SECRET
+
+- Name: `WOODPECKER_GRPC_SECRET`
+- Default: `secret`
 
 Configures the gRPC JWT secret.
 
-### `WOODPECKER_GRPC_SECRET_FILE`
+---
 
-> Default: empty
+### GRPC_SECRET_FILE
+
+- Name: `WOODPECKER_GRPC_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GRPC_SECRET` from the specified filepath.
 
-### `WOODPECKER_METRICS_SERVER_ADDR`
+---
 
-> Default: empty
+### METRICS_SERVER_ADDR
+
+- Name: `WOODPECKER_METRICS_SERVER_ADDR`
+- Default: none
 
 Configures an unprotected metrics endpoint. An empty value disables the metrics endpoint completely.
 
 Example: `:9001`
 
-### `WOODPECKER_ADMIN`
+---
 
-> Default: empty
+### ADMIN
+
+- Name: `WOODPECKER_ADMIN`
+- Default: none
 
 Comma-separated list of admin accounts.
 
 Example: `WOODPECKER_ADMIN=user1,user2`
 
-### `WOODPECKER_ORGS`
+---
 
-> Default: empty
+### ORGS
+
+- Name: `WOODPECKER_ORGS`
+- Default: none
 
 Comma-separated list of approved organizations.
 
 Example: `org1,org2`
 
-### `WOODPECKER_REPO_OWNERS`
+---
 
-> Default: empty
+### REPO_OWNERS
+
+- Name: `WOODPECKER_REPO_OWNERS`
+- Default: none
 
 Repositories by those owners will be allowed to be used in woodpecker.
 
 Example: `user1,user2`
 
-### `WOODPECKER_OPEN`
+---
 
-> Default: `false`
+### OPEN
+
+- Name: `WOODPECKER_OPEN`
+- Default: `false`
 
 Enable to allow user registration.
 
-### `WOODPECKER_AUTHENTICATE_PUBLIC_REPOS`
+---
 
-> Default: `false`
+### AUTHENTICATE_PUBLIC_REPOS
+
+- Name: `WOODPECKER_AUTHENTICATE_PUBLIC_REPOS`
+- Default: `false`
 
 Always use authentication to clone repositories even if they are public. Needed if the forge requires to always authenticate as used by many companies.
 
-### `WOODPECKER_DEFAULT_ALLOW_PULL_REQUESTS`
+---
 
-> Default: `true`
+### DEFAULT_ALLOW_PULL_REQUESTS
+
+- Name: `WOODPECKER_DEFAULT_ALLOW_PULL_REQUESTS`
+- Default: `true`
 
 The default setting for allowing pull requests on a repo.
 
-### `WOODPECKER_DEFAULT_CANCEL_PREVIOUS_PIPELINE_EVENTS`
+---
 
-> Default: `pull_request, push`
+### DEFAULT_CANCEL_PREVIOUS_PIPELINE_EVENTS
+
+- Name: `WOODPECKER_DEFAULT_CANCEL_PREVIOUS_PIPELINE_EVENTS`
+- Default: `pull_request, push`
 
 List of event names that will be canceled when a new pipeline for the same context (tag, branch) is created.
 
-### `WOODPECKER_DEFAULT_CLONE_PLUGIN`
+---
 
-> Default is defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)
+### DEFAULT_CLONE_PLUGIN
+
+- Name: `WOODPECKER_DEFAULT_CLONE_PLUGIN`
+- Default: `docker.io/woodpeckerci/plugin-git`
 
 The default docker image to be used when cloning the repo.
 
 It is also added to the trusted clone plugin list.
 
-### `WOODPECKER_DEFAULT_WORKFLOW_LABELS`
+### DEFAULT_WORKFLOW_LABELS
 
-> By default run workflows on any agent if no label conditions are set in workflow definition.
+- Name: `WOODPECKER_DEFAULT_WORKFLOW_LABELS`
+- Default: none
 
 You can specify default label/platform conditions that will be used for agent selection for workflows that does not have labels conditions set.
 
 Example: `platform=linux/amd64,backend=docker`
 
-### `WOODPECKER_DEFAULT_PIPELINE_TIMEOUT`
+### DEFAULT_PIPELINE_TIMEOUT
 
-> 60 (minutes)
+- Name: `WOODPECKER_DEFAULT_PIPELINE_TIMEOUT`
+- Default: 60
 
 The default time for a repo in minutes before a pipeline gets killed
 
-### `WOODPECKER_MAX_PIPELINE_TIMEOUT`
+### MAX_PIPELINE_TIMEOUT
 
-> 120 (minutes)
+- Name: `WOODPECKER_MAX_PIPELINE_TIMEOUT`
+- Default: 120
 
 The maximum time in minutes you can set in the repo settings before a pipeline gets killed
 
-### `WOODPECKER_SESSION_EXPIRES`
+---
 
-> Default: `72h`
+### SESSION_EXPIRES
+
+- Name: `WOODPECKER_SESSION_EXPIRES`
+- Default: `72h`
 
 Configures the session expiration time.
 Context: when someone does log into Woodpecker, a temporary session token is created.
 As long as the session is valid (until it expires or log-out),
 a user can log into Woodpecker, without re-authentication.
 
-### `WOODPECKER_PLUGINS_PRIVILEGED`
+### PLUGINS_PRIVILEGED
+
+- Name: `WOODPECKER_PLUGINS_PRIVILEGED`
+- Default: none
 
 Docker images to run in privileged mode. Only change if you are sure what you do!
 
 You should specify the tag of your images too, as this enforces exact matches.
 
-### WOODPECKER_PLUGINS_TRUSTED_CLONE
+### PLUGINS_TRUSTED_CLONE
 
-> Defaults are defined in [shared/constant/constant.go](https://github.com/woodpecker-ci/woodpecker/blob/main/shared/constant/constant.go)
+- Name: `WOODPECKER_PLUGINS_TRUSTED_CLONE`
+- Default: `docker.io/woodpeckerci/plugin-git,docker.io/woodpeckerci/plugin-git,quay.io/woodpeckerci/plugin-git`
 
 Plugins which are trusted to handle the Git credential info in clone steps.
 If a clone step use an image not in this list, Git credentials will not be injected and users have to use other methods (e.g. secrets) to clone non-public repos.
 
 You should specify the tag of your images too, as this enforces exact matches.
 
-<!--
-### `WOODPECKER_VOLUME`
-> Default: empty
+<!-- ---
+
+### `VOLUME`
+
+- Name: `WOODPECKER_VOLUME`
+- Default: none
 
 Comma-separated list of Docker volumes that are mounted into every pipeline step.
 
-Example: `WOODPECKER_VOLUME=/path/on/host:/path/in/container:rw`|
--->
+Example: `WOODPECKER_VOLUME=/path/on/host:/path/in/container:rw`| -->
 
-### `WOODPECKER_DOCKER_CONFIG`
+---
 
-> Default: empty
+### DOCKER_CONFIG
+
+- Name: `WOODPECKER_DOCKER_CONFIG`
+- Default: none
 
 Configures a specific private registry config for all pipelines.
 
 Example: `WOODPECKER_DOCKER_CONFIG=/home/user/.docker/config.json`
 
-<!--
-### `WOODPECKER_ENVIRONMENT`
-> Default: empty
+---
 
-TODO
+### ENVIRONMENT
 
-### `WOODPECKER_NETWORK`
-> Default: empty
+- Name: `WOODPECKER_ENVIRONMENT`
+- Default: none
+
+If you want specific environment variables to be available in all of your pipelines use the `WOODPECKER_ENVIRONMENT` setting on the Woodpecker server. Note that these can't overwrite any existing, built-in variables.
+
+Example: `WOODPECKER_ENVIRONMENT=first_var:value1,second_var:value2`
+
+<!-- ---
+
+### NETWORK
+
+- Name: `WOODPECKER_NETWORK`
+- Default: none
 
 Comma-separated list of Docker networks that are attached to every pipeline step.
 
-Example: `WOODPECKER_NETWORK=network1,network2`
--->
+Example: `WOODPECKER_NETWORK=network1,network2` -->
 
-### `WOODPECKER_AGENT_SECRET`
+---
 
-> Default: empty
+### AGENT_SECRET
+
+- Name: `WOODPECKER_AGENT_SECRET`
+- Default: none
 
 A shared secret used by server and agents to authenticate communication. A secret can be generated by `openssl rand -hex 32`.
 
-### `WOODPECKER_AGENT_SECRET_FILE`
+---
 
-> Default: empty
+### AGENT_SECRET_FILE
+
+- Name: `WOODPECKER_AGENT_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_AGENT_SECRET` from the specified filepath
 
-### `WOODPECKER_DISABLE_USER_AGENT_REGISTRATION`
+---
 
-> Default: false
+### DISABLE_USER_AGENT_REGISTRATION
+
+- Name: `WOODPECKER_DISABLE_USER_AGENT_REGISTRATION`
+- Default: false
 
 By default, users can create new agents for their repos they have admin access to.
 If an instance admin doesn't want this feature enabled, they can disable the API and hide the Web UI elements.
@@ -843,23 +957,32 @@ You should set this option if you have, for example,
 global secrets and don't trust your users to create a rogue agent and pipeline for secret extraction.
 :::
 
-### `WOODPECKER_KEEPALIVE_MIN_TIME`
+---
 
-> Default: empty
+### KEEPALIVE_MIN_TIME
+
+- Name: `WOODPECKER_KEEPALIVE_MIN_TIME`
+- Default: none
 
 Server-side enforcement policy on the minimum amount of time a client should wait before sending a keepalive ping.
 
 Example: `WOODPECKER_KEEPALIVE_MIN_TIME=10s`
 
-### `WOODPECKER_DATABASE_DRIVER`
+---
 
-> Default: `sqlite3`
+### DATABASE_DRIVER
+
+- Name: `WOODPECKER_DATABASE_DRIVER`
+- Default: `sqlite3`
 
 The database driver name. Possible values are `sqlite3`, `mysql` or `postgres`.
 
-### `WOODPECKER_DATABASE_DATASOURCE`
+---
 
-> Default: `woodpecker.sqlite` if not running inside a container, `/var/lib/woodpecker/woodpecker.sqlite` if running inside a container
+### DATABASE_DATASOURCE
+
+- Name: `WOODPECKER_DATABASE_DATASOURCE`
+- Default: `woodpecker.sqlite` if not running inside a container, `/var/lib/woodpecker/woodpecker.sqlite` if running inside a container
 
 The database connection string. The default value is the path of the embedded SQLite database file.
 
@@ -875,34 +998,49 @@ WOODPECKER_DATABASE_DATASOURCE=root:password@tcp(1.2.3.4:3306)/woodpecker?parseT
 WOODPECKER_DATABASE_DATASOURCE=postgres://root:password@1.2.3.4:5432/woodpecker?sslmode=disable
 ```
 
-### `WOODPECKER_DATABASE_DATASOURCE_FILE`
+---
 
-> Default: empty
+### DATABASE_DATASOURCE_FILE
+
+- Name: `WOODPECKER_DATABASE_DATASOURCE_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_DATABASE_DATASOURCE` from the specified filepath
 
-### `WOODPECKER_PROMETHEUS_AUTH_TOKEN`
+---
 
-> Default: empty
+### PROMETHEUS_AUTH_TOKEN
+
+- Name: `WOODPECKER_PROMETHEUS_AUTH_TOKEN`
+- Default: none
 
 Token to secure the Prometheus metrics endpoint.
 Must be set to enable the endpoint.
 
-### `WOODPECKER_PROMETHEUS_AUTH_TOKEN_FILE`
+---
 
-> Default: empty
+### PROMETHEUS_AUTH_TOKEN_FILE
+
+- Name: `WOODPECKER_PROMETHEUS_AUTH_TOKEN_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_PROMETHEUS_AUTH_TOKEN` from the specified filepath
 
-### `WOODPECKER_STATUS_CONTEXT`
+---
 
-> Default: `ci/woodpecker`
+### STATUS_CONTEXT
+
+- Name: `WOODPECKER_STATUS_CONTEXT`
+- Default: `ci/woodpecker`
 
 Context prefix Woodpecker will use to publish status messages to SCM. You probably will only need to change it if you run multiple Woodpecker instances for a single repository.
 
-### `WOODPECKER_STATUS_CONTEXT_FORMAT`
+---
 
-> Default: `{{ .context }}/{{ .event }}/{{ .workflow }}{{if not (eq .axis_id 0)}}/{{.axis_id}}{{end}}`
+### STATUS_CONTEXT_FORMAT
+
+- Name: `WOODPECKER_STATUS_CONTEXT_FORMAT`
+- Default: `{{ .context }}/{{ .event }}/{{ .workflow }}{{if not (eq .axis_id 0)}}/{{.axis_id}}{{end}}`
 
 Template for the status messages published to forges, uses [Go templates](https://pkg.go.dev/text/template) as template language.
 Supported variables:
@@ -915,66 +1053,113 @@ Supported variables:
 
 ---
 
-### `WOODPECKER_CONFIG_SERVICE_ENDPOINT`
+### CONFIG_SERVICE_ENDPOINT
 
-> Default: empty
+- Name: `WOODPECKER_CONFIG_SERVICE_ENDPOINT`
+- Default: none
 
 Specify a configuration service endpoint, see [Configuration Extension](#external-configuration-api)
 
-### `WOODPECKER_FORGE_TIMEOUT`
+---
 
-> Default: 5s
+### FORGE_TIMEOUT
+
+- Name: `WOODPECKER_FORGE_TIMEOUT`
+- Default: 5s
 
 Specify timeout when fetching the Woodpecker configuration from forge. See <https://pkg.go.dev/time#ParseDuration> for syntax reference.
 
-### `WOODPECKER_FORGE_RETRY`
+---
 
-> Default: 3
+### FORGE_RETRY
+
+- Name: `WOODPECKER_FORGE_RETRY`
+- Default: 3
 
 Specify how many retries of fetching the Woodpecker configuration from a forge are done before we fail.
 
-### `WOODPECKER_ENABLE_SWAGGER`
+---
 
-> Default: true
+### ENABLE_SWAGGER
+
+- Name: `WOODPECKER_ENABLE_SWAGGER`
+- Default: true
 
 Enable the Swagger UI for API documentation.
 
-### `WOODPECKER_DISABLE_VERSION_CHECK`
+---
 
-> Default: false
+### DISABLE_VERSION_CHECK
+
+- Name: `WOODPECKER_DISABLE_VERSION_CHECK`
+- Default: false
 
 Disable version check in admin web UI.
 
-### `WOODPECKER_LOG_STORE`
+---
 
-> Default: `database`
+### LOG_STORE
+
+- Name: `WOODPECKER_LOG_STORE`
+- Default: `database`
 
 Where to store logs. Possible values: `database` or `file`.
 
-### `WOODPECKER_LOG_STORE_FILE_PATH`
+---
 
-> Default empty
+### LOG_STORE_FILE_PATH
 
-Directory to store logs in if [`WOODPECKER_LOG_STORE`](#woodpecker_log_store) is `file`.
+- Name: `WOODPECKER_LOG_STORE_FILE_PATH`
+- Default: none
+
+Directory to store logs in if [`WOODPECKER_LOG_STORE`](#log_store) is `file`.
 
 ---
 
-### `WOODPECKER_GITHUB_...`
+### EXPERT_WEBHOOK_HOST
+
+- Name: `WOODPECKER_EXPERT_WEBHOOK_HOST`
+- Default: none
+
+:::warning
+This option is not required in most cases and should only be used if you know what you're doing.
+:::
+
+Fully qualified Woodpecker server URL, called by the webhooks of the forge. Format: `<scheme>://<host>[/<prefix path>]`.
+
+---
+
+### EXPERT_FORGE_OAUTH_HOST
+
+- Name: `WOODPECKER_EXPERT_FORGE_OAUTH_HOST`
+- Default: none
+
+:::warning
+This option is not required in most cases and should only be used if you know what you're doing.
+:::
+
+Fully qualified public forge URL, used if forge url is not a public URL. Format: `<scheme>://<host>[/<prefix path>]`.
+
+---
+
+### GITHUB\_\*
 
 See [GitHub configuration](./12-forges/20-github.md#configuration)
 
-### `WOODPECKER_GITEA_...`
+---
+
+### GITEA\_\*
 
 See [Gitea configuration](./12-forges/30-gitea.md#configuration)
 
-### `WOODPECKER_BITBUCKET_...`
+---
+
+### BITBUCKET\_\*
 
 See [Bitbucket configuration](./12-forges/50-bitbucket.md#configuration)
 
-### `WOODPECKER_GITLAB_...`
+---
+
+### GITLAB\_\*
 
 See [GitLab configuration](./12-forges/40-gitlab.md#configuration)
-
-### `WOODPECKER_ADDON_FORGE`
-
-See [addon forges](./12-forges/100-addon.md).

docs/versioned_docs/version-3.6/30-administration/10-configuration/11-backends/10-docker.md

@@ -8,7 +8,7 @@ This is the original backend used with Woodpecker. The docker backend executes e
 
 ## Private registries
 
-Woodpecker supports [Docker credentials](https://github.com/docker/docker-credential-helpers) to securely store registry credentials. Install your corresponding credential helper and configure it in your Docker config file passed via [`WOODPECKER_DOCKER_CONFIG`](../10-server.md#woodpecker_docker_config).
+Woodpecker supports [Docker credentials](https://github.com/docker/docker-credential-helpers) to securely store registry credentials. Install your corresponding credential helper and configure it in your Docker config file passed via [`WOODPECKER_DOCKER_CONFIG`](../10-server.md#docker_config).
 
 To add your credential helper to the Woodpecker server container you could use the following code to build a custom image:
 
@@ -67,58 +67,83 @@ There is no official support for Podman, but one can try to set the environment
 
 ## Environment variables
 
-### `WOODPECKER_BACKEND_DOCKER_NETWORK`
+### BACKEND_DOCKER_NETWORK
 
-> Default: empty
+- Name: `WOODPECKER_BACKEND_DOCKER_NETWORK`
+- Default: none
 
 Set to the name of an existing network which will be attached to all your pipeline containers (steps). Please be careful as this allows the containers of different pipelines to access each other!
 
-### `WOODPECKER_BACKEND_DOCKER_ENABLE_IPV6`
+---
 
-> Default: `false`
+### BACKEND_DOCKER_ENABLE_IPV6
+
+- Name: `WOODPECKER_BACKEND_DOCKER_ENABLE_IPV6`
+- Default: `false`
 
 Enable IPv6 for the networks used by pipeline containers (steps). Make sure you configured your docker daemon to support IPv6.
 
-### `WOODPECKER_BACKEND_DOCKER_VOLUMES`
+---
 
-> Default: empty
+### BACKEND_DOCKER_VOLUMES
+
+- Name: `WOODPECKER_BACKEND_DOCKER_VOLUMES`
+- Default: none
 
 List of default volumes separated by comma to be mounted to all pipeline containers (steps). For example to use custom CA
 certificates installed on host and host timezone use `/etc/ssl/certs:/etc/ssl/certs:ro,/etc/timezone:/etc/timezone`.
 
-### `WOODPECKER_BACKEND_DOCKER_LIMIT_MEM_SWAP`
+---
 
-> Default: `0`
+### BACKEND_DOCKER_LIMIT_MEM_SWAP
+
+- Name: `WOODPECKER_BACKEND_DOCKER_LIMIT_MEM_SWAP`
+- Default: `0`
 
 The maximum amount of memory a single pipeline container is allowed to swap to disk, configured in bytes. There is no limit if `0`.
 
-### `WOODPECKER_BACKEND_DOCKER_LIMIT_MEM`
+---
 
-> Default: `0`
+### BACKEND_DOCKER_LIMIT_MEM
+
+- Name: `WOODPECKER_BACKEND_DOCKER_LIMIT_MEM`
+- Default: `0`
 
 The maximum amount of memory a single pipeline container can use, configured in bytes. There is no limit if `0`.
 
-### `WOODPECKER_BACKEND_DOCKER_LIMIT_SHM_SIZE`
+---
 
-> Default: `0`
+### BACKEND_DOCKER_LIMIT_SHM_SIZE
+
+- Name: `WOODPECKER_BACKEND_DOCKER_LIMIT_SHM_SIZE`
+- Default: `0`
 
 The maximum amount of memory of `/dev/shm` allowed in bytes. There is no limit if `0`.
 
-### `WOODPECKER_BACKEND_DOCKER_LIMIT_CPU_QUOTA`
+---
 
-> Default: `0`
+### BACKEND_DOCKER_LIMIT_CPU_QUOTA
+
+- Name: `WOODPECKER_BACKEND_DOCKER_LIMIT_CPU_QUOTA`
+- Default: `0`
 
 The number of microseconds per CPU period that the container is limited to before throttled. There is no limit if `0`.
 
-### `WOODPECKER_BACKEND_DOCKER_LIMIT_CPU_SHARES`
+---
 
-> Default: `0`
+### BACKEND_DOCKER_LIMIT_CPU_SHARES
+
+- Name: `WOODPECKER_BACKEND_DOCKER_LIMIT_CPU_SHARES`
+- Default: `0`
 
 The relative weight vs. other containers.
 
-### `WOODPECKER_BACKEND_DOCKER_LIMIT_CPU_SET`
+---
 
-> Default: empty
+### BACKEND_DOCKER_LIMIT_CPU_SET
+
+- Name: `WOODPECKER_BACKEND_DOCKER_LIMIT_CPU_SET`
+- Default: none
 
 Comma-separated list to limit the specific CPUs or cores a pipeline container can use.
 

docs/versioned_docs/version-3.6/30-administration/10-configuration/11-backends/20-kubernetes.md

@@ -6,6 +6,20 @@ toc_max_heading_level: 2
 
 The Kubernetes backend executes steps inside standalone Pods. A temporary PVC is created for the lifetime of the pipeline to transfer files between steps.
 
+## Metadata labels
+
+Woodpecker adds some labels to the pods to provide additional context to the workflow. These labels can be used for various purposes, e.g. for simple debugging or as selectors for network policies.
+
+The following metadata labels are supported:
+
+- `woodpecker-ci.org/forge-id`
+- `woodpecker-ci.org/repo-forge-id`
+- `woodpecker-ci.org/repo-id`
+- `woodpecker-ci.org/repo-name`
+- `woodpecker-ci.org/repo-full-name`
+- `woodpecker-ci.org/branch`
+- `woodpecker-ci.org/org-id`
+
 ## Private registries
 
 In addition to [registries specified in the UI](../../../20-usage/41-registries.md), you may provide [registry credentials in Kubernetes Secrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) to pull private container images defined in your pipeline YAML.
@@ -94,7 +108,7 @@ And then overwrite the `nodeSelector` in the `backend_options` section of the st
           kubernetes.io/arch: "${ARCH}"
 ```
 
-You can use [WOODPECKER_BACKEND_K8S_POD_NODE_SELECTOR](#woodpecker_backend_k8s_pod_node_selector) if you want to set the node selector per Agent
+You can use [WOODPECKER_BACKEND_K8S_POD_NODE_SELECTOR](#backend_k8s_pod_node_selector) if you want to set the node selector per Agent
 or [PodNodeSelector](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector) admission controller if you want to set the node selector by per-namespace basis.
 
 ### Tolerations
@@ -256,7 +270,7 @@ backend_options:
 ```
 
 In order to enable this configuration you need to set the appropriate environment variables to `true` on the woodpecker agent:
-[WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS_ALLOW_FROM_STEP](#woodpecker_backend_k8s_pod_annotations_allow_from_step) and/or [WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP](#woodpecker_backend_k8s_pod_labels_allow_from_step).
+[WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS_ALLOW_FROM_STEP](#backend_k8s_pod_annotations_allow_from_step) and/or [WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP](#backend_k8s_pod_labels_allow_from_step).
 
 ## Tips and tricks
 
@@ -283,68 +297,101 @@ If running the agent within Kubernetes, this will already be set and you don't h
 
 These env vars can be set in the `env:` sections of the agent.
 
-### `WOODPECKER_BACKEND_K8S_NAMESPACE`
+---
 
-> Default: `woodpecker`
+### BACKEND_K8S_NAMESPACE
+
+- Name: `WOODPECKER_BACKEND_K8S_NAMESPACE`
+- Default: `woodpecker`
 
 The namespace to create worker Pods in.
 
-### `WOODPECKER_BACKEND_K8S_VOLUME_SIZE`
+---
 
-> Default: `10G`
+### BACKEND_K8S_VOLUME_SIZE
+
+- Name: `WOODPECKER_BACKEND_K8S_VOLUME_SIZE`
+- Default: `10G`
 
 The volume size of the pipeline volume.
 
-### `WOODPECKER_BACKEND_K8S_STORAGE_CLASS`
+---
 
-> Default: empty
+### BACKEND_K8S_STORAGE_CLASS
+
+- Name: `WOODPECKER_BACKEND_K8S_STORAGE_CLASS`
+- Default: none
 
 The storage class to use for the pipeline volume.
 
-### `WOODPECKER_BACKEND_K8S_STORAGE_RWX`
+---
 
-> Default: `true`
+### BACKEND_K8S_STORAGE_RWX
+
+- Name: `WOODPECKER_BACKEND_K8S_STORAGE_RWX`
+- Default: `true`
 
 Determines if `RWX` should be used for the pipeline volume's [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes). If false, `RWO` is used instead.
 
-### `WOODPECKER_BACKEND_K8S_POD_LABELS`
+---
 
-> Default: empty
+### BACKEND_K8S_POD_LABELS
+
+- Name: `WOODPECKER_BACKEND_K8S_POD_LABELS`
+- Default: none
 
 Additional labels to apply to worker Pods. Must be a YAML object, e.g. `{"example.com/test-label":"test-value"}`.
 
-### `WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP`
+---
 
-> Default: `false`
+### BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP
+
+- Name: `WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP`
+- Default: `false`
 
 Determines if additional Pod labels can be defined from a step's backend options.
 
-### `WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS`
+---
 
-> Default: empty
+### BACKEND_K8S_POD_ANNOTATIONS
+
+- Name: `WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS`
+- Default: none
 
 Additional annotations to apply to worker Pods. Must be a YAML object, e.g. `{"example.com/test-annotation":"test-value"}`.
 
-### `WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS_ALLOW_FROM_STEP`
+---
 
-> Default: `false`
+### BACKEND_K8S_POD_ANNOTATIONS_ALLOW_FROM_STEP
+
+- Name: `WOODPECKER_BACKEND_K8S_POD_ANNOTATIONS_ALLOW_FROM_STEP`
+- Default: `false`
 
 Determines if Pod annotations can be defined from a step's backend options.
 
-### `WOODPECKER_BACKEND_K8S_POD_NODE_SELECTOR`
+---
 
-> Default: empty
+### BACKEND_K8S_POD_NODE_SELECTOR
+
+- Name: `WOODPECKER_BACKEND_K8S_POD_NODE_SELECTOR`
+- Default: none
 
 Additional node selector to apply to worker pods. Must be a YAML object, e.g. `{"topology.kubernetes.io/region":"eu-central-1"}`.
 
-### `WOODPECKER_BACKEND_K8S_SECCTX_NONROOT` <!-- cspell:ignore SECCTX NONROOT -->
+---
 
-> Default: `false`
+### BACKEND_K8S_SECCTX_NONROOT <!-- cspell:ignore SECCTX NONROOT -->
+
+- Name: `WOODPECKER_BACKEND_K8S_SECCTX_NONROOT`
+- Default: `false`
 
 Determines if containers must be required to run as non-root users.
 
-### `WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES`
+---
 
-> Default: empty
+### BACKEND_K8S_PULL_SECRET_NAMES
+
+- Name: `WOODPECKER_BACKEND_K8S_PULL_SECRET_NAMES`
+- Default: none
 
 Secret names to pull images from private repositories. See, how to [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).

docs/versioned_docs/version-3.6/30-administration/10-configuration/11-backends/30-local.md

@@ -54,8 +54,9 @@ In the context of the local backend, plugins are simply executable binaries, whi
 
 ## Environment variables
 
-### `WOODPECKER_BACKEND_LOCAL_TEMP_DIR`
+### BACKEND_LOCAL_TEMP_DIR
 
-> Default: default temp directory
+- Name: `WOODPECKER_BACKEND_LOCAL_TEMP_DIR`
+- Default: default temp directory
 
 Directory to create folders for workflows.

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/100-addon.md

@@ -41,6 +41,10 @@ Directly import Woodpecker's Go packages (`go.woodpecker-ci.org/woodpecker/v3`)
 In the `main` function, just call `"go.woodpecker-ci.org/woodpecker/v3/server/forge/addon".Serve` with a `"go.woodpecker-ci.org/woodpecker/v3/server/forge".Forge` as argument.
 This will take care of connecting the addon forge to the server.
 
+:::note
+It is not possible to access global variables from Woodpecker, for example the server configuration. You must therefore parse the environment variables in your addon. The reason for this is that the addon runs in a completely separate process.
+:::
+
 ### Example structure
 
 ```go

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/20-github.md

@@ -36,54 +36,81 @@ Use this one for the `WOODPECKER_GITHUB_SECRET` environment variable.
 
 This is a full list of configuration options. Please note that many of these options use default configuration values that should work for the majority of installations.
 
-### `WOODPECKER_GITHUB`
+---
 
-> Default: `false`
+### GITHUB
+
+- Name: `WOODPECKER_GITHUB`
+- Default: `false`
 
 Enables the GitHub driver.
 
-### `WOODPECKER_GITHUB_URL`
+---
 
-> Default: `https://github.com`
+### GITHUB_URL
+
+- Name: `WOODPECKER_GITHUB_URL`
+- Default: `https://github.com`
 
 Configures the GitHub server address.
 
-### `WOODPECKER_GITHUB_CLIENT`
+---
 
-> Default: empty
+### GITHUB_CLIENT
+
+- Name: `WOODPECKER_GITHUB_CLIENT`
+- Default: none
 
 Configures the GitHub OAuth client id to authorize access.
 
-### `WOODPECKER_GITHUB_CLIENT_FILE`
+---
 
-> Default: empty
+### GITHUB_CLIENT_FILE
+
+- Name: `WOODPECKER_GITHUB_CLIENT_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GITHUB_CLIENT` from the specified filepath.
 
-### `WOODPECKER_GITHUB_SECRET`
+---
 
-> Default: empty
+### GITHUB_SECRET
+
+- Name: `WOODPECKER_GITHUB_SECRET`
+- Default: none
 
 Configures the GitHub OAuth client secret. This is used to authorize access.
 
-### `WOODPECKER_GITHUB_SECRET_FILE`
+---
 
-> Default: empty
+### GITHUB_SECRET_FILE
+
+- Name: `WOODPECKER_GITHUB_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GITHUB_SECRET` from the specified filepath.
 
-### `WOODPECKER_GITHUB_MERGE_REF`
+---
 
-> Default: `true`
+### GITHUB_MERGE_REF
 
-### `WOODPECKER_GITHUB_SKIP_VERIFY`
+- Name: `WOODPECKER_GITHUB_MERGE_REF`
+- Default: `true`
 
-> Default: `false`
+---
+
+### GITHUB_SKIP_VERIFY
+
+- Name: `WOODPECKER_GITHUB_SKIP_VERIFY`
+- Default: `false`
 
 Configure if SSL verification should be skipped.
 
-### `WOODPECKER_GITHUB_PUBLIC_ONLY`
+---
 
-> Default: `false`
+### GITHUB_PUBLIC_ONLY
+
+- Name: `WOODPECKER_GITHUB_PUBLIC_ONLY`
+- Default: `false`
 
 Configures the GitHub OAuth client to only obtain a token that can manage public repositories.

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/30-gitea.md

@@ -54,44 +54,65 @@ Make sure your Gitea configuration allows requesting the API with a fixed page l
 
 This is a full list of configuration options. Please note that many of these options use default configuration values that should work for the majority of installations.
 
-### `WOODPECKER_GITEA`
+---
 
-> Default: `false`
+### GITEA
+
+- Name: `WOODPECKER_GITEA`
+- Default: `false`
 
 Enables the Gitea driver.
 
-### `WOODPECKER_GITEA_URL`
+---
 
-> Default: `https://try.gitea.io`
+### GITEA_URL
+
+- Name: `WOODPECKER_GITEA_URL`
+- Default: `https://try.gitea.io`
 
 Configures the Gitea server address.
 
-### `WOODPECKER_GITEA_CLIENT`
+---
 
-> Default: empty
+### GITEA_CLIENT
+
+- Name: `WOODPECKER_GITEA_CLIENT`
+- Default: none
 
 Configures the Gitea OAuth client id. This is used to authorize access.
 
-### `WOODPECKER_GITEA_CLIENT_FILE`
+---
 
-> Default: empty
+### GITEA_CLIENT_FILE
+
+- Name: `WOODPECKER_GITEA_CLIENT_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GITEA_CLIENT` from the specified filepath
 
-### `WOODPECKER_GITEA_SECRET`
+---
 
-> Default: empty
+### GITEA_SECRET
+
+- Name: `WOODPECKER_GITEA_SECRET`
+- Default: none
 
 Configures the Gitea OAuth client secret. This is used to authorize access.
 
-### `WOODPECKER_GITEA_SECRET_FILE`
+---
 
-> Default: empty
+### GITEA_SECRET_FILE
+
+- Name: `WOODPECKER_GITEA_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GITEA_SECRET` from the specified filepath
 
-### `WOODPECKER_GITEA_SKIP_VERIFY`
+---
 
-> Default: `false`
+### GITEA_SKIP_VERIFY
+
+- Name: `WOODPECKER_GITEA_SKIP_VERIFY`
+- Default: `false`
 
 Configure if SSL verification should be skipped.

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/35-forgejo.md

@@ -54,44 +54,65 @@ Make sure your Forgejo configuration allows requesting the API with a fixed page
 
 This is a full list of configuration options. Please note that many of these options use default configuration values that should work for the majority of installations.
 
-### `WOODPECKER_FORGEJO`
+---
 
-> Default: `false`
+### FORGEJO
+
+- Name: `WOODPECKER_FORGEJO`
+- Default: `false`
 
 Enables the Forgejo driver.
 
-### `WOODPECKER_FORGEJO_URL`
+---
 
-> Default: `https://next.forgejo.org`
+### FORGEJO_URL
+
+- Name: `WOODPECKER_FORGEJO_URL`
+- Default: `https://next.forgejo.org`
 
 Configures the Forgejo server address.
 
-### `WOODPECKER_FORGEJO_CLIENT`
+---
 
-> Default: empty
+### FORGEJO_CLIENT
+
+- Name: `WOODPECKER_FORGEJO_CLIENT`
+- Default: none
 
 Configures the Forgejo OAuth client id. This is used to authorize access.
 
-### `WOODPECKER_FORGEJO_CLIENT_FILE`
+---
 
-> Default: empty
+### FORGEJO_CLIENT_FILE
+
+- Name: `WOODPECKER_FORGEJO_CLIENT_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_FORGEJO_CLIENT` from the specified filepath
 
-### `WOODPECKER_FORGEJO_SECRET`
+---
 
-> Default: empty
+### FORGEJO_SECRET
+
+- Name: `WOODPECKER_FORGEJO_SECRET`
+- Default: none
 
 Configures the Forgejo OAuth client secret. This is used to authorize access.
 
-### `WOODPECKER_FORGEJO_SECRET_FILE`
+---
 
-> Default: empty
+### FORGEJO_SECRET_FILE
+
+- Name: `WOODPECKER_FORGEJO_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_FORGEJO_SECRET` from the specified filepath
 
-### `WOODPECKER_FORGEJO_SKIP_VERIFY`
+---
 
-> Default: `false`
+### FORGEJO_SKIP_VERIFY
+
+- Name: `WOODPECKER_FORGEJO_SKIP_VERIFY`
+- Default: `false`
 
 Configure if SSL verification should be skipped.

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/40-gitlab.md

@@ -25,44 +25,65 @@ If you run the Woodpecker CI server on a private IP (RFC1918) or use a non stand
 
 This is a full list of configuration options. Please note that many of these options use default configuration values that should work for the majority of installations.
 
-### `WOODPECKER_GITLAB`
+---
 
-> Default: `false`
+### GITLAB
+
+- Name: `WOODPECKER_GITLAB`
+- Default: `false`
 
 Enables the GitLab driver.
 
-### `WOODPECKER_GITLAB_URL`
+---
 
-> Default: `https://gitlab.com`
+### GITLAB_URL
+
+- Name: `WOODPECKER_GITLAB_URL`
+- Default: `https://gitlab.com`
 
 Configures the GitLab server address.
 
-### `WOODPECKER_GITLAB_CLIENT`
+---
 
-> Default: empty
+### GITLAB_CLIENT
+
+- Name: `WOODPECKER_GITLAB_CLIENT`
+- Default: none
 
 Configures the GitLab OAuth client id. This is used to authorize access.
 
-### `WOODPECKER_GITLAB_CLIENT_FILE`
+---
 
-> Default: empty
+### GITLAB_CLIENT_FILE
+
+- Name: `WOODPECKER_GITLAB_CLIENT_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GITLAB_CLIENT` from the specified filepath
 
-### `WOODPECKER_GITLAB_SECRET`
+---
 
-> Default: empty
+### GITLAB_SECRET
+
+- Name: `WOODPECKER_GITLAB_SECRET`
+- Default: none
 
 Configures the GitLab OAuth client secret. This is used to authorize access.
 
-### `WOODPECKER_GITLAB_SECRET_FILE`
+---
 
-> Default: empty
+### GITLAB_SECRET_FILE
+
+- Name: `WOODPECKER_GITLAB_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_GITLAB_SECRET` from the specified filepath
 
-### `WOODPECKER_GITLAB_SKIP_VERIFY`
+---
 
-> Default: `false`
+### GITLAB_SKIP_VERIFY
+
+- Name: `WOODPECKER_GITLAB_SKIP_VERIFY`
+- Default: `false`
 
 Configure if SSL verification should be skipped.

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/50-bitbucket.md

@@ -39,33 +39,48 @@ Please also be sure to check the following permissions:
 
 This is a full list of configuration options. Please note that many of these options use default configuration values that should work for the majority of installations.
 
-### `WOODPECKER_BITBUCKET`
+---
 
-> Default: `false`
+### BITBUCKET
+
+- Name: `WOODPECKER_BITBUCKET`
+- Default: `false`
 
 Enables the Bitbucket driver.
 
-### `WOODPECKER_BITBUCKET_CLIENT`
+---
 
-> Default: empty
+### BITBUCKET_CLIENT
+
+- Name: `WOODPECKER_BITBUCKET_CLIENT`
+- Default: none
 
 Configures the Bitbucket OAuth client key. This is used to authorize access.
 
-### `WOODPECKER_BITBUCKET_CLIENT_FILE`
+---
 
-> Default: empty
+### BITBUCKET_CLIENT_FILE
+
+- Name: `WOODPECKER_BITBUCKET_CLIENT_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_BITBUCKET_CLIENT` from the specified filepath
 
-### `WOODPECKER_BITBUCKET_SECRET`
+---
 
-> Default: empty
+### BITBUCKET_SECRET
+
+- Name: `WOODPECKER_BITBUCKET_SECRET`
+- Default: none
 
 Configures the Bitbucket OAuth client secret. This is used to authorize access.
 
-### `WOODPECKER_BITBUCKET_SECRET_FILE`
+---
 
-> Default: empty
+### BITBUCKET_SECRET_FILE
+
+- Name: `WOODPECKER_BITBUCKET_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_BITBUCKET_SECRET` from the specified filepath
 

docs/versioned_docs/version-3.6/30-administration/10-configuration/12-forges/60-bitbucket_datacenter.md

@@ -44,56 +44,83 @@ See also [Configure an incoming link](https://confluence.atlassian.com/bitbucket
 
 This is a full list of configuration options. Please note that many of these options use default configuration values that should work for the majority of installations.
 
-### `WOODPECKER_BITBUCKET_DC`
+---
 
-> Default: `false`
+### BITBUCKET_DC
+
+- Name: `WOODPECKER_BITBUCKET_DC`
+- Default: `false`
 
 Enables the Bitbucket Server driver.
 
-### `WOODPECKER_BITBUCKET_DC_URL`
+---
 
-> Default: empty
+### BITBUCKET_DC_URL
+
+- Name: `WOODPECKER_BITBUCKET_DC_URL`
+- Default: none
 
 Configures the Bitbucket Server address.
 
-### `WOODPECKER_BITBUCKET_DC_CLIENT_ID`
+---
 
-> Default: empty
+### BITBUCKET_DC_CLIENT_ID
+
+- Name: `WOODPECKER_BITBUCKET_DC_CLIENT_ID`
+- Default: none
 
 Configures your Bitbucket Server OAUth 2.0 client id.
 
-### `WOODPECKER_BITBUCKET_DC_CLIENT_SECRET`
+---
 
-> Default: empty
+### BITBUCKET_DC_CLIENT_SECRET
+
+- Name: `WOODPECKER_BITBUCKET_DC_CLIENT_SECRET`
+- Default: none
 
 Configures your Bitbucket Server OAUth 2.0 client secret.
 
-### `WOODPECKER_BITBUCKET_DC_GIT_USERNAME`
+---
 
-> Default: empty
+### BITBUCKET_DC_GIT_USERNAME
+
+- Name: `WOODPECKER_BITBUCKET_DC_GIT_USERNAME`
+- Default: none
 
 This username is used to authenticate and clone all private repositories.
 
-### `WOODPECKER_BITBUCKET_DC_GIT_USERNAME_FILE`
+---
 
-> Default: empty
+### BITBUCKET_DC_GIT_USERNAME_FILE
+
+- Name: `WOODPECKER_BITBUCKET_DC_GIT_USERNAME_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_BITBUCKET_DC_GIT_USERNAME` from the specified filepath
 
-### `WOODPECKER_BITBUCKET_DC_GIT_PASSWORD`
+---
 
-> Default: empty
+### BITBUCKET_DC_GIT_PASSWORD
+
+- Name: `WOODPECKER_BITBUCKET_DC_GIT_PASSWORD`
+- Default: none
 
 The password is used to authenticate and clone all private repositories.
 
-### `WOODPECKER_BITBUCKET_DC_GIT_PASSWORD_FILE`
+---
 
-> Default: empty
+### BITBUCKET_DC_GIT_PASSWORD_FILE
+
+- Name: `WOODPECKER_BITBUCKET_DC_GIT_PASSWORD_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_BITBUCKET_DC_GIT_PASSWORD` from the specified filepath
 
-### `WOODPECKER_BITBUCKET_DC_SKIP_VERIFY`
+---
 
-> Default: `false`
+### BITBUCKET_DC_SKIP_VERIFY
+
+- Name: `WOODPECKER_BITBUCKET_DC_SKIP_VERIFY`
+- Default: `false`
 
 Configure if SSL verification should be skipped.

docs/versioned_docs/version-3.6/30-administration/10-configuration/30-agent.md

@@ -58,126 +58,182 @@ To get an _agent token_ you have to register the agent manually in the server us
 
 ## Environment variables
 
-### `WOODPECKER_SERVER`
+### SERVER
 
-> Default: `localhost:9000`
+- Name: `WOODPECKER_SERVER`
+- Default: `localhost:9000`
 
 Configures gRPC address of the server.
 
-### `WOODPECKER_USERNAME`
+---
 
-> Default: `x-oauth-basic`
+### USERNAME
+
+- Name: `WOODPECKER_USERNAME`
+- Default: `x-oauth-basic`
 
 The gRPC username.
 
-### `WOODPECKER_AGENT_SECRET`
+---
 
-> Default: empty
+### AGENT_SECRET
+
+- Name: `WOODPECKER_AGENT_SECRET`
+- Default: none
 
 A shared secret used by server and agents to authenticate communication. A secret can be generated by `openssl rand -hex 32`.
 
-### `WOODPECKER_AGENT_SECRET_FILE`
+---
 
-> Default: empty
+### AGENT_SECRET_FILE
+
+- Name: `WOODPECKER_AGENT_SECRET_FILE`
+- Default: none
 
 Read the value for `WOODPECKER_AGENT_SECRET` from the specified filepath, e.g. `/etc/woodpecker/agent-secret.conf`
 
-### `WOODPECKER_LOG_LEVEL`
+---
 
-> Default: empty
+### LOG_LEVEL
+
+- Name: `WOODPECKER_LOG_LEVEL`
+- Default: `info`
 
 Configures the logging level. Possible values are `trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`, `disabled` and empty.
 
-### `WOODPECKER_DEBUG_PRETTY`
+---
 
-> Default: `false`
+### DEBUG_PRETTY
+
+- Name: `WOODPECKER_DEBUG_PRETTY`
+- Default: `false`
 
 Enable pretty-printed debug output.
 
-### `WOODPECKER_DEBUG_NOCOLOR`
+---
 
-> Default: `true`
+### DEBUG_NOCOLOR
+
+- Name: `WOODPECKER_DEBUG_NOCOLOR`
+- Default: `true`
 
 Disable colored debug output.
 
-### `WOODPECKER_HOSTNAME`
+---
 
-> Default: empty
+### HOSTNAME
+
+- Name: `WOODPECKER_HOSTNAME`
+- Default: none
 
 Configures the agent hostname.
 
-### `WOODPECKER_AGENT_CONFIG_FILE`
+---
 
-> Default: `/etc/woodpecker/agent.conf`
+### AGENT_CONFIG_FILE
+
+- Name: `WOODPECKER_AGENT_CONFIG_FILE`
+- Default: `/etc/woodpecker/agent.conf`
 
 Configures the path of the agent config file.
 
-### `WOODPECKER_MAX_WORKFLOWS`
+---
 
-> Default: `1`
+### MAX_WORKFLOWS
+
+- Name: `WOODPECKER_MAX_WORKFLOWS`
+- Default: `1`
 
 Configures the number of parallel workflows.
 
-### `WOODPECKER_AGENT_LABELS`
+---
 
-> Default: empty
+### AGENT_LABELS
+
+- Name: `WOODPECKER_AGENT_LABELS`
+- Default: none
 
 Configures custom labels for the agent, to let workflows filter by it.
 Use a list of key-value pairs like `key=value,second-key=*`. `*` can be used as a wildcard.
 By default, agents provide three additional labels `platform=os/arch`, `hostname=my-agent` and `repo=*` which can be overwritten if needed.
 To learn how labels work, check out the [pipeline syntax page](../../20-usage/20-workflow-syntax.md#labels).
 
-### `WOODPECKER_HEALTHCHECK`
+---
 
-> Default: `true`
+### HEALTHCHECK
+
+- Name: `WOODPECKER_HEALTHCHECK`
+- Default: `true`
 
 Enable healthcheck endpoint.
 
-### `WOODPECKER_HEALTHCHECK_ADDR`
+---
 
-> Default: `:3000`
+### HEALTHCHECK_ADDR
+
+- Name: `WOODPECKER_HEALTHCHECK_ADDR`
+- Default: `:3000`
 
 Configures healthcheck endpoint address.
 
-### `WOODPECKER_KEEPALIVE_TIME`
+---
 
-> Default: empty
+### KEEPALIVE_TIME
+
+- Name: `WOODPECKER_KEEPALIVE_TIME`
+- Default: none
 
 After a duration of this time of no activity, the agent pings the server to check if the transport is still alive.
 
-### `WOODPECKER_KEEPALIVE_TIMEOUT`
+---
 
-> Default: `20s`
+### KEEPALIVE_TIMEOUT
+
+- Name: `WOODPECKER_KEEPALIVE_TIMEOUT`
+- Default: `20s`
 
 After pinging for a keepalive check, the agent waits for a duration of this time before closing the connection if no activity.
 
-### `WOODPECKER_GRPC_SECURE`
+---
 
-> Default: `false`
+### GRPC_SECURE
+
+- Name: `WOODPECKER_GRPC_SECURE`
+- Default: `false`
 
 Configures if the connection to `WOODPECKER_SERVER` should be made using a secure transport.
 
-### `WOODPECKER_GRPC_VERIFY`
+---
 
-> Default: `true`
+### GRPC_VERIFY
+
+- Name: `WOODPECKER_GRPC_VERIFY`
+- Default: `true`
 
 Configures if the gRPC server certificate should be verified, only valid when `WOODPECKER_GRPC_SECURE` is `true`.
 
-### `WOODPECKER_BACKEND`
+---
 
-> Default: `auto-detect`
+### BACKEND
+
+- Name: `WOODPECKER_BACKEND`
+- Default: `auto-detect`
 
 Configures the backend engine to run pipelines on. Possible values are `auto-detect`, `docker`, `local` or `kubernetes`.
 
-### `WOODPECKER_BACKEND_DOCKER_*`
+### BACKEND_DOCKER\_\*
 
 See [Docker backend configuration](./11-backends/10-docker.md#environment-variables)
 
-### `WOODPECKER_BACKEND_K8S_*`
+---
+
+### BACKEND_K8S\_\*
 
 See [Kubernetes backend configuration](./11-backends/20-kubernetes.md#environment-variables)
 
-### `WOODPECKER_BACKEND_LOCAL_*`
+---
+
+### BACKEND_LOCAL\_\*
 
 See [Local backend configuration](./11-backends/30-local.md#environment-variables)
 
@@ -187,14 +243,16 @@ See [Local backend configuration](./11-backends/30-local.md#environment-variable
 Only change these If you know what you do.
 :::
 
-#### `WOODPECKER_CONNECT_RETRY_COUNT`
+#### CONNECT_RETRY_COUNT
 
-> Default: `5`
+- Name: `WOODPECKER_CONNECT_RETRY_COUNT`
+- Default: `5`
 
 Configures number of times agent retries to connect to the server.
 
-#### `WOODPECKER_CONNECT_RETRY_DELAY`
+#### CONNECT_RETRY_DELAY
 
-> Default: `2s`
+- Name: `WOODPECKER_CONNECT_RETRY_DELAY`
+- Default: `2s`
 
 Configures delay between agent connection retries to the server.

docs/versioned_docs/version-3.6/30-administration/10-configuration/40-autoscaler.md

@@ -27,7 +27,7 @@ services:
       - WOODPECKER_MIN_AGENTS=0
       - WOODPECKER_MAX_AGENTS=3
       - WOODPECKER_WORKFLOWS_PER_AGENT=2 # the number of workflows each agent can run at the same time
-      - WOODPECKER_GRPC_ADDR=https://grpc.your-woodpecker-server.tld # the grpc address of your woodpecker server, publicly accessible from the agents
+      - WOODPECKER_GRPC_ADDR=grpc.your-woodpecker-server.tld # the grpc address of your woodpecker server, publicly accessible from the agents. See https://woodpecker-ci.org/docs/administration/configuration/server#caddy for an example of how to expose it. Do not include "https://" in the value.
       - WOODPECKER_GRPC_SECURE=true
       - WOODPECKER_AGENT_ENV= # optional environment variables to pass to the agents
       - WOODPECKER_PROVIDER=hetznercloud # set the provider, you can find all the available ones down below

docs/versioned_docs/version-3.6/40-cli.md

@@ -131,6 +131,8 @@ add a secret
 
 **--image**="": secret limited to these images (default: [])
 
+**--name**="": secret name
+
 **--value**="": secret value
 
 #### rm
@@ -264,7 +266,7 @@ execute a local pipeline
 
 **--backend-k8s-volume-size**="": backend k8s volume size (default 10G) (default: 10G)
 
-**--backend-local-temp-dir**="": set a different temp dir to clone workflows into (default: /tmp)
+**--backend-local-temp-dir**="": set a different temp dir to clone workflows into (default: /var/folders/6m/t779gl5s7fq17_t_59fflg5w0000gn/T/)
 
 **--backend-no-proxy**="": if set, pass the environment variable down as "NO_PROXY" to steps
 
@@ -415,7 +417,7 @@ lint a pipeline configuration file
 
 **--plugins-privileged**="": allow plugins to run in privileged mode, if set empty, there is no (default: [])
 
-**--plugins-trusted-clone**="": plugins that are trusted to handle Git credentials in cloning steps (default: [docker.io/woodpeckerci/plugin-git:2.6.2 docker.io/woodpeckerci/plugin-git quay.io/woodpeckerci/plugin-git])
+**--plugins-trusted-clone**="": plugins that are trusted to handle Git credentials in cloning steps (default: [docker.io/woodpeckerci/plugin-git:2.6.3 docker.io/woodpeckerci/plugin-git quay.io/woodpeckerci/plugin-git])
 
 **--strict**: treat warnings as errors