enforce plugin whitelist for notifications

cmd/drone-build/main.go

@@ -54,6 +54,7 @@ func main() {
 	if err != nil {
 		log.Errorln("Error starting build server pod", err)
 		os.Exit(1)
+		return
 	}
 	ctx.client = client
 	defer client.Destroy()
@@ -65,6 +66,7 @@ func main() {
 		log.Errorln("Error processing .drone.yml file.", err)
 		client.Destroy()
 		os.Exit(1)
+		return
 	}
 
 	var execs []execFunc

pkg/runner/builtin/runner.go

@@ -190,12 +190,14 @@ func (r *Runner) Run(w *queue.Work) error {
 	// the destroy all containers afterward.
 	for i, build := range w.Commit.Builds {
 		work := &work{
-			Repo:   w.Repo,
-			Commit: w.Commit,
-			Keys:   w.Keys,
-			Netrc:  w.Netrc,
-			Yaml:   w.Yaml,
-			Build:  build,
+			Repo:    w.Repo,
+			Commit:  w.Commit,
+			Keys:    w.Keys,
+			Netrc:   w.Netrc,
+			Yaml:    w.Yaml,
+			Build:   build,
+			Env:     w.Env,
+			Plugins: w.Plugins,
 		}
 		in, err := json.Marshal(work)
 		if err != nil {

pkg/yaml/parse.go

@@ -77,10 +77,6 @@ func ParseSingle(raw string, opts *Opts) (*common.Config, error) {
 	if err != nil {
 		return nil, err
 	}
-	err = LintPlugins(conf, opts)
-	if err != nil {
-		return nil, err
-	}
 	// apply rules / transofms
 	transformSetup(conf)
 	transformClone(conf)
@@ -96,6 +92,10 @@ func ParseSingle(raw string, opts *Opts) (*common.Config, error) {
 	if !opts.Privileged {
 		rmPrivileged(conf)
 	}
+	err = LintPlugins(conf, opts)
+	if err != nil {
+		return nil, err
+	}
 	return conf, err
 }