feat: add --trusted-hosts CLI and remote.trusted-hosts config for remote tasks (#2491)

Co-authored-by: Valentin Maerten <maerten.valentin@gmail.com>
2026-06-11 09:51:50 +00:00 · 2025-12-07 12:17:54 +01:00
parent 896d65b21f
commit 72a349b0e9
9 changed files with 316 additions and 7 deletions
--- a/taskfile/reader.go
+++ b/taskfile/reader.go
@@ -3,6 +3,7 @@ package taskfile
 import (
 	"context"
 	"fmt"
+	"net/url"
 	"os"
 	"sync"
 	"time"
@@ -43,6 +44,7 @@ type (
 		insecure            bool
 		download            bool
 		offline             bool
+		trustedHosts        []string
 		tempDir             string
 		cacheExpiryDuration time.Duration
 		debugFunc           DebugFunc
@@ -59,6 +61,7 @@ func NewReader(opts ...ReaderOption) *Reader {
 		insecure:            false,
 		download:            false,
 		offline:             false,
+		trustedHosts:        nil,
 		tempDir:             os.TempDir(),
 		cacheExpiryDuration: 0,
 		debugFunc:           nil,
@@ -119,6 +122,20 @@ func (o *offlineOption) ApplyToReader(r *Reader) {
 	r.offline = o.offline
 }

+// WithTrustedHosts configures the [Reader] with a list of trusted hosts for remote
+// Taskfiles. Hosts in this list will not prompt for user confirmation.
+func WithTrustedHosts(trustedHosts []string) ReaderOption {
+	return &trustedHostsOption{trustedHosts: trustedHosts}
+}
+
+type trustedHostsOption struct {
+	trustedHosts []string
+}
+
+func (o *trustedHostsOption) ApplyToReader(r *Reader) {
+	r.trustedHosts = o.trustedHosts
+}
+
 // WithTempDir sets the temporary directory that will be used by the [Reader].
 // By default, the reader uses [os.TempDir].
 func WithTempDir(tempDir string) ReaderOption {
@@ -206,6 +223,28 @@ func (r *Reader) promptf(format string, a ...any) error {
 	return nil
 }

+// isTrusted checks if a URI's host matches any of the trusted hosts patterns.
+func (r *Reader) isTrusted(uri string) bool {
+	if len(r.trustedHosts) == 0 {
+		return false
+	}
+
+	// Parse the URI to extract the host
+	parsedURL, err := url.Parse(uri)
+	if err != nil {
+		return false
+	}
+	host := parsedURL.Host
+
+	// Check against each trusted pattern (exact match including port if provided)
+	for _, pattern := range r.trustedHosts {
+		if host == pattern {
+			return true
+		}
+	}
+	return false
+}
+
 func (r *Reader) include(ctx context.Context, node Node) error {
 	// Create a new vertex for the Taskfile
 	vertex := &ast.TaskfileVertex{
@@ -459,9 +498,9 @@ func (r *Reader) readRemoteNodeContent(ctx context.Context, node RemoteNode) ([]

 	// If there is no manual checksum pin, run the automatic checks
 	if node.Checksum() == "" {
-		// Prompt the user if required
+		// Prompt the user if required (unless host is trusted)
 		prompt := cache.ChecksumPrompt(checksum)
-		if prompt != "" {
+		if prompt != "" && !r.isTrusted(node.Location()) {
 			if err := func() error {
 				r.promptMutex.Lock()
 				defer r.promptMutex.Unlock()