Allow alter trusted clone plugins and filter them via tag (#4074)

server/config.go

@@ -64,7 +64,8 @@ var Config = struct {
 	Pipeline struct {
 		AuthenticatePublicRepos             bool
 		DefaultCancelPreviousPipelineEvents []model.WebhookEvent
-		DefaultCloneImage                   string
+		DefaultClonePlugin                  string
+		TrustedClonePlugins                 []string
 		Limits                              model.ResourceLimit
 		Volumes                             []string
 		Networks                            []string

server/pipeline/stepbuilder/stepBuilder.go

@@ -143,6 +143,7 @@ func (b *StepBuilder) genItemForWorkflow(workflow *model.Workflow, axis matrix.A
 	errorsAndWarnings = multierr.Append(errorsAndWarnings, linter.New(
 		linter.WithTrusted(b.Repo.IsTrusted),
 		linter.PrivilegedPlugins(server.Config.Pipeline.PrivilegedPlugins),
+		linter.WithTrustedClonePlugins(server.Config.Pipeline.TrustedClonePlugins),
 	).Lint([]*linter.WorkflowConfig{{
 		Workflow:  parsed,
 		File:      workflow.Name,
@@ -281,7 +282,8 @@ func (b *StepBuilder) toInternalRepresentation(parsed *yaml_types.Workflow, envi
 			),
 			b.Repo.IsSCMPrivate || server.Config.Pipeline.AuthenticatePublicRepos,
 		),
-		compiler.WithDefaultCloneImage(server.Config.Pipeline.DefaultCloneImage),
+		compiler.WithDefaultClonePlugin(server.Config.Pipeline.DefaultClonePlugin),
+		compiler.WithTrustedClonePlugins(server.Config.Pipeline.TrustedClonePlugins),
 		compiler.WithRegistry(registries...),
 		compiler.WithSecret(secrets...),
 		compiler.WithPrefix(