1 files changed, 12 insertions, 2 deletions

diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index 2b08d5bc7..4e909491a 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -859,6 +859,7 @@ class AnsibleJob(object):
         self.library_dir = os.path.join(plugin_dir, 'library')
         self.action_dir = os.path.join(plugin_dir, 'action')
         self.action_dir_general = os.path.join(plugin_dir, 'actiongeneral')
+        self.action_dir_trusted = os.path.join(plugin_dir, 'actiontrusted')
         self.callback_dir = os.path.join(plugin_dir, 'callback')
         self.lookup_dir = os.path.join(plugin_dir, 'lookup')
         self.filter_dir = os.path.join(plugin_dir, 'filter')
@@ -2049,13 +2050,22 @@ class AnsibleJob(object):
             # 10s to respond
             config.write('timeout = 30\n')
 
-            # We need at least the general action dir as this overwrites the
-            # command action plugin for log streaming.
+            # We need the general action dir to make the zuul_return plugin
+            # available to every job.
             action_dirs = [self.action_dir_general]
             if not trusted:
+                # Untrusted jobs add the action dir which makes sure localhost
+                # modules are restricted where needed. Further the command
+                # plugin needs to be restricted and also inject zuul_log_id
+                # to make log streaming work.
                 action_dirs.append(self.action_dir)
                 config.write('lookup_plugins = %s\n'
                              % self.lookup_dir)
+            else:
+                # Trusted jobs add the actiontrusted dir which adds the
+                # unrestricted command plugin to inject zuul_log_id to make
+                # log streaming work.
+                action_dirs.append(self.action_dir_trusted)
 
             config.write('action_plugins = %s\n'
                          % ':'.join(action_dirs))