Merge branch 'main' into priority-queue-stable-ordering

Author: chmouel

.github/workflows/container.yaml

@@ -37,6 +37,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -50,13 +52,13 @@ jobs:
         run: |
           set -x
           releaseBranchFormat='release-v'
-          if [[ ${{ github.ref_name }} == ${releaseBranchFormat}* ]]; then
-            tag=v$(echo ${{ github.ref_name }}|sed "s,${releaseBranchFormat},,")
-          elif [[ ${{ github.ref }} == refs/pull/* ]]; then
-            tag=pr-$(echo ${{ github.ref }} | cut -c11-|sed 's,/merge,,')
+          if [[ ${GITHUB_REF_NAME} == ${releaseBranchFormat}* ]]; then
+            tag=v$(echo ${GITHUB_REF_NAME}|sed "s,${releaseBranchFormat},,")
+          elif [[ ${GITHUB_REF} == refs/pull/* ]]; then
+            tag=pr-$(echo ${GITHUB_REF} | cut -c11-|sed 's,/merge,,')
           else
             # Sanitize the tag by replacing invalid characters with hyphens
-            tag=$(echo ${{ github.ref_name }}|sed 's,/merge,,' | sed 's,[/.],-,g')
+            tag=$(echo ${GITHUB_REF_NAME}|sed 's,/merge,,' | sed 's,[/.],-,g')
           fi
           for image in ./cmd/*;do
             ko build -B -t "${tag}" --platform="${{ env.PLATFORMS }}" "${image}"

.github/workflows/e2e.yaml

@@ -41,6 +41,10 @@ jobs:
 
     name: e2e tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     strategy:
       fail-fast: false
       matrix:
@@ -125,6 +129,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.target_ref || github.event.pull_request.head.sha || github.sha }}
+          persist-credentials: false
 
       - name: Check user permissions on PRs
         if: github.event_name == 'pull_request_target'
@@ -164,7 +169,7 @@ jobs:
           repo: chmouel/snazy
 
       - name: Install minica
-        run: |
+        run: | # zizmor: ignore[github-env]
           go install github.com/jsha/minica@latest
           echo "${HOME}/go/bin" >> "$GITHUB_PATH"
 
@@ -173,10 +178,13 @@ jobs:
         with:
           repository: openshift-pipelines/startpaac
           path: startpaac
+          persist-credentials: false
 
       - name: Run gosmee for main controller
+        env:
+          PYSMEE_URL: ${{ secrets.PYSMEE_URL }}
         run: |
-          nohup gosmee client --saveDir /tmp/gosmee-replay ${{ secrets.PYSMEE_URL }} "https://${CONTROLLER_DOMAIN_URL}" > /tmp/gosmee-main.log 2>&1 &
+          nohup gosmee client --saveDir /tmp/gosmee-replay "${PYSMEE_URL}" "https://${CONTROLLER_DOMAIN_URL}" > /tmp/gosmee-main.log 2>&1 &
 
       - name: Generate unique gosmee URL for Gitea tests
         if: startsWith(matrix.provider, 'gitea') || matrix.provider == 'concurrency'
@@ -185,10 +193,11 @@ jobs:
           SMEE_URL=$(curl -s https://hook.pipelinesascode.com -o /dev/null -w '%{redirect_url}')
           echo "Generated unique smee URL: ${SMEE_URL}"
           echo "url=${SMEE_URL}" >> "$GITHUB_OUTPUT"
-          echo "TEST_GITEA_SMEEURL=${SMEE_URL}" >> "$GITHUB_ENV"
 
       - name: Run gosmee for main controller (Gitea)
         if: startsWith(matrix.provider, 'gitea') || matrix.provider == 'concurrency'
+        env:
+          TEST_GITEA_SMEEURL: ${{ steps.gosmee-url.outputs.url }}
         run: |
           nohup gosmee client --saveDir /tmp/gosmee-replay "${TEST_GITEA_SMEEURL}" "https://${CONTROLLER_DOMAIN_URL}" >> /tmp/gosmee-main.log 2>&1 &
 
@@ -199,10 +208,11 @@ jobs:
           SMEE_URL=$(curl -s https://hook.pipelinesascode.com -o /dev/null -w '%{redirect_url}')
           echo "Generated unique GitLab smee URL: ${SMEE_URL}"
           echo "url=${SMEE_URL}" >> "$GITHUB_OUTPUT"
-          echo "TEST_GITLAB_SMEEURL=${SMEE_URL}" >> "$GITHUB_ENV"
 
       - name: Run gosmee for GitLab tests
         if: matrix.provider == 'gitlab_bitbucket'
+        env:
+          TEST_GITLAB_SMEEURL: ${{ steps.gosmee-gitlab-url.outputs.url }}
         run: |
           nohup gosmee client --saveDir /tmp/gosmee-replay-gitlab "${TEST_GITLAB_SMEEURL}" "https://${CONTROLLER_DOMAIN_URL}" >> /tmp/gosmee-gitlab.log 2>&1 &
 
@@ -218,10 +228,11 @@ jobs:
           SMEE_URL=$(curl -s https://hook.pipelinesascode.com -o /dev/null -w '%{redirect_url}')
           echo "Generated unique GHE webhook smee URL: ${SMEE_URL}"
           echo "url=${SMEE_URL}" >> "$GITHUB_OUTPUT"
-          echo "TEST_GITHUB_SECOND_WEBHOOK_SMEE_URL=${SMEE_URL}" >> "$GITHUB_ENV"
 
       - name: Run gosmee for second controller GHE webhook
         if: startsWith(matrix.provider, 'github_ghe') || matrix.provider == 'concurrency'
+        env:
+          TEST_GITHUB_SECOND_WEBHOOK_SMEE_URL: ${{ steps.gosmee-ghe-webhook-url.outputs.url }}
         run: |
           nohup gosmee client --saveDir /tmp/gosmee-replay-ghe-webhook "${TEST_GITHUB_SECOND_WEBHOOK_SMEE_URL}" "https://ghe.paac-127-0-0-1.nip.io" >> /tmp/gosmee-ghe-webhook.log 2>&1 &
 
@@ -267,7 +278,7 @@ jobs:
           TEST_GITLAB_API_URL: https://gitlab.com
           TEST_GITLAB_GROUP: pac-e2e-tests
           TEST_GITLAB_SECOND_GROUP: ${{ vars.TEST_GITLAB_SECOND_GROUP }}
-          TEST_GITLAB_SMEEURL: ${{ env.TEST_GITLAB_SMEEURL }}
+          TEST_GITLAB_SMEEURL: ${{ steps.gosmee-gitlab-url.outputs.url }}
           TEST_GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
           TEST_GITLAB_SECOND_TOKEN: ${{ secrets.TEST_GITLAB_SECOND_TOKEN }}
 
@@ -298,16 +309,18 @@ jobs:
       - name: Start installing cluster with startpaac
         env:
           PAC_DIR: ${{ github.workspace }}
+          VARS_APPLICATION_ID: ${{ vars.APPLICATION_ID }}
+          VARS_TEST_GITHUB_SECOND_APPLICATION_ID: ${{ vars.TEST_GITHUB_SECOND_APPLICATION_ID }}
         run: |
           mkdir -p ~/secrets
-          echo "${{ vars.APPLICATION_ID }}" > ~/secrets/github-application-id
+          echo "${VARS_APPLICATION_ID}" > ~/secrets/github-application-id
           echo "${{ secrets.APP_PRIVATE_KEY }}" > ~/secrets/github-private-key
           echo "${{ secrets.WEBHOOK_SECRET }}" > ~/secrets/webhook.secret
           echo "${{ secrets.PYSMEE_URL }}" > ~/secrets/smee
 
 
           mkdir -p ~/secrets-second
-          echo "${{ vars.TEST_GITHUB_SECOND_APPLICATION_ID }}" > ~/secrets-second/github-application-id
+          echo "${VARS_TEST_GITHUB_SECOND_APPLICATION_ID}" > ~/secrets-second/github-application-id
           echo "${{ secrets.TEST_GITHUB_SECOND_PRIVATE_KEY }}" > ~/secrets-second/github-private-key
           echo "${{ secrets.TEST_GITHUB_SECOND_WEBHOOK_SECRET }}" > ~/secrets-second/webhook.secret
           echo "${{ secrets.TEST_GITHUB_SECOND_SMEE_URL }}" > ~/secrets-second/smee
@@ -393,10 +406,15 @@ jobs:
   notify-slack:
     name: Notify Slack on Failures
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     needs: [e2e-tests]
     if: ${{ always() && github.ref_name == 'main' && github.event_name == 'schedule' }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Download all artifacts
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:

.github/zizmor.yml

@@ -0,0 +1,12 @@
+rules:
+  # Secrets are gated by the ok-to-test permission check step which runs first.
+  # Using GitHub Environments would require major workflow restructuring.
+  secrets-outside-env:
+    ignore:
+      - e2e.yaml
+
+  # pull_request_target is required to access secrets for fork PRs.
+  # The ok-to-test action runs as the first step and gates all subsequent steps.
+  dangerous-triggers:
+    ignore:
+      - e2e.yaml

.tekton/linter.yaml

@@ -263,6 +263,27 @@ spec:
                 set -euxo pipefail
                 yamllint -f parsable -c .yamllint $(find . -type f -regex ".*y[a]ml" -print)
 
+            - name: zizmor
+              displayName: "GitHub Actions security linter"
+              image: registry.access.redhat.com/ubi9/python-312
+              workingDir: $(workspaces.source.path)
+              env:
+                - name: HUB_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nightly-ci-github-hub-token"
+                      key: "hub-token"
+              script: |
+                set -euxo pipefail
+                if uname -m | grep -q aarch64; then
+                  target=aarch64-unknown-linux-gnu
+                else
+                  target=x86_64-unknown-linux-gnu
+                fi
+                version=$(curl -H "Authorization: Bearer ${HUB_TOKEN}" -L -s https://api.github.com/repos/zizmorcore/zizmor/releases/latest | python3 -c 'import sys, json; print(json.load(sys.stdin)["tag_name"])')
+                curl -sH "Authorization: Bearer ${HUB_TOKEN}" -L "https://github.com/zizmorcore/zizmor/releases/download/${version}/zizmor-${target}.tar.gz" | tar -xz -C /tmp/ --strip-components=1 -f-
+                /tmp/zizmor .github/workflows/
+
             - name: ruff-lint
               displayName: "Python Linter (ruff)"
               image: registry.access.redhat.com/ubi9/python-312

docs/content/docs/providers/github-app.md

@@ -42,8 +42,8 @@ To create the GitHub App manually:
 - Subscribe to following events:
   - Check run
   - Check suite
-  - Issue comment
   - Commit comment
+  - Issue comment
   - Pull request
   - Push
 

pkg/provider/github/github.go

@@ -463,6 +463,21 @@ func (v *Provider) GetCommitInfo(ctx context.Context, runevent *info.Event) erro
 		}
 	}
 
+	// For incoming webhooks, DefaultBranch is not populated from the event
+	// payload (since there is no webhook payload to parse). Fetch it from the
+	// GitHub API so that pipelinerun_provenance: default_branch works correctly.
+	// For other event types (push, pull_request), DefaultBranch is already set
+	// by ParsePayload from the webhook payload's repository.default_branch field.
+	if runevent.DefaultBranch == "" && runevent.EventType == "incoming" {
+		ghRepo, _, err := wrapAPI(v, "get_repo", func() (*github.Repository, *github.Response, error) {
+			return v.Client().Repositories.Get(ctx, runevent.Organization, runevent.Repository)
+		})
+		if err != nil {
+			return err
+		}
+		runevent.DefaultBranch = ghRepo.GetDefaultBranch()
+	}
+
 	return nil
 }
 

pkg/provider/github/github_test.go

@@ -932,6 +932,31 @@ func TestGithubGetCommitInfo(t *testing.T) {
 			message:        "chore: deps\n\n[tkn skip]",
 			wantHasSkipCmd: true,
 		},
+		{
+			name: "incoming webhook populates DefaultBranch",
+			event: &info.Event{
+				Organization: "owner",
+				Repository:   "repository",
+				SHA:          "shacommitinfo",
+				EventType:    "incoming",
+			},
+			shaurl:   "https://git.provider/commit/info",
+			shatitle: "My beautiful pony",
+			message:  "My beautiful pony",
+		},
+		{
+			name: "DefaultBranch already set is preserved",
+			event: &info.Event{
+				Organization:  "owner",
+				Repository:    "repository",
+				SHA:           "shacommitinfo",
+				DefaultBranch: "develop",
+				EventType:     "incoming",
+			},
+			shaurl:   "https://git.provider/commit/info",
+			shatitle: "My beautiful pony",
+			message:  "My beautiful pony",
+		},
 		{
 			name: "error",
 			event: &info.Event{
@@ -940,6 +965,7 @@ func TestGithubGetCommitInfo(t *testing.T) {
 				SHA:          "shacommitinfo",
 			},
 			apiReply: "hello moto",
+			wantErr:  "invalid character",
 		},
 		{
 			name:     "noclient",
@@ -952,6 +978,12 @@ func TestGithubGetCommitInfo(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			fakeclient, mux, _, teardown := ghtesthelper.SetupGH()
 			defer teardown()
+			// Mock the repo endpoint so GetCommitInfo can resolve DefaultBranch
+			// when it is not already set on the event (e.g. incoming webhooks).
+			mux.HandleFunc(fmt.Sprintf("/repos/%s/%s",
+				tt.event.Organization, tt.event.Repository), func(rw http.ResponseWriter, _ *http.Request) {
+				fmt.Fprint(rw, `{"default_branch": "main"}`)
+			})
 			mux.HandleFunc(fmt.Sprintf("/repos/%s/%s/git/commits/%s",
 				tt.event.Organization, tt.event.Repository, tt.event.SHA), func(rw http.ResponseWriter, _ *http.Request) {
 				if tt.apiReply != "" {
@@ -1022,6 +1054,7 @@ func TestGithubGetCommitInfo(t *testing.T) {
 				assert.ErrorContains(t, err, tt.wantErr)
 				return
 			}
+			assert.NilError(t, err)
 			assert.Equal(t, tt.shatitle, tt.event.SHATitle)
 			assert.Equal(t, tt.shaurl, tt.event.SHAURL)
 
@@ -1040,6 +1073,16 @@ func TestGithubGetCommitInfo(t *testing.T) {
 				assert.DeepEqual(t, expectedCommitterDate, tt.event.SHACommitterDate)
 			}
 			assert.Equal(t, tt.wantHasSkipCmd, tt.event.HasSkipCommand)
+
+			// For incoming events, verify DefaultBranch is populated
+			if tt.event.EventType == "incoming" {
+				if tt.event.DefaultBranch == "develop" {
+					// If it was already set, it should be preserved
+					assert.Equal(t, "develop", tt.event.DefaultBranch, "DefaultBranch should be preserved")
+				} else {
+					assert.Equal(t, "main", tt.event.DefaultBranch, "DefaultBranch should be populated from API")
+				}
+			}
 		})
 	}
 }