fix: Expand "dynamic" variables in default values

This commit addresses an issue where dynamic variables used as default
values in pipeline parameters are not resolved correctly. Currently,
when an expandable dynamic variable is added as a default value to a
parameter in a Pipeline, it is not resolved, leading to errors.

For example, in the Pipeline.yaml:

- name: REPO_NAME
  default: "{{ repo_name }}"
- name: REVISION
- name: BRANCH
- name: PULL_REQUEST_NUMBER

Omitting the parameter with a default value in the PipelineRun does not
resolve the parameter, resulting not being expanded in the PipelineRun.

Business value:
- Clean up pipelines by reducing the need to pass through all expandable
  dynamic parameters.
- Make shared pipelines easier to use and reduce the surface for
  mistakes.

Jira: https://issues.redhat.com/browse/SRVKP-4070
Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>

Author: chmouel

pkg/pipelineascode/match.go

@@ -322,7 +322,7 @@ func (p *PacRun) getPipelineRunsFromRepo(ctx context.Context, repo *v1alpha1.Rep
 		}
 	}
 
-	err = changeSecret(pipelineRuns)
+	err = p.changePipelineRun(ctx, repo, pipelineRuns)
 	if err != nil {
 		return nil, err
 	}
@@ -357,12 +357,13 @@ func filterRunningPipelineRunOnTargetTest(testPipeline string, prs []*tektonv1.P
 	return nil
 }
 
-// changeSecret we need to go in each pipelinerun,
-// change the secret template variable with a random one as generated from GetBasicAuthSecretName
-// and store in the annotations so we can create one delete after.
-func changeSecret(prs []*tektonv1.PipelineRun) error {
-	for k, p := range prs {
-		b, err := json.Marshal(p)
+// changePipelineRun go over each pipelineruns and modify things into it.
+//
+// - the secret template variable with a random one as generated from GetBasicAuthSecretName
+// - the template variable with the one from the event (this includes the remote pipeline that has template variables).
+func (p *PacRun) changePipelineRun(ctx context.Context, repo *v1alpha1.Repository, prs []*tektonv1.PipelineRun) error {
+	for k, pr := range prs {
+		b, err := json.Marshal(pr)
 		if err != nil {
 			return err
 		}
@@ -371,6 +372,7 @@ func changeSecret(prs []*tektonv1.PipelineRun) error {
 		processed := templates.ReplacePlaceHoldersVariables(string(b), map[string]string{
 			"git_auth_secret": name,
 		}, nil, nil, map[string]any{})
+		processed = p.makeTemplate(ctx, repo, processed)
 
 		var np *tektonv1.PipelineRun
 		err = json.Unmarshal([]byte(processed), &np)
@@ -382,6 +384,7 @@ func changeSecret(prs []*tektonv1.PipelineRun) error {
 			np.Annotations = map[string]string{}
 		}
 		np.Annotations[apipac.GitAuthSecret] = name
+
 		prs[k] = np
 	}
 	return nil

pkg/pipelineascode/match_test.go

@@ -50,18 +50,30 @@ func TestPacRun_checkNeedUpdate(t *testing.T) {
 	}
 }
 
-func TestChangeSecret(t *testing.T) {
+func TestChangePipelineRun(t *testing.T) {
 	prs := []*tektonv1.PipelineRun{
 		{
 			ObjectMeta: metav1.ObjectMeta{
-				Name: "{{git_auth_secret}}",
+				Name:      "{{git_auth_secret}}",
+				Namespace: "{{ repo_name }}",
 			},
 		},
 	}
-	err := changeSecret(prs)
+	event := info.NewEvent()
+	event.Repository = "testrepo"
+	p := &PacRun{event: event}
+	repo := &v1alpha1.Repository{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "testrepo",
+			Namespace: "test",
+		},
+	}
+	ctx, _ := rtesting.SetupFakeContext(t)
+	err := p.changePipelineRun(ctx, repo, prs)
 	assert.NilError(t, err)
 	assert.Assert(t, strings.HasPrefix(prs[0].GetName(), "pac-gitauth"), prs[0].GetName(), "has no pac-gitauth prefix")
 	assert.Assert(t, prs[0].GetAnnotations()[apipac.GitAuthSecret] != "")
+	assert.Assert(t, prs[0].GetNamespace() == "testrepo", "namespace should be testrepo: %v", prs[0].GetNamespace())
 }
 
 func TestFilterRunningPipelineRunOnTargetTest(t *testing.T) {

test/gitea_test.go

@@ -139,6 +139,30 @@ func TestGiteaPullRequestResolvePipelineOnlyAssociatedWithPipelineRunFilterted(t
 	defer f()
 }
 
+// TestGiteaPullRequestResolvedTektonParamsRemotePipeline see
+// https://issues.redhat.com/browse/SRVKP-4070 for details
+func TestGiteaPullRequestResolvedTektonParamsRemotePipeline(t *testing.T) {
+	topts := &tgitea.TestOpts{
+		Regexp:      successRegexp,
+		TargetEvent: triggertype.PullRequest.String(),
+		YAMLFiles: map[string]string{
+			".tekton/pr.yaml":       "testdata/pipelinerun_with_tekton_params.yaml",
+			".tekton/pipeline.yaml": "testdata/pipeline_with_tekton_params.yaml",
+		},
+		ExpectEvents:   false,
+		CheckForStatus: "success",
+	}
+	_, f := tgitea.TestPR(t, topts)
+	defer f()
+
+	// check the output of the PipelineRun logs
+	err := twait.RegexpMatchingInPodLog(context.Background(),
+		topts.ParamsRun,
+		topts.TargetNS, "pipelinesascode.tekton.dev/event-type=pull_request", "step-task",
+		*regexp.MustCompile("Hello " + topts.TargetRepoName), "", 2)
+	assert.NilError(t, err)
+}
+
 func TestGiteaPullRequestPrivateRepository(t *testing.T) {
 	topts := &tgitea.TestOpts{
 		Regexp:      successRegexp,
@@ -1047,7 +1071,8 @@ func verifyProvenance(t *testing.T, topts *tgitea.TestOpts, expectedOutput, cNam
 	tgitea.WaitForStatus(t, topts, "heads/"+targetRef, "", false)
 
 	// check the output of the PipelineRun logs
-	err = twait.RegexpMatchingInPodLog(context.Background(), topts.ParamsRun, topts.TargetNS, "pipelinesascode.tekton.dev/event-type=pull_request", cName, *regexp.MustCompile(expectedOutput), "", 2)
+	err = twait.RegexpMatchingInPodLog(context.Background(), topts.ParamsRun, topts.TargetNS, "pipelinesascode.tekton.dev/event-type=pull_request",
+		cName, *regexp.MustCompile(expectedOutput), "", 2)
 	assert.NilError(t, err)
 }
 

test/testdata/pipeline_with_tekton_params.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: pipeline-with-tekton-params
+spec:
+  params:
+    - name: foo
+      type: string
+      default: "{{ repo_name }}"
+  tasks:
+    - name: task
+      taskSpec:
+        steps:
+          - name: task
+            image: registry.access.redhat.com/ubi9/ubi-micro
+            script: |
+              echo "Hello $(params.foo)"
+              exit 0

test/testdata/pipelinerun_with_tekton_params.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: "piplinerun-with-tekton-params"
+  annotations:
+    pipelinesascode.tekton.dev/target-namespace: "\\ .TargetNamespace //"
+    pipelinesascode.tekton.dev/on-target-branch: "[\\ .TargetBranch //]"
+    pipelinesascode.tekton.dev/on-event: "[\\ .TargetEvent //]"
+spec:
+  pipelineRef:
+    name: pipeline-with-tekton-params