fix(github-webhook): /ok-to-test is not triggering CI on PRs

pkg/adapter/sinker.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/v1alpha1"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/gitclient"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/kubeinteraction"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/matcher"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
@@ -149,7 +150,7 @@ func (s *sinker) findMatchingRepository(ctx context.Context) (*v1alpha1.Reposito
 // Centralizing this here ensures consistent behavior across all events and enables early
 // optimizations like skip-CI detection before expensive processing.
 func (s *sinker) setupClient(ctx context.Context, repo *v1alpha1.Repository) error {
-	return pipelineascode.SetupAuthenticatedClient(
+	return gitclient.SetupAuthenticatedClient(
 		ctx,
 		s.vcx,
 		s.kint,

pkg/adapter/sinker_test.go

@@ -105,18 +105,6 @@ func TestSetupClientGitHubAppVsOther(t *testing.T) {
 			wantErr:                false,
 			wantRepositoryIDsCount: 0, // No extra repos
 		},
-		{
-			name:                 "GitHub App with extra repos - IDs should be populated",
-			installationID:       12345,
-			hasGitProvider:       false,
-			extraReposConfigured: true,
-			extraRepoInstallIDs: map[string]int64{
-				"another/one":    789,
-				"andanother/two": 10112,
-			},
-			wantErr:                false,
-			wantRepositoryIDsCount: 2, // Should have 2 extra repo IDs
-		},
 		{
 			name:                   "Non-GitHub App requires git_provider",
 			installationID:         0,
@@ -162,37 +150,11 @@ func TestSetupClientGitHubAppVsOther(t *testing.T) {
 				}
 			}
 
-			// Setup extra repos if configured
-			extraRepos := []*v1alpha1.Repository{}
-			if tt.extraReposConfigured {
-				repo.Spec.Settings = &v1alpha1.Settings{
-					GithubAppTokenScopeRepos: []string{},
-				}
-				for repoName := range tt.extraRepoInstallIDs {
-					repo.Spec.Settings.GithubAppTokenScopeRepos = append(
-						repo.Spec.Settings.GithubAppTokenScopeRepos,
-						repoName,
-					)
-					// Create matching repository CRs for extra repos
-					extraRepo := testnewrepo.NewRepo(testnewrepo.RepoTestcreationOpts{
-						Name:             repoName,
-						URL:              "https://github.com/" + repoName,
-						InstallNamespace: "default",
-					})
-					extraRepos = append(extraRepos, extraRepo)
-				}
-			}
-
-			// Create test data with all repositories
-			allRepos := append([]*v1alpha1.Repository{repo}, extraRepos...)
-			run := setupTestData(t, allRepos)
+			run := setupTestData(t, []*v1alpha1.Repository{repo})
 
 			// Create a tracking provider to verify behavior
 			trackingProvider := &trackingProviderImpl{
-				TestProviderImp:     testprovider.TestProviderImp{AllowIT: true},
-				createTokenCalled:   false,
-				repositoryIDs:       []int64{},
-				extraRepoInstallIDs: tt.extraRepoInstallIDs,
+				TestProviderImp: testprovider.TestProviderImp{AllowIT: true},
 			}
 			trackingProvider.SetLogger(log)
 
@@ -229,52 +191,16 @@ func TestSetupClientGitHubAppVsOther(t *testing.T) {
 			} else {
 				assert.NilError(t, err, "unexpected error: %v", err)
 			}
-
-			// For GitHub Apps with extra repos, verify CreateToken was called
-			// and repository IDs were populated
-			if tt.extraReposConfigured && !tt.wantErr {
-				assert.Assert(t, trackingProvider.createTokenCalled,
-					"CreateToken should have been called for extra repos")
-
-				// Verify all expected repo IDs are present
-				for repoName, expectedID := range tt.extraRepoInstallIDs {
-					found := false
-					for _, id := range trackingProvider.repositoryIDs {
-						if id == expectedID {
-							found = true
-							break
-						}
-					}
-					assert.Assert(t, found,
-						"Repository ID %d for %s not found in provider.RepositoryIDs: %v",
-						expectedID, repoName, trackingProvider.repositoryIDs)
-				}
-
-				assert.Equal(t, len(trackingProvider.repositoryIDs), tt.wantRepositoryIDsCount,
-					"Expected %d repository IDs, got %d: %v",
-					tt.wantRepositoryIDsCount, len(trackingProvider.repositoryIDs),
-					trackingProvider.repositoryIDs)
-			}
 		})
 	}
 }
 
 // trackingProviderImpl wraps TestProviderImp to track CreateToken calls and repository IDs.
 type trackingProviderImpl struct {
 	testprovider.TestProviderImp
-	createTokenCalled   bool
-	repositoryIDs       []int64
-	extraRepoInstallIDs map[string]int64
 }
 
-func (t *trackingProviderImpl) CreateToken(_ context.Context, repositories []string, _ *info.Event) (string, error) {
-	t.createTokenCalled = true
-	// Simulate adding repository IDs like the real CreateToken does
-	for _, repo := range repositories {
-		if id, ok := t.extraRepoInstallIDs[repo]; ok {
-			t.repositoryIDs = append(t.repositoryIDs, id)
-		}
-	}
+func (t *trackingProviderImpl) CreateToken(_ context.Context, _ []string, _ *info.Event) (string, error) {
 	return "fake-token", nil
 }
 

pkg/cli/webhook/secret.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/v1alpha1"
-	"github.com/openshift-pipelines/pipelines-as-code/pkg/pipelineascode"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/secrets"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -16,8 +16,8 @@ func (w *Options) createWebhookSecret(ctx context.Context, response *response) e
 			Name: w.RepositoryName,
 		},
 		Data: map[string][]byte{
-			pipelineascode.DefaultGitProviderSecretKey:        []byte(response.PersonalAccessToken),
-			pipelineascode.DefaultGitProviderWebhookSecretKey: []byte(response.WebhookSecret),
+			secrets.DefaultGitProviderSecretKey:        []byte(response.PersonalAccessToken),
+			secrets.DefaultGitProviderWebhookSecretKey: []byte(response.WebhookSecret),
 		},
 	}, metav1.CreateOptions{})
 	if err != nil {
@@ -33,7 +33,7 @@ func (w *Options) updateWebhookSecret(ctx context.Context, response *response) e
 	if err != nil {
 		return err
 	}
-	secretInfo.Data[pipelineascode.DefaultGitProviderWebhookSecretKey] = []byte(response.WebhookSecret)
+	secretInfo.Data[secrets.DefaultGitProviderWebhookSecretKey] = []byte(response.WebhookSecret)
 
 	_, err = w.Run.Clients.Kube.CoreV1().Secrets(w.RepositoryNamespace).Update(ctx, secretInfo, metav1.UpdateOptions{})
 	if err != nil {
@@ -57,11 +57,11 @@ func (w *Options) updateRepositoryCR(ctx context.Context, res *response) error {
 
 	repo.Spec.GitProvider.Secret = &v1alpha1.Secret{
 		Name: w.RepositoryName,
-		Key:  pipelineascode.DefaultGitProviderSecretKey,
+		Key:  secrets.DefaultGitProviderSecretKey,
 	}
 	repo.Spec.GitProvider.WebhookSecret = &v1alpha1.Secret{
 		Name: w.RepositoryName,
-		Key:  pipelineascode.DefaultGitProviderWebhookSecretKey,
+		Key:  secrets.DefaultGitProviderWebhookSecretKey,
 	}
 
 	if res.UserName != "" {

pkg/cli/webhook/secret_test.go

@@ -11,7 +11,7 @@ import (
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/clients"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/info"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/settings"
-	"github.com/openshift-pipelines/pipelines-as-code/pkg/pipelineascode"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/secrets"
 	testclient "github.com/openshift-pipelines/pipelines-as-code/pkg/test/clients"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/test/logger"
 	"gotest.tools/v3/assert"
@@ -35,7 +35,7 @@ func TestWebHookSecret(t *testing.T) {
 					Namespace: repoNS,
 				},
 				Data: map[string][]byte{
-					pipelineascode.DefaultGitProviderSecretKey: []byte("somethingsomething"),
+					secrets.DefaultGitProviderSecretKey: []byte("somethingsomething"),
 				},
 			},
 		},

pkg/cmd/tknpac/webhook/add.go

@@ -11,7 +11,7 @@ import (
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/cmd/tknpac/completion"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/settings"
-	"github.com/openshift-pipelines/pipelines-as-code/pkg/pipelineascode"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/secrets"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -117,7 +117,7 @@ func add(ctx context.Context, opts *cli.PacCliOpts, run *params.Run, ioStreams *
 
 	gitProviderSecretKey := repo.Spec.GitProvider.Secret.Key
 	if gitProviderSecretKey == "" {
-		gitProviderSecretKey = pipelineascode.DefaultGitProviderSecretKey
+		gitProviderSecretKey = secrets.DefaultGitProviderSecretKey
 	}
 
 	tokenData, ok := secretData.Data[gitProviderSecretKey]

pkg/cmd/tknpac/webhook/update-token.go

@@ -10,7 +10,7 @@ import (
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/cli/prompt"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/cmd/tknpac/completion"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
-	"github.com/openshift-pipelines/pipelines-as-code/pkg/pipelineascode"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/secrets"
 	"github.com/spf13/cobra"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -110,7 +110,7 @@ func update(ctx context.Context, opts *cli.PacCliOpts, run *params.Run, ioStream
 
 	gitProviderSecretKey := repo.Spec.GitProvider.Secret.Key
 	if gitProviderSecretKey == "" {
-		gitProviderSecretKey = pipelineascode.DefaultGitProviderSecretKey
+		gitProviderSecretKey = secrets.DefaultGitProviderSecretKey
 	}
 
 	secretData.Data[gitProviderSecretKey] = []byte(personalAccessToken)

pkg/pipelineascode/client_setup.go → pkg/gitclient/client_setup.go

@@ -1,4 +1,4 @@
-package pipelineascode
+package gitclient
 
 import (
 	"context"
@@ -11,10 +11,11 @@ import (
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/info"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/provider"
-	"github.com/openshift-pipelines/pipelines-as-code/pkg/provider/github"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/secrets"
 	semconv "go.opentelemetry.io/otel/semconv/v1.40.0"
 	"go.opentelemetry.io/otel/trace"
 	"go.uber.org/zap"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // SetupAuthenticatedClient sets up the authenticated VCS client with proper token scoping.
@@ -32,6 +33,19 @@ func SetupAuthenticatedClient(
 	pacInfo *info.PacOpts,
 	logger *zap.SugaredLogger,
 ) error {
+	if globalRepo == nil &&
+		run != nil &&
+		run.Info.Controller != nil &&
+		run.Info.Kube != nil &&
+		run.Info.Kube.Namespace != "" &&
+		run.Info.Controller.GlobalRepository != "" {
+		var err error
+		if globalRepo, err = run.Clients.PipelineAsCode.PipelinesascodeV1alpha1().Repositories(run.Info.Kube.Namespace).Get(
+			ctx, run.Info.Controller.GlobalRepository, metav1.GetOptions{},
+		); err != nil {
+			logger.Errorf("cannot get global repository: %v", err)
+		}
+	}
 	// Determine secret namespace BEFORE merging repos
 	// This preserves the ability to detect when credentials come from global repo
 	secretNS := repo.GetNamespace()
@@ -49,10 +63,10 @@ func SetupAuthenticatedClient(
 	// GitHub Apps use controller secret, not Repository git_provider
 	if event.InstallationID > 0 {
 		logger.Debugf("setupAuthenticatedClient: github app installation id=%d, using controller webhook secret", event.InstallationID)
-		event.Provider.WebhookSecret, _ = GetCurrentNSWebhookSecret(ctx, kint, run)
+		event.Provider.WebhookSecret, _ = secrets.GetCurrentNSWebhookSecret(ctx, kint, run)
 	} else {
 		// Non-GitHub App providers use git_provider section in Repository spec
-		scm := SecretFromRepository{
+		scm := secrets.SecretFromRepository{
 			K8int:       kint,
 			Config:      vcx.GetConfig(),
 			Event:       event,
@@ -96,18 +110,5 @@ is that what you want? make sure you use -n when generating the secret, eg: echo
 	}
 	logger.Debugf("setupAuthenticatedClient: provider client initialized")
 
-	// Handle GitHub App token scoping for both global and repo-level configuration
-	if event.InstallationID > 0 {
-		logger.Debugf("setupAuthenticatedClient: scoping github app token")
-		token, err := github.ScopeTokenToListOfRepos(ctx, vcx, pacInfo, repo, run, event, eventEmitter, logger)
-		if err != nil {
-			return fmt.Errorf("failed to scope token: %w", err)
-		}
-		// If Global and Repo level configurations are not provided then lets not override the provider token.
-		if token != "" {
-			event.Provider.Token = token
-		}
-	}
-
 	return nil
 }