Merge branch 'main' into graphql

Author: chmouel

.github/workflows/e2e.yaml

@@ -43,9 +43,8 @@ jobs:
       matrix:
         provider:
           [
-            github_1,
-            github_2,
-            github_second_controller,
+            github_public,
+            github_ghe,
             gitlab_bitbucket,
             gitea_1,
             gitea_2,
@@ -87,7 +86,6 @@ jobs:
       TEST_GITHUB_SECOND_REPO_OWNER_GITHUBAPP: pipelines-as-code/e2e
       TEST_GITHUB_SECOND_TOKEN: ${{ secrets.TEST_GITHUB_SECOND_TOKEN }}
       TEST_GITHUB_TOKEN: ${{ secrets.GH_APPS_TOKEN }}
-      TEST_GITLAB_API_URL: https://gitlab.com
       TEST_GITLAB_PROJECT_ID: ${{ vars.TEST_GITLAB_PROJECT_ID }}
       TEST_GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
     steps:
@@ -440,136 +438,10 @@ jobs:
           name: logs-e2e-tests-${{ matrix.provider }}
           path: /tmp/logs
 
-  e2e-flaky-tests:
-    name: e2e flaky tests
-    runs-on: ubuntu-latest
-    needs: e2e-tests
-    if: always() && !cancelled()
-    concurrency:
-      group: ${{ github.workflow }}-flaky-${{ github.event.pull_request.number || github.ref_name }}
-      cancel-in-progress: true
-
-    env:
-      CONTROLLER_DOMAIN_URL: controller.paac-127-0-0-1.nip.io
-      KOCACHE: /tmp/ko-cache
-      KO_DOCKER_REPO: localhost:5000
-      KUBECONFIG: /home/runner/.kube/config.kind
-      TEST_EL_URL: http://controller.paac-127-0-0-1.nip.io
-      TEST_EL_WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
-      TEST_GITHUB_API_URL: api.github.com
-      TEST_GITHUB_PRIVATE_TASK_NAME: task-remote
-      TEST_GITHUB_PRIVATE_TASK_URL: https://github.com/openshift-pipelines/pipelines-as-code-e2e-tests-private/blob/main/remote_task.yaml
-      TEST_GITHUB_REPO_INSTALLATION_ID: ${{ vars.INSTALLATION_ID }}
-      TEST_GITHUB_REPO_OWNER_GITHUBAPP: openshift-pipelines/pipelines-as-code-e2e-tests
-      TEST_GITHUB_SECOND_API_URL: ghe.pipelinesascode.com
-      TEST_GITHUB_SECOND_EL_URL: http://ghe.paac-127-0-0-1.nip.io
-      TEST_GITHUB_SECOND_REPO_INSTALLATION_ID: 1
-      TEST_GITHUB_SECOND_REPO_OWNER_GITHUBAPP: pipelines-as-code/e2e
-      TEST_GITHUB_SECOND_TOKEN: ${{ secrets.TEST_GITHUB_SECOND_TOKEN }}
-      TEST_GITHUB_TOKEN: ${{ secrets.GH_APPS_TOKEN }}
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.target_ref || github.event.pull_request.head.sha || github.sha }}
-
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: "go.mod"
-
-      - name: Cache ko layer cache
-        uses: actions/cache@v5
-        with:
-          path: /tmp/ko-cache
-          key: ${{ runner.os }}-ko-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-ko-
-
-      - uses: ko-build/setup-ko@v0.9
-
-      - name: Build binaries in parallel with cluster installation
-        run: |
-          nohup make allbinaries > /tmp/binary-build.log 2>&1 &
-          echo $! > /tmp/binary-build.pid
-
-      - name: Install gosmee
-        uses: jaxxstorm/action-install-gh-release@v2.1.0
-        with:
-          repo: chmouel/gosmee
-
-      - name: Install Snazy
-        uses: jaxxstorm/action-install-gh-release@v2.1.0
-        with:
-          repo: chmouel/snazy
-
-      - name: Run gosmee for main controller
-        run: |
-          nohup gosmee client --saveDir /tmp/gosmee-replay ${{ secrets.PYSMEE_URL }} "http://${CONTROLLER_DOMAIN_URL}" > /tmp/gosmee-main.log 2>&1 &
-
-      - name: Start installing cluster
-        run: |
-          export PAC_DIR=${PWD}
-          bash -x ./hack/dev/kind/install.sh
-
-      - name: Create PAC github-app-secret
-        env:
-          PAC_GITHUB_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
-          PAC_GITHUB_APPLICATION_ID: ${{ vars.APPLICATION_ID }}
-          PAC_WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
-        run: |
-          ./hack/gh-workflow-ci.sh create_pac_github_app_secret
-
-      - name: Create second Github APP Controller on GHE
-        env:
-          TEST_GITHUB_SECOND_SMEE_URL: ${{ secrets.TEST_GITHUB_SECOND_SMEE_URL }}
-          TEST_GITHUB_SECOND_PRIVATE_KEY: ${{ secrets.TEST_GITHUB_SECOND_PRIVATE_KEY }}
-          TEST_GITHUB_SECOND_WEBHOOK_SECRET: ${{ secrets.TEST_GITHUB_SECOND_WEBHOOK_SECRET }}
-          TEST_GITHUB_SECOND_APPLICATION_ID: ${{ vars.TEST_GITHUB_SECOND_APPLICATION_ID }}
-        run: |
-          ./hack/gh-workflow-ci.sh create_second_github_app_controller_on_ghe
-
-      - name: Enable debug logging for e2e
-        run: |
-          set -euo pipefail
-          kubectl -n pipelines-as-code patch configmap pac-config-logging --type merge -p '{"data":{"loglevel.pipelinesascode":"debug","loglevel.pac-watcher":"debug","loglevel.pipelines-as-code-webhook":"debug"}}'
-          kubectl -n pipelines-as-code rollout restart deployment/pipelines-as-code-controller deployment/pipelines-as-code-webhook deployment/pipelines-as-code-watcher
-          for name in controller webhook watcher; do
-            echo "=== Waiting for $name to be ready ==="
-            kubectl -n pipelines-as-code rollout status deployment/pipelines-as-code-$name --timeout=120s
-          done
-
-      - name: Run Flaky E2E Tests
-        env:
-          TEST_PROVIDER: flaky
-          TEST_EL_WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
-          TEST_GITHUB_REPO_INSTALLATION_ID: ${{ vars.INSTALLATION_ID }}
-          TEST_GITHUB_TOKEN: ${{ secrets.GH_APPS_TOKEN }}
-          TEST_GITHUB_SECOND_TOKEN: ${{ secrets.TEST_GITHUB_SECOND_TOKEN }}
-        run: |
-          ./hack/gh-workflow-ci.sh run_e2e_tests
-
-      - name: Collect logs
-        if: ${{ always() }}
-        env:
-          TEST_GITHUB_SECOND_SMEE_URL: ${{ secrets.TEST_GITHUB_SECOND_SMEE_URL }}
-        run: |
-          ./hack/gh-workflow-ci.sh collect_logs
-
-      - name: Show controllers/watcher errors with Snazy
-        if: ${{ always() }}
-        run: |
-          ./hack/gh-workflow-ci.sh output_logs
-
-      - name: Upload artifacts
-        if: ${{ always() }}
-        uses: actions/upload-artifact@v6
-        with:
-          name: logs-e2e-tests-flaky
-          path: /tmp/logs
-
   notify-slack:
     name: Notify Slack on Failures
     runs-on: ubuntu-latest
-    needs: [e2e-tests, e2e-flaky-tests]
+    needs: [e2e-tests]
     if: ${{ always() && github.ref_name == 'main' && github.event_name == 'schedule' }}
     steps:
       - uses: actions/checkout@v6

config/300-repositories.yaml

@@ -476,9 +476,11 @@ spec:
                             CommentStrategy defines how GitLab comments are handled for pipeline results.
                             Options:
                             - 'disable_all': Disables all comments on merge requests
+                            - 'update': Updates a single comment per PipelineRun on every trigger.
                           enum:
                             - ""
                             - disable_all
+                            - update
                           type: string
                       type: object
                     pipelinerun_provenance:

docs/content/docs/guide/cli.md

@@ -421,6 +421,7 @@ The CEL evaluator is only useful for admins, since the payload and headers as se
 `tkn pac cel` — Evaluate CEL (Common Expression Language) expressions interactively with webhook payloads.
 
 This command allows you to test and debug CEL expressions as they would be evaluated by Pipelines-as-Code, using real webhook payloads and headers. It supports interactive and non-interactive modes, provider auto-detection, and persistent history.
+Note that the CEL evaluator may not always produce the same output as when the expression is evaluated in an actual PipelineRun.
 
 To be able to have the CEL evaluator working, you need to have the payload and the headers available in a file. The best way to do this is to go to the webhook configuration on your git provider and copy the payload and headers to different files.
 

hack/gh-workflow-ci.sh

@@ -4,6 +4,7 @@
 set -exufo pipefail
 
 export PAC_API_INSTRUMENTATION_DIR=/tmp/api-instrumentation
+export TEST_GITLAB_API_URL=https://gitlab.pipelinesascode.com
 
 create_pac_github_app_secret() {
   # Read from environment variables instead of arguments
@@ -85,8 +86,8 @@ get_tests() {
   fi
 
   local -a github_tests=()
-  if [[ "${target}" == *"github"* ]] && [[ "${target}" != "github_second_controller" ]]; then
-    mapfile -t github_tests < <(echo "${all_tests}" | grep -iP '^TestGithub' 2>/dev/null | grep -ivP 'Concurrency|GithubSecond|Flaky' 2>/dev/null | sort 2>/dev/null)
+  if [[ "${target}" == *"github"* ]] && [[ "${target}" != "github_ghe" ]] && [[ "${target}" != "github_second_controller" ]]; then
+    mapfile -t github_tests < <(echo "${all_tests}" | grep -iP '^TestGithub' 2>/dev/null | grep -ivP 'Concurrency|GithubGHE' 2>/dev/null | sort 2>/dev/null)
   fi
 
   # Calculate chunk sizes for splitting gitea tests into 3 parts
@@ -96,32 +97,49 @@ get_tests() {
     remainder=$((${#gitea_tests[@]} % 3))
   fi
 
-  # Calculate chunk sizes for splitting github tests into 2 parts
+  # TODO: revert once the new workflow matrix lands on main.
+  # Backward compat: github_1/github_2 chunking for pull_request_target
+  # which runs the workflow YAML from main (old target names).
   local github_chunk_size github_remainder
   if [[ ${#github_tests[@]} -gt 0 ]]; then
-    github_chunk_size=$((${#github_tests[@]} / 2))
-    github_remainder=$((${#github_tests[@]} % 2))
+    github_chunk_size=$(( ${#github_tests[@]} / 2 ))
+    github_remainder=$(( ${#github_tests[@]} % 2 ))
   fi
 
   case "${target}" in
   flaky)
-    printf '%s\n' "${all_tests}" | grep -iP 'Flaky'
+    # no-op: flaky tests have been absorbed into their natural categories.
+    # Kept for backward compat since pull_request_target uses main's YAML
+    # which still references 'flaky'.
     ;;
+
   concurrency)
     printf '%s\n' "${all_tests}" | grep -iP 'Concurrency|Others'
     ;;
+  github_public)
+    if [[ ${#github_tests[@]} -gt 0 ]]; then
+      printf '%s\n' "${github_tests[@]}"
+    fi
+    ;;
+  # TODO: revert - remove github_1, github_2, github_second_controller aliases
+  # once the new workflow matrix lands on main. These exist because
+  # pull_request_target runs the workflow YAML from main which still sends old
+  # target names.
   github_1)
     if [[ ${#github_tests[@]} -gt 0 ]]; then
-      printf '%s\n' "${github_tests[@]:0:${github_chunk_size}}"
+      printf '%s\n' "${github_tests[@]:0:$((github_chunk_size + github_remainder))}"
     fi
     ;;
   github_2)
     if [[ ${#github_tests[@]} -gt 0 ]]; then
-      printf '%s\n' "${github_tests[@]:${github_chunk_size}:$((github_chunk_size + github_remainder))}"
+      printf '%s\n' "${github_tests[@]:$((github_chunk_size + github_remainder))}"
     fi
     ;;
   github_second_controller)
-    printf '%s\n' "${all_tests}" | grep -iP 'GithubSecond' | grep -ivP 'Concurrency|Flaky'
+    printf '%s\n' "${all_tests}" | grep -iP 'GithubGHE' | grep -ivP 'Concurrency'
+    ;;
+  github_ghe)
+    printf '%s\n' "${all_tests}" | grep -iP 'GithubGHE' | grep -ivP 'Concurrency'
     ;;
   gitlab_bitbucket)
     printf '%s\n' "${all_tests}" | grep -iP 'Gitlab|Bitbucket' | grep -ivP 'Concurrency'
@@ -144,7 +162,8 @@ get_tests() {
     ;;
   *)
     echo "Invalid target: ${target}"
-    echo "supported targets: github_1, github_2, github_second_controller, gitlab_bitbucket, gitea_1, gitea_2, gitea_3, concurrency, flaky"
+    echo "supported targets: github_public, github_ghe, gitlab_bitbucket, gitea_1, gitea_2, gitea_3, concurrency, flaky"
+    echo "backward compat aliases: github_1, github_2, github_second_controller"
     ;;
   esac
 }
@@ -157,6 +176,11 @@ run_e2e_tests() {
   mapfile -t tests < <(get_tests "${target}")
   echo "About to run ${#tests[@]} tests: ${tests[*]}"
 
+  if [[ ${#tests[@]} -eq 0 || (-z "${tests[0]}" && ${#tests[@]} -eq 1) ]]; then
+    echo "No tests to run for target '${target}', exiting successfully."
+    return 0
+  fi
+
   mkdir -p /tmp/logs
 
   # shellcheck disable=SC2001
@@ -284,7 +308,7 @@ output_logs)
   ;;
 print_tests)
   set +x
-  for target in github_1 github_2 github_second_controller gitlab_bitbucket gitea_1 gitea_2 gitea_3 concurrency flaky; do
+  for target in github_public github_ghe gitlab_bitbucket gitea_1 gitea_2 gitea_3 concurrency flaky; do
     mapfile -t tests < <(get_tests "${target}")
     echo "Tests for target: ${target} Total: ${#tests[@]}"
     printf '%s\n' "${tests[@]}"

pkg/apis/pipelinesascode/v1alpha1/types.go

@@ -170,8 +170,9 @@ type GitlabSettings struct {
 	// CommentStrategy defines how GitLab comments are handled for pipeline results.
 	// Options:
 	// - 'disable_all': Disables all comments on merge requests
+	// - 'update': Updates a single comment per PipelineRun on every trigger.
 	// +optional
-	// +kubebuilder:validation:Enum="";disable_all
+	// +kubebuilder:validation:Enum="";disable_all;update
 	CommentStrategy string `json:"comment_strategy,omitempty"`
 }
 

pkg/cmd/tknpac/cel/cel.go

@@ -81,8 +81,10 @@ func printBanner(ioStreams *cli.IOStreams, provider, bodyFile, headersFile strin
 
 	fmt.Fprintf(ioStreams.Out, "%s %s\n", cs.Yellow("⚠"), cs.Bold("Important Notice"))
 	fmt.Fprint(ioStreams.Out, "\n")
-	fmt.Fprintf(ioStreams.Out, "This tool provides an interactive environment for testing CEL expressions.\n")
-	fmt.Fprintf(ioStreams.Out, "However, please note the following important differences:\n")
+	fmt.Fprintf(ioStreams.Out, "This is a %s feature for testing CEL expressions.\n", cs.Yellow("tech preview"))
+	fmt.Fprintf(ioStreams.Out, "%s\n", cs.Bold("The evaluator may not always produce the same output as in actual PipelineRuns."))
+	fmt.Fprint(ioStreams.Out, "\n")
+	fmt.Fprintf(ioStreams.Out, "Please note the following important differences:\n")
 	fmt.Fprint(ioStreams.Out, "\n")
 
 	differences := []string{

pkg/matcher/annotation_matcher.go

@@ -298,10 +298,26 @@ func MatchPipelinerunByAnnotation(ctx context.Context, logger *zap.SugaredLogger
 			if err != nil {
 				logger.Errorf("there was an error evaluating the CEL expression, skipping: %v", err)
 				if checkIfCELEvaluateError(err) {
-					celValidationErrors = append(celValidationErrors, &pacerrors.PacYamlValidations{
-						Name: prName,
-						Err:  fmt.Errorf("CEL expression evaluation error: %s", sanitizeErrorAsMarkdown(err)),
-					})
+					if provider.IsCommentStrategyUpdate(repo) {
+						// Using the same logic for getting OriginalPipelineRun as the one used for setting
+						// the annotation which is used in the provider's "update" comment strategy.
+						originPipelineRunName := prun.GetName()
+						if originPipelineRunName == "" && prun.GenerateName != "" {
+							originPipelineRunName = prun.GetGenerateName()
+						}
+
+						if reportErrors {
+							reportCELValidationErrors(ctx, repo, []*pacerrors.PacYamlValidations{{
+								Name: originPipelineRunName,
+								Err:  fmt.Errorf("CEL expression evaluation error: %s", sanitizeErrorAsMarkdown(err)),
+							}}, eventEmitter, vcx, event, fmt.Sprintf(provider.PlrStatusCommentPrefixTemplate, originPipelineRunName))
+						}
+					} else {
+						celValidationErrors = append(celValidationErrors, &pacerrors.PacYamlValidations{
+							Name: prName,
+							Err:  fmt.Errorf("CEL expression evaluation error: %s", sanitizeErrorAsMarkdown(err)),
+						})
+					}
 				}
 				continue
 			}
@@ -395,7 +411,7 @@ func MatchPipelinerunByAnnotation(ctx context.Context, logger *zap.SugaredLogger
 
 	if len(celValidationErrors) > 0 && reportErrors {
 		logger.Debugf("MatchPipelinerunByAnnotation: reporting %d CEL validation errors", len(celValidationErrors))
-		reportCELValidationErrors(ctx, repo, celValidationErrors, eventEmitter, vcx, event)
+		reportCELValidationErrors(ctx, repo, celValidationErrors, eventEmitter, vcx, event, "")
 	}
 
 	if len(matchedPRs) > 0 {

pkg/matcher/errors.go

@@ -38,17 +38,30 @@ func checkIfCELEvaluateError(err error) bool {
 	return false
 }
 
-func reportCELValidationErrors(ctx context.Context, repo *apipac.Repository, validationErrors []*pacerrors.PacYamlValidations, eventEmitter *events.EventEmitter, vcx provider.Interface, event *info.Event) {
+func reportCELValidationErrors(ctx context.Context, repo *apipac.Repository, validationErrors []*pacerrors.PacYamlValidations, eventEmitter *events.EventEmitter, vcx provider.Interface, event *info.Event, prefix string) {
 	errorRows := make([]string, 0, len(validationErrors))
 	for _, err := range validationErrors {
 		errorRows = append(errorRows, fmt.Sprintf("| %s | `%s` |", err.Name, err.Err.Error()))
 	}
 	if len(errorRows) == 0 {
 		return
 	}
-	markdownErrMessage := fmt.Sprintf(`%s
+
+	var err error
+
+	// The prefix is used for a single comment "update" strategy where the same comment is updated
+	// with the celValidationError and the PipelineRun status for any subsequent or prior "runs".
+	if prefix != "" {
+		markdownErrMessage := fmt.Sprintf(`%s
+%s
+%s`, prefix, provider.ValidationErrorTemplate, strings.Join(errorRows, "\n"))
+		err = vcx.CreateComment(ctx, event, markdownErrMessage, prefix)
+	} else {
+		markdownErrMessage := fmt.Sprintf(`%s
 %s`, provider.ValidationErrorTemplate, strings.Join(errorRows, "\n"))
-	if err := vcx.CreateComment(ctx, event, markdownErrMessage, provider.ValidationErrorTemplate); err != nil {
+		err = vcx.CreateComment(ctx, event, markdownErrMessage, provider.ValidationErrorTemplate)
+	}
+	if err != nil {
 		eventEmitter.EmitMessage(repo, zap.ErrorLevel, "PipelineRunCommentCreationError",
 			fmt.Sprintf("failed to create comment: %s", err.Error()))
 	}