feat: Support arbitrary CEL expressions with cel: prefix

Introduced the `cel:` prefix to allow evaluating complex Common
Expression Language (CEL) expressions within PipelineRun templates.
Enabled access to the `body`, `headers`, `files`, or `pac` namespaces
to facilitate advanced logic like ternary operations, safe field
access with `has()`, or collection processing. Ensured expressions
return an empty string upon evaluation or syntax errors to prevent
pipeline disruptions. Added comprehensive documentation, unit tests,
plus integration tests for various use cases.

E2E Tests was added for Gitea, GitHub and GitLab to validate the
feature.

Jira: https://issues.redhat.com/browse/SRVKP-8619
Co-authored-by: Claude <[email protected]>
Signed-off-by: Chmouel Boudjnah <[email protected]>

Author: chmouel

docs/content/docs/guide/authoringprs.md

@@ -187,6 +187,77 @@ for example, this will show the GitHub event type for a GitHub event:
 
 and then you can do the same conditional or access as described above for the `body` keyword.
 
+## Using the cel: prefix for advanced CEL expressions
+
+For more complex CEL expressions that go beyond simple property access, you can
+use the `cel:` prefix. This allows you to write arbitrary CEL expressions with
+access to all available data sources.
+
+The `cel:` prefix provides access to:
+
+- `body` - The full webhook payload
+- `headers` - HTTP request headers
+- `files` - Changed files information (`files.all`, `files.added`, `files.deleted`, `files.modified`, `files.renamed`)
+- `pac` - Standard PAC parameters (`pac.revision`, `pac.target_branch`, `pac.source_branch`, etc.)
+
+### Examples
+
+**Conditional values based on event action:**
+
+```yaml
+params:
+  - name: pr-status
+    value: "{{ cel: body.action == \"opened\" ? \"new-pr\" : \"updated-pr\" }}"
+```
+
+**Environment selection based on target branch:**
+
+```yaml
+params:
+  - name: environment
+    value: "{{ cel: pac.target_branch == \"main\" ? \"production\" : \"staging\" }}"
+```
+
+**Safe field access with has() function:**
+
+Use the `has()` function to safely check if a field exists before accessing it:
+
+```yaml
+params:
+  - name: commit-type
+    value: "{{ cel: has(body.head_commit) && body.head_commit.message.startsWith(\"Merge\") ? \"merge\" : \"regular\" }}"
+```
+
+**Check if Go files were modified:**
+
+```yaml
+params:
+  - name: run-go-tests
+    value: "{{ cel: files.all.exists(f, f.endsWith(\".go\")) ? \"true\" : \"false\" }}"
+```
+
+**String concatenation:**
+
+```yaml
+params:
+  - name: greeting
+    value: "{{ cel: \"Build for \" + pac.repo_name + \" on \" + pac.target_branch }}"
+```
+
+**Count changed files:**
+
+```yaml
+params:
+  - name: file-count
+    value: "{{ cel: files.all.size() }}"
+```
+
+{{< hint info >}}
+If a `cel:` expression has a syntax error or fails to evaluate, it returns an
+empty string. This allows PipelineRuns to continue even if an optional dynamic
+value cannot be computed.
+{{< /hint >}}
+
 ## Using the temporary GitHub APP Token for GitHub API operations
 
 You can use the temporary installation token that is generated by Pipelines as

pkg/templates/templating.go

@@ -27,10 +27,12 @@ var (
 // value.
 //
 // The function first checks if the key in the placeholder has a prefix of
-// "body", "headers", or "files". If it does and both `rawEvent` and `headers`
+// "body", "headers", "files", or "cel:". If it does and both `rawEvent` and `headers`
 // are not nil, it attempts to retrieve the value for the key using the
 // `cel.Value` function and returns the corresponding string
-// representation. If the key does not have any of the mentioned prefixes, the
+// representation. The "cel:" prefix allows evaluating arbitrary CEL expressions
+// with access to body, headers, files, and pac (standard PAC parameters) namespaces.
+// If the key does not have any of the mentioned prefixes, the
 // function checks if the key exists in the `dico` map. If it does, the
 // function replaces the placeholder with the corresponding value from the
 // `dico` map.
@@ -52,10 +54,18 @@ func ReplacePlaceHoldersVariables(template string, dico map[string]string, rawEv
 	return keys.ParamsRe.ReplaceAllStringFunc(template, func(s string) string {
 		parts := keys.ParamsRe.FindStringSubmatch(s)
 		key := strings.TrimSpace(parts[1])
-		if strings.HasPrefix(key, "body") || strings.HasPrefix(key, "headers") || strings.HasPrefix(key, "files") {
+
+		// Check for cel: prefix first - it allows arbitrary CEL expressions
+		isCelExpr := strings.HasPrefix(key, "cel:")
+
+		if strings.HasPrefix(key, "body") || strings.HasPrefix(key, "headers") || strings.HasPrefix(key, "files") || isCelExpr {
 			// Check specific requirements for each prefix
 			canEvaluate := false
+			celExpr := key
 			switch {
+			case isCelExpr:
+				canEvaluate = true
+				celExpr = strings.TrimSpace(strings.TrimPrefix(key, "cel:"))
 			case strings.HasPrefix(key, "body") && rawEvent != nil:
 				canEvaluate = true
 			case strings.HasPrefix(key, "headers") && headers != nil:
@@ -70,8 +80,17 @@ func ReplacePlaceHoldersVariables(template string, dico map[string]string, rawEv
 				for k, v := range headers {
 					headerMap[k] = v[0]
 				}
-				val, err := cel.Value(key, rawEvent, headerMap, map[string]string{}, changedFiles)
+				// For cel: prefix, pass dico as pacParams so pac.* variables are available
+				pacParams := map[string]string{}
+				if isCelExpr {
+					pacParams = dico
+				}
+				val, err := cel.Value(celExpr, rawEvent, headerMap, pacParams, changedFiles)
 				if err != nil {
+					// For cel: prefix, return empty string on error
+					if isCelExpr {
+						return ""
+					}
 					return s
 				}
 				var raw any

pkg/templates/templating_test.go

@@ -286,6 +286,255 @@ func TestReplacePlaceHoldersVariablesJSONOutput(t *testing.T) {
 	}
 }
 
+func TestReplacePlaceHoldersVariablesCelPrefix(t *testing.T) {
+	tests := []struct {
+		name         string
+		template     string
+		expected     string
+		dicto        map[string]string
+		headers      http.Header
+		changedFiles map[string]any
+		rawEvent     any
+	}{
+		{
+			name:         "cel: prefix with simple body access",
+			template:     `result: {{ cel: body.hello }}`,
+			expected:     `result: world`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]string{
+				"hello": "world",
+			},
+		},
+		{
+			name:         "cel: prefix with ternary expression",
+			template:     `status: {{ cel: body.action == "opened" ? "new-pr" : "updated-pr" }}`,
+			expected:     `status: new-pr`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"action": "opened",
+			},
+		},
+		{
+			name:         "cel: prefix with ternary expression - else branch",
+			template:     `status: {{ cel: body.action == "opened" ? "new-pr" : "updated-pr" }}`,
+			expected:     `status: updated-pr`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"action": "synchronize",
+			},
+		},
+		{
+			name:     "cel: prefix with pac namespace access",
+			template: `branch: {{ cel: pac.target_branch }}`,
+			expected: `branch: main`,
+			dicto: map[string]string{
+				"target_branch": "main",
+			},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:     "cel: prefix with pac namespace conditional",
+			template: `env: {{ cel: pac.target_branch == "main" ? "production" : "staging" }}`,
+			expected: `env: production`,
+			dicto: map[string]string{
+				"target_branch": "main",
+			},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:     "cel: prefix with pac namespace - staging branch",
+			template: `env: {{ cel: pac.target_branch == "main" ? "production" : "staging" }}`,
+			expected: `env: staging`,
+			dicto: map[string]string{
+				"target_branch": "develop",
+			},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:         "cel: prefix with has() function",
+			template:     `has_field: {{ cel: has(body.optional_field) ? body.optional_field : "default" }}`,
+			expected:     `has_field: custom_value`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"optional_field": "custom_value",
+			},
+		},
+		{
+			name:         "cel: prefix with has() function - field missing",
+			template:     `has_field: {{ cel: has(body.optional_field) ? body.optional_field : "default" }}`,
+			expected:     `has_field: default`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:     "cel: prefix with files access",
+			template: `go_files: {{ cel: files.all.exists(f, f.endsWith(".go")) ? "yes" : "no" }}`,
+			expected: `go_files: yes`,
+			dicto:    map[string]string{},
+			changedFiles: map[string]any{
+				"all": []string{"main.go", "README.md"},
+			},
+			headers:  http.Header{},
+			rawEvent: map[string]any{},
+		},
+		{
+			name:     "cel: prefix with files access - no go files",
+			template: `go_files: {{ cel: files.all.exists(f, f.endsWith(".go")) ? "yes" : "no" }}`,
+			expected: `go_files: no`,
+			dicto:    map[string]string{},
+			changedFiles: map[string]any{
+				"all": []string{"README.md", "config.yaml"},
+			},
+			headers:  http.Header{},
+			rawEvent: map[string]any{},
+		},
+		{
+			name:         "cel: prefix with headers access",
+			template:     `event: {{ cel: headers["X-GitHub-Event"] }}`,
+			expected:     `event: push`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers: http.Header{
+				"X-GitHub-Event": []string{"push"},
+			},
+			rawEvent: map[string]any{},
+		},
+		{
+			name:         "cel: prefix with boolean result",
+			template:     `is_draft: {{ cel: body.draft == true }}`,
+			expected:     `is_draft: false`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"draft": false,
+			},
+		},
+		{
+			name:         "cel: prefix with invalid expression returns empty string",
+			template:     `invalid: {{ cel: invalid.syntax[ }}`,
+			expected:     `invalid: `,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:         "cel: prefix with evaluation error returns empty string",
+			template:     `error: {{ cel: body.nonexistent.deep.field }}`,
+			expected:     `error: `,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:         "cel: prefix with extra whitespace",
+			template:     `result: {{ cel:    body.hello   }}`,
+			expected:     `result: world`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]string{
+				"hello": "world",
+			},
+		},
+		{
+			name:         "cel: prefix with string concatenation",
+			template:     `greeting: {{ cel: "Hello, " + body.name + "!" }}`,
+			expected:     `greeting: Hello, World!`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"name": "World",
+			},
+		},
+		{
+			name:         "cel: prefix with size function",
+			template:     `count: {{ cel: body.items.size() }}`,
+			expected:     `count: 3`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"items": []string{"a", "b", "c"},
+			},
+		},
+		{
+			name:         "cel: prefix with complex nested conditional (merge commit detection)",
+			template:     `commit_type: {{ cel: has(body.head_commit) && body.head_commit.message.startsWith("Merge") ? "merge" : "regular" }}`,
+			expected:     `commit_type: merge`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"head_commit": map[string]any{
+					"message": "Merge pull request #123",
+				},
+			},
+		},
+		{
+			name:         "cel: prefix with complex nested conditional - regular commit",
+			template:     `commit_type: {{ cel: has(body.head_commit) && body.head_commit.message.startsWith("Merge") ? "merge" : "regular" }}`,
+			expected:     `commit_type: regular`,
+			dicto:        map[string]string{},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent: map[string]any{
+				"head_commit": map[string]any{
+					"message": "Fix bug in parser",
+				},
+			},
+		},
+		{
+			name:     "cel: prefix mixed with regular placeholders",
+			template: `branch: {{ target_branch }}, check: {{ cel: pac.target_branch == "main" ? "prod" : "dev" }}`,
+			expected: `branch: main, check: prod`,
+			dicto: map[string]string{
+				"target_branch": "main",
+			},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     map[string]any{},
+		},
+		{
+			name:         "cel: prefix with nil rawEvent still works",
+			template:     `result: {{ cel: pac.revision }}`,
+			expected:     `result: abc123`,
+			dicto:        map[string]string{"revision": "abc123"},
+			changedFiles: map[string]any{},
+			headers:      http.Header{},
+			rawEvent:     nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := ReplacePlaceHoldersVariables(tt.template, tt.dicto, tt.rawEvent, tt.headers, tt.changedFiles)
+			if d := cmp.Diff(got, tt.expected); d != "" {
+				t.Fatalf("-got, +want: %v", d)
+			}
+		})
+	}
+}
+
 func TestReplacePlaceHoldersVariablesEdgeCases(t *testing.T) {
 	tests := []struct {
 		name         string