feat: Enhance error reporting for webhook processing failures

Introduced a mechanism to extract minimal event information from raw webhook
payloads before full parsing. This information is now used to post a failure
status back to the Git provider and emit a Kubernetes event to the controller
namespace if payload parsing fails.

Additionally, when an incoming webhook does not match an existing Repository CR,
a failure status is now posted to the Git provider, along with a controller
namespace event. This provides earlier and more comprehensive feedback to users
and cluster administrators regarding webhook processing failures or
misconfigurations.

AI-assisted-by: Claude
Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>

Author: chmouel

pkg/adapter/adapter.go

@@ -192,15 +192,19 @@ func (l listener) handleEvent(ctx context.Context) http.HandlerFunc {
 		}
 		gitProvider.SetPacInfo(&pacInfo)
 
+		// Extract minimal info early for error reporting before full parsing
+		minimalInfo := l.extractMinimalInfo(ctx, request, payload, gitProvider)
+
 		s := sinker{
-			run:        l.run,
-			vcx:        gitProvider,
-			kint:       l.kint,
-			event:      l.event,
-			logger:     logger,
-			payload:    payload,
-			pacInfo:    &pacInfo,
-			globalRepo: globalRepo,
+			run:         l.run,
+			vcx:         gitProvider,
+			kint:        l.kint,
+			event:       l.event,
+			logger:      logger,
+			payload:     payload,
+			pacInfo:     &pacInfo,
+			globalRepo:  globalRepo,
+			minimalInfo: minimalInfo,
 		}
 
 		// clone the request to use it further
@@ -289,3 +293,55 @@ func (l listener) writeResponse(response http.ResponseWriter, statusCode int, me
 		l.logger.Errorf("failed to write back sink response: %v", err)
 	}
 }
+
+// extractMinimalInfo extracts minimal event info from the raw payload for error reporting.
+// This is done before full payload parsing so that errors during parsing can still be
+// reported back to the user via the Git provider or controller namespace events.
+// For GitHub Apps, it also generates a token early so we can post status on errors.
+func (l listener) extractMinimalInfo(ctx context.Context, request *http.Request, payload []byte, gitProvider provider.Interface) *provider.MinimalEventInfo {
+	var minimalInfo *provider.MinimalEventInfo
+
+	// Try to extract based on provider type
+	switch request.Header.Get("X-GitHub-Event") {
+	case "":
+		// Not a GitHub event, try other providers
+		if eventType := request.Header.Get("X-Gitea-Event-Type"); eventType != "" {
+			minimalInfo = provider.ExtractMinimalInfoFromGitea(eventType, payload)
+		} else if eventType := request.Header.Get("X-Gitlab-Event"); eventType != "" {
+			minimalInfo = provider.ExtractMinimalInfoFromGitLab(eventType, payload)
+		} else {
+			// Fallback to generic extraction (just URL)
+			minimalInfo = provider.ExtractMinimalInfoGeneric(payload)
+		}
+	default:
+		// GitHub event
+		eventType := request.Header.Get("X-GitHub-Event")
+		gheURL := request.Header.Get("X-GitHub-Enterprise-Host")
+		minimalInfo = provider.ExtractMinimalInfoFromGitHub(eventType, payload, gheURL)
+	}
+
+	if minimalInfo == nil {
+		return nil
+	}
+
+	// For GitHub Apps with installation ID, try to generate token early
+	// This allows us to post status even if full parsing fails later
+	if minimalInfo.InstallationID > 0 {
+		if ghProvider, ok := gitProvider.(*github.Provider); ok {
+			token, err := ghProvider.GetAppToken(
+				ctx,
+				l.run.Clients.Kube,
+				minimalInfo.GHEURL,
+				minimalInfo.InstallationID,
+				l.run.Info.Kube.Namespace,
+			)
+			if err != nil {
+				l.logger.Warnf("failed to get GitHub App token for early error reporting: %v", err)
+			} else {
+				minimalInfo.Token = token
+			}
+		}
+	}
+
+	return minimalInfo
+}

pkg/adapter/sinker.go

@@ -3,9 +3,11 @@ package adapter
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"net/http"
 
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/v1alpha1"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/events"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/kubeinteraction"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/info"
@@ -15,21 +17,24 @@ import (
 )
 
 type sinker struct {
-	run        *params.Run
-	vcx        provider.Interface
-	kint       kubeinteraction.Interface
-	event      *info.Event
-	logger     *zap.SugaredLogger
-	payload    []byte
-	pacInfo    *info.PacOpts
-	globalRepo *v1alpha1.Repository
+	run         *params.Run
+	vcx         provider.Interface
+	kint        kubeinteraction.Interface
+	event       *info.Event
+	logger      *zap.SugaredLogger
+	payload     []byte
+	pacInfo     *info.PacOpts
+	globalRepo  *v1alpha1.Repository
+	minimalInfo *provider.MinimalEventInfo
 }
 
 func (s *sinker) processEventPayload(ctx context.Context, request *http.Request) error {
 	var err error
 	s.event, err = s.vcx.ParsePayload(ctx, s.run, request, string(s.payload))
 	if err != nil {
 		s.logger.Errorf("failed to parse event: %v", err)
+		// Report the parse error to the user via Git provider or controller events
+		s.reportParseError(ctx, err)
 		return err
 	}
 
@@ -74,3 +79,53 @@ func (s *sinker) processEvent(ctx context.Context, request *http.Request) error
 	p := pipelineascode.NewPacs(s.event, s.vcx, s.run, s.pacInfo, s.kint, s.logger, s.globalRepo)
 	return p.Run(ctx)
 }
+
+// reportParseError reports a payload parsing error to the user.
+// It attempts to post a status to the Git provider if we have enough info (token, SHA, org, repo).
+// It also emits a Kubernetes event to the controller namespace for visibility.
+func (s *sinker) reportParseError(ctx context.Context, parseErr error) {
+	if s.minimalInfo == nil {
+		// No minimal info available, just emit to controller namespace
+		emitter := events.NewEventEmitter(s.run.Clients.Kube, s.logger)
+		emitter.SetControllerNamespace(s.run.Info.Kube.Namespace)
+		emitter.EmitControllerEvent("PayloadParseError", parseErr.Error(), "", "")
+		return
+	}
+
+	// Try to post status to Git provider if we have a token and SHA
+	// Note: For GitLab, Organization contains the full path (org/repo) and Repository is empty
+	// For other providers, both Organization and Repository are populated
+	if s.minimalInfo.Token != "" && s.minimalInfo.SHA != "" &&
+		(s.minimalInfo.Organization != "" || s.minimalInfo.Repository != "") {
+		// Create a minimal event for CreateStatus
+		event := &info.Event{
+			Organization: s.minimalInfo.Organization,
+			Repository:   s.minimalInfo.Repository,
+			SHA:          s.minimalInfo.SHA,
+			URL:          s.minimalInfo.URL,
+			EventType:    s.minimalInfo.EventType,
+			Provider: &info.Provider{
+				Token: s.minimalInfo.Token,
+				URL:   s.minimalInfo.GHEURL,
+			},
+		}
+
+		status := provider.StatusOpts{
+			Status:     "completed",
+			Conclusion: "failure",
+			Title:      "Webhook Processing Error",
+			Text:       fmt.Sprintf("Failed to process webhook payload: %v", parseErr),
+		}
+
+		if err := s.vcx.CreateStatus(ctx, event, status); err != nil {
+			s.logger.Warnf("failed to create status for parse error: %v", err)
+		} else {
+			s.logger.Info("posted error status to Git provider for payload parse error")
+		}
+	}
+
+	// Also emit to controller namespace for visibility
+	emitter := events.NewEventEmitter(s.run.Clients.Kube, s.logger)
+	emitter.SetControllerNamespace(s.run.Info.Kube.Namespace)
+	emitter.EmitControllerEvent("PayloadParseError", parseErr.Error(), s.minimalInfo.URL, s.minimalInfo.SHA)
+}

pkg/events/emit.go

@@ -22,14 +22,76 @@ func NewEventEmitter(client kubernetes.Interface, logger *zap.SugaredLogger) *Ev
 }
 
 type EventEmitter struct {
-	client kubernetes.Interface
-	logger *zap.SugaredLogger
+	client              kubernetes.Interface
+	logger              *zap.SugaredLogger
+	controllerNamespace string
 }
 
 func (e *EventEmitter) SetLogger(logger *zap.SugaredLogger) {
 	e.logger = logger
 }
 
+// SetControllerNamespace sets the controller namespace for emitting events
+// when no Repository CR is available.
+func (e *EventEmitter) SetControllerNamespace(ns string) {
+	e.controllerNamespace = ns
+}
+
+// EmitControllerEvent emits a Kubernetes event in the controller namespace
+// when no Repository CR is available (e.g., before repo matching or on parse errors).
+// This allows visibility into webhook processing errors even without a matched repository.
+func (e *EventEmitter) EmitControllerEvent(reason, message, sourceURL, sha string) {
+	// Always log the message
+	if e.logger != nil {
+		e.logger.Warnf("%s: %s", reason, message)
+	}
+
+	// Create K8s event in controller namespace if possible
+	if e.client == nil || e.controllerNamespace == "" {
+		return
+	}
+
+	annotations := map[string]string{
+		keys.ControllerInfo: "true",
+	}
+	if sourceURL != "" {
+		annotations[keys.SourceRepoURL] = sourceURL
+	}
+	if sha != "" {
+		annotations[keys.SHA] = sha
+	}
+
+	event := &v1.Event{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "pac-webhook-",
+			Namespace:    e.controllerNamespace,
+			Labels: map[string]string{
+				"pipelinesascode.tekton.dev/event-type": "webhook-error",
+			},
+			Annotations: annotations,
+		},
+		Message: message,
+		Reason:  reason,
+		Type:    v1.EventTypeWarning,
+		// InvolvedObject references a generic resource in the controller namespace
+		// since we don't have a specific Repository CR to reference
+		InvolvedObject: v1.ObjectReference{
+			APIVersion: "v1",
+			Kind:       "Namespace",
+			Name:       e.controllerNamespace,
+		},
+		Source: v1.EventSource{
+			Component: "Pipelines As Code",
+		},
+	}
+
+	if _, err := e.client.CoreV1().Events(e.controllerNamespace).Create(context.Background(), event, metav1.CreateOptions{}); err != nil {
+		if e.logger != nil {
+			e.logger.Infof("Cannot create controller event: %s", err.Error())
+		}
+	}
+}
+
 func (e *EventEmitter) EmitMessage(repo *v1alpha1.Repository, loggerLevel zapcore.Level, reason, message string) {
 	if repo != nil && e.client != nil {
 		event := makeEvent(repo, loggerLevel, reason, message)

pkg/pipelineascode/match.go

@@ -54,7 +54,25 @@ func (p *PacRun) verifyRepoAndUser(ctx context.Context) (*v1alpha1.Repository, e
 
 	if repo == nil {
 		msg := fmt.Sprintf("cannot find a repository match for %s", p.event.URL)
-		p.eventEmitter.EmitMessage(nil, zap.WarnLevel, "RepositoryNamespaceMatch", msg)
+
+		// Try to post status to Git provider if we have a token and SHA
+		// This gives users visibility even when no Repository CR is configured
+		if p.event.Provider != nil && p.event.Provider.Token != "" && p.event.SHA != "" {
+			status := provider.StatusOpts{
+				Status:     "completed",
+				Conclusion: "failure",
+				Title:      "Repository Not Configured",
+				Text:       fmt.Sprintf("No Pipelines-as-Code Repository CR found matching URL: %s. Please create a Repository CR to enable CI.", p.event.URL),
+			}
+			if err := p.vcx.CreateStatus(ctx, p.event, status); err != nil {
+				p.logger.Warnf("failed to create status for no repo match: %v", err)
+			} else {
+				p.logger.Info("posted error status to Git provider for no repository match")
+			}
+		}
+
+		// Also emit to controller namespace for cluster-level visibility
+		p.eventEmitter.EmitControllerEvent("RepositoryNamespaceMatch", msg, p.event.URL, p.event.SHA)
 		return nil, nil
 	}
 

pkg/pipelineascode/pipelineascode.go

@@ -48,9 +48,13 @@ type PacRun struct {
 }
 
 func NewPacs(event *info.Event, vcx provider.Interface, run *params.Run, pacInfo *info.PacOpts, k8int kubeinteraction.Interface, logger *zap.SugaredLogger, globalRepo *v1alpha1.Repository) PacRun {
+	emitter := events.NewEventEmitter(run.Clients.Kube, logger)
+	if run.Info.Kube != nil && run.Info.Kube.Namespace != "" {
+		emitter.SetControllerNamespace(run.Info.Kube.Namespace)
+	}
 	return PacRun{
 		event: event, run: run, vcx: vcx, k8int: k8int, pacInfo: pacInfo, logger: logger, globalRepo: globalRepo,
-		eventEmitter: events.NewEventEmitter(run.Clients.Kube, logger),
+		eventEmitter: emitter,
 		manager:      NewConcurrencyManager(),
 	}
 }

pkg/pipelineascode/pipelineascode_test.go

@@ -377,7 +377,7 @@ func TestRun(t *testing.T) {
 			finalStatusText: "directory for this repository",
 		},
 		{
-			name: "Skipped/Test no repositories match",
+			name: "Error/Test no repositories match",
 			runevent: info.Event{
 				SHA:           "principale",
 				Organization:  "organizationes",
@@ -390,8 +390,8 @@ func TestRun(t *testing.T) {
 				TriggerTarget: "pull_request",
 			},
 			tektondir:       "",
-			finalStatus:     "skipped",
-			finalStatusText: "not find a namespace match",
+			finalStatus:     "failure",
+			finalStatusText: "No Pipelines-as-Code Repository CR found matching URL",
 			repositories: []*v1alpha1.Repository{
 				testnewrepo.NewRepo(
 					testnewrepo.RepoTestcreationOpts{