Fix update credentials

We forgot to account for gitea credentials when updating an entity.

This change makes sure we look for credentials in the appropriate table.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>

Author: gabriel-samfira

database/sql/enterprise.go

@@ -174,10 +174,9 @@ func (s *sqlDatabase) UpdateEnterprise(ctx context.Context, enterpriseID string,
 		}
 	}()
 	var enterprise Enterprise
-	var creds GithubCredentials
 	err = s.conn.Transaction(func(tx *gorm.DB) error {
 		var err error
-		enterprise, err = s.getEnterpriseByID(ctx, tx, enterpriseID)
+		enterprise, err = s.getEnterpriseByID(ctx, tx, enterpriseID, "Endpoint")
 		if err != nil {
 			return fmt.Errorf("error fetching enterprise: %w", err)
 		}
@@ -186,19 +185,8 @@ func (s *sqlDatabase) UpdateEnterprise(ctx context.Context, enterpriseID string,
 			return fmt.Errorf("error enterprise has no endpoint: %w", runnerErrors.ErrUnprocessable)
 		}
 
-		if param.CredentialsName != "" {
-			creds, err = s.getGithubCredentialsByName(ctx, tx, param.CredentialsName, false)
-			if err != nil {
-				return fmt.Errorf("error fetching credentials: %w", err)
-			}
-			if creds.EndpointName == nil {
-				return fmt.Errorf("error credentials have no endpoint: %w", runnerErrors.ErrUnprocessable)
-			}
-
-			if *creds.EndpointName != *enterprise.EndpointName {
-				return fmt.Errorf("error endpoint mismatch: %w", runnerErrors.ErrBadRequest)
-			}
-			enterprise.CredentialsID = &creds.ID
+		if err := s.updateEntityCredentials(ctx, tx, &enterprise, param.CredentialsName); err != nil {
+			return err
 		}
 		if param.WebhookSecret != "" {
 			secret, err := util.Seal([]byte(param.WebhookSecret), []byte(s.cfg.Passphrase))
@@ -216,7 +204,7 @@ func (s *sqlDatabase) UpdateEnterprise(ctx context.Context, enterpriseID string,
 			enterprise.AgentMode = *param.AgentMode
 		}
 
-		q := tx.Save(&enterprise)
+		q := tx.Model(&enterprise).Omit("Endpoint").Save(&enterprise)
 		if q.Error != nil {
 			return fmt.Errorf("error saving enterprise: %w", q.Error)
 		}

database/sql/enterprise_test.go

@@ -419,15 +419,22 @@ func (s *EnterpriseTestSuite) TestUpdateEnterpriseDBEncryptErr() {
 		WithArgs(s.Fixtures.Enterprises[0].ID, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.Fixtures.Enterprises[0].ID, s.Fixtures.Enterprises[0].Endpoint.Name))
+	// Expect Endpoint preload for enterprise
+	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
+		WithArgs(s.Fixtures.Enterprises[0].Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.Fixtures.Enterprises[0].Endpoint.Name, s.Fixtures.Enterprises[0].Endpoint.EndpointType))
+	// Expect credentials fetch
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_credentials` WHERE user_id = ? AND name = ? AND `github_credentials`.`deleted_at` IS NULL ORDER BY `github_credentials`.`id` LIMIT ?")).
 		WithArgs(s.adminUserID, s.secondaryTestCreds.Name, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.secondaryTestCreds.ID, s.secondaryTestCreds.Endpoint.Name))
+	// Expect Endpoint preload for credentials
 	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
-		WithArgs(s.testCreds.Endpoint.Name).
-		WillReturnRows(sqlmock.NewRows([]string{"name"}).
-			AddRow(s.secondaryTestCreds.Endpoint.Name))
+		WithArgs(s.secondaryTestCreds.Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.secondaryTestCreds.Endpoint.Name, s.secondaryTestCreds.Endpoint.EndpointType))
 	s.Fixtures.SQLMock.ExpectRollback()
 
 	_, err := s.StoreSQLMocked.UpdateEnterprise(s.adminCtx, s.Fixtures.Enterprises[0].ID, s.Fixtures.UpdateRepoParams)
@@ -444,15 +451,22 @@ func (s *EnterpriseTestSuite) TestUpdateEnterpriseDBSaveErr() {
 		WithArgs(s.Fixtures.Enterprises[0].ID, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.Fixtures.Enterprises[0].ID, s.Fixtures.Enterprises[0].Endpoint.Name))
+	// Expect Endpoint preload for enterprise
+	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
+		WithArgs(s.Fixtures.Enterprises[0].Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.Fixtures.Enterprises[0].Endpoint.Name, s.Fixtures.Enterprises[0].Endpoint.EndpointType))
+	// Expect credentials fetch
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_credentials` WHERE user_id = ? AND name = ? AND `github_credentials`.`deleted_at` IS NULL ORDER BY `github_credentials`.`id` LIMIT ?")).
 		WithArgs(s.adminUserID, s.secondaryTestCreds.Name, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.secondaryTestCreds.ID, s.secondaryTestCreds.Endpoint.Name))
+	// Expect Endpoint preload for credentials
 	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
-		WithArgs(s.testCreds.Endpoint.Name).
-		WillReturnRows(sqlmock.NewRows([]string{"name"}).
-			AddRow(s.secondaryTestCreds.Endpoint.Name))
+		WithArgs(s.secondaryTestCreds.Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.secondaryTestCreds.Endpoint.Name, s.secondaryTestCreds.Endpoint.EndpointType))
 	s.Fixtures.SQLMock.
 		ExpectExec(("UPDATE `enterprises` SET")).
 		WillReturnError(fmt.Errorf("saving enterprise mock error"))
@@ -475,15 +489,22 @@ func (s *EnterpriseTestSuite) TestUpdateEnterpriseDBDecryptingErr() {
 		WithArgs(s.Fixtures.Enterprises[0].ID, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.Fixtures.Enterprises[0].ID, s.Fixtures.Enterprises[0].Endpoint.Name))
+	// Expect Endpoint preload for enterprise
+	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
+		WithArgs(s.Fixtures.Enterprises[0].Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.Fixtures.Enterprises[0].Endpoint.Name, s.Fixtures.Enterprises[0].Endpoint.EndpointType))
+	// Expect credentials fetch
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_credentials` WHERE user_id = ? AND name = ? AND `github_credentials`.`deleted_at` IS NULL ORDER BY `github_credentials`.`id` LIMIT ?")).
 		WithArgs(s.adminUserID, s.secondaryTestCreds.Name, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.secondaryTestCreds.ID, s.secondaryTestCreds.Endpoint.Name))
+	// Expect Endpoint preload for credentials
 	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
-		WithArgs(s.testCreds.Endpoint.Name).
-		WillReturnRows(sqlmock.NewRows([]string{"name"}).
-			AddRow(s.secondaryTestCreds.Endpoint.Name))
+		WithArgs(s.secondaryTestCreds.Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.secondaryTestCreds.Endpoint.Name, s.secondaryTestCreds.Endpoint.EndpointType))
 	s.Fixtures.SQLMock.ExpectRollback()
 
 	_, err := s.StoreSQLMocked.UpdateEnterprise(s.adminCtx, s.Fixtures.Enterprises[0].ID, s.Fixtures.UpdateRepoParams)

database/sql/models.go

@@ -22,6 +22,7 @@ import (
 	"gorm.io/datatypes"
 	"gorm.io/gorm"
 
+	runnerErrors "github.com/cloudbase/garm-provider-common/errors"
 	commonParams "github.com/cloudbase/garm-provider-common/params"
 	"github.com/cloudbase/garm/params"
 )
@@ -483,6 +484,14 @@ type GithubCredentials struct {
 	Enterprises   []Enterprise   `gorm:"foreignKey:CredentialsID"`
 }
 
+func (g GithubCredentials) GetEndpointName() *string {
+	return g.EndpointName
+}
+
+func (g GithubCredentials) GetID() uint {
+	return g.ID
+}
+
 type GiteaCredentials struct {
 	gorm.Model
 
@@ -501,6 +510,80 @@ type GiteaCredentials struct {
 	Organizations []Organization `gorm:"foreignKey:GiteaCredentialsID"`
 }
 
+func (g GiteaCredentials) GetEndpointName() *string {
+	return g.EndpointName
+}
+
+func (g GiteaCredentials) GetID() uint {
+	return g.ID
+}
+
+// ForgeEntity represents an entity (Repository, Organization, Enterprise) that can have forge credentials
+type ForgeEntity interface {
+	GetEndpoint() GithubEndpoint
+	GetEndpointName() *string
+	SetCredentials(id uint) error
+}
+
+// Repository implements ForgeEntity
+func (r *Repository) GetEndpoint() GithubEndpoint {
+	return r.Endpoint
+}
+
+func (r *Repository) GetEndpointName() *string {
+	return r.EndpointName
+}
+
+func (r *Repository) SetCredentials(id uint) error {
+	switch r.Endpoint.EndpointType {
+	case params.GithubEndpointType:
+		r.CredentialsID = &id
+	case params.GiteaEndpointType:
+		r.GiteaCredentialsID = &id
+	default:
+		return runnerErrors.NewBadRequestError("unsupported endpoint type: %s", r.Endpoint.EndpointType)
+	}
+	return nil
+}
+
+// Organization implements ForgeEntity
+func (o *Organization) GetEndpoint() GithubEndpoint {
+	return o.Endpoint
+}
+
+func (o *Organization) GetEndpointName() *string {
+	return o.EndpointName
+}
+
+func (o *Organization) SetCredentials(id uint) error {
+	switch o.Endpoint.EndpointType {
+	case params.GithubEndpointType:
+		o.CredentialsID = &id
+	case params.GiteaEndpointType:
+		o.GiteaCredentialsID = &id
+	default:
+		return runnerErrors.NewBadRequestError("unsupported endpoint type: %s", o.Endpoint.EndpointType)
+	}
+	return nil
+}
+
+// Enterprise implements ForgeEntity
+func (e *Enterprise) GetEndpoint() GithubEndpoint {
+	return e.Endpoint
+}
+
+func (e *Enterprise) GetEndpointName() *string {
+	return e.EndpointName
+}
+
+func (e *Enterprise) SetCredentials(id uint) error {
+	if e.Endpoint.EndpointType != params.GithubEndpointType {
+		return runnerErrors.NewBadRequestError("enterprise only supports GitHub credentials")
+	}
+	e.CredentialsID = &id
+	return nil
+}
+
 // FileObject represents the table that holds files. This can be used to store
 // GARM agent binaries, runner binary downloads that may be cached, etc.
 type FileObject struct {

database/sql/organizations.go

@@ -158,30 +158,18 @@ func (s *sqlDatabase) UpdateOrganization(ctx context.Context, orgID string, para
 		}
 	}()
 	var org Organization
-	var creds GithubCredentials
 	err = s.conn.Transaction(func(tx *gorm.DB) error {
 		var err error
-		org, err = s.getOrgByID(ctx, tx, orgID)
+		org, err = s.getOrgByID(ctx, tx, orgID, "Endpoint")
 		if err != nil {
 			return fmt.Errorf("error fetching org: %w", err)
 		}
 		if org.EndpointName == nil {
 			return fmt.Errorf("error org has no endpoint: %w", runnerErrors.ErrUnprocessable)
 		}
 
-		if param.CredentialsName != "" {
-			creds, err = s.getGithubCredentialsByName(ctx, tx, param.CredentialsName, false)
-			if err != nil {
-				return fmt.Errorf("error fetching credentials: %w", err)
-			}
-			if creds.EndpointName == nil {
-				return fmt.Errorf("error credentials have no endpoint: %w", runnerErrors.ErrUnprocessable)
-			}
-
-			if *creds.EndpointName != *org.EndpointName {
-				return fmt.Errorf("error endpoint mismatch: %w", runnerErrors.ErrBadRequest)
-			}
-			org.CredentialsID = &creds.ID
+		if err := s.updateEntityCredentials(ctx, tx, &org, param.CredentialsName); err != nil {
+			return err
 		}
 
 		if param.WebhookSecret != "" {
@@ -200,7 +188,7 @@ func (s *sqlDatabase) UpdateOrganization(ctx context.Context, orgID string, para
 			org.AgentMode = *param.AgentMode
 		}
 
-		q := tx.Save(&org)
+		q := tx.Model(&org).Omit("Endpoint").Save(&org)
 		if q.Error != nil {
 			return fmt.Errorf("error saving org: %w", q.Error)
 		}

database/sql/organizations_test.go

@@ -485,15 +485,22 @@ func (s *OrgTestSuite) TestUpdateOrganizationDBEncryptErr() {
 		WithArgs(s.Fixtures.Orgs[0].ID, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.Fixtures.Orgs[0].ID, s.Fixtures.Orgs[0].Endpoint.Name))
+	// Expect Endpoint preload for organization
+	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
+		WithArgs(s.Fixtures.Orgs[0].Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.Fixtures.Orgs[0].Endpoint.Name, s.Fixtures.Orgs[0].Endpoint.EndpointType))
+	// Expect credentials fetch
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_credentials` WHERE user_id = ? AND name = ? AND `github_credentials`.`deleted_at` IS NULL ORDER BY `github_credentials`.`id` LIMIT ?")).
 		WithArgs(s.adminUserID, s.secondaryTestCreds.Name, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.secondaryTestCreds.ID, s.secondaryTestCreds.Endpoint.Name))
+	// Expect Endpoint preload for credentials
 	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
-		WithArgs(s.testCreds.Endpoint.Name).
-		WillReturnRows(sqlmock.NewRows([]string{"name"}).
-			AddRow(s.secondaryTestCreds.Endpoint.Name))
+		WithArgs(s.secondaryTestCreds.Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.secondaryTestCreds.Endpoint.Name, s.secondaryTestCreds.Endpoint.EndpointType))
 	s.Fixtures.SQLMock.ExpectRollback()
 
 	_, err := s.StoreSQLMocked.UpdateOrganization(s.adminCtx, s.Fixtures.Orgs[0].ID, s.Fixtures.UpdateRepoParams)
@@ -510,15 +517,22 @@ func (s *OrgTestSuite) TestUpdateOrganizationDBSaveErr() {
 		WithArgs(s.Fixtures.Orgs[0].ID, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.Fixtures.Orgs[0].ID, s.Fixtures.Orgs[0].Endpoint.Name))
+	// Expect Endpoint preload for organization
+	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
+		WithArgs(s.Fixtures.Orgs[0].Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.Fixtures.Orgs[0].Endpoint.Name, s.Fixtures.Orgs[0].Endpoint.EndpointType))
+	// Expect credentials fetch
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_credentials` WHERE user_id = ? AND name = ? AND `github_credentials`.`deleted_at` IS NULL ORDER BY `github_credentials`.`id` LIMIT ?")).
 		WithArgs(s.adminUserID, s.secondaryTestCreds.Name, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.secondaryTestCreds.ID, s.secondaryTestCreds.Endpoint.Name))
+	// Expect Endpoint preload for credentials
 	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
-		WithArgs(s.testCreds.Endpoint.Name).
-		WillReturnRows(sqlmock.NewRows([]string{"name"}).
-			AddRow(s.secondaryTestCreds.Endpoint.Name))
+		WithArgs(s.secondaryTestCreds.Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.secondaryTestCreds.Endpoint.Name, s.secondaryTestCreds.Endpoint.EndpointType))
 	s.Fixtures.SQLMock.
 		ExpectExec(("UPDATE `organizations` SET")).
 		WillReturnError(fmt.Errorf("saving org mock error"))
@@ -539,17 +553,24 @@ func (s *OrgTestSuite) TestUpdateOrganizationDBDecryptingErr() {
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `organizations` WHERE id = ? AND `organizations`.`deleted_at` IS NULL ORDER BY `organizations`.`id` LIMIT ?")).
 		WithArgs(s.Fixtures.Orgs[0].ID, 1).
-		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
-			AddRow(s.Fixtures.Orgs[0].ID, s.Fixtures.Orgs[0].Endpoint.Name))
+		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name", "webhook_secret"}).
+			AddRow(s.Fixtures.Orgs[0].ID, s.Fixtures.Orgs[0].Endpoint.Name, s.Fixtures.Orgs[0].WebhookSecret))
+	// Expect Endpoint preload for organization
+	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
+		WithArgs(s.Fixtures.Orgs[0].Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.Fixtures.Orgs[0].Endpoint.Name, s.Fixtures.Orgs[0].Endpoint.EndpointType))
+	// Expect credentials fetch
 	s.Fixtures.SQLMock.
 		ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_credentials` WHERE user_id = ? AND name = ? AND `github_credentials`.`deleted_at` IS NULL ORDER BY `github_credentials`.`id` LIMIT ?")).
 		WithArgs(s.adminUserID, s.secondaryTestCreds.Name, 1).
 		WillReturnRows(sqlmock.NewRows([]string{"id", "endpoint_name"}).
 			AddRow(s.secondaryTestCreds.ID, s.secondaryTestCreds.Endpoint.Name))
+	// Expect Endpoint preload for credentials
 	s.Fixtures.SQLMock.ExpectQuery(regexp.QuoteMeta("SELECT * FROM `github_endpoints` WHERE `github_endpoints`.`name` = ? AND `github_endpoints`.`deleted_at` IS NULL")).
-		WithArgs(s.testCreds.Endpoint.Name).
-		WillReturnRows(sqlmock.NewRows([]string{"name"}).
-			AddRow(s.secondaryTestCreds.Endpoint.Name))
+		WithArgs(s.secondaryTestCreds.Endpoint.Name).
+		WillReturnRows(sqlmock.NewRows([]string{"name", "endpoint_type"}).
+			AddRow(s.secondaryTestCreds.Endpoint.Name, s.secondaryTestCreds.Endpoint.EndpointType))
 	s.Fixtures.SQLMock.ExpectRollback()
 
 	_, err := s.StoreSQLMocked.UpdateOrganization(s.adminCtx, s.Fixtures.Orgs[0].ID, s.Fixtures.UpdateRepoParams)

database/sql/repositories.go

@@ -160,30 +160,18 @@ func (s *sqlDatabase) UpdateRepository(ctx context.Context, repoID string, param
 		}
 	}()
 	var repo Repository
-	var creds GithubCredentials
 	err = s.conn.Transaction(func(tx *gorm.DB) error {
 		var err error
-		repo, err = s.getRepoByID(ctx, tx, repoID)
+		repo, err = s.getRepoByID(ctx, tx, repoID, "Endpoint")
 		if err != nil {
 			return fmt.Errorf("error fetching repo: %w", err)
 		}
 		if repo.EndpointName == nil {
 			return runnerErrors.NewUnprocessableError("repository has no endpoint")
 		}
 
-		if param.CredentialsName != "" {
-			creds, err = s.getGithubCredentialsByName(ctx, tx, param.CredentialsName, false)
-			if err != nil {
-				return fmt.Errorf("error fetching credentials: %w", err)
-			}
-			if creds.EndpointName == nil {
-				return runnerErrors.NewUnprocessableError("credentials have no endpoint")
-			}
-
-			if *creds.EndpointName != *repo.EndpointName {
-				return runnerErrors.NewBadRequestError("endpoint mismatch")
-			}
-			repo.CredentialsID = &creds.ID
+		if err := s.updateEntityCredentials(ctx, tx, &repo, param.CredentialsName); err != nil {
+			return err
 		}
 
 		if param.WebhookSecret != "" {
@@ -201,7 +189,7 @@ func (s *sqlDatabase) UpdateRepository(ctx context.Context, repoID string, param
 			repo.AgentMode = *param.AgentMode
 		}
 
-		q := tx.Save(&repo)
+		q := tx.Model(&repo).Omit("Endpoint").Save(&repo)
 		if q.Error != nil {
 			return fmt.Errorf("error saving repo: %w", q.Error)
 		}