fix(gitlab): pin commit statuses to same pipeline

  When PAC posts multiple commit statuses for the same SHA, GitLab's
  auto-assignment logic can route them to different pipelines, leaving the
  MR pipeline permanently stuck with stale intermediate statuses.

  Cache the pipeline_id returned by the first SetCommitStatus response
  and pass it on subsequent calls for the same (project, SHA) pair so
  all statuses land in the same GitLab pipeline.

  Co-authored-by: Claude <noreply@anthropic.com>
  Signed-off-by: Abhishek Ghosh <abghosh@redhat.com>

Author: ab-ghosh

pkg/apis/pipelinesascode/keys/keys.go

@@ -48,6 +48,7 @@ const (
 	OriginalPRName         = pipelinesascode.GroupName + "/original-prname"
 	GitAuthSecret          = pipelinesascode.GroupName + "/git-auth-secret"
 	CheckRunID             = pipelinesascode.GroupName + "/check-run-id"
+	GitLabPipelineID       = pipelinesascode.GroupName + "/gitlab-pipeline-id"
 	OnEvent                = pipelinesascode.GroupName + "/on-event"
 	OnComment              = pipelinesascode.GroupName + "/on-comment"
 	OnTargetBranch         = pipelinesascode.GroupName + "/on-target-branch"

pkg/provider/gitlab/gitlab.go

@@ -11,7 +11,10 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
 
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/action"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/keys"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/v1alpha1"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/changedfiles"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/events"
@@ -69,6 +72,10 @@ type Provider struct {
 	memberCache        map[int64]bool
 	cachedChangedFiles *changedfiles.ChangedFiles
 	pacUserID          int64 // user login used by PAC
+	// pipelineIDMu protects pipelineIDCache from concurrent access when
+	// multiple PipelineRun goroutines call CreateStatus simultaneously.
+	pipelineIDMu    *sync.Mutex
+	pipelineIDCache map[string]int64
 }
 
 var defaultGitlabListOptions = gitlab.ListOptions{
@@ -89,6 +96,9 @@ func (v *Provider) Client() *gitlab.Client {
 
 func (v *Provider) SetGitLabClient(client *gitlab.Client) {
 	v.gitlabClient = client
+	if v.pipelineIDMu == nil {
+		v.pipelineIDMu = &sync.Mutex{}
+	}
 }
 
 func (v *Provider) SetPacInfo(pacInfo *info.PacOpts) {
@@ -220,6 +230,9 @@ func (v *Provider) SetClient(_ context.Context, run *params.Run, runevent *info.
 	v.eventEmitter = eventsEmitter
 	v.repo = repo
 	v.triggerEvent = runevent.EventType
+	if v.pipelineIDMu == nil {
+		v.pipelineIDMu = &sync.Mutex{}
+	}
 
 	// Try to detect automatically the API url if url is not coming from public
 	// gitlab. Unless user has set a spec.provider.url in its repo crd
@@ -354,22 +367,46 @@ func (v *Provider) CreateStatus(ctx context.Context, event *info.Event, statusOp
 		Context:     gitlab.Ptr(contextName),
 	}
 
+	// Reuse a previously discovered pipeline ID so that all commit statuses
+	// for the same SHA land in the same GitLab pipeline. Check the in-memory
+	// cache first (shared across concurrent PipelineRun goroutines within the
+	// same webhook event), then fall back to the PipelineRun annotation
+	// (persisted across Provider instances for the reconciler phase).
+	if pid := v.getPipelineID(event.SHA); pid != 0 {
+		opt.PipelineID = gitlab.Ptr(pid)
+	} else if statusOpts.PipelineRun != nil {
+		if id, ok := statusOpts.PipelineRun.GetAnnotations()[keys.GitLabPipelineID]; ok {
+			pid, err := strconv.ParseInt(id, 10, 64)
+			if err == nil {
+				opt.PipelineID = gitlab.Ptr(pid)
+			}
+		}
+	}
+
 	// In case we have access, set the status. Typically, on a Merge Request (MR)
 	// from a fork in an upstream repository, the token needs to have write access
 	// to the fork repository in order to create a status. However, the token set on the
 	// Repository CR usually doesn't have such broad access, preventing from creating
 	// a status comment on it.
 	// This would work on a push or an MR from a branch within the same repo.
 	// Ignoring errors because of the write access issues,
-	_, _, err := v.Client().Commits.SetCommitStatus(event.SourceProjectID, event.SHA, opt)
+	commitStatus, _, err := v.Client().Commits.SetCommitStatus(event.SourceProjectID, event.SHA, opt)
 	if err != nil {
 		v.Logger.Debugf("cannot set status with the GitLab token on the source project: %v", err)
 	} else {
+		v.storePipelineID(ctx, event.SHA, statusOpts, commitStatus)
 		// we managed to set the status on the source repo, all good we are done
 		v.Logger.Debugf("created commit status on source project ID %d", event.TargetProjectID)
 		return nil
 	}
-	if _, _, err = v.Client().Commits.SetCommitStatus(event.TargetProjectID, event.SHA, opt); err == nil {
+	// Clear pipeline ID when falling back to the target project — the cached
+	// ID belongs to the source project's pipeline namespace and is invalid on
+	// a different project (fork MR scenario).
+	if event.SourceProjectID != event.TargetProjectID {
+		opt.PipelineID = nil
+	}
+	if commitStatus, _, err = v.Client().Commits.SetCommitStatus(event.TargetProjectID, event.SHA, opt); err == nil {
+		v.storePipelineID(ctx, event.SHA, statusOpts, commitStatus)
 		v.Logger.Debugf("created commit status on target project ID %d", event.TargetProjectID)
 		// we managed to set the status on the target repo, all good we are done
 		return nil
@@ -860,3 +897,53 @@ func (v *Provider) formatPipelineComment(sha string, status providerstatus.Statu
 	return fmt.Sprintf("%s **%s: %s/%s for %s**\n\n%s\n\n<small>Full log available [here](%s)</small>",
 		emoji, status.Title, v.pacInfo.ApplicationName, status.OriginalPipelineRunName, sha, status.Text, status.DetailsURL)
 }
+
+// getPipelineID returns a cached pipeline ID for the given SHA, or 0 if none.
+func (v *Provider) getPipelineID(sha string) int64 {
+	v.pipelineIDMu.Lock()
+	defer v.pipelineIDMu.Unlock()
+	if v.pipelineIDCache == nil {
+		return 0
+	}
+	return v.pipelineIDCache[sha]
+}
+
+// storePipelineID caches the pipeline ID from a successful SetCommitStatus
+// response in the in-memory map (for concurrent goroutines within the same
+// webhook event) and patches it onto the PipelineRun annotation (for the
+// reconciler which creates a new Provider instance).
+func (v *Provider) storePipelineID(ctx context.Context, sha string, statusOpts providerstatus.StatusOpts, cs *gitlab.CommitStatus) {
+	if cs == nil || cs.PipelineID == 0 {
+		return
+	}
+	v.pipelineIDMu.Lock()
+	if v.pipelineIDCache == nil {
+		v.pipelineIDCache = make(map[string]int64)
+	}
+	v.pipelineIDCache[sha] = cs.PipelineID
+	v.pipelineIDMu.Unlock()
+
+	v.patchPipelineIDAnnotation(ctx, statusOpts, cs)
+}
+
+// patchPipelineIDAnnotation stores the GitLab pipeline ID as a PipelineRun
+// annotation so the reconciler can read it back across Provider instances.
+func (v *Provider) patchPipelineIDAnnotation(ctx context.Context, statusOpts providerstatus.StatusOpts, cs *gitlab.CommitStatus) {
+	pr := statusOpts.PipelineRun
+	if pr == nil || (pr.GetName() == "" && pr.GetGenerateName() == "") {
+		return
+	}
+	if _, ok := pr.GetAnnotations()[keys.GitLabPipelineID]; ok {
+		return
+	}
+	mergePatch := map[string]any{
+		"metadata": map[string]any{
+			"annotations": map[string]string{
+				keys.GitLabPipelineID: strconv.FormatInt(cs.PipelineID, 10),
+			},
+		},
+	}
+	if _, err := action.PatchPipelineRun(ctx, v.Logger, "gitlabPipelineID", v.run.Clients.Tekton, pr, mergePatch); err != nil {
+		v.Logger.Debugf("failed to patch pipelinerun with gitlab pipeline ID: %v", err)
+	}
+}