
[DNM] Release 0.27.3#2431

Closed
chmouel wants to merge 1 commit into
tektoncd:release-v0.27.xfrom
chmouel:release-v0.27.3

Conversation

chmouel (Member) commented Jan 29, 2026

Enforced strict validation to require both the X-Gitlab-Token header and a configured webhook secret. This prevented unauthenticated requests that were previously accepted when both values were empty.

Enforced strict validation to require both the X-Gitlab-Token header
and a configured webhook secret. This prevented unauthenticated
requests that were previously accepted when both values were empty.

Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
@chmouel chmouel marked this pull request as draft January 29, 2026 12:56
@gemini-code-assist


Summary of Changes

Hello @chmouel, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security of GitLab webhook validation by enforcing a stricter policy. It ensures that all incoming GitLab webhook requests must include an 'X-Gitlab-Token' header and that a corresponding 'WebhookSecret' is configured. This closes a potential security loophole where requests could bypass authentication if both the token and secret were absent, thereby safeguarding the system against unauthorized access.

Highlights

  • Stricter GitLab Webhook Validation: The validation logic for GitLab webhooks has been enhanced to explicitly require both the 'X-Gitlab-Token' header and a configured 'WebhookSecret'. This prevents unauthenticated requests that were previously accepted when both values were empty.
  • Improved Error Messaging: New, more descriptive error messages are now returned when the 'X-Gitlab-Token' header is missing or when no webhook secret is configured, providing clearer feedback on validation failures.
  • Security Fix: This change addresses a security vulnerability where GitLab webhook validation could be bypassed if both the 'X-Gitlab-Token' and the configured 'WebhookSecret' were empty, allowing unauthenticated access.
  • Enhanced Test Coverage: The unit tests for GitLab webhook validation have been updated to include a specific test case for the security fix (empty token and secret) and now assert specific error messages for more robust testing.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a crucial security enhancement to the GitLab webhook validation process. The changes correctly enforce that both the X-Gitlab-Token header and a configured webhook secret must be present and valid, effectively closing a vulnerability that allowed unauthenticated requests when both values were empty. The updated logic is clear and robust, and the error messages have been improved for better diagnostics. Furthermore, the test suite has been significantly improved by checking for specific error messages and adding a test case that explicitly covers the fixed security flaw. The overall implementation is excellent.
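The empty-token/empty-secret bypass described in the PR description and in the review above, shown side by side with the strict check, as an added Go example. This is not the project's code: `validateLenient`, `validateStrict` and the error values are assumed names that model the behaviour the page describes, and the header-only request is constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// Error values for the two new failure modes the PR description mentions.
// Names are assumptions for this example, not the project's identifiers.
var (
	ErrMissingToken = errors.New("gitlab webhook validation failed: X-Gitlab-Token header is missing")
	ErrNoSecret     = errors.New("gitlab webhook validation failed: no webhook secret configured")
	ErrMismatch     = errors.New("gitlab webhook validation failed: token does not match configured secret")
)

// validateLenient models the pre-fix behaviour as the page describes it:
// with no header and no configured secret, comparing "" against ""
// trivially succeeds, so an unauthenticated request is accepted.
func validateLenient(h http.Header, secret string) error {
	token := h.Get("X-Gitlab-Token")
	if subtle.ConstantTimeCompare([]byte(token), []byte(secret)) != 1 {
		return ErrMismatch
	}
	return nil
}

// validateStrict models the fixed behaviour: both values must be present
// before the constant-time comparison is attempted, so empty/empty is rejected.
func validateStrict(h http.Header, secret string) error {
	token := h.Get("X-Gitlab-Token")
	if token == "" {
		return ErrMissingToken
	}
	if secret == "" {
		return ErrNoSecret
	}
	if subtle.ConstantTimeCompare([]byte(token), []byte(secret)) != 1 {
		return ErrMismatch
	}
	return nil
}

func main() {
	h := http.Header{} // constructed request carrying no X-Gitlab-Token header
	fmt.Println("lenient, empty/empty:", validateLenient(h, ""))
	fmt.Println("strict, empty/empty:", validateStrict(h, ""))
}
```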

chmouel (Member, Author) commented Jan 29, 2026

E2E is too much of an impossibility to fix; here is the gitlab test run (since it only touches that)

Setting kubeconfig profile to civuole
repository.pipelinesascode.tekton.dev "pac-e2e-test-gtxks" deleted from pac-e2e-test-gtxks namespace
==========================
     Running tests
==========================
• TestGitlabMergeRequest
• TestGitlabOnComment
• TestGitlabIssueGitopsComment
• TestGitlabIncomingWebhook
namespace "pac-e2e-test-gtxks" deleted
Env profile gitlab-personal has been applied
Running ^TestGitlabMergeRequest$
Cleaning test cache
go test -v -tags e2e -count=1 -race -failfast -run ^TestGitlabMergeRequest$ 
=== RUN   TestGitlabMergeRequest
💡 13:22:08 Found pipelines-as-code installation in namespace pipelines-as-code
💡 13:22:08 Pipelines as Code Controller: &{Name:default Configmap:pipelines-as-code Secret:pipelines-as-code-secret GlobalRepository:pipelines-as-code}
💡 13:22:08 Testing with Gitlab
💡 13:22:09 Namespace pac-e2e-ns-9mmrc created
💡 13:22:09 PipelinesAsCode Repository pac-e2e-ns-9mmrc has been created in namespace pac-e2e-ns-9mmrc
💡 13:22:14 Pushed files to repo https://gitlab.com/chmouel/pac-personal-test branch pac-e2e-test-kg9qh
💡 13:22:19 Branch pac-e2e-test-kg9qh has been created and pushed with files
💡 13:22:20 MergeRequest https://gitlab.com/chmouel/pac-personal-test/-/merge_requests/255 has been created
💡 13:22:25 Pushed files to repo https://gitlab.com/chmouel/pac-personal-test branch pac-e2e-test-kg9qh
💡 13:22:30 Waiting for Repository to be updated
💡 13:22:30 Still waiting for repository status to be updated: 0/4
💡 13:22:36 Still waiting for repository status to be updated: 0/4
💡 13:22:44 Still waiting for repository status to be updated: 0/4
💡 13:22:47 Still waiting for repository status to be updated: 2/4
💡 13:22:50 Still waiting for repository status to be updated: 2/4
💡 13:22:53 Still waiting for repository status to be updated: 4/4
💡 13:22:55 Check if we have the repository set as succeeded
💡 13:22:55 Success, number of status 4 has been matched
💡 13:22:55 Sending /retest comment on MergeRequest https://gitlab.com/chmouel/pac-personal-test/-/merge_requests/255
💡 13:22:55 Checking that PAC has posted successful comments for all PR that has been tested
💡 13:22:55 Waiting for Repository to be updated
💡 13:22:55 Still waiting for repository status to be updated: 4/5
💡 13:22:58 Still waiting for repository status to be updated: 4/5
💡 13:23:04 Still waiting for repository status to be updated: 4/5
💡 13:23:06 Still waiting for repository status to be updated: 4/5
💡 13:23:09 Still waiting for repository status to be updated: 4/5
💡 13:23:12 Still waiting for repository status to be updated: 5/5
💡 13:23:14 Check if we have the repository set as succeeded
💡 13:23:14 Success, number of status 5 has been matched
💡 13:23:15 Closing PR 255
💡 13:23:16 Deleting Repository in pac-e2e-ns-9mmrc
💡 13:23:16 Deleting NS pac-e2e-ns-9mmrc
💡 13:23:16 Deleting Ref pac-e2e-test-kg9qh
--- PASS: TestGitlabMergeRequest (68.48s)
PASS
ok  	github.com/openshift-pipelines/pipelines-as-code/test	69.515s
No resources found
namespace "pac-e2e-ns-9mmrc" deleted
Env profile gitlab-personal has been applied
Running ^TestGitlabOnComment$
Cleaning test cache
go test -v -tags e2e -count=1 -race -failfast -run ^TestGitlabOnComment$ 
=== RUN   TestGitlabOnComment
💡 13:23:20 Found pipelines-as-code installation in namespace pipelines-as-code
💡 13:23:20 Pipelines as Code Controller: &{Name:default Configmap:pipelines-as-code Secret:pipelines-as-code-secret GlobalRepository:pipelines-as-code}
💡 13:23:20 Testing Gitlab on Comment matches
💡 13:23:20 Namespace pac-e2e-ns-wfklz created
💡 13:23:21 PipelinesAsCode Repository pac-e2e-ns-wfklz has been created in namespace pac-e2e-ns-wfklz
💡 13:23:24 Pushed files to repo https://gitlab.com/chmouel/pac-personal-test branch pac-e2e-test-2wdn8
💡 13:23:29 Branch pac-e2e-test-2wdn8 has been created and pushed with files
💡 13:23:30 MergeRequest https://gitlab.com/chmouel/pac-personal-test/-/merge_requests/256 has been created
💡 13:23:30 Note https://gitlab.com/chmouel/pac-personal-test/-/merge_requests/256/notes/3044536709 has been created
💡 13:23:30 Waiting for Repository to be updated
💡 13:23:30 Still waiting for repository status to be updated: 0/1
💡 13:23:33 Still waiting for repository status to be updated: 0/1
💡 13:23:36 Still waiting for repository status to be updated: 0/1
💡 13:23:39 Still waiting for repository status to be updated: 0/1
💡 13:23:42 Still waiting for repository status to be updated: 1/1
💡 13:23:44 Check if we have the repository set as succeeded
💡 13:23:44 Success, number of status 1 has been matched
💡 13:23:45 Still waiting for repository status to be updated: 1/1
💡 13:23:47 Check if we have the repository set as succeeded
💡 13:23:47 looking for regexp /hello-world in namespace: pac-e2e-ns-wfklz for label tekton.dev/pipelineRun=on-comment-tk9vx and container step-task
💡 13:23:47 matched regexp /hello-world in labelSelector/container tekton.dev/pipelineRun=on-comment-tk9vx:step-task
💡 13:23:47 Closing PR 256
💡 13:23:48 Deleting Repository in pac-e2e-ns-wfklz
💡 13:23:48 Deleting NS pac-e2e-ns-wfklz
💡 13:23:48 Deleting Ref pac-e2e-test-2wdn8
--- PASS: TestGitlabOnComment (29.36s)
PASS
ok  	github.com/openshift-pipelines/pipelines-as-code/test	30.404s
No resources found
namespace "pac-e2e-ns-wfklz" deleted
Env profile gitlab-personal has been applied
Running ^TestGitlabIssueGitopsComment$
Cleaning test cache
go test -v -tags e2e -count=1 -race -failfast -run ^TestGitlabIssueGitopsComment$ 
=== RUN   TestGitlabIssueGitopsComment
💡 13:23:52 Found pipelines-as-code installation in namespace pipelines-as-code
💡 13:23:52 Pipelines as Code Controller: &{Name:default Configmap:pipelines-as-code Secret:pipelines-as-code-secret GlobalRepository:pipelines-as-code}
💡 13:23:52 Testing Gitlabs test/retest comments
💡 13:23:53 Namespace pac-e2e-ns-pxw45 created
💡 13:23:53 PipelinesAsCode Repository pac-e2e-ns-pxw45 has been created in namespace pac-e2e-ns-pxw45
💡 13:23:57 Pushed files to repo https://gitlab.com/chmouel/pac-personal-test branch pac-e2e-test-p9jk4
💡 13:24:02 Branch pac-e2e-test-p9jk4 has been created and pushed with files
💡 13:24:02 MergeRequest https://gitlab.com/chmouel/pac-personal-test/-/merge_requests/257 has been created
💡 13:24:03 Created gitops comment /test no-match to get the no-match tested
💡 13:24:03 Waiting for Repository to be updated
💡 13:24:03 Still waiting for repository status to be updated: 0/1
💡 13:24:06 Still waiting for repository status to be updated: 0/1
💡 13:24:10 Still waiting for repository status to be updated: 0/1
💡 13:24:13 Still waiting for repository status to be updated: 0/1
💡 13:24:16 Still waiting for repository status to be updated: 1/1
💡 13:24:18 Check if we have the repository set as succeeded
💡 13:24:18 Success, number of status 1 has been matched
💡 13:24:18 Closing PR 257
💡 13:24:19 Deleting Repository in pac-e2e-ns-pxw45
💡 13:24:19 Deleting NS pac-e2e-ns-pxw45
💡 13:24:19 Deleting Ref pac-e2e-test-p9jk4
--- PASS: TestGitlabIssueGitopsComment (27.80s)
PASS
ok  	github.com/openshift-pipelines/pipelines-as-code/test	28.837s
No resources found
namespace "pac-e2e-ns-pxw45" deleted
Env profile gitlab-personal has been applied
Running ^TestGitlabIncomingWebhook$
Cleaning test cache
go test -v -tags e2e -count=1 -race -failfast -run ^TestGitlabIncomingWebhook$ 
=== RUN   TestGitlabIncomingWebhook
💡 13:24:23 Found pipelines-as-code installation in namespace pipelines-as-code
💡 13:24:23 Pipelines as Code Controller: &{Name:default Configmap:pipelines-as-code Secret:pipelines-as-code-secret GlobalRepository:pipelines-as-code}
💡 13:24:23 Testing with Gitlab
💡 13:24:23 Namespace pac-e2e-ns-jdfnj created
💡 13:24:23 PipelinesAsCode Repository pac-e2e-ns-jdfnj has been created in namespace pac-e2e-ns-jdfnj
💡 13:24:27 Pushed files to repo https://gitlab.com/chmouel/pac-personal-test branch pac-e2e-ns-jdfnj
💡 13:24:32 Branch pac-e2e-ns-jdfnj has been created and pushed with files
💡 13:24:32 Kicked off on incoming-webhook URL: https://paac.civuole.lan/incoming?repository=pac-e2e-ns-jdfnj&branch=pac-e2e-ns-jdfnj&pipelinerun=pipelinerun-incoming&secret=shhhh-secrete
💡 13:24:32 Waiting for Repository to be updated
💡 13:24:32 Still waiting for repository status to be updated: 0/1
💡 13:24:35 Still waiting for repository status to be updated: 0/1
💡 13:24:38 Still waiting for repository status to be updated: 0/1
💡 13:24:41 Still waiting for repository status to be updated: 1/1
💡 13:24:43 Check if we have the repository set as succeeded
💡 13:24:43 Success, number of status 1 has been matched
💡 13:24:43 Closing PR -1
💡 13:24:43 Deleting Repository in pac-e2e-ns-jdfnj
💡 13:24:43 Deleting NS pac-e2e-ns-jdfnj
💡 13:24:43 Deleting Ref pac-e2e-ns-jdfnj
--- PASS: TestGitlabIncomingWebhook (21.25s)

@chmouel chmouel closed this Jan 29, 2026
@chmouel chmouel deleted the release-v0.27.3 branch February 19, 2026 13:18