feat: implement Gitea webhook support #74

Merged
Meldiron merged 6 commits into utopia-php:main from jaysomani:feat/gitea-webhook-support
Mar 23, 2026

@jaysomani

  • Implement getEvent() for push and pull_request events
  • Implement validateWebhookEvent() with HMAC-SHA256 validation
  • Parse webhook payloads to match GitHub adapter format
  • Add comprehensive test coverage for all webhook scenarios
  • Test push events with affected files tracking
  • Test pull request events including external/fork detection
  • Test signature validation (valid and invalid cases)
  • Test error handling for invalid payloads and unsupported events
  • Add abstract method stub for PHPStan compatibility

Resolves webhook functionality for Gitea adapter

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@greptile-apps

greptile-apps Bot commented Mar 20, 2026

Greptile Summary

This PR implements the previously stubbed getEvent() and validateWebhookEvent() methods on the Gitea adapter, parsing webhook payloads for push and pull_request events into the same shape used by the GitHub adapter, and adds a broad suite of unit tests.

Key observations:

  • The HMAC signature comparison in validateWebhookEvent() uses PHP's === operator instead of hash_equals(), leaving the endpoint open to timing-based side-channel attacks.
  • Two variables — $payloadPullRequestHeadUser and $payloadPullRequestBaseUser — are assigned in the pull_request case but never consumed, likely leftovers from copying the GitHub adapter structure.
  • pullRequestNumber is cast to string via strval(), while the GitHub adapter leaves it as the raw JSON integer; downstream consumers that switch between adapters may hit type inconsistencies.
  • The fork/external detection approach (comparing full_name values) is reasonable and arguably more reliable than the GitHub adapter's login-comparison approach.
  • testGetEvent is a trivially-passing assertTrue(true) with no actual assertions; it should either be removed or replaced with a meaningful test.

Confidence Score: 3/5

  • Safe to merge after addressing the timing-safe comparison issue in signature validation.
  • The implementation is largely correct and well-tested, but the use of === instead of hash_equals() for HMAC comparison is a security concern that should be fixed before merging. The other issues (unused variables, type inconsistency, trivial test) are minor but worth cleaning up.
  • Pay close attention to src/VCS/Adapter/Git/Gitea.php, specifically the validateWebhookEvent() method.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/VCS/Adapter/Git/Gitea.php | Implements getEvent() for push and pull_request events and validateWebhookEvent() with HMAC-SHA256. Main concerns: signature validation uses === instead of hash_equals() (timing-attack risk), two unused variables in the pull_request case, and pullRequestNumber is cast to string inconsistently with the GitHub adapter. |
| tests/VCS/Adapter/GiteaTest.php | Adds comprehensive webhook tests covering push events, pull request events (internal and fork/external), signature validation, invalid payloads, and unsupported events. The testGetEvent method is a trivially-passing no-op (assertTrue(true)) rather than a meaningful test. |

Last reviewed commit: "feat: implement Gite..."
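
The signature comparison issue raised in the review summary above, shown as an added example (not code from this PR or from the utopia-php project). The function names, secret and payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the adapter's code. Function names are hypothetical.

// The pattern flagged in the review: === carries no constant-time guarantee,
// so the comparison can stop at the first differing byte.
function verifySignatureWeak(string $rawBody, string $signature, string $secret): bool
{
    return hash_hmac('sha256', $rawBody, $secret) === $signature;
}

// Hardened form: same HMAC-SHA256, compared with hash_equals().
function verifySignature(string $rawBody, string $signature, string $secret): bool
{
    // An unset secret or a missing signature header must fail closed.
    if ($secret === '' || $signature === '') {
        return false;
    }
    // Sign the raw bytes as received (e.g. from php://input), never a
    // re-encoded json_decode() result, or valid deliveries will not match.
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // Known value first, caller-supplied value second.
    return hash_equals($expected, $signature);
}

// Constructed sample delivery (secret and body are made up for this example).
$secret = 'constructed-test-secret';
$body   = '{"ref":"refs/heads/main","commits":[]}';
$valid  = hash_hmac('sha256', $body, $secret);

$cases = [
    'valid signature'        => [$body, $valid],
    'tampered body'          => [str_replace('main', 'prod', $body), $valid],
    'wrong-length signature' => [$body, substr($valid, 0, 32)],
    'missing signature'      => [$body, ''],
];

foreach ($cases as $label => [$rawBody, $signature]) {
    $ok = verifySignature($rawBody, $signature, $secret);
    printf("%-24s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

A unit test for the validation path should cover the same four cases, so that a regression back to a plain comparison or a skipped check on an empty secret is caught.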

@Meldiron added the "test" label (Enables E2E tests in CI/CD), Mar 23, 2026
@Meldiron added and removed the "test" label (Enables E2E tests in CI/CD), Mar 23, 2026
@Meldiron merged commit 7b835da into utopia-php:main, Mar 23, 2026
4 checks passed