Allow setting policies on actions #1324

Merged
merged 5 commits into from
Jul 7, 2023

Member

@chmouel chmouel commented Jun 14, 2023

Policies is a new concept which lets you allow teams to do some
actions and reject members who are not part of those teams.

Current actions supported are pull_request and ok_to_test (more to
come in the future)

See the documentation attached to this PullRequest for more description
on how to use this feature.

@chmouel chmouel changed the title policies setting Allow setting policies on actions v Jun 14, 2023
@chmouel chmouel changed the title Allow setting policies on actions v Allow setting policies on actions Jun 14, 2023

pipelines-as-code bot commented Jun 14, 2023

Golang test coverage difference report

Coverage increased by 0.02%. 🏅 Keep it up 🏅

Package report
package                                                                            before    after    delta
-------                                                                           -------  -------  -------
pkg/acl                                                                           100.00%  100.00%         
pkg/action                                                                         76.19%   76.19%         
pkg/adapter                                                                        72.41%   72.41%         
pkg/apis/features                                                                 100.00%  100.00%         
pkg/cli/info                                                                       88.23%   88.23%         
pkg/cli/prompt                                                                     74.46%   74.46%         
pkg/cli/status                                                                     95.23%   95.23%         
pkg/cli/webhook                                                                    59.36%   59.36%         
pkg/cmd/tknpac/bootstrap                                                            5.72%    5.72%         
pkg/cmd/tknpac/completion                                                          50.00%   50.00%         
pkg/cmd/tknpac/create                                                              43.36%   43.36%         
pkg/cmd/tknpac/describe                                                            46.31%   46.31%         
pkg/cmd/tknpac/generate                                                            62.20%   62.20%         
pkg/cmd/tknpac/info                                                                62.50%   62.50%         
pkg/cmd/tknpac/list                                                                46.47%   46.47%         
pkg/cmd/tknpac/resolve                                                             74.67%   74.67%         
pkg/cmd/tknpac/webhook                                                             52.47%   52.47%         
pkg/consoleui                                                                      84.12%   84.12%         
pkg/customparams                                                                   94.11%   94.11%         
pkg/events                                                                         73.33%   73.33%         
pkg/formatting                                                                     98.73%   98.73%         
pkg/git                                                                            84.84%   84.84%         
pkg/hub                                                                            90.62%   90.62%         
pkg/kubeinteraction                                                                54.76%   54.76%         
pkg/kubeinteraction/status                                                         77.27%   77.27%         
pkg/matcher                                                                        86.47%   86.47%         
pkg/params/clients                                                                 14.86%   14.86%         
pkg/params/settings                                                                79.48%   79.48%         
pkg/pipelineascode                                                                 80.90%   80.90%         
pkg/policy                                                                         94.11%   94.11%         
pkg/provider                                                                       76.19%   76.19%         
pkg/provider/bitbucketcloud                                                        86.86%   86.86%         
pkg/provider/bitbucketserver                                                       88.05%   88.05%         
pkg/provider/gitea                                                                 32.82%   32.82%         
pkg/provider/gitea/structs                                                         22.68%   22.68%         
pkg/provider/github                                                                83.23%   83.23%         
pkg/provider/github/app                                                            78.33%   78.33%         
pkg/provider/gitlab                                                                86.18%   86.18%         
pkg/random                                                                        100.00%  100.00%         
pkg/reconciler                                                                     46.10%   46.10%         
pkg/resolve                                                                        87.93%   87.93%         
pkg/secrets                                                                        93.02%   93.02%         
pkg/sort                                                                           50.60%   51.20%   +0.60%
pkg/sync                                                                           91.13%   91.13%         
pkg/templates                                                                     100.00%  100.00%         
pkg/webhook                                                                        22.22%   22.22%         
                                                                          total:   67.20%   67.22%   +0.02%

@chmouel
Member Author

chmouel commented Jun 15, 2023

weird, things are green for me locally when running the test locally

% e2e-run -k kind -p gitea-kind -n TestGiteaACL
Running TestGiteaACL
Cleaning test cache
=== RUN   TestGiteaACLOrgAllowed
💡 06:20:51 Namespace pac-e2e-test-vb9sq created
💡 06:20:51 Creating gitea repository pac-e2e-test-vb9sq for user pac
💡 06:20:52 Creating webhook to smee url on gitea repository pac-e2e-test-vb9sq
💡 06:20:52 PipelinesAsCode Repository pac-e2e-test-vb9sq has been created in namespace pac-e2e-test-vb9sq
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:20:53 Pushed files to repo http://localhost:3000/pac/pac-e2e-test-vb9sq branch pac-e2e-test-vb9sq
💡 06:20:54 PullRequest http://localhost:3000/pac/pac-e2e-test-vb9sq/pulls/1 has been created
💡 06:20:55 Forked repository http://localhost:3000/pac-e2e-test-vb9sq/pac-e2e-test-vb9sq.git has been created
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:20:56 Pushed files to repo  branch pac-e2e-test-vb9sq
💡 06:21:00 Created pr http://localhost:3000/pac/pac-e2e-test-vb9sq/pulls/2 branch:main from fork pac-e2e-test-vb9sq/pac-e2e-test-vb9sq, branch:pac-e2e-test-vb9sq
💡 06:21:17 Status on SHA: pac-e2e-test-vb9sq is success
--- PASS: TestGiteaACLOrgAllowed (25.79s)
=== RUN   TestGiteaACLOrgSkipped
💡 06:21:17 Namespace pac-e2e-test-tt8z4 created
💡 06:21:17 Creating gitea repository pac-e2e-test-tt8z4 for user pac
💡 06:21:18 Creating webhook to smee url on gitea repository pac-e2e-test-tt8z4
💡 06:21:18 PipelinesAsCode Repository pac-e2e-test-tt8z4 has been created in namespace pac-e2e-test-tt8z4
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:21:19 Pushed files to repo http://localhost:3000/pac/pac-e2e-test-tt8z4 branch pac-e2e-test-tt8z4
💡 06:21:26 PullRequest http://localhost:3000/pac/pac-e2e-test-tt8z4/pulls/1 has been created
💡 06:21:34 Forked repository http://localhost:3000/pac-e2e-test-tt8z4/pac-e2e-test-tt8z4.git has been created
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:21:35 Pushed files to repo  branch pac-e2e-test-tt8z4
💡 06:21:38 Created pr http://localhost:3000/pac/pac-e2e-test-tt8z4/pulls/2 branch:main from fork pac-e2e-test-tt8z4/pac-e2e-test-tt8z4, branch:pac-e2e-test-tt8z4
💡 06:21:48 Status on SHA: 73f9452288ea578d13e1cbce74a2a6aa6144ec5e is success
💡 06:21:49 Found regexp ".*is skipping this commit.*" in PR comments
--- PASS: TestGiteaACLOrgSkipped (31.68s)
=== RUN   TestGiteaACLCommentsAllowing
=== RUN   TestGiteaACLCommentsAllowing/OK_to_Test
💡 06:21:49 Namespace pac-e2e-test-hx7rv created
💡 06:21:49 Creating gitea repository pac-e2e-test-hx7rv for user pac
💡 06:21:49 Creating webhook to smee url on gitea repository pac-e2e-test-hx7rv
💡 06:21:49 PipelinesAsCode Repository pac-e2e-test-hx7rv has been created in namespace pac-e2e-test-hx7rv
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:21:50 Pushed files to repo http://localhost:3000/pac/pac-e2e-test-hx7rv branch pac-e2e-test-hx7rv
💡 06:21:50 PullRequest http://localhost:3000/pac/pac-e2e-test-hx7rv/pulls/1 has been created
💡 06:21:51 Forked repository http://localhost:3000/pac-e2e-test-hx7rv/pac-e2e-test-hx7rv.git has been created
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:21:51 Pushed files to repo  branch pac-e2e-test-hx7rv
💡 06:21:52 Created pr http://localhost:3000/pac/pac-e2e-test-hx7rv/pulls/2 branch:main from fork pac-e2e-test-hx7rv/pac-e2e-test-hx7rv, branch:pac-e2e-test-hx7rv
💡 06:21:57 Status on SHA: c7c80483769aa088b9cc31f2631ba90f6117660b is success
💡 06:21:57 Found regexp ".*is skipping this commit.*" in PR comments
💡 06:21:57 Posted comment "/ok-to-test" in http://localhost:3000/pac/pac-e2e-test-hx7rv/pulls/2
💡 06:21:57 Found regexp "^Pipelines as Code CI.*has.*successfully" in PR comments
=== RUN   TestGiteaACLCommentsAllowing/Retest
💡 06:21:57 Namespace pac-e2e-test-xl4r4 created
💡 06:21:57 Creating gitea repository pac-e2e-test-xl4r4 for user pac
💡 06:21:57 Creating webhook to smee url on gitea repository pac-e2e-test-xl4r4
💡 06:21:57 PipelinesAsCode Repository pac-e2e-test-xl4r4 has been created in namespace pac-e2e-test-xl4r4
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:21:58 Pushed files to repo http://localhost:3000/pac/pac-e2e-test-xl4r4 branch pac-e2e-test-xl4r4
💡 06:21:58 PullRequest http://localhost:3000/pac/pac-e2e-test-xl4r4/pulls/1 has been created
💡 06:21:59 Forked repository http://localhost:3000/pac-e2e-test-xl4r4/pac-e2e-test-xl4r4.git has been created
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:21:59 Pushed files to repo  branch pac-e2e-test-xl4r4
💡 06:22:00 Created pr http://localhost:3000/pac/pac-e2e-test-xl4r4/pulls/2 branch:main from fork pac-e2e-test-xl4r4/pac-e2e-test-xl4r4, branch:pac-e2e-test-xl4r4
💡 06:22:05 Status on SHA: d5e741bb6b2d935008a0937528428e19656599e4 is success
💡 06:22:05 Found regexp ".*is skipping this commit.*" in PR comments
💡 06:22:05 Posted comment "/retest" in http://localhost:3000/pac/pac-e2e-test-xl4r4/pulls/2
💡 06:22:05 Found regexp "^Pipelines as Code CI.*has.*successfully" in PR comments
=== RUN   TestGiteaACLCommentsAllowing/Test_PR
💡 06:22:05 Namespace pac-e2e-test-8sxlq created
💡 06:22:05 Creating gitea repository pac-e2e-test-8sxlq for user pac
💡 06:22:05 Creating webhook to smee url on gitea repository pac-e2e-test-8sxlq
💡 06:22:06 PipelinesAsCode Repository pac-e2e-test-8sxlq has been created in namespace pac-e2e-test-8sxlq
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:22:06 Pushed files to repo http://localhost:3000/pac/pac-e2e-test-8sxlq branch pac-e2e-test-8sxlq
💡 06:22:06 PullRequest http://localhost:3000/pac/pac-e2e-test-8sxlq/pulls/1 has been created
💡 06:22:07 Forked repository http://localhost:3000/pac-e2e-test-8sxlq/pac-e2e-test-8sxlq.git has been created
    scm.go:44: skipping cleanup because TEST_NOCLEANUP was enabled.
    scm.go:50: skipping cleanup because TEST_NOCLEANUP was enabled.
💡 06:22:07 Pushed files to repo  branch pac-e2e-test-8sxlq
💡 06:22:08 Created pr http://localhost:3000/pac/pac-e2e-test-8sxlq/pulls/2 branch:main from fork pac-e2e-test-8sxlq/pac-e2e-test-8sxlq, branch:pac-e2e-test-8sxlq
💡 06:22:13 Status on SHA: 4a54977e031c3b27219795491b73fa185cf4c07a is success
💡 06:22:13 Found regexp ".*is skipping this commit.*" in PR comments
💡 06:22:13 Posted comment "/test pr" in http://localhost:3000/pac/pac-e2e-test-8sxlq/pulls/2
💡 06:22:13 Found regexp "^Pipelines as Code CI.*has.*successfully" in PR comments
--- PASS: TestGiteaACLCommentsAllowing (24.37s)
    --- PASS: TestGiteaACLCommentsAllowing/OK_to_Test (8.34s)
    --- PASS: TestGiteaACLCommentsAllowing/Retest (8.05s)
    --- PASS: TestGiteaACLCommentsAllowing/Test_PR (7.98s)
PASS
ok  	github.com/openshift-pipelines/pipelines-as-code/test	81.868s

@chmouel
Member Author

chmouel commented Jun 15, 2023

Never mind the other comment, the error was legitimate.

@sm43
Contributor

sm43 commented Jun 15, 2023

What does the pull_request action mean here? 🤔

@chmouel
Member Author

chmouel commented Jun 15, 2023

@sm43 it's this

* `pull_request` - This action is triggering the CI on Pipelines as Code,
   specifying a team will only allow the members of the team to trigger the CI
   and will not allow other members regardless if they are Owners or Collaborators
   of the repository or the Organization. The OWNERS file is still taken into
   account and will as well allow the members of the OWNERS file to trigger the
   CI.

Contributor

@sm43 sm43 left a comment

lgtm

docs/content/docs/guide/policy.md
- ci-users
```

Users in `ci-admins` team will be able to let other users run the CI on the pull
Member

@savitaashture savitaashture Jun 27, 2023

I feel the explanation is somewhat confusing in telling the exact operation which ci-admins can do.
Maybe it's for me 🤔

Member Author

Is that less confusing? (chatgpt)

To set up the policy for the Repository CR, follow these steps:

  1. Open the settings of the Repository CR.
  2. Add the following code snippet to the configuration:

```yaml
apiVersion: "pipelinesascode.tekton.dev/v1alpha1"
kind: Repository
metadata:
  name: repository1
spec:
  url: "https://github.com/org/repo"
  settings:
    policy:
      ok_to_test:
        - ci-admins
      pull_request:
        - ci-users
```

This configuration allows specific user groups to perform certain actions on pull requests:

  • Users in the ci-admins team can authorize other users to run continuous integration (CI) on the pull request.
  • Users in the ci-users team can run CI on their own pull requests.

Member

@chmouel this is easy to understand 👍
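
The policy semantics discussed in this thread (the `pull_request` explanation and the `settings.policy` snippet above), as an added Go example that is not part of the PR or the project's code. The `Policy`, `Sender` and `Allowed` names are hypothetical; falling back to the owner/collaborator check when no team is listed, and applying the OWNERS exception to `ok_to_test` as well, are assumptions of this example.

```go
package main

import "fmt"

// Policy mirrors settings.policy from the Repository CR: team names per action.
type Policy map[string][]string

// Sender is a constructed stand-in for the event author (hypothetical type).
type Sender struct {
	Login         string
	Teams         []string // teams the user is a member of
	InOwnersFile  bool     // listed in the repository's OWNERS file
	OwnerOrCollab bool     // owner or collaborator of the repo/organization
}

// Allowed reports whether sender may perform action, and why.
func Allowed(p Policy, action string, s Sender) (bool, string) {
	if action != "pull_request" && action != "ok_to_test" {
		return false, "unsupported action" // fail closed on anything else
	}
	teams := p[action]
	if len(teams) == 0 {
		// Assumption: with no team listed, the pre-policy ACL applies.
		if s.OwnerOrCollab || s.InOwnersFile {
			return true, "no policy set, default ACL"
		}
		return false, "no policy set, not owner/collaborator/OWNERS"
	}
	member := map[string]bool{}
	for _, t := range s.Teams {
		member[t] = true
	}
	for _, t := range teams {
		if member[t] {
			return true, "member of team " + t
		}
	}
	if s.InOwnersFile {
		return true, "listed in OWNERS file"
	}
	// Owner/collaborator status is deliberately not consulted here.
	return false, "not in teams " + fmt.Sprint(teams)
}

func main() {
	p := Policy{"ok_to_test": {"ci-admins"}, "pull_request": {"ci-users"}}
	senders := []Sender{ // constructed sample users
		{Login: "alice", Teams: []string{"ci-users"}},
		{Login: "bob", OwnerOrCollab: true},
		{Login: "carol", InOwnersFile: true},
	}
	for _, s := range senders {
		for _, a := range []string{"pull_request", "ok_to_test"} {
			ok, why := Allowed(p, a, s)
			fmt.Printf("%-6s %-13s allowed=%-5v %s\n", s.Login, a, ok, why)
		}
	}
}
```

With a policy set, `bob` is rejected for both actions despite being an owner or collaborator, which is the behaviour change the description calls out.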

@chmouel
Member Author

chmouel commented Jul 4, 2023

/retest

@codecov

codecov bot commented Jul 4, 2023

Codecov Report

Merging #1324 (52a6bde) into main (6ec4bf8) will increase coverage by 0.25%.
The diff coverage is 85.93%.

@@            Coverage Diff             @@
##             main    #1324      +/-   ##
==========================================
+ Coverage   60.36%   60.62%   +0.25%     
==========================================
  Files         135      136       +1     
  Lines        9722     9839     +117     
==========================================
+ Hits         5869     5965      +96     
- Misses       3377     3396      +19     
- Partials      476      478       +2     
Impacted Files Coverage Δ
pkg/provider/gitea/gitea.go 6.69% <0.00%> (-0.04%) ⬇️
pkg/provider/bitbucketcloud/bitbucket.go 71.29% <33.33%> (-0.69%) ⬇️
pkg/provider/bitbucketserver/bitbucketserver.go 77.08% <33.33%> (-0.82%) ⬇️
pkg/provider/gitlab/gitlab.go 71.17% <33.33%> (-0.65%) ⬇️
pkg/reconciler/reconciler.go 21.38% <50.00%> (ø)
pkg/provider/gitea/acl.go 74.79% <76.19%> (+0.40%) ⬆️
pkg/provider/github/acl.go 86.06% <89.18%> (+0.78%) ⬆️
pkg/policy/policy.go 92.30% <92.30%> (ø)
pkg/provider/github/detect.go 92.30% <94.59%> (+0.37%) ⬆️
pkg/pipelineascode/match.go 63.35% <100.00%> (ø)
... and 3 more

Policies is a new concept which lets you allow teams to do some
actions and reject members who are not part of those teams.

Current actions supported are `pull_request` and `ok_to_test` (more to
come in the future)

See the documentation attached to this PullRequest for more description
on how to use this feature.

Signed-off-by: Chmouel Boudjnah <[email protected]>

with regard to the latest change setting pipelinerunpending before
running it.

we need to make sure we only get the latest status to properly test

Signed-off-by: Chmouel Boudjnah <[email protected]>

When the user is not allowed make sure we check the tests are in Pending
Approval

Signed-off-by: Chmouel Boudjnah <[email protected]>

@savitaashture
Member

/lgtm

@piyush-garg
Copy link
Member

/lgtm

@savitaashture savitaashture merged commit 1eb8efe into openshift-pipelines:main Jul 7, 2023