fix: recover fork PR re-runs when GitHub omits PR metadata

[chmouel]

When GitHub receives a Re-run request for a Pipelines as Code check tied to a pull request from a fork, the webhook payload can omit the usual pull request metadata. PAC could already recover by looking up pull requests for the head SHA, but fork PRs still failed when GitHub's commits/{sha}/pulls API returned no matches.

This change makes rerequest handling more resilient and keeps the selection rules safe:

• check_run rerequests now honor pull request data attached directly to the event when GitHub provides it
• if the commit lookup API returns no open PR, PAC falls back to listing open pull requests and matching by head SHA so fork PR rerequests can still resolve
• the SHA fallback now preserves the existing ambiguity guard and fails if more than one open PR shares the same head SHA instead of picking one arbitrarily
• tests now cover the direct-event path, fork fallback success, missing-PR failures, and the ambiguous fallback regression

📝 Description of the Change

Improve GitHub rerequest PR resolution so fork pull requests can be recovered safely even when GitHub omits PR metadata or the commit lookup API returns no match.

🔗 Linked GitHub Issue

Not linked.

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

Ran:

• go test ./pkg/provider/github

🤖 AI Assistance

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

AI assistance was used to help draft and refine the code change, tests, and PR description. The resulting changes were reviewed and validated with the package test run above.

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[codecov-commenter]

Codecov Report

❌ Patch coverage is 96.42857% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.87%. Comparing base (fff1dac) to head (6eb152f).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/provider/github/parse_payload.go	96.42%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2655      +/-   ##
==========================================
+ Coverage   59.77%   59.87%   +0.10%     
==========================================
  Files         210      210              
  Lines       21135    21180      +45     
==========================================
+ Hits        12633    12682      +49     
+ Misses       7707     7703       -4     
  Partials      795      795              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gemini-code-assist]

Code Review

This pull request introduces a fallback mechanism to resolve pull requests by SHA when the standard commit API fails, which is particularly useful for fork PRs. It also adds logic to extract pull request information directly from the check_run event. Feedback focuses on ensuring consistency and handling ambiguity when multiple pull requests might match a single SHA or check run, suggesting the use of existing helper functions to validate that only a single open pull request is processed.

[chmouel]

tested on dogfooding as working

[zakisk]

can we call the findOpenPullRequestBySHA only if its fork because if its not fork and there is no matching PRs as well then it would be just redundant API calls! (hint: event.pull_request.head.fork)

[chmouel]

the whole reason we end up here is that github stripped the PR metadata from the webhook — there's no checkSuite.PullRequests, no checkRun.PullRequests, nothing. so there's no event.pull_request.head.fork to look at either, that data is exactly what's missing. the fallback exists precisely because we have zero PR context to work with.

[zakisk]

Suggested change

	if len(checkSuite.PullRequests) > 0 {
	runevent.PullRequestNumber = checkSuite.PullRequests[0].GetNumber()
	runevent.TriggerTarget = triggertype.PullRequest
	v.Logger.Infof("Recheck of PR %s/%s#%d has been requested", runevent.Organization, runevent.Repository, runevent.PullRequestNumber)
	return v.getPullRequest(ctx, runevent)
	}

[zakisk]

you can delete this as you're already doing this on line 557 below

[chmouel]

these are two different things they come from different levels of the webhook payload and github can populate one without the other. can't remove the first block.

[chmouel]

Code review: found 2 issue(s).

[chmouel]

This still leaves the fork rerun authorized as the PR author rather than the user who clicked Re-run. runevent.Sender is empty on this resolved-PR path, so populateRunEventFromPullRequest fills it with pr.GetUser().GetLogin(). The later non-push ACL check then evaluates the external fork contributor, and /ok-to-test replay does not handle CheckRunEvent, so a maintainer-rerequested fork PR can still be denied after this fallback successfully finds it. Set runevent.Sender and v.userType from event.GetSender() before returning the PR path, like the push path below does.

[chmouel]

Addressed in 6eb152f: rerun events now keep the GitHub actor who clicked Re-run as runevent.Sender before PR population, so the ACL check no longer falls back to the fork PR author.

[chmouel]

This /pulls/987 fixture is never used by the fork fallback path: after /pulls returns the matching PR, the code calls populateRunEventFromPullRequest(runevent, pr) directly and never fetches the single-PR endpoint. That makes the test look like it covers a full PR fetch when it only relies on the list response. Please remove the dead handler or add assertions for fields populated from the list-response PR so the intended coverage is explicit.

[chmouel]

Addressed in 6eb152f: the unused /pulls/987 fixture was removed, and the test now asserts fields populated from the list-response PR so the fork fallback coverage is explicit.

[chmouel]

Jira for the GitHub fork PR rerun fix in this PR: SRVKP-12590.