feat(github): add glob pattern support for token scope repos

theakshaypant · theakshaypant · commit 55820ee9aad7 · 2026-01-14T10:39:57.000+05:30
Add support for glob patterns when specifying repositories for GitHub App token scoping in both global and repository-level configurations. Users can now use patterns like "myorg/*" to match multiple repos instead of listing each one explicitly. For global config (secret-github-app-scope-extra-repos), glob patterns are expanded by listing all repositories where the GitHub App is installed. Results are cached to avoid repeated API calls when multiple patterns are specified. For repository-level config (github_app_token_scope_repos), glob patterns are matched against Repository CRDs in the same namespace, maintaining the existing namespace isolation requirement. Both exact matches and glob patterns can be combined. Invalid glob patterns are validated early and return clear error messages. Jira: https://issues.redhat.com/browse/SRVKP-10030 Signed-off-by: Akshay Pant <akshay.akshaypant@gmail.com>
diff --git a/docs/content/docs/guide/repositorycrd.md b/docs/content/docs/guide/repositorycrd.md
@@ -240,6 +240,7 @@ This setting enables the scoping of the GitHub token to private and public repos
 ### Scoping the GitHub token using Global configuration
 
 You can use the global configuration to use as a list of repositories used from any Repository CR in any namespace.
+You can specify repositories using exact names or glob patterns (e.g., `myorg/*` to match all repositories under an organization where the app is installed).
 
 To set the global configuration, in the `pipelines-as-code` configmap, set the `secret-github-app-scope-extra-repos` key, as in the following example:
 
@@ -250,13 +251,14 @@ To set the global configuration, in the `pipelines-as-code` configmap, set the `
     name: pipelines-as-code
     namespace: pipelines-as-code
   data:
-    secret-github-app-scope-extra-repos: "owner2/project2, owner3/project3"
+    secret-github-app-scope-extra-repos: "owner2/project2, owner3/*"
   ```
 
 ### Scoping the GitHub token using Repository level configuration
 
 You can use the `Repository` custom resource to scope the generated GitHub token to a list of repositories.
 The repositories can be public or private, but must reside in the same namespace as the repository with which the `Repository` resource is associated.
+You can specify repositories using exact names or glob patterns (e.g., `myorg/*` to match all repositories under an organization which have the GitHub app installed).
 
 Set the `github_app_token_scope_repos` spec configuration within the `Repository` custom resource, as in the following example:
 
@@ -271,18 +273,18 @@ Set the `github_app_token_scope_repos` spec configuration within the `Repository
     settings:
       github_app_token_scope_repos:
       - "owner/project"
-      - "owner1/project1"
+      - "owner1/*"
   ```
 
 In this example, the `Repository` custom resource is associated with the `linda/project` repository in the `test-repo` namespace.
-The scope of the generated GitHub token is extended to the `owner/project` and `owner1/project1` repositories, as well as the `linda/project` repository. These repositories must exist under the `test-repo` namespace.
+The scope of the generated GitHub token is extended to the `owner/project` repository, all repositories matching `owner1/*`, as well as the `linda/project` repository. These repositories must exist under the `test-repo` namespace.
 
 **Note:**
 
-If any of the repositories do not exist in the namespace, the scoping of the GitHub token fails with an error message as in the following example:
+If any of the repositories or patterns do not match any repository in the namespace, the scoping of the GitHub token fails with an error message as in the following example:
 
 ```console
-failed to scope GitHub token as repo owner1/project1 does not exist in namespace test-repo
+failed to scope GitHub token as repo with pattern owner1/project1 does not exist in namespace test-repo
 ```
 
 ### Combining global and repository level configuration
@@ -335,10 +337,10 @@ creation of the GitHub token fails with the following error message:
     ```
 
 - If the scoping of the GitHub token to the repositories set in global or repository level configuration fails for any reason,
-the CI process does not run. This includes cases where the same repository is listed in the global or repository level configuration,
+the CI process does not run. This includes cases where the same repository is listed (or matched) in the global or repository level configuration,
 and the scoping fails for the repository level configuration because the repository is not in the same namespace as the `Repository` custom resource.
 
-  In the following example, the `owner5/project5` repository is listed in both the global configuration and in the repository level configuration:
+  In the following example, the `owner5/project5` repository is listed in the global configuration and matches the pattern in the repository level configuration:
 
   ```yaml
   apiVersion: v1
@@ -360,11 +362,11 @@ and the scoping fails for the repository level configuration because the reposit
     url: "https://github.com/linda/project"
     settings:
       github_app_token_scope_repos:
-      - "owner5/project5"
+      - "owner5/*"
   ```
 
-  In this example, if the `owner5/project5` repository is not under the `test-repo` namespace, scoping of the GitHub token fails with the following error message:
+  In this example, if the `owner5/project5` repository (or any other repository satisfying the specified pattern of `owner5/*`) is not under the `test-repo` namespace, scoping of the GitHub token fails with the following error message:
 
   ```yaml
-  failed to scope GitHub token as repo owner5/project5 does not exist in namespace test-repo
+  failed to scope GitHub token as repo with pattern owner5/* does not exist in namespace test-repo
   ```
diff --git a/pkg/provider/github/github.go b/pkg/provider/github/github.go
@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/gobwas/glob"
 	"github.com/google/go-github/v74/github"
 	"github.com/jonboulle/clockwork"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/keys"
@@ -636,7 +637,17 @@ func ListRepos(ctx context.Context, v *Provider) ([]string, error) {
 }
 
 func (v *Provider) CreateToken(ctx context.Context, repository []string, event *info.Event) (string, error) {
+	var appReposCache []*github.Repository
+
 	for _, r := range repository {
+		// Check if this is a glob pattern
+		if strings.ContainsAny(r, "*?[") {
+			if err := v.expandGlobAndAddRepoIDs(ctx, r, &appReposCache); err != nil {
+				v.Logger.Warn("failed to expand glob pattern %q: %v", r, err)
+			}
+			continue
+		}
+
 		split := strings.Split(r, "/")
 		infoData, _, err := wrapAPI(v, "get_repository", func() (*github.Repository, *github.Response, error) {
 			return v.Client().Repositories.Get(ctx, split[0], split[1])
@@ -655,6 +666,52 @@ func (v *Provider) CreateToken(ctx context.Context, repository []string, event *
 	return token, nil
 }
 
+func (v *Provider) expandGlobAndAddRepoIDs(ctx context.Context, repoPattern string, cache *[]*github.Repository) error {
+	// We can skip error check here as all the glob compilation has been checked
+	// before this method is called.
+	reposToScope, _ := glob.Compile(repoPattern)
+
+	if *cache == nil {
+		repos, err := v.listAppRepos(ctx)
+		if err != nil {
+			return err
+		}
+		*cache = repos
+	}
+
+	for _, repo := range *cache {
+		repoFullName := repo.GetFullName()
+		if reposToScope.Match(repoFullName) {
+			v.RepositoryIDs = uniqueRepositoryID(v.RepositoryIDs, repo.GetID())
+		}
+	}
+
+	return nil
+}
+
+func (v *Provider) listAppRepos(ctx context.Context) ([]*github.Repository, error) {
+	var allRepos []*github.Repository
+
+	opt := &github.ListOptions{PerPage: v.PaginedNumber}
+	for {
+		repoList, resp, err := wrapAPI(v, "list_app_repos", func() (*github.ListRepositories, *github.Response, error) {
+			return v.Client().Apps.ListRepos(ctx, opt)
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to list app repos: %w", err)
+		}
+
+		allRepos = append(allRepos, repoList.Repositories...)
+
+		if resp.NextPage == 0 {
+			break
+		}
+		opt.Page = resp.NextPage
+	}
+
+	return allRepos, nil
+}
+
 func uniqueRepositoryID(repoIDs []int64, id int64) []int64 {
 	r := repoIDs
 	m := make(map[int64]bool)
diff --git a/pkg/provider/github/scope.go b/pkg/provider/github/scope.go
@@ -7,6 +7,7 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/gobwas/glob"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/v1alpha1"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/events"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
@@ -24,7 +25,7 @@ func ScopeTokenToListOfRepos(ctx context.Context, vcx provider.Interface, pacInf
 		listRepos bool
 		token     string
 	)
-	listURLs := map[string]string{}
+	listURLs := []string{}
 	repoListToScopeToken := []string{}
 
 	// This is a Global config to provide list of repos to scope token
@@ -34,6 +35,14 @@ func ScopeTokenToListOfRepos(ctx context.Context, vcx provider.Interface, pacInf
 			if configValueS == "" {
 				continue
 			}
+			// May or may not be a glob
+			if _, err := glob.Compile(configValueS); err != nil {
+				msg := fmt.Sprintf("invalid repo glob specified %s", configValueS)
+				eventEmitter.EmitMessage(nil, zap.ErrorLevel, "InvalidRepoGlobSpecified", msg)
+
+				return "", errors.New(msg)
+			}
+
 			repoListToScopeToken = append(repoListToScopeToken, configValueS)
 		}
 		listRepos = true
@@ -50,15 +59,30 @@ func ScopeTokenToListOfRepos(ctx context.Context, vcx provider.Interface, pacInf
 			if err != nil {
 				return "", err
 			}
-			listURLs[splitData[1]+"/"+splitData[2]] = splitData[1] + "/" + splitData[2]
+			listURLs = append(listURLs, splitData[1]+"/"+splitData[2])
 		}
 		for i := range repo.Spec.Settings.GithubAppTokenScopeRepos {
-			if _, ok := listURLs[repo.Spec.Settings.GithubAppTokenScopeRepos[i]]; !ok {
-				msg := fmt.Sprintf("failed to scope GitHub token as repo %s does not exist in namespace %s", repo.Spec.Settings.GithubAppTokenScopeRepos[i], ns)
+			// May or may not be a glob
+			repoToScope, err := glob.Compile(repo.Spec.Settings.GithubAppTokenScopeRepos[i])
+			if err != nil {
+				msg := fmt.Sprintf("invalid repo glob specified %s", repo.Spec.Settings.GithubAppTokenScopeRepos[i])
+				eventEmitter.EmitMessage(nil, zap.ErrorLevel, "InvalidRepoGlobSpecified", msg)
+
+				return "", errors.New(msg)
+			}
+			globMatchFound := false
+			// Match glob to repos list.
+			for _, repoKey := range listURLs {
+				if repoToScope.Match(repoKey) {
+					repoListToScopeToken = append(repoListToScopeToken, repoKey)
+					globMatchFound = true
+				}
+			}
+			if !globMatchFound {
+				msg := fmt.Sprintf("failed to scope GitHub token as repo with pattern %s does not exist in namespace %s", repo.Spec.Settings.GithubAppTokenScopeRepos[i], ns)
 				eventEmitter.EmitMessage(nil, zap.ErrorLevel, "RepoDoesNotExistInNamespace", msg)
 				return "", errors.New(msg)
 			}
-			repoListToScopeToken = append(repoListToScopeToken, repo.Spec.Settings.GithubAppTokenScopeRepos[i])
 		}
 		// When the global configuration is not set then check for secret-github-app-token-scoped key for the repo level configuration
 		if pacInfo.SecretGHAppRepoScoped && pacInfo.SecretGhAppTokenScopedExtraRepos == "" {
diff --git a/pkg/provider/github/scope_test.go b/pkg/provider/github/scope_test.go
@@ -71,6 +71,75 @@ func TestScopeTokenToListOfRepos(t *testing.T) {
 			URL: privateRepo,
 		},
 	}
+
+	// Additional repos for glob pattern testing
+	repoDataGlobAndExact := &v1alpha1.Repository{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "publicrepo-glob-and-exact",
+			Namespace: testNamespace.Name,
+		},
+		Spec: v1alpha1.RepositorySpec{
+			URL: repoFromWhichEventComes,
+			Settings: &v1alpha1.Settings{
+				GithubAppTokenScopeRepos: []string{"owner1/repo1", "owner2/*"},
+			},
+		},
+	}
+
+	repoDataInvalidGlob := &v1alpha1.Repository{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "publicrepo-invalid-glob",
+			Namespace: testNamespace.Name,
+		},
+		Spec: v1alpha1.RepositorySpec{
+			URL: repoFromWhichEventComes,
+			Settings: &v1alpha1.Settings{
+				GithubAppTokenScopeRepos: []string{"owner2/[invalid"},
+			},
+		},
+	}
+
+	repoDataGlobNoMatch := &v1alpha1.Repository{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "publicrepo-glob-nomatch",
+			Namespace: testNamespace.Name,
+		},
+		Spec: v1alpha1.RepositorySpec{
+			URL: repoFromWhichEventComes,
+			Settings: &v1alpha1.Settings{
+				GithubAppTokenScopeRepos: []string{"nonexistent/*"},
+			},
+		},
+	}
+
+	// Additional private repos for glob testing
+	privateRepo2 := "https://org.com/owner2/repo3"
+	repoData2 := &v1alpha1.Repository{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "privaterepo2",
+			Namespace: testNamespace.Name,
+		},
+		Spec: v1alpha1.RepositorySpec{
+			URL: privateRepo2,
+		},
+	}
+
+	privateRepo3 := "https://org.com/owner1/repo1"
+	repoData3 := &v1alpha1.Repository{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "privaterepo3",
+			Namespace: testNamespace.Name,
+		},
+		Spec: v1alpha1.RepositorySpec{
+			URL: privateRepo3,
+		},
+	}
+
 	tests := []struct {
 		name                     string
 		tData                    testclient.Data
@@ -129,7 +198,7 @@ func TestScopeTokenToListOfRepos(t *testing.T) {
 			},
 			repository:            repoData,
 			repoListsByGlobalConf: "",
-			wantError:             "failed to scope GitHub token as repo owner2/repo2 does not exist in namespace pipelinesascode",
+			wantError:             "failed to scope GitHub token as repo with pattern owner2/repo2 does not exist in namespace pipelinesascode",
 			wantToken:             "",
 		},
 		{
@@ -178,6 +247,69 @@ func TestScopeTokenToListOfRepos(t *testing.T) {
 			wantToken:                "123abcdfrf",
 			repositoryID:             []int64{789, 10112, 112233},
 		},
+		{
+			name: "repos are listed using both glob pattern and exact match",
+			tData: testclient.Data{
+				Namespaces: []*corev1.Namespace{testNamespace},
+				Secret:     []*corev1.Secret{validSecret},
+				Repositories: []*v1alpha1.Repository{
+					repoDataGlobAndExact, repoData1, repoData2, repoData3,
+				},
+			},
+			repository:            repoDataGlobAndExact,
+			repoListsByGlobalConf: "",
+			wantError:             "",
+			wantToken:             "123abcdfrf",
+			repositoryID:          []int64{789, 10112, 112233, 445566},
+		},
+		{
+			name: "invalid glob pattern returns error",
+			tData: testclient.Data{
+				Namespaces: []*corev1.Namespace{testNamespace},
+				Secret:     []*corev1.Secret{validSecret},
+				Repositories: []*v1alpha1.Repository{
+					repoDataInvalidGlob, repoData1,
+				},
+			},
+			repository:            repoDataInvalidGlob,
+			repoListsByGlobalConf: "",
+			wantError:             "invalid repo glob specified",
+			wantToken:             "",
+		},
+		{
+			name: "glob pattern that matches no repos returns error",
+			tData: testclient.Data{
+				Namespaces: []*corev1.Namespace{testNamespace},
+				Secret:     []*corev1.Secret{validSecret},
+				Repositories: []*v1alpha1.Repository{
+					repoDataGlobNoMatch, repoData1,
+				},
+			},
+			repository:            repoDataGlobNoMatch,
+			repoListsByGlobalConf: "",
+			wantError:             "failed to scope GitHub token as repo with pattern nonexistent/* does not exist in namespace pipelinesascode",
+			wantToken:             "",
+		},
+		{
+			name: "invalid glob pattern in global config returns error",
+			tData: testclient.Data{
+				Namespaces: []*corev1.Namespace{testNamespace},
+				Secret:     []*corev1.Secret{validSecret},
+			},
+			repository: &v1alpha1.Repository{
+				TypeMeta: metav1.TypeMeta{},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "publicrepo",
+					Namespace: testNamespace.Name,
+				},
+				Spec: v1alpha1.RepositorySpec{
+					URL: repoFromWhichEventComes,
+				},
+			},
+			repoListsByGlobalConf: "owner1/[invalid",
+			wantError:             "invalid repo glob specified",
+			wantToken:             "",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -232,7 +364,7 @@ func TestScopeTokenToListOfRepos(t *testing.T) {
 				pacInfo:  pacInfo,
 			}
 
-			extraRepoInstallIDs := map[string]string{"owner/repo": "789", "owner1/repo1": "10112", "owner2/repo2": "112233"}
+			extraRepoInstallIDs := map[string]string{"owner/repo": "789", "owner1/repo1": "10112", "owner2/repo2": "112233", "owner2/repo3": "445566"}
 			for v := range extraRepoInstallIDs {
 				split := strings.Split(v, "/")
 				mux.HandleFunc(fmt.Sprintf("/repos/%s/%s", split[0], split[1]), func(w http.ResponseWriter, _ *http.Request) {
@@ -243,8 +375,11 @@ func TestScopeTokenToListOfRepos(t *testing.T) {
 			eventEmitter := events.NewEventEmitter(run.Clients.Kube, logger)
 			token, err := ScopeTokenToListOfRepos(ctx, gvcs, pacInfo, tt.repository, run, info, eventEmitter, logger)
 			assert.Equal(t, token, tt.wantToken)
-			if err != nil {
-				assert.Equal(t, err.Error(), tt.wantError)
+			if tt.wantError != "" {
+				assert.Assert(t, err != nil, "expected error but got none")
+				assert.Assert(t, strings.Contains(err.Error(), tt.wantError), "error %q should contain %q", err.Error(), tt.wantError)
+			} else {
+				assert.NilError(t, err)
 			}
 			assert.Equal(t, len(gvcs.RepositoryIDs), len(tt.repositoryID))
 		})
diff --git a/test/github_scope_token_to_list_of_private_public_repos_test.go b/test/github_scope_token_to_list_of_private_public_repos_test.go
