
incoming webhook: pipelinerun_provenance default_branch fails because DefaultBranch is never set #2646

@vdemeester

Description

When using incoming webhooks with pipelinerun_provenance: default_branch set on the Repository CR, the PipelineRun definition fetch fails with a 404 because the event's DefaultBranch field is never populated for incoming webhook events.

Steps to Reproduce

  1. Configure a Repository CR with:
    spec:
      settings:
        pipelinerun_provenance: default_branch
      incoming:
        - type: webhook-url
          targets: ["release-v*"]
          secret:
            name: pac-incoming-secret
          params: [version]
  2. Have .tekton/ PipelineRun definitions on the default branch (main) but NOT on the target release branch
  3. Trigger an incoming webhook:
    curl -X POST https://pac.example.com/incoming \
      -H "Content-Type: application/json" \
      -d '{"repository":"my-repo","branch":"release-v1.0.x","pipelinerun":"release-patch","secret":"...","params":{"version":"v1.0.1"}}'

Expected Behavior

PAC should fetch the .tekton/ directory from the repository's default branch (e.g., main), matching the behavior of push and pull_request events.

Actual Behavior

PAC logs:

"Using PipelineRun definition from default_branch: "    ← empty!
GitHub API call failed: GET https://api.github.com/repos/org/repo/git/trees/: 404 Not Found

The DefaultBranch field is empty, causing GetTektonDir() to call the GitHub Trees API with an empty revision, resulting in a 404.

Root Cause

In pkg/adapter/incoming.go, the event fields set for incoming webhooks are:

event.EventType = "incoming"
event.TriggerTarget = "push"
event.TargetPipelineRun = payload.PipelineRun
event.HeadBranch = payload.Branch
event.BaseBranch = payload.Branch
event.URL = repo.Spec.URL
event.Sender = "incoming"

event.DefaultBranch is never set. This field is populated by ParsePayload for push/PR events (from the webhook payload's repository.default_branch), but incoming webhooks bypass ParsePayload entirely.

When pipelinerun_provenance: default_branch is configured, GetTektonDir() in pkg/provider/github/github.go uses runevent.DefaultBranch as the tree revision:

if provenance == "default_branch" {
    revision = runevent.DefaultBranch  // empty string!
}

The same issue affects GetFileInsideRepo(), which also uses runevent.DefaultBranch when provenance is default_branch.

Affected Versions

All versions since incoming webhook support was added. Confirmed on v0.43.0 and v0.44.0.

Proposed Fix

In GetCommitInfo() (or verifyRepoAndUser()), when DefaultBranch is empty and we already have the GitHub client, fetch the repository metadata to populate DefaultBranch. The branch info is already fetched in GetCommitInfo() for incoming webhooks (to resolve SHA from HeadBranch), so the additional API call would be minimal.

Workaround

There is no clean workaround:

  • pipelinerun_provenance: source (default) would try to fetch .tekton/ from the incoming branch, which may not have the files
  • Cherry-picking .tekton/ files to every release branch defeats the purpose of default_branch provenance

/kind bug
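
The guard described under "Proposed Fix", as an added Go sketch that is not part of the original issue or the project's code: it fills an empty DefaultBranch from repository metadata and refuses to continue with an empty revision instead of issuing the Trees API call that returns 404. The names Event, RepoInfo, ResolveRevision, ErrEmptyRevision and staticRepo are hypothetical, and using HeadBranch for the "source" case is a simplification.

```go
package main

import (
	"errors"
	"fmt"
)

// Event carries only the fields named in the issue (hypothetical, trimmed type).
type Event struct {
	EventType, HeadBranch, DefaultBranch string
}

// RepoInfo is a hypothetical stand-in for the provider's repository metadata lookup.
type RepoInfo interface {
	DefaultBranch() (string, error)
}

// ErrEmptyRevision is returned instead of querying the tree API with "".
var ErrEmptyRevision = errors.New("empty revision: refusing to query the tree API")

// ResolveRevision picks the revision that .tekton/ is read from.
func ResolveRevision(ev *Event, provenance string, repo RepoInfo) (string, error) {
	revision := ev.HeadBranch // "source" provenance, simplified
	if provenance == "default_branch" {
		if ev.DefaultBranch == "" {
			// Incoming events bypass ParsePayload, so look the branch up here.
			branch, err := repo.DefaultBranch()
			if err != nil {
				return "", fmt.Errorf("looking up default branch: %w", err)
			}
			ev.DefaultBranch = branch
		}
		revision = ev.DefaultBranch
	}
	if revision == "" {
		return "", ErrEmptyRevision
	}
	return revision, nil
}

// staticRepo is constructed sample data standing in for an API response.
type staticRepo string

func (s staticRepo) DefaultBranch() (string, error) { return string(s), nil }

func main() {
	ev := &Event{EventType: "incoming", HeadBranch: "release-v1.0.x"}
	rev, err := ResolveRevision(ev, "default_branch", staticRepo("main"))
	fmt.Println(rev, err)
}
```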
