fix: skip prun when target-ns repo cannot be found

[chmouel]

📝 Description of the Change

This fix addresses a critical issue in PipelineRun handling when target namespace repositories are not found. The problem was when a PipelineRun carries a target-namespace annotation pointing to a namespace where no matching Repository object exists, the code was silently falling back to the originating repository. This caused:

• Foreign PipelineRuns (e.g., /test no-match) to execute in the wrong namespace
• Repository status pollution, leading to flaky E2E assertions
• Incorrect cancellation behavior in the ops-comment flow

Why the original fix in 606c830 needed this follow-up

The resolveTargetNamespaceRepo function introduced in 606c830 was written with a defensive fallback philosophy: if anything goes wrong (lookup error, repo not found), return the fallbackRepo so the system keeps working. The assumption was that it's better to run in the wrong namespace than to fail entirely.

However, this removed the caller's ability to distinguish between "resolved successfully" and "failed, gave you the fallback", and the silent fallback did the wrong thing depending on which code path was calling:

• /test path (getPipelineRunsFromRepo): If a PipelineRun template says target-namespace: "production" but no Repository CR exists in that namespace, the old code would silently run the PipelineRun using the source repo — executing it in the wrong namespace with no indication. The user thinks it's targeting production, but it's not. This is a silent misconfiguration that should be surfaced, not hidden.
• /cancel path (resolveRepoForTargetCancelPipelineRun): Here, falling back is actually fine — you still want to cancel the running PipelineRun even if the target-namespace repo is gone. But the old code had no logging to indicate the fallback happened.

This fix changes resolveTargetNamespaceRepo to return nil on failure, pushing the decision back to each caller: /test now skips the PipelineRun and emits an event, while /cancel still falls back but logs a warning.

👨🏻‍ Linked Jira

🔗 Linked GitHub Issue

🚀 Type of Change

• 🐛 Bug fix (fix:)
• ✨ New feature (feat:)
• 💥 Breaking change (feat!:, fix!:)
• 📚 Documentation update (docs:)
• ⚙️ Chore (chore:)
• 💅 Refactor (refactor:)
• 🔧 Enhancement (enhance:)
• 📦 Dependency update (deps:)

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

If you have used AI assistance, please provide the following details:

Which LLM was used?

• GitHub Copilot
• ChatGPT (OpenAI)
• Claude (Anthropic)
• Cursor
• Gemini (Google)
• Other: ____________

Extent of AI Assistance:

• Documentation and research only
• Unit tests or E2E tests only
• Code generation (parts of the code)
• Full code generation (most of the PR)
• PR description and comments
• Commit message(s)

Important

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Gemini gemini@google.com
Co-authored-by: ChatGPT noreply@chatgpt.com
Co-authored-by: Claude noreply@anthropic.com
Co-authored-by: Cursor noreply@cursor.com
Co-authored-by: Copilot Copilot@users.noreply.github.com

**💡You can use the script ./hack/add-llm-coauthor.sh to automatically add
these co-author trailers to your commits.

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any issues. For an efficient workflow, I have considered installing pre-commit and running pre-commit install to automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[gemini-code-assist]

Summary of Changes

Hello @chmouel, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves an issue where PipelineRuns annotated with a target-namespace would incorrectly proceed using the originating repository if the specified target Repository did not exist. The changes ensure that the system correctly identifies and handles the absence of a target Repository, either by skipping the PipelineRun or logging a warning and falling back explicitly, thereby preventing erroneous execution and status pollution.

Highlights

• Improved Target Namespace Repository Resolution: The resolveTargetNamespaceRepo function now explicitly returns nil if a Repository object cannot be found in the target-namespace specified by a PipelineRun annotation, instead of silently falling back.
• Enhanced PipelineRun Cancellation Logic: The resolveRepoForTargetCancelPipelineRun function has been updated to check for a nil return from resolveTargetNamespaceRepo. If the target repository is not found, it logs a warning before falling back to the originating repository for cancellation operations.
• Skipping PipelineRuns with Missing Target Repositories: The getPipelineRunsFromRepo function was modified to skip PipelineRuns that specify a target-namespace where no matching Repository object exists, preventing them from being processed incorrectly.
• Comprehensive Unit Testing: New unit tests have been added to cover scenarios where the target namespace repository is missing, ensuring correct behavior for both PipelineRun cancellation and matching.

Changelog

• pkg/pipelineascode/cancel_pipelineruns.go
  • Modified resolveRepoForTargetCancelPipelineRun to check if resolveTargetNamespaceRepo returns nil and log a warning before falling back to the original repository.
• pkg/pipelineascode/cancel_pipelineruns_test.go
  • Added TestCancelPipelineRunsOpsCommentFallsBackWhenTargetNamespaceRepoMissing to test the fallback mechanism during cancellation when the target repository is not found.
• pkg/pipelineascode/match.go
  • Updated getPipelineRunsFromRepo to skip PipelineRuns if resolveTargetNamespaceRepo returns nil for the target namespace.
  • Modified resolveTargetNamespaceRepo to return nil instead of the fallbackRepo when the target repository is not found or an error occurs during lookup.
• pkg/pipelineascode/match_test.go
  • Extended TestGetPipelineRunsFromRepoExplicitTestUsesTargetNamespaceRepo with a new test case to verify that PipelineRuns are skipped when the target namespace repository is missing.

Activity

• No specific activity (comments, reviews, etc.) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request addresses an issue where PipelineRuns with a target-namespace annotation would incorrectly fall back to the original repository's namespace when the target repository could not be found. The core change modifies resolveTargetNamespaceRepo to return nil in such cases, allowing for more explicit handling. Consequently, pipeline execution is now correctly skipped, preventing runs in the wrong context. For cancellation operations, the logic now logs a warning and intentionally falls back to the original repository. The changes are logical, well-tested with new unit tests for both scenarios, and effectively resolve the described problem. The code is clean and I have no further recommendations.

[Copilot]

Pull request overview

This PR fixes a bug where PipelineRuns with target-namespace annotations pointing to non-existent Repository objects would incorrectly fall back to executing in the originating namespace, causing namespace pollution and flaky E2E tests.

Changes:

• Modified resolveTargetNamespaceRepo to return nil instead of falling back when target namespace repository is not found
• Added logic to skip PipelineRun execution when target namespace repository is missing (for explicit /test commands)
• Added fallback behavior with warning for cancel operations when target namespace repository is missing
• Added comprehensive test coverage for both scenarios

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
pkg/pipelineascode/match.go	Modified resolveTargetNamespaceRepo to return nil on missing target repo; added check to skip PipelineRun when target repo not found
pkg/pipelineascode/cancel_pipelineruns.go	Added fallback logic to use original repo when target namespace repo is missing during cancel operations
pkg/pipelineascode/match_test.go	Added test case for skipping PipelineRun when target namespace repo not found
pkg/pipelineascode/cancel_pipelineruns_test.go	Added test to verify fallback behavior during cancel operations when target namespace repo is missing

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.