fix(resolve): restore relative task path resolution for repository paths

[theakshaypant]

📝 Description of the Change

Commit 6e36620 broke relative task path resolution for repository file paths by only allowing HTTP(S) URLs. This caused paths containing '..' to be passed unresolved to the GitHub API, which rejects them with "path must not contain '..' due to auth vulnerability issue".

This fix restores the original behavior by allowing both HTTP(S) URLs and repository file paths (e.g., .tekton/pipelines/build.yaml) to have their relative paths resolved, while still excluding catalog/hub references (catalog://, hub://).

Also added relative local path resolution in e2e test TestGiteaPullRequestTaskAnnotations.

👨🏻‍ Linked Jira

https://redhat.atlassian.net/browse/SRVKP-11021

🔗 Linked GitHub Issue

Fixes #2549

🧪 Testing Strategy

• Unit tests
• Integration tests
• End-to-end tests
• Manual testing
• Not Applicable

🤖 AI Assistance

• I have not used any AI assistance for this PR.
• I have used AI assistance for this PR.

If you have used AI assistance, please provide the following details:

Which LLM was used?

• GitHub Copilot
• ChatGPT (OpenAI)
• Claude (Anthropic)
• Cursor
• Gemini (Google)
• Other: ____________

Extent of AI Assistance:

• Documentation and research only
• Unit tests or E2E tests only
• Code generation (parts of the code)
• Full code generation (most of the PR)
• PR description and comments
• Commit message(s)

Important

If the majority of the code in this PR was generated by an AI, please add a Co-authored-by trailer to your commit message.
For example:

Co-authored-by: Gemini gemini@google.com
Co-authored-by: ChatGPT noreply@chatgpt.com
Co-authored-by: Claude noreply@anthropic.com
Co-authored-by: Cursor noreply@cursor.com
Co-authored-by: Copilot Copilot@users.noreply.github.com

**💡You can use the script ./hack/add-llm-coauthor.sh to automatically add
these co-author trailers to your commits.

✅ Submitter Checklist

• 📝 My commit messages are clear, informative, and follow the project's How to write a git commit message guide. The Gitlint linter ensures in CI it's properly validated
• ✨ I have ensured my commit message prefix (e.g., fix:, feat:) matches the "Type of Change" I selected above.
• ♽ I have run make test and make lint locally to check for and fix any
  issues. For an efficient workflow, I have considered installing
  pre-commit and running pre-commit install to
  automate these checks.
• 📖 I have added or updated documentation for any user-facing changes.
• 🧪 I have added sufficient unit tests for my code changes.
• 🎁 I have added end-to-end tests where feasible. See README for more details.
• 🔎 I have addressed any CI test flakiness or provided a clear reason to bypass it.
• If adding a provider feature, I have filled in the following and updated the provider documentation:
  • GitHub App
  • GitHub Webhook
  • Gitea/Forgejo
  • GitLab
  • Bitbucket Cloud
  • Bitbucket Data Center

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a regression that prevented the proper resolution of relative task paths when referencing files within a repository. The fix re-enables this critical functionality, allowing users to define tasks using relative paths without encountering errors from the GitHub API. It ensures that the system can correctly interpret and resolve these paths, improving the robustness and flexibility of task definitions within repositories.

Highlights

• Relative Path Resolution: Restored the ability to resolve relative task paths for repository file paths, which was previously broken. This ensures that paths containing '..' are correctly handled and do not lead to GitHub API errors.
• Path Type Support: Expanded the assembleTaskFQDNs function to correctly process both HTTP(S) URLs and repository file paths (e.g., .tekton/pipelines/build.yaml) for relative task resolution, while still excluding catalog/hub references.
• End-to-End Testing: Added a new end-to-end test case to validate the correct resolution of relative local paths within repository contexts.

Changelog

• pkg/resolve/remote.go
  • Modified the assembleTaskFQDNs function to allow relative task path resolution for both HTTP(S) URLs and repository file paths, instead of only HTTP(S) URLs.
• pkg/resolve/remote_test.go
  • Updated an existing test case to verify that repository file paths now correctly resolve relative tasks, reflecting the new behavior.
• test/gitea_test.go
  • Added a new YAML file reference (.other-tasks/task2-referenced-internally.yaml) to the YAMLFiles map for an e2e test case.
• test/github_scope_token_to_list_of_private_public_repos_test.go
  • Included a new YAML file reference (.other-tasks/task2-referenced-internally.yaml) in the payload.GetEntries map for the GitHub token scope test.
• test/testdata/pipeline_in_tektondir.yaml
  • Added a new task reference (task2-referenced-internally) to the pipeline specification.
• test/testdata/pipelinerun_remote_task_annotations.yaml
  • Added a new annotation (pipelinesascode.tekton.dev/task-3) referencing task2-referenced-internally.yaml.
• test/testdata/task2_referenced_internally.yaml
  • Added a new Tekton Task definition file named task2-referenced-internally.yaml.

Activity

• The author used AI assistance (Claude) for generating commit messages.
• The author performed end-to-end testing and manual testing.
• The author ensured commit messages are clear and follow project guidelines.
• The author ran make test and make lint locally.
• The author added sufficient unit and end-to-end tests.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[pipelines-as-code]

🔍 PR Lint Feedback

Note: This automated check helps ensure your PR follows our contribution guidelines.

⚠️ Items that need attention:

🤖 AI attribution

The following commits lack an explicit AI attribution footer:

• 57c149d fix(resolve): restore relative task path resolution for repository paths

If no AI assistance was used for a commit, you can ignore this warning.
Otherwise add an Assisted-by: or Co-authored-by: footer referencing the AI used.

---

ℹ️ Next Steps

• Review and address the items above
• Push new commits to update this PR
• This comment will be automatically updated when issues are resolved

🔧 Admin Tools (click to expand)

Automated Issue/Ticket Creation:

• /issue-create - Generate a GitHub issue from this PR content using AI
• /jira-create - Create a SRVKP Jira ticket from this PR content using AI

⚠️ Important: Always review and edit generated content before finalizing tickets/issues.
The AI-generated content should be used as a starting point and may need adjustments.

These commands are available to maintainers and will post the generated content as PR comments for review.

_{🤖 This feedback was generated automatically by the PR CI system}

[gemini-code-assist]

Code Review

This pull request effectively addresses a regression that broke relative task path resolution for tasks defined within repository file paths. The fix correctly extends the resolution logic to handle both HTTP(S) URLs and local repository paths, and the change is well-supported by a new unit test case. However, I've identified a potential issue with the new logic for detecting repository paths, which may not work for files at the repository root. I've also included a minor suggestion to clean up some commented-out code.

[theakshaypant]

I have tried to restore the original behaviour of the function but a bit doubtful if the second resolution is what we expect expect.

[theakshaypant]

These tests are skipped but still modified them (not tested).

[theakshaypant]

Both tasks are same, one is referenced using its absolute path in the repo and the other with relative path

pipelinesascode.tekton.dev/task: "[.other-tasks/task-referenced-internally.yaml]"
pipelinesascode.tekton.dev/task-3: "[../.other-tasks/task2-referenced-internally.yaml]"

[chmouel]

@theakshaypant we will ned a jira for this one.

[theakshaypant]

@theakshaypant we will ned a jira for this one.

Created downstream ticket to track this SRVKP-11021

[theakshaypant]

/retest go-testing

[chmouel]

I think this is fixing the right bug in the code, but the new e2e test is proving a different thing than what the code actually changed.

The patch teaches PAC how to resolve relative task paths when they come from the Pipeline file.
But the new test adds a relative task path on the PipelineRun annotation instead (task-3: [../.other-tasks/task2-referenced-internally.yaml]). That path still goes through a different code path, so this PR does not really prove that case is fixed. But the new test adds a relative task path on the PipelineRun annotation instead (task-3: [../.other-tasks/task2-referenced-internally.yaml]).

That path still goes through a different code path, so this PR does not really prove that case is fixed.

[chmouel]

/retest

[theakshaypant]

@chmouel Thanks for pointing this out! Updated the test in fab0670 to use a pipeline annotation. Verified a added log that the test hits the targeted code path.