feat(git): add tag support for TerraformLayers and enhance provider fallback logic (#652)

* feat: Add tag support for git providers

- Add CloneWithFallback function to support both branch and tag references
- Implement ReferenceName and ReferenceNameForTag helper functions
- Update GitHub, GitLab, and Standard providers to use new clone strategy
- Add comprehensive test coverage for new functionality
- Improve error handling and logging for clone operations

This enhancement allows TerraformRepository resources to reference Git tags
in addition to branches, enabling more flexible versioning strategies.

* feat: Add ServiceAccount and ClusterRole for burrito-runner in RBAC configuration
chore: Update .gitignore to include test-repo directory
fix: Clean up whitespace in bundle.go for better readability

* feat: Add allowPrOnTags field to TerraformLayerSpec and update related manifests

* feat: Replace AllowPrOnTags with AdditionalTargetRefs in TerraformLayerSpec and update related manifests

* feat: Include layer name in the generated comment template for better clarity

* refactor: Simplify additionalTargetRefs check using slices.Contains

* feat: Add RBAC configuration for burrito-runner with ClusterRole and necessary permissions

Author: nerdeveloper

.gitignore

@@ -40,3 +40,6 @@ test.out/*
 .venv
 env/
 venv/
+
+test-repo/
+TIltfile

api/v1alpha1/terraformlayer_types.go

@@ -30,15 +30,16 @@ type TerraformLayerSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	Path                string                   `json:"path,omitempty"`
-	Branch              string                   `json:"branch,omitempty"`
-	TerraformConfig     TerraformConfig          `json:"terraform,omitempty"`
-	OpenTofuConfig      OpenTofuConfig           `json:"opentofu,omitempty"`
-	TerragruntConfig    TerragruntConfig         `json:"terragrunt,omitempty"`
-	Repository          TerraformLayerRepository `json:"repository,omitempty"`
-	RemediationStrategy RemediationStrategy      `json:"remediationStrategy,omitempty"`
-	OverrideRunnerSpec  OverrideRunnerSpec       `json:"overrideRunnerSpec,omitempty"`
-	RunHistoryPolicy    RunHistoryPolicy         `json:"runHistoryPolicy,omitempty"`
+	Path                 string                   `json:"path,omitempty"`
+	Branch               string                   `json:"branch,omitempty"`
+	AdditionalTargetRefs []string                 `json:"additionalTargetRefs,omitempty"`
+	TerraformConfig      TerraformConfig          `json:"terraform,omitempty"`
+	OpenTofuConfig       OpenTofuConfig           `json:"opentofu,omitempty"`
+	TerragruntConfig     TerragruntConfig         `json:"terragrunt,omitempty"`
+	Repository           TerraformLayerRepository `json:"repository,omitempty"`
+	RemediationStrategy  RemediationStrategy      `json:"remediationStrategy,omitempty"`
+	OverrideRunnerSpec   OverrideRunnerSpec       `json:"overrideRunnerSpec,omitempty"`
+	RunHistoryPolicy     RunHistoryPolicy         `json:"runHistoryPolicy,omitempty"`
 }
 
 type TerraformLayerRepository struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -32,4 +33,4 @@ rules:
   resources:
   - terraformrepositories
   verbs:
-  - get
+  - get

deploy/charts/burrito/templates/rbac-runner.yaml

@@ -17,6 +17,7 @@ var (
 )
 
 type ReportedLayer struct {
+	Name       string
 	ShortDiff  string
 	Path       string
 	PrettyPlan string
@@ -49,6 +50,7 @@ func (c *DefaultComment) Generate(commit string) (string, error) {
 			return "", err
 		}
 		reportedLayer := ReportedLayer{
+			Name:       layer.Name,
 			Path:       layer.Spec.Path,
 			ShortDiff:  string(shortDiff),
 			PrettyPlan: string(plan),

internal/controllers/terraformpullrequest/comment/default.go

@@ -4,7 +4,7 @@
 
 {{ range .Layers }}
 
-### Layer {{ .Path }}
+### Layer {{ .Name }} ({{ .Path }})
 
 `{{ .ShortDiff }}`
 

internal/controllers/terraformpullrequest/comment/templates/comment.md

@@ -3,6 +3,7 @@ package terraformpullrequest
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -48,7 +49,12 @@ func isLayerAffected(layer configv1alpha1.TerraformLayer, pr configv1alpha1.Terr
 	if layer.Spec.Repository.Namespace != pr.Spec.Repository.Namespace {
 		return false
 	}
-	if layer.Spec.Branch != pr.Spec.Base {
+	// Check if branch matches OR if PR base is in additionalTargetRefs
+	branchMatches := layer.Spec.Branch == pr.Spec.Base
+	additionalTargetMatches := slices.Contains(layer.Spec.AdditionalTargetRefs, pr.Spec.Base)
+
+	// If neither branch matches nor is in additional targets, skip this layer
+	if !branchMatches && !additionalTargetMatches {
 		return false
 	}
 	if controller.LayerFilesHaveChanged(layer, changes) {

internal/controllers/terraformpullrequest/layer.go

@@ -19,6 +19,16 @@ const (
 	BundleDir  = "/tmp/burrito/gitbundles"
 )
 
+// ReferenceName converts a ref string to a plumbing.ReferenceName
+// If ref starts with "refs/", use it directly; otherwise assume it's a branch
+func ReferenceName(ref string) plumbing.ReferenceName {
+	if strings.HasPrefix(ref, "refs/") {
+		return plumbing.ReferenceName(ref)
+	}
+	// Default to branch for backward compatibility
+	return plumbing.NewBranchReferenceName(ref)
+}
+
 func GetGitBundle(repository *configv1alpha1.TerraformRepository, ref string, revision string, auth transport.AuthMethod) ([]byte, error) {
 	repoKey := fmt.Sprintf("%s-%s-%s", repository.Namespace, repository.Name, strings.ReplaceAll(ref, "/", "--"))
 	repoDir := filepath.Join(WorkingDir, repoKey)
@@ -32,10 +42,11 @@ func GetGitBundle(repository *configv1alpha1.TerraformRepository, ref string, re
 
 		// Clone if it doesn't exist
 		log.Infof("Cloning repository %s to %s", repository.Spec.Repository.Url, repoDir)
+
 		cloneOpts := &git.CloneOptions{
 			URL:           repository.Spec.Repository.Url,
 			Auth:          auth,
-			ReferenceName: plumbing.NewBranchReferenceName(ref),
+			ReferenceName: ReferenceName(ref),
 		}
 
 		repo, err = git.PlainClone(repoDir, false, cloneOpts)

internal/utils/gitprovider/common/bundle.go

@@ -13,14 +13,14 @@ import (
 
 	"github.com/bradleyfalzon/ghinstallation/v2"
 	"github.com/go-git/go-git/v5"
-	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	wh "github.com/go-playground/webhooks/github"
 	"github.com/google/go-github/v74/github"
 	configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
 	"github.com/padok-team/burrito/internal/annotations"
 	"github.com/padok-team/burrito/internal/controllers/terraformpullrequest/comment"
+	"github.com/padok-team/burrito/internal/utils/gitprovider/common"
 	"github.com/padok-team/burrito/internal/utils/gitprovider/types"
 	utils "github.com/padok-team/burrito/internal/utils/url"
 	"github.com/padok-team/burrito/internal/webhook/event"
@@ -185,12 +185,12 @@ func (g *Github) Clone(repository *configv1alpha1.TerraformRepository, branch st
 	}
 
 	cloneOptions := &git.CloneOptions{
-		ReferenceName: plumbing.NewBranchReferenceName(branch),
+		ReferenceName: common.ReferenceName(branch),
 		URL:           repository.Spec.Repository.Url,
 		Auth:          auth,
 	}
 
-	log.Infof("Cloning github repository %s on %s branch with github %s authentication", repository.Spec.Repository.Url, branch, g.GitHubClientType)
+	log.Infof("Cloning github repository %s on ref %s with github %s authentication", repository.Spec.Repository.Url, branch, g.GitHubClientType)
 	repo, err := git.PlainClone(repositoryPath, false, cloneOptions)
 	if err != nil {
 		return nil, err

internal/utils/gitprovider/github/github.go

@@ -10,13 +10,13 @@ import (
 	"strings"
 
 	"github.com/go-git/go-git/v5"
-	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	wh "github.com/go-playground/webhooks/gitlab"
 	configv1alpha1 "github.com/padok-team/burrito/api/v1alpha1"
 	"github.com/padok-team/burrito/internal/annotations"
 	"github.com/padok-team/burrito/internal/controllers/terraformpullrequest/comment"
+	"github.com/padok-team/burrito/internal/utils/gitprovider/common"
 	"github.com/padok-team/burrito/internal/utils/gitprovider/types"
 	utils "github.com/padok-team/burrito/internal/utils/url"
 	"github.com/padok-team/burrito/internal/webhook/event"
@@ -139,17 +139,17 @@ func (g *Gitlab) Clone(repository *configv1alpha1.TerraformRepository, branch st
 		return nil, err
 	}
 
+	if auth == nil {
+		return nil, errors.New("no valid authentication method provided")
+	}
+
 	cloneOptions := &git.CloneOptions{
-		ReferenceName: plumbing.NewBranchReferenceName(branch),
+		ReferenceName: common.ReferenceName(branch),
 		URL:           repository.Spec.Repository.Url,
 		Auth:          auth,
 	}
 
-	if auth == nil {
-		return nil, errors.New("no valid authentication method provided")
-	}
-
-	log.Infof("Cloning gitlab repository %s on %s branch", repository.Spec.Repository.Url, branch)
+	log.Infof("Cloning gitlab repository %s on ref %s", repository.Spec.Repository.Url, branch)
 	repo, err := git.PlainClone(repositoryPath, false, cloneOptions)
 	if err != nil {
 		return nil, err