@zakisk zakisk commented Nov 7, 2025

Refactor ACL check to properly handle RememberOKToTest setting:

  • When RememberOKToTest is disabled for MergeEvent, skip checking all discussion notes and return false early
  • When RememberOKToTest is disabled for MergeCommentEvent, check only the current comment instead of all discussion history
  • Add aclAllowedOkToTestCurrentComment function to validate the specific comment that triggered the event

This avoids checking all comments for /ok-to-test regardless of RememberOkToTest setting and optimizes the ACL check by avoiding unnecessary API calls to fetch all discussion notes when RememberOKToTest is disabled.

📝 Description of the Change

👨🏻‍ Linked Jira

https://issues.redhat.com/browse/SRVKP-9200

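The decision flow this description lays out, as an added Go example that is not the project's code: `Note`, `Decision`, `OkToTest` and the own-line `/ok-to-test` pattern are assumptions for illustration, and `history` stands in for the API call that fetches all discussion notes.

```go
package main

import (
	"fmt"
	"regexp"
)

// Note is a hypothetical stand-in for a merge request discussion note.
type Note struct{ Author, Body string }

// Assumed command syntax: /ok-to-test alone on a line.
var okToTest = regexp.MustCompile(`(?m)^/ok-to-test\s*$`)

// Decision records the result and whether the full discussion was fetched.
type Decision struct {
	Allowed        bool
	Approver       string
	HistoryFetched bool
}

// approves is true only when the note carries the command AND its author is a member.
func approves(n Note, members map[string]bool) bool {
	return okToTest.MatchString(n.Body) && members[n.Author]
}

// OkToTest is reached after the sender's own membership check has failed.
// current is the comment that triggered the event (nil for a plain merge event).
func OkToTest(remember bool, current *Note, history func() []Note, members map[string]bool) Decision {
	if !remember {
		// Setting disabled: earlier approvals do not carry over, and no history is fetched.
		if current != nil && approves(*current, members) {
			return Decision{Allowed: true, Approver: current.Author}
		}
		return Decision{}
	}
	for _, n := range history() { // setting enabled: any past approval by a member counts
		if approves(n, members) {
			return Decision{Allowed: true, Approver: n.Author, HistoryFetched: true}
		}
	}
	return Decision{HistoryFetched: true}
}

func main() {
	members := map[string]bool{"maintainer": true} // constructed sample data
	past := func() []Note { return []Note{{"maintainer", "/ok-to-test"}} }
	fmt.Println(OkToTest(false, nil, past, members)) // new push, setting off
	fmt.Println(OkToTest(true, nil, past, members))  // new push, setting on
}
```

With the setting off, a new push to a merge request that a member approved earlier is denied again until a member comments `/ok-to-test` on it afresh.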

@gemini-code-assist

Summary of Changes

Hello @zakisk, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a bug in the GitLab ACL check mechanism by refining how the RememberOKToTest setting is applied. The changes optimize performance by preventing redundant API calls to fetch merge request discussion notes when the setting is disabled, ensuring that /ok-to-test commands are processed efficiently and correctly based on the configured behavior.

Highlights

  • Refactored ACL Check Logic: The Access Control List (ACL) check for GitLab events has been refactored to properly handle the RememberOKToTest setting, improving efficiency and accuracy.
  • Optimized MergeEvent Handling: When RememberOKToTest is disabled for a MergeEvent, the system now skips checking all discussion notes, returning false early and avoiding unnecessary API calls.
  • Optimized MergeCommentEvent Handling: For MergeCommentEvents with RememberOKToTest disabled, the system will now only check the current comment for /ok-to-test instead of iterating through the entire discussion history.
  • New ACL Function for Current Comment: A new function, aclAllowedOkToTestCurrentComment, has been introduced to specifically validate the single comment that triggered a MergeCommentEvent when RememberOKToTest is off.
  • Enhanced Test Coverage: New test cases have been added to acl_test.go to cover scenarios where the RememberOKToTest setting is both enabled and disabled, ensuring the new logic behaves as expected.

pipelines-as-code bot commented Nov 7, 2025

🔍 PR Lint Feedback

Note: This automated check helps ensure your PR follows our contribution guidelines.

⚠️ Items that need attention:

🤖 AI attribution

The following commits lack an explicit AI attribution footer:

  • 2f0871e fix(gitlab): check permission according to RememberOkToTest setting

If no AI assistance was used for a commit, you can ignore this warning.
Otherwise add an Assisted-by: or Co-authored-by: footer referencing the AI used.


ℹ️ Next Steps

  • Review and address the items above
  • Push new commits to update this PR
  • This comment will be automatically updated when issues are resolved

🤖 This feedback was generated automatically by the PR CI system

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the GitLab ACL check to correctly handle the RememberOKToTest setting, which is a good optimization to avoid unnecessary API calls. The changes look mostly correct, but I've identified a couple of issues. There's an inconsistency in how the event sender is updated when an /ok-to-test comment is found, which depends on the RememberOKToTest setting. Additionally, I've found an issue in the test setup that causes the tests for the /ok-to-test feature to pass for the wrong reason, not actually testing the intended logic. My review includes detailed comments and suggestions to address these points.

client, mux, tearDown := thelp.Setup(t)
v.gitlabClient = client
if tt.allowMemberID != 0 {
v.userID = tt.allowMemberID
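
Review bot: `v.userID = tt.allowMemberID` under `if tt.allowMemberID != 0` gives the provider the allowed member's ID in every case that sets allowMemberID, so a passing result no longer shows which check granted access. Leave v.userID as the event sender's ID and add a case where allowMemberID is set, no /ok-to-test comment exists, and the expected result is denied; that case fails if membership of the wrong user is what lets the request through.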

high

This line seems to introduce a bug in the test logic for /ok-to-test scenarios. By setting v.userID = tt.allowMemberID, you are overwriting the ID of the user who triggered the event (the non-member) with the ID of the authorized user.

As a result, the initial v.checkMembership(ctx, event, v.userID) check in IsAllowed will pass, and the test will succeed without ever exercising the checkOkToTestCommentFromApprovedMember logic, which is what these tests are supposed to validate.

The v.userID on the provider should represent the user who triggered the event. The allowMemberID is correctly used to mock the API response for when the commenter's membership is checked inside checkOkToTestCommentFromApprovedMember. This line should be removed to correctly test the intended code path.

Refactor ACL check to properly handle RememberOKToTest setting:
- When RememberOKToTest is disabled for MergeEvent, skip checking
  all discussion notes and return false early
- When RememberOKToTest is disabled for MergeCommentEvent, check
  only the current comment instead of all discussion history
- Add aclAllowedOkToTestCurrentComment function to validate the
  specific comment that triggered the event

This avoids checking all comments for /ok-to-test regardless of
RememberOkToTest setting and optimizes the ACL check by
avoiding unnecessary API calls to fetch all discussion notes
when RememberOKToTest is disabled.

https://issues.redhat.com/browse/SRVKP-9200

Signed-off-by: Zaki Shaikh <[email protected]>
@zakisk zakisk force-pushed the SRVKP-9200-fix-remember-ok-to-test-for-gitlab branch from 94397af to 2f0871e Compare November 9, 2025 18:18
zakisk commented Nov 9, 2025

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the GitLab ACL checks to correctly handle the RememberOKToTest setting, which avoids unnecessary API calls. The implementation is logical and adds corresponding unit tests.

I have two main points of feedback:

  1. In pkg/provider/gitlab/acl.go, I've suggested a small refactoring to make the creation of a temporary info.Event more robust and less prone to future errors.
  2. In pkg/provider/gitlab/acl_test.go, I've identified a logic issue in the test setup that causes some tests to pass for incorrect reasons. Fixing this is important to ensure the new functionality is properly tested.

Once these points are addressed, the PR will be in great shape.

client, mux, tearDown := thelp.Setup(t)
v.gitlabClient = client
if tt.allowMemberID != 0 {
v.userID = tt.allowMemberID

high

This line v.userID = tt.allowMemberID appears to be a bug in the test logic. It overwrites the userID of the provider with the ID of the allowed member.

For tests checking the /ok-to-test functionality, v.userID should be the ID of the user who triggered the event (e.g., the PR author), who is typically not a project member. The initial membership check in IsAllowed should fail, and the logic should then proceed to check for /ok-to-test comments.

By setting v.userID to tt.allowMemberID, the initial v.checkMembership(ctx, event, v.userID) in IsAllowed will pass, and the test will succeed without ever exercising the checkOkToTestCommentFromApprovedMember code path. This means the tests for /ok-to-test are not actually testing the intended functionality.

Please remove this line to ensure the tests are correctly validating the ACL logic for /ok-to-test comments.

Comment on lines +118 to +123
commenterEvent := info.NewEvent()
commenterEvent.Event = event.Event
commenterEvent.Sender = comment.Author.Username
commenterEvent.BaseBranch = event.BaseBranch
commenterEvent.HeadBranch = event.HeadBranch
commenterEvent.DefaultBranch = event.DefaultBranch

medium

Creating a new info.Event and manually copying only a few fields is brittle. If checkMembership or its callees start depending on other fields from the event struct in the future, this could lead to subtle bugs because those fields would have their zero value.

It's safer to create a shallow copy of the original event and then modify only the fields that need to be changed. This ensures that all other context from the original event is preserved.

Suggested change
commenterEvent := info.NewEvent()
commenterEvent.Event = event.Event
commenterEvent.Sender = comment.Author.Username
commenterEvent.BaseBranch = event.BaseBranch
commenterEvent.HeadBranch = event.HeadBranch
commenterEvent.DefaultBranch = event.DefaultBranch
commenterEvent := new(info.Event)
event.DeepCopyInto(commenterEvent)
commenterEvent.Sender = comment.Author.Username
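
Review bot: the replacement lines call event.DeepCopyInto(commenterEvent), which is a deep copy, while the comment above recommends a shallow copy; say which is intended before applying. The block shows the six removed lines and the three replacement lines run together without markers, so only the last three (new(info.Event), DeepCopyInto, the Sender override) are the proposed code. Because every field other than Sender now reaches checkMembership unchanged, confirm that none of the copied fields still identifies the original sender.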

zakisk commented Nov 10, 2025

/test

zakisk commented Nov 10, 2025

/retest

@zakisk zakisk requested review from aThorp96 and chmouel November 11, 2025 06:34