feat(cel): add direct custom param variable access

Allow custom parameters from Repository CR to be accessed directly as
CEL variables without template expansion. Parameters can now be used
as: param_name == "value" on top of "{{param_name}}" == "value".

Jira: https://issues.redhat.com/browse/SRVKP-9118

Signed-off-by: Akshay Pant <akshay.akshaypant@gmail.com>

Author: theakshaypant

pkg/matcher/annotation_matcher.go

@@ -9,9 +9,11 @@ import (
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/keys"
 	apipac "github.com/openshift-pipelines/pipelines-as-code/pkg/apis/pipelinesascode/v1alpha1"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/customparams"
 	pacerrors "github.com/openshift-pipelines/pipelines-as-code/pkg/errors"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/events"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/formatting"
+	"github.com/openshift-pipelines/pipelines-as-code/pkg/kubeinteraction"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/opscomments"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params"
 	"github.com/openshift-pipelines/pipelines-as-code/pkg/params/info"
@@ -210,6 +212,12 @@ func MatchPipelinerunByAnnotation(ctx context.Context, logger *zap.SugaredLogger
 	}
 	logger.Info(infomsg)
 
+	// Resolve custom params once for all PipelineRuns (for use in CEL expressions)
+	customParams := resolveCustomParamsForCEL(ctx, repo, event, cs, vcx, eventEmitter, logger)
+	if len(customParams) > 0 {
+		logger.Debugf("resolved %d custom params from repo for CEL", len(customParams))
+	}
+
 	celValidationErrors := []*pacerrors.PacYamlValidations{}
 	for _, prun := range pruns {
 		prMatch := Match{
@@ -280,7 +288,7 @@ func MatchPipelinerunByAnnotation(ctx context.Context, logger *zap.SugaredLogger
 		if celExpr, ok := prun.GetObjectMeta().GetAnnotations()[keys.OnCelExpression]; ok {
 			checkPipelineRunAnnotation(prun, eventEmitter, repo)
 
-			out, err := celEvaluate(ctx, celExpr, event, vcx)
+			out, err := celEvaluate(ctx, celExpr, event, vcx, customParams)
 			if err != nil {
 				logger.Errorf("there was an error evaluating the CEL expression, skipping: %v", err)
 				if checkIfCELEvaluateError(err) {
@@ -508,3 +516,40 @@ func MatchRunningPipelineRunForIncomingWebhook(eventType, incomingPipelineRun st
 	}
 	return nil
 }
+
+// resolveCustomParamsForCEL resolves custom parameters from the Repository CR for use in CEL expressions.
+// It returns a map of parameter names to values, excluding reserved keywords.
+// All parameters are returned as strings, including those from secret_ref.
+func resolveCustomParamsForCEL(ctx context.Context, repo *apipac.Repository, event *info.Event, cs *params.Run, vcx provider.Interface, eventEmitter *events.EventEmitter, logger *zap.SugaredLogger) map[string]string {
+	if repo == nil || repo.Spec.Params == nil {
+		return map[string]string{}
+	}
+
+	// Create kubeinteraction interface
+	kinteract, err := kubeinteraction.NewKubernetesInteraction(cs)
+	if err != nil {
+		logger.Warnf("failed to create kubernetes interaction for custom params: %s", err.Error())
+		return map[string]string{}
+	}
+
+	// Use existing customparams package to resolve all params
+	cp := customparams.NewCustomParams(event, repo, cs, kinteract, eventEmitter, vcx)
+	allParams, _, err := cp.GetParams(ctx)
+	if err != nil {
+		eventEmitter.EmitMessage(repo, zap.WarnLevel, "CustomParamsCELError",
+			fmt.Sprintf("failed to resolve custom params for CEL: %s", err.Error()))
+		return map[string]string{}
+	}
+
+	// Filter to only include params defined in repo.Spec.Params (not standard PAC params)
+	result := make(map[string]string)
+	if repo.Spec.Params != nil {
+		for _, param := range *repo.Spec.Params {
+			if value, ok := allParams[param.Name]; ok {
+				result[param.Name] = value
+			}
+		}
+	}
+
+	return result
+}

pkg/matcher/annotation_matcher_test.go

@@ -1346,6 +1346,262 @@ func TestMatchPipelinerunAnnotationAndRepositories(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "cel/custom-params-simple",
+			args: annotationTestArgs{
+				pruns: []*tektonv1.PipelineRun{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: pipelineTargetNSName,
+							Annotations: map[string]string{
+								keys.OnCelExpression: "test_enabled == \"true\"",
+							},
+						},
+					},
+				},
+				runevent: info.Event{
+					URL:           targetURL,
+					TriggerTarget: "push",
+					BaseBranch:    mainBranch,
+					EventType:     "push",
+				},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						testnewrepo.NewRepo(
+							testnewrepo.RepoTestcreationOpts{
+								Name:             "test-good",
+								URL:              targetURL,
+								InstallNamespace: targetNamespace,
+								Params: &[]v1alpha1.Params{
+									{
+										Name:  "test_enabled",
+										Value: "true",
+									},
+								},
+							},
+						),
+					},
+				},
+			},
+			wantPRName: pipelineTargetNSName,
+			wantErr:    false,
+		},
+		{
+			name: "cel/custom-params-multiple",
+			args: annotationTestArgs{
+				pruns: []*tektonv1.PipelineRun{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: pipelineTargetNSName,
+							Annotations: map[string]string{
+								keys.OnCelExpression: "environment == \"production\" && deploy_enabled == \"true\"",
+							},
+						},
+					},
+				},
+				runevent: info.Event{
+					URL:           targetURL,
+					TriggerTarget: "push",
+					BaseBranch:    mainBranch,
+					EventType:     "push",
+				},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						testnewrepo.NewRepo(
+							testnewrepo.RepoTestcreationOpts{
+								Name:             "test-good",
+								URL:              targetURL,
+								InstallNamespace: targetNamespace,
+								Params: &[]v1alpha1.Params{
+									{
+										Name:  "environment",
+										Value: "production",
+									},
+									{
+										Name:  "deploy_enabled",
+										Value: "true",
+									},
+								},
+							},
+						),
+					},
+				},
+			},
+			wantPRName: pipelineTargetNSName,
+			wantErr:    false,
+		},
+		{
+			name: "cel/custom-params-not-matching",
+			args: annotationTestArgs{
+				pruns: []*tektonv1.PipelineRun{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: pipelineTargetNSName,
+							Annotations: map[string]string{
+								keys.OnCelExpression: "deploy_enabled == \"true\"",
+							},
+						},
+					},
+				},
+				runevent: info.Event{
+					URL:           targetURL,
+					TriggerTarget: "push",
+					BaseBranch:    mainBranch,
+					EventType:     "push",
+				},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						testnewrepo.NewRepo(
+							testnewrepo.RepoTestcreationOpts{
+								Name:             "test-good",
+								URL:              targetURL,
+								InstallNamespace: targetNamespace,
+								Params: &[]v1alpha1.Params{
+									{
+										Name:  "deploy_enabled",
+										Value: "false",
+									},
+								},
+							},
+						),
+					},
+				},
+			},
+			wantPRName: "",
+			wantErr:    true,
+		},
+		{
+			name: "cel/custom-params-with-reserved-keyword",
+			args: annotationTestArgs{
+				pruns: []*tektonv1.PipelineRun{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: pipelineTargetNSName,
+							Annotations: map[string]string{
+								keys.OnCelExpression: "event == \"push\"",
+							},
+						},
+					},
+				},
+				runevent: info.Event{
+					URL:           targetURL,
+					TriggerTarget: "push",
+					BaseBranch:    mainBranch,
+					EventType:     "push",
+				},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						testnewrepo.NewRepo(
+							testnewrepo.RepoTestcreationOpts{
+								Name:             "test-good",
+								URL:              targetURL,
+								InstallNamespace: targetNamespace,
+								Params: &[]v1alpha1.Params{
+									{
+										Name:  "event", // Reserved keyword - should be ignored
+										Value: "invalid",
+									},
+								},
+							},
+						),
+					},
+				},
+			},
+			wantPRName: pipelineTargetNSName,
+			wantErr:    false,
+		},
+		{
+			name: "cel/custom-params-combined-with-builtin",
+			args: annotationTestArgs{
+				pruns: []*tektonv1.PipelineRun{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: pipelineTargetNSName,
+							Annotations: map[string]string{
+								keys.OnCelExpression: "event == \"pull_request\" && target_branch == \"" + mainBranch + "\" && run_tests == \"true\"",
+							},
+						},
+					},
+				},
+				runevent: info.Event{
+					URL:               targetURL,
+					TriggerTarget:     "pull_request",
+					BaseBranch:        mainBranch,
+					HeadBranch:        "feature-branch",
+					EventType:         "pull_request",
+					PullRequestNumber: 123,
+				},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						testnewrepo.NewRepo(
+							testnewrepo.RepoTestcreationOpts{
+								Name:             "test-good",
+								URL:              targetURL,
+								InstallNamespace: targetNamespace,
+								Params: &[]v1alpha1.Params{
+									{
+										Name:  "run_tests",
+										Value: "true",
+									},
+								},
+							},
+						),
+					},
+				},
+			},
+			wantPRName: pipelineTargetNSName,
+			wantErr:    false,
+		},
+		{
+			name: "cel/custom-params-template-vs-direct-access",
+			args: annotationTestArgs{
+				pruns: []*tektonv1.PipelineRun{
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: pipelineTargetNSName,
+							Annotations: map[string]string{
+								// Old way: template substitution - {{enable_ci}} gets replaced to "true" before CEL evaluation
+								keys.OnCelExpression: "event == \"push\" && \"{{enable_ci}}\" == \"true\"",
+							},
+						},
+					},
+					{
+						ObjectMeta: metav1.ObjectMeta{
+							Name: "pipeline-direct-access",
+							Annotations: map[string]string{
+								// New way: direct param access as CEL variable (no {{ }})
+								keys.OnCelExpression: "event == \"push\" && enable_ci == \"true\"",
+							},
+						},
+					},
+				},
+				runevent: info.Event{
+					URL:           targetURL,
+					TriggerTarget: "push",
+					BaseBranch:    mainBranch,
+					EventType:     "push",
+				},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						testnewrepo.NewRepo(
+							testnewrepo.RepoTestcreationOpts{
+								Name:             "test-good",
+								URL:              targetURL,
+								InstallNamespace: targetNamespace,
+								Params: &[]v1alpha1.Params{
+									{
+										Name:  "enable_ci",
+										Value: "true",
+									},
+								},
+							},
+						),
+					},
+				},
+			},
+			wantPRName: "pipeline-direct-access", // Both PRs match, but direct access is returned first
+			wantErr:    false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -1419,9 +1675,16 @@ func runTest(ctx context.Context, t *testing.T, tt annotationTest, vcx provider.
 	}
 
 	eventEmitter := events.NewEventEmitter(cs.Kube, logger)
+
+	// Get the repository for custom params resolution
+	var repo *v1alpha1.Repository
+	if len(tt.args.data.Repositories) > 0 {
+		repo = tt.args.data.Repositories[0]
+	}
+
 	matches, err := MatchPipelinerunByAnnotation(ctx, logger,
 		tt.args.pruns,
-		client, &tt.args.runevent, vcx, eventEmitter, nil,
+		client, &tt.args.runevent, vcx, eventEmitter, repo,
 	)
 
 	if tt.wantLog != "" {