Story (Required)

As a platform engineer managing CI/CD pipelines I want Pipelines-as-Code to only edit comments it originally created

Ensures PAC only modifies its own status comments on pull requests/merge requests and doesn't accidentally edit or overwrite comments created by other users or bots that may contain the same update marker. This prevents confusion and potential data loss when multiple bots or users post comments with similar formats.

Background (Required)

Currently, Pipelines-as-Code identifies comments to update using a regex marker pattern. If another user or bot posts a comment containing the same marker text, PAC may attempt to edit that comment, leading to:

• Overwriting legitimate user/bot comments

• Permission errors when PAC lacks edit access to other users' comments

• Confusion in PR/MR discussions

This change adds ownership validation to ensure PAC only edits comments it originally created, improving safety and reliability across all supported Git providers.

Out of scope

• Handling comments created by different PAC installations (same user assumption)

• Retroactive validation of previously created comments

• Migration of existing comments to new ownership tracking

Approach (Required)

Implement user/bot ownership validation before editing comments for all three Git providers:

• GitHub Provider
• GitLab Provider
• Gitea Provider

Dependencies

• github.com/golang-jwt/jwt/v4 - Already vendored, used for GitHub App JWT generation

• No new external dependencies required

Acceptance Criteria (Mandatory)

Functional Requirements:

• PAC only edits comments where the author matches the PAC user/bot

• Non-matching comments are skipped with debug log message

• New comments are created when no matching owned comment exists

• User ID/login is cached to minimize API calls

Provider-Specific Requirements:

• GitHub: Works with both GitHub Apps (<slug>[bot]) and PAT/OAuth authentication

• GitLab: Correctly identifies PAC user via user ID

• Gitea/Forgejo: Correctly identifies PAC user via user ID

Edge Cases:

• Handle case where PAC user info cannot be fetched (continue with existing behavior)

• Support scenarios where marker exists but comment belongs to different user

• Ensure backward compatibility - existing PAC comments still get updated

Testing Requirements:

• Unit tests verify ownership check for all providers

• Unit tests mock /user API responses

• Tests cover both matching and non-matching author scenarios

• Tests verify new comment creation when no owned comment exists

INVEST Checklist

Dependencies identified: None - uses existing vendored libraries

Blockers noted and expected delivery timelines set: None

Design is implementable: Yes, follows existing provider patterns with minimal changes

Acceptance criteria agreed upon: Pending review

Story estimated: TBD

Done Checklist

• Code is completed, reviewed, documented and checked in

• Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment

• Continuous Delivery pipeline(s) is able to proceed with new code included

• Customer facing documentation, API docs etc. are produced/updated, reviewed and published

• Acceptance criteria are met