feat(incoming): Set default secret key for incoming webhooks

When no secret key is specified in the Repository CR's incoming
webhook configuration, the system now defaults to using "secret" as
the key name when retrieving the secret value from the Secret
resource.

Changes:
- Add default key fallback logic in incoming webhook adapter
- Document the default "secret" key behavior in incoming webhook
  guide

This simplifies configuration by not requiring users to explicitly
specify the secret key when using the standard "secret" key name.

Signed-off-by: Zaki Shaikh <zashaikh@redhat.com>

Author: zakisk

docs/content/docs/guide/incoming_webhook.md

@@ -59,6 +59,8 @@ spec:
       type: webhook-url
 ```
 
+**Note:** If no secret key is specified in the Repository CR, the default key `secret` will be used to retrieve the secret value from the `repo-incoming-secret` Secret resource.
+
 ### Glob Pattern Matching in Targets
 
 The `targets` field supports both exact string matching and glob patterns, allowing you to match multiple branches with a single rule.

pkg/adapter/incoming.go

@@ -23,6 +23,10 @@ import (
 	"go.uber.org/zap"
 )
 
+const (
+	defaultIncomingWebhookSecretKey = "secret"
+)
+
 func compareSecret(incomingSecret, secretValue string) bool {
 	return subtle.ConstantTimeCompare([]byte(incomingSecret), []byte(secretValue)) != 0
 }
@@ -122,6 +126,11 @@ func (l *listener) detectIncoming(ctx context.Context, req *http.Request, payloa
 		Name:      hook.Secret.Name,
 		Key:       hook.Secret.Key,
 	}
+
+	if secretOpts.Key == "" {
+		secretOpts.Key = defaultIncomingWebhookSecretKey
+	}
+
 	secretValue, err := l.kint.GetSecret(ctx, secretOpts)
 	if err != nil {
 		return false, nil, fmt.Errorf("error getting secret referenced in incoming-webhook: %w", err)

pkg/adapter/incoming_test.go

@@ -232,6 +232,43 @@ func Test_listener_detectIncoming(t *testing.T) {
 				incomingBody:     `{"params":{"the_best_superhero_is":"you"}}`,
 			},
 		},
+		{
+			name: "good/incoming with default secret key",
+			want: true,
+			args: args{
+				secretResult: map[string]string{"incoming-secret": "verysecrete"},
+				data: testclient.Data{
+					Repositories: []*v1alpha1.Repository{
+						{
+							ObjectMeta: metav1.ObjectMeta{
+								Name: "test-default-key",
+							},
+							Spec: v1alpha1.RepositorySpec{
+								URL: goodURL,
+								Incomings: &[]v1alpha1.Incoming{
+									{
+										Targets: []string{"main"},
+										Secret: v1alpha1.Secret{
+											Name: "incoming-secret",
+											// Key is not specified, should default to "secret"
+										},
+									},
+								},
+								GitProvider: &v1alpha1.GitProvider{
+									Type: "github",
+								},
+							},
+						},
+					},
+				},
+				method:           http.MethodPost,
+				queryURL:         "/incoming",
+				queryRepository:  "test-default-key",
+				querySecret:      "verysecrete",
+				queryPipelineRun: "pipelinerun1",
+				queryBranch:      "main",
+			},
+		},
 		{
 			name: "invalid incoming body",
 			args: args{