feat: wake up Promotions waiting on PRs via pull_request webhooks

[DavidS-ovm]

Summary

When a GitHub pull_request event with a closed action arrives, Kargo can now
immediately re-reconcile any running Promotion whose current git-wait-for-pr
step is waiting on that PR — reducing detection latency from ~5 minutes (polling)
to near-instant. Polling remains as a reliability fallback.

Closes #5834. Related: #3303, #647, #4969, #5450

Design

This follows the approach discussed in
#5450 (comment) —
extending the existing webhook infrastructure rather than introducing a new
mechanism.

Indexer — A new RunningPromotionsByPullRequestField indexer maps
{normalizedRepoURL}:{prNumber} to running Promotions. It follows the
RunningPromotionsByArgoCDApplications pattern: filtering to running
Promotions, iterating steps up to CurrentStep, evaluating template
expressions for repoURL and prNumber, and normalizing Git URLs. Registered
in the external webhook server.

Webhook handler — The GitHub receiver now accepts pull_request events.
On closed action (merged or not), it queries the index with both the clone
URL and SSH URL from the event payload, de-dupes matching Promotions by
ObjectKey, and calls api.RefreshObject on each. Non-closed actions return
200 OK with no side effects. The new refreshPromotions helper in refresh.go
mirrors refreshWarehouses and is provider-agnostic so future GitLab/Bitbucket
handlers can reuse it.

Why only closed? A merged PR fires closed with merged: true; the
git-wait-for-pr step detects the merge on next reconcile and succeeds. A PR
closed without merge fires closed with merged: false; the step detects
closure and fails with a terminal error. All other actions (opened,
synchronize, etc.) are irrelevant to the step's outcome.

User-facing changes

• Users must add pull_request to the event types on their GitHub webhook
  configuration (one-time change). Users who do not make this change experience
  no behavior change.
• No new CRD fields, no new CLI flags, no breaking changes.

Documentation

• GitHub webhook receiver page: added pull_request to supported events, added
  Promotion "refreshing" explanation, updated event selection instructions for
  all three setup methods (single repo, org, GitHub App)
• git-wait-for-pr step reference: added a tip about webhook acceleration
• Webhook receivers index, Working with Warehouses guide, and Cluster
  Configuration guide: broadened webhook framing to mention Promotion refresh

Test plan

• 15 table-driven unit tests for the indexer covering: expression evaluation,
  literal values, non-git-wait-for-pr steps ignored, non-running Promotions
  excluded, multiple PRs across steps, URL normalization (clone URL, SSH URL),
  template expressions with outputs and vars, steps beyond CurrentStep
• 5 unit tests for the webhook handler covering: closed+merged refreshes
  Promotion, closed+not-merged refreshes Promotion, non-closed action returns
  200, no matching Promotions returns 200 with 0 refreshed, SSH URL form matches
• All existing tests pass unchanged

Signed-off-by: David Schmitt david@overmind.tech

[netlify]

✅ Deploy Preview for docs-kargo-io ready!

Name	Link
🔨 Latest commit	3d6dca1
🔍 Latest deploy log	https://app.netlify.com/projects/docs-kargo-io/deploys/69d4d48c605a2b0008c6ce18
😎 Deploy Preview	https://deploy-preview-5852.docs.kargo.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 86.78815% with 58 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.33%. Comparing base (8fdd7f4) to head (3d6dca1).
⚠️ Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/webhook/external/refresh.go	55.55%	16 Missing and 4 partials ⚠️
pkg/webhook/external/bitbucket.go	77.77%	15 Missing and 3 partials ⚠️
cmd/controlplane/external_webhooks.go	0.00%	8 Missing ⚠️
pkg/webhook/external/gitea.go	90.90%	5 Missing and 1 partial ⚠️
pkg/webhook/external/gitlab.go	94.33%	2 Missing and 1 partial ⚠️
pkg/gitprovider/azure/azure.go	77.77%	1 Missing and 1 partial ⚠️
pkg/webhook/external/azure.go	96.96%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5852      +/-   ##
==========================================
+ Coverage   57.03%   57.33%   +0.29%     
==========================================
  Files         463      470       +7     
  Lines       39112    39961     +849     
==========================================
+ Hits        22309    22911     +602     
- Misses      15474    15681     +207     
- Partials     1329     1369      +40     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[krancour]

We might be doing a lot more than is necessary to build this index. I think all the expression evaluation stuff probably isn't necessary. The PR URL is in a git-open-pr step's output. That value will always be static; not an expression. Isn't that sufficient information for inferring a relationship between a PR and a Promotion?

[DavidS-ovm]

This was an interesting one. I was under the impression that running steps didn't have outputs yet (but then I only looked at our 1.8 install, and maybe just the wrong steps, or it doesn't show up in the app). Since then I've updated to 1.9 and looked at our git-wait-for-pr step, and indeed, the required values are right there! So I removed the whole index and replaced it with a small check of those outputs.

This might have a small window where github is fast enough to deliver an event but the step hasn't yet updated - maybe if people are doing weird stuff in the stage between opening the PR and waiting for the merge, but in that case either the task already sees the merged PR and proceeds, or - worst case - the polling loop will catch it later.

[krancour]

It would be good if we didn't do this only for GitHub, but for all git hosting providers that support a similar event.

[DavidS-ovm]

I agree that that would be good.

I don't have infrastructure to test, nor budget to support anything other than what my team uses.

[krancour]

I have this an initial look, but wondering if @fuskovic would be so kind as to take over as the sherpa here.