Validate Repository URL path for token scoping #2395

@chmouel

Summary

Repository CR URLs with extra path segments (e.g., https://github.com/org/repo/extra) pass admission and are truncated to org/repo during token scoping. This allows a malformed URL to satisfy repo-exists-in-namespace checks and can scope a GitHub App token to repositories not truly represented by a valid Repository CR URL.

Impact

  • The namespace guard for github_app_token_scope_repos can be bypassed by a crafted URL containing extra path segments.
  • Duplicate URL isolation does not catch this because it only checks exact URL strings.
  • If the GitHub App installation has access to the target repo, tokens may be scoped to repos outside the intended namespace ownership.

Steps to Reproduce (conceptual)

  1. Create Repository CR in namespace A with URL: https://github.com/org/repo/extra (passes admission).
  2. Configure github_app_token_scope_repos to include org/repo or a glob that matches it.
  3. Trigger a GitHub App event for that Repository CR.

Current Behavior

  • Admission only validates scheme/URL parse, not path shape.
  • Scoping logic uses only the first two path segments (org/repo) and ignores extra segments.
  • The malformed CR is treated as if it represents org/repo for scoping checks.

Expected Behavior

  • Reject Repository CR URLs that do not match the expected /org/repo path shape.
  • Alternatively, normalize/validate URL path segments before scoping to ensure exact repo identity.

Evidence

  • pkg/provider/github/scope.go (URL path split/truncation)
  • pkg/webhook/validation.go (admission validation lacks path checks)

Notes

Not introduced by PR #2386; pre-existing behavior.
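The following is an added example illustrating the two behaviours the issue contrasts; it is not code from the project this issue is filed against, and the function and type names (`truncatingIdentity`, `strictIdentity`, `repoIdentity`) are assumptions chosen for the example. `truncatingIdentity` reproduces the weak behaviour (keep the first two path segments, ignore the rest), while `strictIdentity` is one way to implement the expected behaviour: accept a Repository URL only when its path is exactly `/org/repo`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// repoIdentity holds the two path segments that identify a repository on a
// GitHub-style host. The type name is an assumption for this example.
type repoIdentity struct {
	Org  string
	Repo string
}

// truncatingIdentity reproduces the weak behaviour described in the issue:
// it keeps only the first two path segments and silently drops anything after
// them, so "/org/repo/extra" is treated as if it were "/org/repo".
func truncatingIdentity(rawURL string) (repoIdentity, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return repoIdentity{}, err
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 {
		return repoIdentity{}, errors.New("path has fewer than two segments")
	}
	return repoIdentity{Org: parts[0], Repo: parts[1]}, nil
}

// strictIdentity is the hardened form: the URL must parse, use http(s), carry
// a host, have no userinfo/query/fragment, and its path must be exactly
// /org/repo (one trailing slash is tolerated). Anything else is rejected, so
// a URL that would be truncated can never reach the scoping step.
func strictIdentity(rawURL string) (repoIdentity, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return repoIdentity{}, fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return repoIdentity{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return repoIdentity{}, errors.New("missing host")
	}
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return repoIdentity{}, errors.New("userinfo, query and fragment are not allowed")
	}
	// u.Path is percent-decoded, so "repo%2Fextra" is seen as "repo/extra" here.
	path := strings.TrimSuffix(u.Path, "/")
	parts := strings.Split(path, "/")
	// Splitting "/org/repo" yields ["", "org", "repo"]: exactly three elements,
	// the first empty (leading slash), the other two non-empty.
	if len(parts) != 3 || parts[0] != "" || parts[1] == "" || parts[2] == "" {
		return repoIdentity{}, fmt.Errorf("path %q is not of the form /org/repo", u.Path)
	}
	for _, seg := range parts[1:] {
		if seg == "." || seg == ".." {
			return repoIdentity{}, fmt.Errorf("path segment %q is not allowed", seg)
		}
	}
	return repoIdentity{Org: parts[1], Repo: parts[2]}, nil
}

func main() {
	// Constructed sample inputs, including the malformed shape from the issue.
	for _, raw := range []string{
		"https://github.com/org/repo",
		"https://github.com/org/repo/",
		"https://github.com/org/repo/extra",
		"https://github.com/org",
	} {
		weak, werr := truncatingIdentity(raw)
		strict, serr := strictIdentity(raw)
		fmt.Printf("%s\n  truncating: %+v err=%v\n  strict:     %+v err=%v\n", raw, weak, werr, strict, serr)
	}
}
```

Running `main` shows that the truncating variant returns `{Org:org Repo:repo}` for both the valid URL and the `/org/repo/extra` variant, which is exactly the collision that lets a malformed CR satisfy an `org/repo` scope entry, whereas the strict variant returns an error for `/org/repo/extra` and for the one-segment path. Validating at admission with a check of this shape, or normalizing with it before scoping, closes the gap the issue describes.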
