Enforce explicitly setting SHA in API requests

Signed-off-by: Lukas Peter Aldershaab <[email protected]>

Author: lukaspj

Diff for: server/controllers/api_controller.go

@@ -39,6 +39,7 @@ type APIRequest struct {
 	Repository string `validate:"required"`
 	Ref        string `validate:"required"`
 	Type       string `validate:"required"`
+	Sha        string `validate:"required"`
 	PR         int
 	Projects   []string
 	Paths      []struct {
@@ -239,7 +240,7 @@ func (a *APIController) apiParseAndValidate(r *http.Request) (*APIRequest, *comm
 			Num:        request.PR,
 			BaseBranch: request.Ref,
 			HeadBranch: request.Ref,
-			HeadCommit: request.Ref,
+			HeadCommit: request.Sha,
 			BaseRepo:   baseRepo,
 		},
 		Scope: a.Scope,

Diff for: server/controllers/api_controller_test.go

@@ -28,6 +28,7 @@ func TestAPIController_Plan(t *testing.T) {
 	body, _ := json.Marshal(controllers.APIRequest{
 		Repository: "Repo",
 		Ref:        "main",
+		Sha:        "abc123",
 		Type:       "Gitlab",
 		Projects:   []string{"default"},
 	})
@@ -45,6 +46,7 @@ func TestAPIController_Apply(t *testing.T) {
 	body, _ := json.Marshal(controllers.APIRequest{
 		Repository: "Repo",
 		Ref:        "main",
+		Sha:        "abc123",
 		Type:       "Gitlab",
 		Projects:   []string{"default"},
 	})