code cleaning, address pr comments

app/api/auth/repo.go

@@ -58,18 +58,7 @@ func CheckRepoIsPublic(
 	publicAccess publicaccess.PublicAccess,
 	repo *types.Repository,
 ) (bool, error) {
-	parentSpace, name, err := paths.DisectLeaf(repo.Path)
+	return publicAccess.Get(ctx, enum.PublicResourceTypeRepo, repo.Path)
-	if err != nil {
-		return false, fmt.Errorf("failed to disect path '%s': %w", repo.Path, err)
-	}
-
-	scope := &types.Scope{SpacePath: parentSpace}
-	resource := &types.Resource{
-		Type:       enum.ResourceTypeRepo,
-		Identifier: name,
-	}
-
-	return publicAccess.Get(ctx, scope, resource)
 }
 
 func IsRepoOwner(

app/api/auth/space.go

@@ -75,16 +75,5 @@ func CheckSpaceIsPublic(
 	publicAccess publicaccess.PublicAccess,
 	space *types.Space,
 ) (bool, error) {
-	parentSpace, name, err := paths.DisectLeaf(space.Path)
+	return publicAccess.Get(ctx, enum.PublicResourceTypeSpace, space.Path)
-	if err != nil {
-		return false, fmt.Errorf("failed to disect path '%s': %w", space.Path, err)
-	}
-
-	scope := &types.Scope{SpacePath: parentSpace}
-	resource := &types.Resource{
-		Type:       enum.ResourceTypeSpace,
-		Identifier: name,
-	}
-
-	return publicAccess.Get(ctx, scope, resource)
 }

app/api/controller/pullreq/reviewer_add.go

@@ -43,7 +43,7 @@ func (c *Controller) ReviewerAdd(
 	prNum int64,
 	in *ReviewerAddInput,
 ) (*types.PullReqReviewer, error) {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoPush)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/reviewer_delete.go

@@ -25,7 +25,7 @@ import (
 // ReviewerDelete deletes reviewer from the reviewerlist for the given PR.
 func (c *Controller) ReviewerDelete(ctx context.Context, session *auth.Session,
 	repoRef string, prNum, reviewerID int64) error {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoPush)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/repo/archive.go

@@ -37,7 +37,7 @@ func (c *Controller) Archive(
 	}
 
 	return c.git.Archive(ctx, git.ArchiveParams{
-		ReadParams:    git.CreateReadParams(repo.Repository),
+		ReadParams:    git.CreateReadParams(repo),
 		ArchiveParams: params,
 	}, w)
 }

app/api/controller/repo/blame.go

@@ -45,12 +45,12 @@ func (c *Controller) Blame(ctx context.Context,
 	}
 
 	if gitRef == "" {
-		gitRef = repo.Repository.DefaultBranch
+		gitRef = repo.DefaultBranch
 	}
 
 	reader := git.NewStreamReader(
 		c.git.Blame(ctx, &git.BlameParams{
-			ReadParams: git.CreateReadParams(repo.Repository),
+			ReadParams: git.CreateReadParams(repo),
 			GitRef:     gitRef,
 			Path:       path,
 			LineFrom:   lineFrom,

app/api/controller/repo/codeowner_validate.go

@@ -34,10 +34,10 @@ func (c *Controller) CodeOwnersValidate(
 	}
 
 	if ref == "" {
-		ref = repo.Repository.DefaultBranch
+		ref = repo.DefaultBranch
 	}
 
-	violations, err := c.codeOwners.Validate(ctx, &repo.Repository, ref)
+	violations, err := c.codeOwners.Validate(ctx, repo, ref)
 	if err != nil {
 		return nil, err
 	}

app/api/controller/repo/commit.go

@@ -67,7 +67,7 @@ func (c *Controller) CommitFiles(ctx context.Context,
 		return types.CommitFilesResponse{}, nil, err
 	}
 
-	rules, isRepoOwner, err := c.fetchRules(ctx, session, &repo.Repository)
+	rules, isRepoOwner, err := c.fetchRules(ctx, session, repo)
 	if err != nil {
 		return types.CommitFilesResponse{}, nil, err
 	}
@@ -86,7 +86,7 @@ func (c *Controller) CommitFiles(ctx context.Context,
 		Actor:       &session.Principal,
 		AllowBypass: in.BypassRules,
 		IsRepoOwner: isRepoOwner,
-		Repo:        &repo.Repository,
+		Repo:        repo,
 		RefAction:   refAction,
 		RefType:     protection.RefTypeBranch,
 		RefNames:    []string{branchName},
@@ -131,7 +131,7 @@ func (c *Controller) CommitFiles(ctx context.Context,
 	}
 
 	// Create internal write params. Note: This will skip the pre-commit protection rules check.
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return types.CommitFilesResponse{}, nil, fmt.Errorf("failed to create RPC write params: %w", err)
 	}

app/api/controller/repo/content_get.go

@@ -108,11 +108,11 @@ func (c *Controller) GetContent(ctx context.Context,
 
 	// set gitRef to default branch in case an empty reference was provided
 	if gitRef == "" {
-		gitRef = repo.Repository.DefaultBranch
+		gitRef = repo.DefaultBranch
 	}
 
 	// create read params once
-	readParams := git.CreateReadParams(repo.Repository)
+	readParams := git.CreateReadParams(repo)
 
 	treeNodeOutput, err := c.git.GetTreeNode(ctx, &git.GetTreeNodeParams{
 		ReadParams:          readParams,

app/api/controller/repo/content_paths_details.go

@@ -56,11 +56,11 @@ func (c *Controller) PathsDetails(ctx context.Context,
 
 	// set gitRef to default branch in case an empty reference was provided
 	if gitRef == "" {
-		gitRef = repo.Repository.DefaultBranch
+		gitRef = repo.DefaultBranch
 	}
 
 	result, err := c.git.PathsDetails(ctx, git.PathsDetailsParams{
-		ReadParams: git.CreateReadParams(repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		GitREF:     gitRef,
 		Paths:      input.Paths,
 	})

app/api/controller/repo/controller.go

@@ -53,18 +53,6 @@ type Repository struct {
 	IsPublic bool `json:"is_public" yaml:"is_public"`
 }
 
-// Clone makes deep copy of repository object.
-func (r Repository) Clone() Repository {
-	var deleted *int64
-	if r.Repository.Deleted != nil {
-		id := *r.Repository.Deleted
-		deleted = &id
-	}
-	r.Repository.Deleted = deleted
-
-	return r
-}
-
 type Controller struct {
 	defaultBranch                 string
 	publicResourceCreationEnabled bool
@@ -153,10 +141,9 @@ func NewController(
 func (c *Controller) getRepo(
 	ctx context.Context,
 	repoRef string,
-) (*Repository, error) {
+) (*types.Repository, error) {
 	return GetRepo(
 		ctx,
-		c.publicAccess,
 		c.repoStore,
 		repoRef,
 	)
@@ -169,12 +156,11 @@ func (c *Controller) getRepoCheckAccess(
 	session *auth.Session,
 	repoRef string,
 	reqPermission enum.Permission,
-) (*Repository, error) {
+) (*types.Repository, error) {
 	return GetRepoCheckAccess(
 		ctx,
 		c.repoStore,
 		c.authorizer,
-		c.publicAccess,
 		session,
 		repoRef,
 		reqPermission,

app/api/controller/repo/create.go

@@ -109,28 +109,21 @@ func (c *Controller) Create(ctx context.Context, session *auth.Session, in *Crea
 			IsEmpty:       isEmpty,
 		}
 
-		err = c.repoStore.Create(ctx, repo)
+		return c.repoStore.Create(ctx, repo)
+	}, sql.TxOptions{Isolation: sql.LevelSerializable})
 	if err != nil {
+		// best effort cleanup
 		if dErr := c.DeleteGitRepository(ctx, session, repo); dErr != nil {
 			log.Ctx(ctx).Warn().Err(dErr).Msg("failed to delete repo for cleanup")
 		}
-			return fmt.Errorf("failed to create repository in storage: %w", err)
-		}
-
-		return nil
-	}, sql.TxOptions{Isolation: sql.LevelSerializable})
-	if err != nil {
 		return nil, err
 	}
 
-	if in.IsPublic && c.publicResourceCreationEnabled {
+	if err = c.SetRepoPublicAccess(ctx, repo, in.IsPublic); err != nil {
-		err = c.SetPublicRepo(ctx, repo)
-		if err != nil {
 		if dErr := c.PurgeNoAuth(ctx, session, repo); dErr != nil {
 			log.Ctx(ctx).Warn().Err(dErr).Msg("failed to purge repo for cleanup")
 		}
-			return nil, fmt.Errorf("failed to set a public resource: %w", err)
+		return nil, fmt.Errorf("failed to set repo public access: %w", err)
-		}
 	}
 
 	// backfil GitURL
@@ -287,19 +280,16 @@ func (c *Controller) createGitRepository(ctx context.Context, session *auth.Sess
 	return resp, len(files) == 0, nil
 }
 
-func (c *Controller) SetPublicRepo(ctx context.Context, repo *types.Repository) error {
+func (c *Controller) SetRepoPublicAccess(
-	parentSpace, name, err := paths.DisectLeaf(repo.Path)
+	ctx context.Context,
-	if err != nil {
+	repo *types.Repository,
-		return fmt.Errorf("failed to disect path '%s': %w", repo.Path, err)
+	isPublic bool,
+) error {
+	if isPublic && !c.publicResourceCreationEnabled {
+		return errPublicRepoCreationDisabled
 	}
 
-	scope := &types.Scope{SpacePath: parentSpace}
+	return c.publicAccess.Set(ctx, enum.PublicResourceTypeRepo, repo.Path, isPublic)
-	resource := &types.Resource{
-		Type:       enum.ResourceTypeRepo,
-		Identifier: name,
-	}
-
-	return c.publicAccess.Set(ctx, scope, resource, true)
 }
 
 func createReadme(name, description string) []byte {

app/api/controller/repo/create_branch.go

@@ -50,10 +50,10 @@ func (c *Controller) CreateBranch(ctx context.Context,
 
 	// set target to default branch in case no target was provided
 	if in.Target == "" {
-		in.Target = repo.Repository.DefaultBranch
+		in.Target = repo.DefaultBranch
 	}
 
-	rules, isRepoOwner, err := c.fetchRules(ctx, session, &repo.Repository)
+	rules, isRepoOwner, err := c.fetchRules(ctx, session, repo)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -62,7 +62,7 @@ func (c *Controller) CreateBranch(ctx context.Context,
 		Actor:       &session.Principal,
 		AllowBypass: in.BypassRules,
 		IsRepoOwner: isRepoOwner,
-		Repo:        &repo.Repository,
+		Repo:        repo,
 		RefAction:   protection.RefActionCreate,
 		RefType:     protection.RefTypeBranch,
 		RefNames:    []string{in.Name},
@@ -74,7 +74,7 @@ func (c *Controller) CreateBranch(ctx context.Context,
 		return nil, violations, nil
 	}
 
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create RPC write params: %w", err)
 	}

app/api/controller/repo/create_commit_tag.go

@@ -54,10 +54,10 @@ func (c *Controller) CreateCommitTag(ctx context.Context,
 
 	// set target to default branch in case no branch or commit was provided
 	if in.Target == "" {
-		in.Target = repo.Repository.DefaultBranch
+		in.Target = repo.DefaultBranch
 	}
 
-	rules, isRepoOwner, err := c.fetchRules(ctx, session, &repo.Repository)
+	rules, isRepoOwner, err := c.fetchRules(ctx, session, repo)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -66,7 +66,7 @@ func (c *Controller) CreateCommitTag(ctx context.Context,
 		Actor:       &session.Principal,
 		AllowBypass: in.BypassRules,
 		IsRepoOwner: isRepoOwner,
-		Repo:        &repo.Repository,
+		Repo:        repo,
 		RefAction:   protection.RefActionCreate,
 		RefType:     protection.RefTypeTag,
 		RefNames:    []string{in.Name},
@@ -78,7 +78,7 @@ func (c *Controller) CreateCommitTag(ctx context.Context,
 		return nil, violations, nil
 	}
 
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create RPC write params: %w", err)
 	}

app/api/controller/repo/default_branch.go

@@ -57,7 +57,7 @@ func (c *Controller) UpdateDefaultBranch(
 	// requests will wait for previous ones to compelete before proceed
 	unlock, err := c.locker.LockDefaultBranch(
 		ctx,
-		repo.Repository.ID,
+		repo.ID,
 		in.Name,                // branch name only used for logging (lock is on repo)
 		timeout+30*time.Second, // add 30s to the lock to give enough time for updating default branch
 	)
@@ -66,7 +66,7 @@ func (c *Controller) UpdateDefaultBranch(
 	}
 	defer unlock()
 
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create RPC write params: %w", err)
 	}
@@ -87,8 +87,8 @@ func (c *Controller) UpdateDefaultBranch(
 		return nil, fmt.Errorf("failed to update the repo default branch: %w", err)
 	}
 
-	oldName := repo.Repository.DefaultBranch
+	oldName := repo.DefaultBranch
-	repoBase, err := c.repoStore.UpdateOptLock(ctx, &repo.Repository, func(r *types.Repository) error {
+	repo, err = c.repoStore.UpdateOptLock(ctx, repo, func(r *types.Repository) error {
 		r.DefaultBranch = in.Name
 		return nil
 	})
@@ -96,16 +96,11 @@ func (c *Controller) UpdateDefaultBranch(
 		return nil, fmt.Errorf("failed to update the repo default branch on db:%w", err)
 	}
 
-	repo = &Repository{
-		Repository: *repoBase,
-		IsPublic:   repo.IsPublic,
-	}
-
 	err = c.auditService.Log(ctx,
 		session.Principal,
-		audit.NewResource(audit.ResourceTypeRepository, repo.Repository.Identifier),
+		audit.NewResource(audit.ResourceTypeRepository, repo.Identifier),
 		audit.ActionUpdated,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
 		audit.WithOldObject(repoClone),
 		audit.WithNewObject(repo),
 	)
@@ -114,11 +109,11 @@ func (c *Controller) UpdateDefaultBranch(
 	}
 
 	c.eventReporter.DefaultBranchUpdated(ctx, &repoevents.DefaultBranchUpdatedPayload{
-		RepoID:      repoBase.ID,
+		RepoID:      repo.ID,
 		PrincipalID: bootstrap.NewSystemServiceSession().Principal.ID,
 		OldName:     oldName,
-		NewName:     repoBase.DefaultBranch,
+		NewName:     repo.DefaultBranch,
 	})
 
-	return repo, nil
+	return GetRepoOutput(ctx, c.publicAccess, repo)
 }

app/api/controller/repo/delete_branch.go

@@ -43,11 +43,11 @@ func (c *Controller) DeleteBranch(ctx context.Context,
 	// ASSUMPTION: lower layer calls explicit branch api
 	// and 'refs/heads/branch1' would fail if 'branch1' exists.
 	// TODO: Add functional test to ensure the scenario is covered!
-	if branchName == repo.Repository.DefaultBranch {
+	if branchName == repo.DefaultBranch {
 		return nil, usererror.ErrDefaultBranchCantBeDeleted
 	}
 
-	rules, isRepoOwner, err := c.fetchRules(ctx, session, &repo.Repository)
+	rules, isRepoOwner, err := c.fetchRules(ctx, session, repo)
 	if err != nil {
 		return nil, err
 	}
@@ -56,7 +56,7 @@ func (c *Controller) DeleteBranch(ctx context.Context,
 		Actor:       &session.Principal,
 		AllowBypass: bypassRules,
 		IsRepoOwner: isRepoOwner,
-		Repo:        &repo.Repository,
+		Repo:        repo,
 		RefAction:   protection.RefActionDelete,
 		RefType:     protection.RefTypeBranch,
 		RefNames:    []string{branchName},
@@ -68,7 +68,7 @@ func (c *Controller) DeleteBranch(ctx context.Context,
 		return violations, nil
 	}
 
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create RPC write params: %w", err)
 	}

app/api/controller/repo/delete_tag.go

@@ -38,7 +38,7 @@ func (c *Controller) DeleteTag(ctx context.Context,
 		return nil, err
 	}
 
-	rules, isRepoOwner, err := c.fetchRules(ctx, session, &repo.Repository)
+	rules, isRepoOwner, err := c.fetchRules(ctx, session, repo)
 	if err != nil {
 		return nil, err
 	}
@@ -47,7 +47,7 @@ func (c *Controller) DeleteTag(ctx context.Context,
 		Actor:       &session.Principal,
 		AllowBypass: bypassRules,
 		IsRepoOwner: isRepoOwner,
-		Repo:        &repo.Repository,
+		Repo:        repo,
 		RefAction:   protection.RefActionDelete,
 		RefType:     protection.RefTypeTag,
 		RefNames:    []string{tagName},
@@ -59,7 +59,7 @@ func (c *Controller) DeleteTag(ctx context.Context,
 		return violations, nil
 	}
 
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create RPC write params: %w", err)
 	}

app/api/controller/repo/diff.go

@@ -47,7 +47,7 @@ func (c *Controller) RawDiff(
 	}
 
 	return c.git.RawDiff(ctx, w, &git.DiffParams{
-		ReadParams: git.CreateReadParams(&repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		BaseRef:    info.BaseRef,
 		HeadRef:    info.HeadRef,
 		MergeBase:  info.MergeBase,
@@ -67,7 +67,7 @@ func (c *Controller) CommitDiff(
 	}
 
 	return c.git.CommitDiff(ctx, &git.GetCommitParams{
-		ReadParams: git.CreateReadParams(&repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		Revision:   rev,
 	}, w)
 }

app/api/controller/repo/get_branch.go

@@ -35,7 +35,7 @@ func (c *Controller) GetBranch(ctx context.Context,
 	}
 
 	rpcOut, err := c.git.GetBranch(ctx, &git.GetBranchParams{
-		ReadParams: git.CreateReadParams(repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		BranchName: branchName,
 	})
 	if err != nil {

app/api/controller/repo/get_commit.go

@@ -37,7 +37,7 @@ func (c *Controller) GetCommit(ctx context.Context,
 	}
 
 	rpcOut, err := c.git.GetCommit(ctx, &git.GetCommitParams{
-		ReadParams: git.CreateReadParams(repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		Revision:   sha,
 	})
 	if err != nil {

app/api/controller/repo/get_commit_divergences.go

@@ -71,7 +71,7 @@ func (c *Controller) GetCommitDivergences(ctx context.Context,
 
 	// map to rpc params
 	options := &git.GetCommitDivergencesParams{
-		ReadParams: git.CreateReadParams(repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		MaxCount:   in.MaxCount,
 		Requests:   make([]git.CommitDivergenceRequest, len(in.Requests)),
 	}
@@ -80,7 +80,7 @@ func (c *Controller) GetCommitDivergences(ctx context.Context,
 		options.Requests[i].To = in.Requests[i].To
 		// backfil default branch if no 'to' was provided
 		if len(options.Requests[i].To) == 0 {
-			options.Requests[i].To = repo.Repository.DefaultBranch
+			options.Requests[i].To = repo.DefaultBranch
 		}
 	}
 

app/api/controller/repo/git_info_refs.go

@@ -39,7 +39,7 @@ func (c *Controller) GitInfoRefs(
 	}
 
 	if err = c.git.GetInfoRefs(ctx, w, &git.InfoRefsParams{
-		ReadParams: git.CreateReadParams(repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 		// TODO: git shouldn't take a random string here, but instead have accepted enum values.
 		Service:     string(service),
 		Options:     nil,

app/api/controller/repo/git_service_pack.go

@@ -59,13 +59,13 @@ func (c *Controller) GitServicePack(
 	// setup read/writeparams depending on whether it's a write operation
 	if isWriteOperation {
 		var writeParams git.WriteParams
-		writeParams, err = controller.CreateRPCExternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+		writeParams, err = controller.CreateRPCExternalWriteParams(ctx, c.urlProvider, session, repo)
 		if err != nil {
 			return fmt.Errorf("failed to create RPC write params: %w", err)
 		}
 		params.WriteParams = &writeParams
 	} else {
-		readParams := git.CreateReadParams(repo.Repository)
+		readParams := git.CreateReadParams(repo)
 		params.ReadParams = &readParams
 	}
 

app/api/controller/repo/helper.go

@@ -24,16 +24,16 @@ import (
 	"github.com/harness/gitness/app/auth/authz"
 	"github.com/harness/gitness/app/services/publicaccess"
 	"github.com/harness/gitness/app/store"
+	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 )
 
 // GetRepo fetches an active repo (not one that is currently being imported).
 func GetRepo(
 	ctx context.Context,
-	publicAccess publicaccess.PublicAccess,
 	repoStore store.RepoStore,
 	repoRef string,
-) (*Repository, error) {
+) (*types.Repository, error) {
 	if repoRef == "" {
 		return nil, usererror.BadRequest("A valid repository reference must be provided.")
 	}
@@ -47,6 +47,36 @@ func GetRepo(
 		return nil, usererror.BadRequest("Repository import is in progress.")
 	}
 
+	return repo, nil
+}
+
+// GetRepoCheckAccess fetches an active repo (not one that is currently being imported)
+// and checks if the current user has permission to access it.
+func GetRepoCheckAccess(
+	ctx context.Context,
+	repoStore store.RepoStore,
+	authorizer authz.Authorizer,
+	session *auth.Session,
+	repoRef string,
+	reqPermission enum.Permission,
+) (*types.Repository, error) {
+	repo, err := GetRepo(ctx, repoStore, repoRef)
+	if err != nil {
+		return nil, fmt.Errorf("failed to find repo: %w", err)
+	}
+
+	if err = apiauth.CheckRepo(ctx, authorizer, session, repo, reqPermission); err != nil {
+		return nil, fmt.Errorf("access check failed: %w", err)
+	}
+
+	return repo, nil
+}
+
+func GetRepoOutput(
+	ctx context.Context,
+	publicAccess publicaccess.PublicAccess,
+	repo *types.Repository,
+) (*Repository, error) {
 	isPublic, err := apiauth.CheckRepoIsPublic(ctx, publicAccess, repo)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if repo is public: %w", err)
@@ -57,26 +87,3 @@ func GetRepo(
 		IsPublic:   isPublic,
 	}, nil
 }
-
-// GetRepoCheckAccess fetches an active repo (not one that is currently being imported)
-// and checks if the current user has permission to access it.
-func GetRepoCheckAccess(
-	ctx context.Context,
-	repoStore store.RepoStore,
-	authorizer authz.Authorizer,
-	publicAccess publicaccess.PublicAccess,
-	session *auth.Session,
-	repoRef string,
-	reqPermission enum.Permission,
-) (*Repository, error) {
-	repo, err := GetRepo(ctx, publicAccess, repoStore, repoRef)
-	if err != nil {
-		return nil, fmt.Errorf("failed to find repo: %w", err)
-	}
-
-	if err = apiauth.CheckRepo(ctx, authorizer, session, &repo.Repository, reqPermission); err != nil {
-		return nil, fmt.Errorf("access check failed: %w", err)
-	}
-
-	return repo, nil
-}

app/api/controller/repo/import.go

@@ -82,11 +82,8 @@ func (c *Controller) Import(ctx context.Context, session *auth.Session, in *Impo
 			return fmt.Errorf("failed to create repository in storage: %w", err)
 		}
 
-		// update public resources
+		if err = c.SetRepoPublicAccess(ctx, repo, isPublic); err != nil {
-		if isPublic && c.publicResourceCreationEnabled {
+			return fmt.Errorf("failed to set repo public access: %w", err)
-			if err = c.SetPublicRepo(ctx, repo); err != nil {
-				return fmt.Errorf("failed to set a public repo: %w", err)
-			}
 		}
 
 		err = c.importer.Run(ctx,

app/api/controller/repo/list_branches.go

@@ -44,7 +44,7 @@ func (c *Controller) ListBranches(ctx context.Context,
 	}
 
 	rpcOut, err := c.git.ListBranches(ctx, &git.ListBranchesParams{
-		ReadParams:    git.CreateReadParams(repo.Repository),
+		ReadParams:    git.CreateReadParams(repo),
 		IncludeCommit: includeCommit,
 		Query:         filter.Query,
 		Sort:          mapToRPCBranchSortOption(filter.Sort),

app/api/controller/repo/list_commit_tags.go

@@ -48,7 +48,7 @@ func (c *Controller) ListCommitTags(ctx context.Context,
 	}
 
 	rpcOut, err := c.git.ListCommitTags(ctx, &git.ListCommitTagsParams{
-		ReadParams:    git.CreateReadParams(repo.Repository),
+		ReadParams:    git.CreateReadParams(repo),
 		IncludeCommit: includeCommit,
 		Query:         filter.Query,
 		Sort:          mapToRPCTagSortOption(filter.Sort),

app/api/controller/repo/list_commits.go

@@ -39,11 +39,11 @@ func (c *Controller) ListCommits(ctx context.Context,
 
 	// set gitRef to default branch in case an empty reference was provided
 	if gitRef == "" {
-		gitRef = repo.Repository.DefaultBranch
+		gitRef = repo.DefaultBranch
 	}
 
 	rpcOut, err := c.git.ListCommits(ctx, &git.ListCommitsParams{
-		ReadParams:   git.CreateReadParams(repo.Repository),
+		ReadParams:   git.CreateReadParams(repo),
 		GitREF:       gitRef,
 		After:        filter.After,
 		Page:         int32(filter.Page),

app/api/controller/repo/list_paths.go

@@ -42,11 +42,11 @@ func (c *Controller) ListPaths(ctx context.Context,
 
 	// set gitRef to default branch in case an empty reference was provided
 	if gitRef == "" {
-		gitRef = repo.Repository.DefaultBranch
+		gitRef = repo.DefaultBranch
 	}
 
 	rpcOut, err := c.git.ListPaths(ctx, &git.ListPathsParams{
-		ReadParams:         git.CreateReadParams(repo.Repository),
+		ReadParams:         git.CreateReadParams(repo),
 		GitREF:             gitRef,
 		IncludeDirectories: includeDirectories,
 	})

app/api/controller/repo/list_pipelines.go

@@ -37,7 +37,7 @@ func (c *Controller) ListPipelines(
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to find repo: %w", err)
 	}
-	if err := apiauth.CheckPipeline(ctx, c.authorizer, session, repo.Repository.Path, "", enum.PermissionPipelineView); err != nil {
+	if err := apiauth.CheckPipeline(ctx, c.authorizer, session, repo.Path, "", enum.PermissionPipelineView); err != nil {
 		return nil, 0, fmt.Errorf("access check failed: %w", err)
 	}
 
@@ -45,18 +45,18 @@ func (c *Controller) ListPipelines(
 	var pipelines []*types.Pipeline
 
 	err = c.tx.WithTx(ctx, func(ctx context.Context) (err error) {
-		count, err = c.pipelineStore.Count(ctx, repo.Repository.ID, filter)
+		count, err = c.pipelineStore.Count(ctx, repo.ID, filter)
 		if err != nil {
 			return fmt.Errorf("failed to count child executions: %w", err)
 		}
 
 		if !latest {
-			pipelines, err = c.pipelineStore.List(ctx, repo.Repository.ID, filter)
+			pipelines, err = c.pipelineStore.List(ctx, repo.ID, filter)
 			if err != nil {
 				return fmt.Errorf("failed to list pipelines: %w", err)
 			}
 		} else {
-			pipelines, err = c.pipelineStore.ListLatest(ctx, repo.Repository.ID, filter)
+			pipelines, err = c.pipelineStore.ListLatest(ctx, repo.ID, filter)
 			if err != nil {
 				return fmt.Errorf("failed to list latest pipelines: %w", err)
 			}

app/api/controller/repo/list_service_accounts.go

@@ -42,12 +42,12 @@ func (c *Controller) ListServiceAccounts(
 		c.spaceStore,
 		c.repoStore,
 		enum.ParentResourceTypeRepo,
-		repo.Repository.ID,
+		repo.ID,
 		"",
 		enum.PermissionServiceAccountView,
 	); err != nil {
 		return nil, fmt.Errorf("access check failed: %w", err)
 	}
 
-	return c.principalStore.ListServiceAccounts(ctx, enum.ParentResourceTypeRepo, repo.Repository.ID)
+	return c.principalStore.ListServiceAccounts(ctx, enum.ParentResourceTypeRepo, repo.ID)
 }

app/api/controller/repo/merge_check.go

@@ -45,7 +45,7 @@ func (c *Controller) MergeCheck(
 		return MergeCheck{}, err
 	}
 
-	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, &repo.Repository)
+	writeParams, err := controller.CreateRPCInternalWriteParams(ctx, c.urlProvider, session, repo)
 	if err != nil {
 		return MergeCheck{}, fmt.Errorf("failed to create rpc write params: %w", err)
 	}

app/api/controller/repo/pipeline_generate.go

@@ -35,7 +35,7 @@ func (c *Controller) PipelineGenerate(
 	}
 
 	result, err := c.git.GeneratePipeline(ctx, &git.GeneratePipelineParams{
-		ReadParams: git.CreateReadParams(repo.Repository),
+		ReadParams: git.CreateReadParams(repo),
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate pipeline: %w", err)

app/api/controller/repo/public_access_update.go

@@ -18,10 +18,10 @@ import (
 	"context"
 	"fmt"
 
+	apiauth "github.com/harness/gitness/app/api/auth"
 	"github.com/harness/gitness/app/auth"
 	"github.com/harness/gitness/app/paths"
 	"github.com/harness/gitness/audit"
-	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 
 	"github.com/rs/zerolog/log"
@@ -31,49 +31,48 @@ type PublicAccessUpdateInput struct {
 	EnablePublic bool `json:"enable_public"`
 }
 
-type PublicAccessUpdateOutput struct {
-	IsPublic bool `json:"is_public"`
-}
-
 func (c *Controller) PublicAccessUpdate(ctx context.Context,
 	session *auth.Session,
 	repoRef string,
 	in *PublicAccessUpdateInput,
-) (*PublicAccessUpdateOutput, error) {
+) (*Repository, error) {
 	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoEdit)
 	if err != nil {
 		return nil, err
 	}
 
-	repoClone := repo.Clone()
-
 	if err = c.sanitizeVisibilityInput(in); err != nil {
 		return nil, fmt.Errorf("failed to sanitize input: %w", err)
 	}
 
-	parentSpace, name, err := paths.DisectLeaf(repo.Repository.Path)
+	repoClone := repo.Clone()
+
+	// get current public access vale for audit
+	isPublic, err := apiauth.CheckRepoIsPublic(ctx, c.publicAccess, repo)
 	if err != nil {
-		return nil, fmt.Errorf("failed to disect path '%s': %w", repo.Repository.Path, err)
+		return nil, fmt.Errorf("failed to check current public access status: %w", err)
 	}
 
-	scope := &types.Scope{SpacePath: parentSpace}
+	// no op
-	resource := &types.Resource{
+	if isPublic == in.EnablePublic {
-		Type:       enum.ResourceTypeRepo,
+		return GetRepoOutput(ctx, c.publicAccess, repo)
-		Identifier: name,
 	}
 
-	if err = c.publicAccess.Set(ctx, scope, resource, in.EnablePublic); err != nil {
+	if err = c.publicAccess.Set(ctx, enum.PublicResourceTypeRepo, repo.Path, in.EnablePublic); err != nil {
 		return nil, fmt.Errorf("failed to update repo public access: %w", err)
 	}
 
 	err = c.auditService.Log(ctx,
 		session.Principal,
-		audit.NewResource(audit.ResourceTypeRepository, repo.Repository.Identifier),
+		audit.NewResource(audit.ResourceTypeRepository, repo.Identifier),
 		audit.ActionUpdated,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
-		audit.WithOldObject(repoClone),
+		audit.WithOldObject(&Repository{
+			Repository: repoClone,
+			IsPublic:   isPublic,
+		}),
 		audit.WithNewObject(&Repository{
-			Repository: repo.Repository,
+			Repository: *repo,
 			IsPublic:   in.EnablePublic,
 		}),
 	)
@@ -81,9 +80,7 @@ func (c *Controller) PublicAccessUpdate(ctx context.Context,
 		log.Ctx(ctx).Warn().Msgf("failed to insert audit log for update repository operation: %s", err)
 	}
 
-	return &PublicAccessUpdateOutput{
+	return GetRepoOutput(ctx, c.publicAccess, repo)
-		in.EnablePublic,
-	}, nil
 
 }
 

app/api/controller/repo/purge.go

@@ -23,7 +23,6 @@ import (
 	"github.com/harness/gitness/app/api/usererror"
 	"github.com/harness/gitness/app/auth"
 	repoevents "github.com/harness/gitness/app/events/repo"
-	"github.com/harness/gitness/app/paths"
 	"github.com/harness/gitness/errors"
 	"github.com/harness/gitness/git"
 	"github.com/harness/gitness/types"
@@ -79,7 +78,7 @@ func (c *Controller) PurgeNoAuth(
 	}
 
 	if isPublic {
-		if err := c.disablePublicRepo(ctx, repo); err != nil {
+		if err := c.SetRepoPublicAccess(ctx, repo, false); err != nil {
 			log.Ctx(ctx).Err(err).Msg("failed to disable repo public access")
 		}
 	}
@@ -124,18 +123,3 @@ func (c *Controller) DeleteGitRepository(
 	}
 	return nil
 }
-
-func (c *Controller) disablePublicRepo(ctx context.Context, repo *types.Repository) error {
-	parentSpace, name, err := paths.DisectLeaf(repo.Path)
-	if err != nil {
-		return fmt.Errorf("failed to disect path '%s': %w", repo.Path, err)
-	}
-
-	scope := &types.Scope{SpacePath: parentSpace}
-	resource := &types.Resource{
-		Type:       enum.ResourceTypeRepo,
-		Identifier: name,
-	}
-
-	return c.publicAccess.Set(ctx, scope, resource, false)
-}

app/api/controller/repo/raw.go

@@ -40,11 +40,11 @@ func (c *Controller) Raw(ctx context.Context,
 
 	// set gitRef to default branch in case an empty reference was provided
 	if gitRef == "" {
-		gitRef = repo.Repository.DefaultBranch
+		gitRef = repo.DefaultBranch
 	}
 
 	// create read params once
-	readParams := git.CreateReadParams(repo.Repository)
+	readParams := git.CreateReadParams(repo)
 	treeNodeOutput, err := c.git.GetTreeNode(ctx, &git.GetTreeNodeParams{
 		ReadParams:          readParams,
 		GitREF:              gitRef,

app/api/controller/repo/rule_create.go

@@ -100,7 +100,7 @@ func (c *Controller) RuleCreate(ctx context.Context,
 		CreatedBy:     session.Principal.ID,
 		Created:       now,
 		Updated:       now,
-		RepoID:        &repo.Repository.ID,
+		RepoID:        &repo.ID,
 		SpaceID:       nil,
 		Type:          in.Type,
 		State:         in.State,
@@ -120,7 +120,7 @@ func (c *Controller) RuleCreate(ctx context.Context,
 		session.Principal,
 		audit.NewResource(audit.ResourceTypeBranchRule, r.Identifier),
 		audit.ActionCreated,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
 		audit.WithNewObject(r),
 	)
 	if err != nil {

app/api/controller/repo/rule_delete.go

@@ -37,7 +37,7 @@ func (c *Controller) RuleDelete(ctx context.Context,
 		return err
 	}
 
-	r, err := c.ruleStore.FindByIdentifier(ctx, nil, &repo.Repository.ID, identifier)
+	r, err := c.ruleStore.FindByIdentifier(ctx, nil, &repo.ID, identifier)
 	if err != nil {
 		return fmt.Errorf("failed to find repository-level protection rule by identifier: %w", err)
 	}
@@ -51,7 +51,7 @@ func (c *Controller) RuleDelete(ctx context.Context,
 		session.Principal,
 		audit.NewResource(audit.ResourceTypeBranchRule, r.Identifier),
 		audit.ActionDeleted,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
 		audit.WithOldObject(r),
 	)
 	if err != nil {

app/api/controller/repo/rule_find.go

@@ -34,7 +34,7 @@ func (c *Controller) RuleFind(ctx context.Context,
 		return nil, err
 	}
 
-	r, err := c.ruleStore.FindByIdentifier(ctx, nil, &repo.Repository.ID, identifier)
+	r, err := c.ruleStore.FindByIdentifier(ctx, nil, &repo.ID, identifier)
 	if err != nil {
 		return nil, fmt.Errorf("failed to find repository-level protection rule by identifier: %w", err)
 	}

app/api/controller/repo/rule_list.go

@@ -39,7 +39,7 @@ func (c *Controller) RuleList(ctx context.Context,
 	var count int64
 
 	err = c.tx.WithTx(ctx, func(ctx context.Context) error {
-		list, err = c.ruleStore.List(ctx, nil, &repo.Repository.ID, filter)
+		list, err = c.ruleStore.List(ctx, nil, &repo.ID, filter)
 		if err != nil {
 			return fmt.Errorf("failed to list repository-level protection rules: %w", err)
 		}
@@ -49,7 +49,7 @@ func (c *Controller) RuleList(ctx context.Context,
 			return nil
 		}
 
-		count, err = c.ruleStore.Count(ctx, nil, &repo.Repository.ID, filter)
+		count, err = c.ruleStore.Count(ctx, nil, &repo.ID, filter)
 		if err != nil {
 			return fmt.Errorf("failed to count repository-level protection rules: %w", err)
 		}

app/api/controller/repo/rule_update.go

@@ -96,7 +96,7 @@ func (c *Controller) RuleUpdate(ctx context.Context,
 		return nil, err
 	}
 
-	r, err := c.ruleStore.FindByIdentifier(ctx, nil, &repo.Repository.ID, identifier)
+	r, err := c.ruleStore.FindByIdentifier(ctx, nil, &repo.ID, identifier)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get a repository rule by its identifier: %w", err)
 	}
@@ -142,7 +142,7 @@ func (c *Controller) RuleUpdate(ctx context.Context,
 		session.Principal,
 		audit.NewResource(audit.ResourceTypeBranchRule, r.Identifier),
 		audit.ActionUpdated,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
 		audit.WithOldObject(oldRule),
 		audit.WithNewObject(r),
 	)

app/api/controller/repo/update.go

@@ -19,7 +19,6 @@ import (
 	"fmt"
 	"strings"
 
-	apiauth "github.com/harness/gitness/app/api/auth"
 	"github.com/harness/gitness/app/auth"
 	"github.com/harness/gitness/app/paths"
 	"github.com/harness/gitness/audit"
@@ -52,15 +51,15 @@ func (c *Controller) Update(ctx context.Context,
 
 	repoClone := repo.Clone()
 
-	if !in.hasChanges(&repo.Repository) {
+	if !in.hasChanges(repo) {
-		return repo, nil
+		return GetRepoOutput(ctx, c.publicAccess, repo)
 	}
 
 	if err = c.sanitizeUpdateInput(in); err != nil {
 		return nil, fmt.Errorf("failed to sanitize input: %w", err)
 	}
 
-	repoBase, err := c.repoStore.UpdateOptLock(ctx, &repo.Repository, func(repo *types.Repository) error {
+	repo, err = c.repoStore.UpdateOptLock(ctx, repo, func(repo *types.Repository) error {
 		// update values only if provided
 		if in.Description != nil {
 			repo.Description = *in.Description
@@ -72,21 +71,11 @@ func (c *Controller) Update(ctx context.Context,
 		return nil, err
 	}
 
-	isPublic, err := apiauth.CheckRepoIsPublic(ctx, c.publicAccess, repoBase)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get resource public access mode: %w", err)
-	}
-
-	repo = &Repository{
-		Repository: *repoBase,
-		IsPublic:   isPublic,
-	}
-
 	err = c.auditService.Log(ctx,
 		session.Principal,
-		audit.NewResource(audit.ResourceTypeRepository, repo.Repository.Identifier),
+		audit.NewResource(audit.ResourceTypeRepository, repo.Identifier),
 		audit.ActionUpdated,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
 		audit.WithOldObject(repoClone),
 		audit.WithNewObject(repo),
 	)
@@ -95,9 +84,9 @@ func (c *Controller) Update(ctx context.Context,
 	}
 
 	// backfill repo url
-	repo.Repository.GitURL = c.urlProvider.GenerateGITCloneURL(repo.Repository.Path)
+	repo.GitURL = c.urlProvider.GenerateGITCloneURL(repo.Path)
 
-	return repo, nil
+	return GetRepoOutput(ctx, c.publicAccess, repo)
 }
 
 func (c *Controller) sanitizeUpdateInput(in *UpdateInput) error {

app/api/controller/reposettings/controller.go

@@ -20,10 +20,10 @@ import (
 	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/auth"
 	"github.com/harness/gitness/app/auth/authz"
-	"github.com/harness/gitness/app/services/publicaccess"
 	"github.com/harness/gitness/app/services/settings"
 	"github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/audit"
+	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 )
 
@@ -31,7 +31,6 @@ type Controller struct {
 	authorizer   authz.Authorizer
 	repoStore    store.RepoStore
 	settings     *settings.Service
-	publicAccess publicaccess.PublicAccess
 	auditService audit.Service
 }
 
@@ -39,14 +38,12 @@ func NewController(
 	authorizer authz.Authorizer,
 	repoStore store.RepoStore,
 	settings *settings.Service,
-	publicAccess publicaccess.PublicAccess,
 	auditService audit.Service,
 ) *Controller {
 	return &Controller{
 		authorizer:   authorizer,
 		repoStore:    repoStore,
 		settings:     settings,
-		publicAccess: publicAccess,
 		auditService: auditService,
 	}
 }
@@ -58,12 +55,11 @@ func (c *Controller) getRepoCheckAccess(
 	session *auth.Session,
 	repoRef string,
 	reqPermission enum.Permission,
-) (*repo.Repository, error) {
+) (*types.Repository, error) {
 	return repo.GetRepoCheckAccess(
 		ctx,
 		c.repoStore,
 		c.authorizer,
-		c.publicAccess,
 		session,
 		repoRef,
 		reqPermission,

app/api/controller/reposettings/general_find.go

@@ -35,7 +35,7 @@ func (c *Controller) GeneralFind(
 
 	out := GetDefaultGeneralSettings()
 	mappings := GetGeneralSettingsMappings(out)
-	err = c.settings.RepoMap(ctx, repo.Repository.ID, mappings...)
+	err = c.settings.RepoMap(ctx, repo.ID, mappings...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to map settings: %w", err)
 	}

app/api/controller/reposettings/general_update.go

@@ -41,12 +41,12 @@ func (c *Controller) GeneralUpdate(
 	// read old settings values
 	old := GetDefaultGeneralSettings()
 	oldMappings := GetGeneralSettingsMappings(old)
-	err = c.settings.RepoMap(ctx, repo.Repository.ID, oldMappings...)
+	err = c.settings.RepoMap(ctx, repo.ID, oldMappings...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to map settings (old): %w", err)
 	}
 
-	err = c.settings.RepoSetMany(ctx, repo.Repository.ID, GetGeneralSettingsAsKeyValues(in)...)
+	err = c.settings.RepoSetMany(ctx, repo.ID, GetGeneralSettingsAsKeyValues(in)...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to set settings: %w", err)
 	}
@@ -54,16 +54,16 @@ func (c *Controller) GeneralUpdate(
 	// read all settings and return complete config
 	out := GetDefaultGeneralSettings()
 	mappings := GetGeneralSettingsMappings(out)
-	err = c.settings.RepoMap(ctx, repo.Repository.ID, mappings...)
+	err = c.settings.RepoMap(ctx, repo.ID, mappings...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to map settings: %w", err)
 	}
 
 	err = c.auditService.Log(ctx,
 		session.Principal,
-		audit.NewResource(audit.ResourceTypeRepositorySettings, repo.Repository.Identifier),
+		audit.NewResource(audit.ResourceTypeRepositorySettings, repo.Identifier),
 		audit.ActionUpdated,
-		paths.Parent(repo.Repository.Path),
+		paths.Parent(repo.Path),
 		audit.WithOldObject(old),
 		audit.WithNewObject(out),
 	)

app/api/controller/reposettings/wire.go

@@ -16,7 +16,6 @@ package reposettings
 
 import (
 	"github.com/harness/gitness/app/auth/authz"
-	"github.com/harness/gitness/app/services/publicaccess"
 	"github.com/harness/gitness/app/services/settings"
 	"github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/audit"
@@ -33,8 +32,7 @@ func ProvideController(
 	authorizer authz.Authorizer,
 	repoStore store.RepoStore,
 	settings *settings.Service,
-	publicAccess publicaccess.PublicAccess,
 	auditService audit.Service,
 ) *Controller {
-	return NewController(authorizer, repoStore, settings, publicAccess, auditService)
+	return NewController(authorizer, repoStore, settings, auditService)
 }

app/api/controller/space/create.go

@@ -146,10 +146,8 @@ func (c *Controller) createSpaceInnerInTX(
 		}
 	}
 
-	if in.IsPublic {
+	if err := c.setSpacePublicAccess(ctx, space, in.IsPublic); err != nil {
-		if err := c.setPublicSpace(ctx, space); err != nil {
+		return nil, fmt.Errorf("failed to set a space public: %w", err)
-			return nil, fmt.Errorf("failed to insert a public resource: %w", err)
-		}
 	}
 
 	return space, nil
@@ -189,19 +187,16 @@ func (c *Controller) getSpaceCheckAuthSpaceCreation(
 	return parentSpace, nil
 }
 
-func (c *Controller) setPublicSpace(ctx context.Context, space *types.Space) error {
+func (c *Controller) setSpacePublicAccess(
-	parentSpace, name, err := paths.DisectLeaf(space.Path)
+	ctx context.Context,
-	if err != nil {
+	space *types.Space,
-		return fmt.Errorf("failed to disect path '%s': %w", space.Path, err)
+	isPublic bool,
+) error {
+	if isPublic && !c.publicResourceCreationEnabled {
+		return errPublicSpaceCreationDisabled
 	}
 
-	scope := &types.Scope{SpacePath: parentSpace}
+	return c.publicAccess.Set(ctx, enum.PublicResourceTypeSpace, space.Path, isPublic)
-	resource := &types.Resource{
-		Type:       enum.ResourceTypeSpace,
-		Identifier: name,
-	}
-
-	return c.publicAccess.Set(ctx, scope, resource, true)
 }
 
 func (c *Controller) sanitizeCreateInput(in *CreateInput) error {

app/api/controller/space/helper.go

@@ -12,12 +12,29 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package types
+package space
 
-import "github.com/harness/gitness/types/enum"
+import (
+	"context"
+	"fmt"
 
-// PublicResource defines a public resource info.
+	apiauth "github.com/harness/gitness/app/api/auth"
-type PublicResource struct {
+	"github.com/harness/gitness/app/services/publicaccess"
-	Type enum.PublicResourceType
+	"github.com/harness/gitness/types"
-	ID   int64
+)
+
+func GetSpaceOutput(
+	ctx context.Context,
+	publicAccess publicaccess.PublicAccess,
+	space *types.Space,
+) (*Space, error) {
+	isPublic, err := apiauth.CheckSpaceIsPublic(ctx, publicAccess, space)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get resource public access mode: %w", err)
+	}
+
+	return &Space{
+		Space:    *space,
+		IsPublic: isPublic,
+	}, nil
 }

app/api/controller/space/import.go

@@ -98,12 +98,10 @@ func (c *Controller) Import(ctx context.Context, session *auth.Session, in *Impo
 			repoIDs[i] = repo.ID
 			cloneURLs[i] = remoteRepository.CloneURL
 
-			// update public resources
+			if err := c.repoCtrl.SetRepoPublicAccess(ctx, repo, isPublic); err != nil {
-			if isPublic && c.publicResourceCreationEnabled {
+				return fmt.Errorf("failed to set repo public access: %w", err)
-				if err := c.repoCtrl.SetPublicRepo(ctx, repo); err != nil {
-					return fmt.Errorf("failed to set a public repo: %w", err)
-				}
 			}
+
 		}
 
 		jobGroupID := fmt.Sprintf("space-import-%d", space.ID)

app/api/controller/space/import_repositories.go

@@ -126,11 +126,8 @@ func (c *Controller) ImportRepositories(
 				return fmt.Errorf("failed to create repository in storage: %w", err)
 			}
 
-			// update public resources
+			if err := c.repoCtrl.SetRepoPublicAccess(ctx, repo, isPublic); err != nil {
-			if isPublic && c.publicResourceCreationEnabled {
+				return fmt.Errorf("failed to set repo public access: %w", err)
-				if err := c.repoCtrl.SetPublicRepo(ctx, repo); err != nil {
-					return fmt.Errorf("failed to set a public repo: %w", err)
-				}
 			}
 
 			repos = append(repos, repo)

app/api/controller/space/update.go

@@ -47,18 +47,8 @@ func (c *Controller) Update(ctx context.Context, session *auth.Session,
 		return nil, err
 	}
 
-	isPublic, err := apiauth.CheckSpaceIsPublic(ctx, c.publicAccess, space)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get resource public access mode: %w", err)
-	}
-
-	spaceData := &Space{
-		Space:    *space,
-		IsPublic: isPublic,
-	}
-
 	if !in.hasChanges(space) {
-		return spaceData, nil
+		return GetSpaceOutput(ctx, c.publicAccess, space)
 	}
 
 	if err = c.sanitizeUpdateInput(in); err != nil {
@@ -77,10 +67,7 @@ func (c *Controller) Update(ctx context.Context, session *auth.Session,
 		return nil, err
 	}
 
-	return &Space{
+	return GetSpaceOutput(ctx, c.publicAccess, space)
-		Space:    *space,
-		IsPublic: isPublic,
-	}, nil
 }
 
 func (c *Controller) sanitizeUpdateInput(in *UpdateInput) error {

app/api/controller/webhook/controller.go

@@ -22,7 +22,6 @@ import (
 	"github.com/harness/gitness/app/api/usererror"
 	"github.com/harness/gitness/app/auth"
 	"github.com/harness/gitness/app/auth/authz"
-	"github.com/harness/gitness/app/services/publicaccess"
 	"github.com/harness/gitness/app/services/webhook"
 	"github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/encrypt"
@@ -40,7 +39,6 @@ type Controller struct {
 	repoStore             store.RepoStore
 	webhookService        *webhook.Service
 	encrypter             encrypt.Encrypter
-	publicAccess          publicaccess.PublicAccess
 }
 
 func NewController(
@@ -52,7 +50,6 @@ func NewController(
 	repoStore store.RepoStore,
 	webhookService *webhook.Service,
 	encrypter encrypt.Encrypter,
-	publicAccess publicaccess.PublicAccess,
 ) *Controller {
 	return &Controller{
 		allowLoopback:         allowLoopback,
@@ -63,7 +60,6 @@ func NewController(
 		repoStore:             repoStore,
 		webhookService:        webhookService,
 		encrypter:             encrypter,
-		publicAccess:          publicAccess,
 	}
 }
 

app/api/controller/webhook/wire.go

@@ -16,7 +16,6 @@ package webhook
 
 import (
 	"github.com/harness/gitness/app/auth/authz"
-	"github.com/harness/gitness/app/services/publicaccess"
 	"github.com/harness/gitness/app/services/webhook"
 	"github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/encrypt"
@@ -31,10 +30,10 @@ var WireSet = wire.NewSet(
 
 func ProvideController(config webhook.Config, authorizer authz.Authorizer,
 	webhookStore store.WebhookStore, webhookExecutionStore store.WebhookExecutionStore,
-	repoStore store.RepoStore, webhookService *webhook.Service, encrypter encrypt.Encrypter, publicAccess publicaccess.PublicAccess,
+	repoStore store.RepoStore, webhookService *webhook.Service, encrypter encrypt.Encrypter,
 ) *Controller {
 	return NewController(
 		config.AllowLoopback, config.AllowPrivateNetwork, authorizer,
 		webhookStore, webhookExecutionStore,
-		repoStore, webhookService, encrypter, publicAccess)
+		repoStore, webhookService, encrypter)
 }

app/auth/anonymouse.go

@@ -19,12 +19,10 @@ import (
 	"github.com/harness/gitness/types/enum"
 )
 
-// Anonymous is an in-memory principal for users with no auth data.
+// anonymousPrincipal is an in-memory principal for users with no auth data.
-// Authorizer is in charge of handling public access.
+// Authorizer is in charge of handling anonymouse access.
-func Anonymous() *types.Principal {
+var AnonymousPrincipal = types.Principal{
-	return &types.Principal{
 	ID:   -1,
-		UID:  "ALL_USERS",
+	UID:  "anonymous",
 	Type: enum.PrincipalTypeUser,
 }
-}

app/auth/authn/jwt.go

@@ -57,7 +57,7 @@ func (a *JWTAuthenticator) Authenticate(r *http.Request) (*auth.Session, error)
 
 	if len(str) == 0 {
 		return &auth.Session{
-			Principal: *auth.Anonymous(),
+			Principal: auth.AnonymousPrincipal,
 		}, nil
 	}
 

app/auth/authz/membership.go

@@ -55,12 +55,12 @@ func (a *MembershipAuthorizer) Check(
 	resource *types.Resource,
 	permission enum.Permission,
 ) (bool, error) {
-	isPublic, err := a.CheckPublicAccess(ctx, scope, resource, permission)
+	publicAccessAllowed, err := a.CheckPublicAccess(ctx, scope, resource, permission)
 	if err != nil {
 		return false, fmt.Errorf("failed to check public access: %w", err)
 	}
 
-	if isPublic {
+	if publicAccessAllowed {
 		return true, nil
 	}
 

app/auth/authz/public_access.go

@@ -17,6 +17,7 @@ package authz
 import (
 	"context"
 
+	"github.com/harness/gitness/app/paths"
 	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 )
@@ -33,11 +34,19 @@ func (a *MembershipAuthorizer) CheckPublicAccess(
 		return false, nil
 	}
 
-	// public access is enabled on these resource types.
+	pubResType, pubResPath := mapResource(scope, resource)
-	if resource.Type != enum.ResourceTypeRepo &&
+
-		resource.Type != enum.ResourceTypeSpace {
+	return a.publicAccess.Get(ctx, pubResType, pubResPath)
-		return false, nil
 }
 
-	return a.publicAccess.Get(ctx, scope, resource)
+func mapResource(scope *types.Scope, resource *types.Resource,
+) (enum.PublicResourceType, string) {
+	pubResType := enum.PublicResourceTypeSpace
+
+	if resource.Type == enum.ResourceTypeRepo &&
+		resource.Identifier != "" {
+		pubResType = enum.PublicResourceTypeRepo
+	}
+
+	return pubResType, paths.Concatenate(scope.SpacePath, resource.Identifier)
 }

app/pipeline/converter/converter.go

@@ -21,6 +21,8 @@ import (
 	"github.com/harness/gitness/app/pipeline/converter/jsonnet"
 	"github.com/harness/gitness/app/pipeline/converter/starlark"
 	"github.com/harness/gitness/app/pipeline/file"
+	"github.com/harness/gitness/app/services/publicaccess"
+	"github.com/harness/gitness/types/enum"
 )
 
 const (
@@ -31,6 +33,7 @@ const (
 
 type converter struct {
 	fileService  file.Service
+	publicaccess publicaccess.PublicAccess
 }
 
 func newConverter(fileService file.Service) Service {
@@ -40,14 +43,20 @@ func newConverter(fileService file.Service) Service {
 func (c *converter) Convert(_ context.Context, args *ConvertArgs) (*file.File, error) {
 	path := args.Pipeline.ConfigPath
 
+	// get public access visibility of the repo
+	repoIsPublic, err := c.publicaccess.Get(context.Background(), enum.PublicResourceTypeRepo, args.Repo.Path)
+	if err != nil {
+		return nil, err
+	}
+
 	if isJSONNet(path) {
-		str, err := jsonnet.Parse(args.Repo, args.Pipeline, args.Execution, args.File, c.fileService, jsonnetImportLimit)
+		str, err := jsonnet.Parse(args.Repo, repoIsPublic, args.Pipeline, args.Execution, args.File, c.fileService, jsonnetImportLimit)
 		if err != nil {
 			return nil, err
 		}
 		return &file.File{Data: []byte(str)}, nil
 	} else if isStarlark(path) {
-		str, err := starlark.Parse(args.Repo, args.Pipeline, args.Execution, args.File, starlarkStepLimit, starlarkSizeLimit)
+		str, err := starlark.Parse(args.Repo, repoIsPublic, args.Pipeline, args.Execution, args.File, starlarkStepLimit, starlarkSizeLimit)
 		if err != nil {
 			return nil, err
 		}

app/pipeline/converter/jsonnet/jsonnet.go

@@ -23,7 +23,6 @@ import (
 	"strconv"
 	"strings"
 
-	repoCtrl "github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/pipeline/file"
 	"github.com/harness/gitness/types"
 
@@ -37,7 +36,7 @@ const param = "param."
 var noContext = context.Background()
 
 type importer struct {
-	repo      *repoCtrl.Repository
+	repo      *types.Repository
 	execution *types.Execution
 
 	// jsonnet does not cache file imports and may request
@@ -104,7 +103,8 @@ func (i *importer) Import(importedFrom, importedPath string) (contents jsonnet.C
 }
 
 func Parse(
-	repo *repoCtrl.Repository,
+	repo *types.Repository,
+	repoIsPublic bool,
 	pipeline *types.Pipeline,
 	execution *types.Execution,
 	file *file.File,
@@ -131,7 +131,7 @@ func Parse(
 		mapBuild(execution, vm)
 	}
 	if repo != nil {
-		mapRepo(repo, pipeline, vm)
+		mapRepo(repo, pipeline, vm, repoIsPublic)
 	}
 
 	jsonnetFile := file
@@ -189,24 +189,24 @@ func mapBuild(v *types.Execution, vm *jsonnet.VM) {
 // mapBuild populates repo level variables available to jsonnet templates.
 // Since we want to maintain compatibility with drone 2.x, the older format
 // needs to be maintained (even if the variables do not exist in gitness).
-func mapRepo(v *repoCtrl.Repository, p *types.Pipeline, vm *jsonnet.VM) {
+func mapRepo(v *types.Repository, p *types.Pipeline, vm *jsonnet.VM, publicRepo bool) {
 	namespace := v.Path
 	idx := strings.LastIndex(v.Path, "/")
 	if idx != -1 {
 		namespace = v.Path[:idx]
 	}
 	// TODO [CODE-1363]: remove after identifier migration.
-	vm.ExtVar(repo+"uid", v.Repository.Identifier)
+	vm.ExtVar(repo+"uid", v.Identifier)
-	vm.ExtVar(repo+"identifier", v.Repository.Identifier)
+	vm.ExtVar(repo+"identifier", v.Identifier)
-	vm.ExtVar(repo+"name", v.Repository.Identifier)
+	vm.ExtVar(repo+"name", v.Identifier)
 	vm.ExtVar(repo+"namespace", namespace)
-	vm.ExtVar(repo+"slug", v.Repository.Path)
+	vm.ExtVar(repo+"slug", v.Path)
-	vm.ExtVar(repo+"git_http_url", v.Repository.GitURL)
+	vm.ExtVar(repo+"git_http_url", v.GitURL)
-	vm.ExtVar(repo+"git_ssh_url", v.Repository.GitURL)
+	vm.ExtVar(repo+"git_ssh_url", v.GitURL)
-	vm.ExtVar(repo+"link", v.Repository.GitURL)
+	vm.ExtVar(repo+"link", v.GitURL)
-	vm.ExtVar(repo+"branch", v.Repository.DefaultBranch)
+	vm.ExtVar(repo+"branch", v.DefaultBranch)
 	vm.ExtVar(repo+"config", p.ConfigPath)
-	vm.ExtVar(repo+"private", strconv.FormatBool(!v.IsPublic))
+	vm.ExtVar(repo+"private", strconv.FormatBool(!publicRepo))
 	vm.ExtVar(repo+"visibility", "internal")
 	vm.ExtVar(repo+"active", strconv.FormatBool(true))
 	vm.ExtVar(repo+"trusted", strconv.FormatBool(true))

app/pipeline/converter/service.go

@@ -17,7 +17,6 @@ package converter
 import (
 	"context"
 
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/pipeline/file"
 	"github.com/harness/gitness/types"
 )
@@ -26,10 +25,11 @@ type (
 	// ConvertArgs represents a request to the pipeline
 	// conversion service.
 	ConvertArgs struct {
-		Repo      *repo.Repository `json:"repository,omitempty"`
+		Repo         *types.Repository `json:"repository,omitempty"`
 		Pipeline     *types.Pipeline   `json:"pipeline,omitempty"`
 		Execution    *types.Execution  `json:"execution,omitempty"`
 		File         *file.File        `json:"config,omitempty"`
+		RepoIsPublic bool              `json:"repo_is_public,omitempty"`
 	}
 
 	// Service converts a file which is in starlark/jsonnet form by looking

app/pipeline/converter/starlark/args.go

@@ -17,7 +17,6 @@ package starlark
 import (
 	"strings"
 
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/types"
 
 	"go.starlark.net/starlark"
@@ -25,15 +24,16 @@ import (
 )
 
 func createArgs(
-	repo *repo.Repository,
+	repo *types.Repository,
 	pipeline *types.Pipeline,
 	execution *types.Execution,
+	repoIsPublic bool,
 ) []starlark.Value {
 	args := []starlark.Value{
 		starlarkstruct.FromStringDict(
 			starlark.String("context"),
 			starlark.StringDict{
-				"repo":  starlarkstruct.FromStringDict(starlark.String("repo"), fromRepo(repo, pipeline)),
+				"repo":  starlarkstruct.FromStringDict(starlark.String("repo"), fromRepo(repo, pipeline, repoIsPublic)),
 				"build": starlarkstruct.FromStringDict(starlark.String("build"), fromBuild(execution)),
 			},
 		),
@@ -67,7 +67,7 @@ func fromBuild(v *types.Execution) starlark.StringDict {
 	}
 }
 
-func fromRepo(v *repo.Repository, p *types.Pipeline) starlark.StringDict {
+func fromRepo(v *types.Repository, p *types.Pipeline, publicRepo bool) starlark.StringDict {
 	namespace := v.Path
 	idx := strings.LastIndex(v.Path, "/")
 	if idx != -1 {
@@ -76,17 +76,17 @@ func fromRepo(v *repo.Repository, p *types.Pipeline) starlark.StringDict {
 
 	return starlark.StringDict{
 		// TODO [CODE-1363]: remove after identifier migration?
-		"uid":                  starlark.String(v.Repository.Identifier),
+		"uid":                  starlark.String(v.Identifier),
-		"identifier":           starlark.String(v.Repository.Identifier),
+		"identifier":           starlark.String(v.Identifier),
-		"name":                 starlark.String(v.Repository.Identifier),
+		"name":                 starlark.String(v.Identifier),
 		"namespace":            starlark.String(namespace),
-		"slug":                 starlark.String(v.Repository.Path),
+		"slug":                 starlark.String(v.Path),
-		"git_http_url":         starlark.String(v.Repository.GitURL),
+		"git_http_url":         starlark.String(v.GitURL),
-		"git_ssh_url":          starlark.String(v.Repository.GitURL),
+		"git_ssh_url":          starlark.String(v.GitURL),
-		"link":                 starlark.String(v.Repository.GitURL),
+		"link":                 starlark.String(v.GitURL),
-		"branch":               starlark.String(v.Repository.DefaultBranch),
+		"branch":               starlark.String(v.DefaultBranch),
 		"config":               starlark.String(p.ConfigPath),
-		"private":              !starlark.Bool(v.IsPublic),
+		"private":              !starlark.Bool(publicRepo),
 		"visibility":           starlark.String("internal"),
 		"active":               starlark.Bool(true),
 		"trusted":              starlark.Bool(true),

app/pipeline/converter/starlark/starlark.go

@@ -18,7 +18,6 @@ import (
 	"bytes"
 	"errors"
 
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/pipeline/file"
 	"github.com/harness/gitness/types"
 
@@ -57,7 +56,8 @@ var (
 )
 
 func Parse(
-	repo *repo.Repository,
+	repo *types.Repository,
+	repoIsPublic bool,
 	pipeline *types.Pipeline,
 	execution *types.Execution,
 	file *file.File,
@@ -69,8 +69,8 @@ func Parse(
 		Load: noLoad,
 		Print: func(_ *starlark.Thread, msg string) {
 			logrus.WithFields(logrus.Fields{
-				"namespace": repo.Repository.Path, // TODO: update to just be the space
+				"namespace": repo.Path, // TODO: update to just be the space
-				"name":      repo.Repository.Identifier,
+				"name":      repo.Identifier,
 			}).Traceln(msg)
 		},
 	}
@@ -96,7 +96,7 @@ func Parse(
 
 	// create the input args and invoke the main method
 	// using the input args.
-	args := createArgs(repo, pipeline, execution)
+	args := createArgs(repo, pipeline, execution, repoIsPublic)
 
 	// set the maximum number of operations in the script. this
 	// mitigates long running scripts.

app/pipeline/file/gitness.go

@@ -19,8 +19,8 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/git"
+	"github.com/harness/gitness/types"
 
 	"github.com/rs/zerolog/log"
 )
@@ -35,12 +35,12 @@ func newService(git git.Interface) Service {
 
 func (f *service) Get(
 	ctx context.Context,
-	repo *repo.Repository,
+	repo *types.Repository,
 	path string,
 	ref string,
 ) (*File, error) {
 	readParams := git.ReadParams{
-		RepoUID: repo.Repository.GitUID,
+		RepoUID: repo.GitUID,
 	}
 	treeNodeOutput, err := f.git.GetTreeNode(ctx, &git.GetTreeNodeParams{
 		ReadParams:          readParams,

app/pipeline/file/service.go

@@ -17,7 +17,7 @@ package file
 import (
 	"context"
 
-	"github.com/harness/gitness/app/api/controller/repo"
+	"github.com/harness/gitness/types"
 )
 
 type (
@@ -36,6 +36,6 @@ type (
 	Service interface {
 		// path is the path in the repo to read
 		// ref is the git ref for the repository e.g. refs/heads/master
-		Get(ctx context.Context, repo *repo.Repository, path, ref string) (*File, error)
+		Get(ctx context.Context, repo *types.Repository, path, ref string) (*File, error)
 	}
 )

app/pipeline/manager/client.go

@@ -103,7 +103,7 @@ func (e *embedded) Detail(ctx context.Context, stage *drone.Stage) (*client.Cont
 
 	return &client.Context{
 		Build:   ConvertToDroneBuild(details.Execution),
-		Repo:    ConvertToDroneRepo(details.Repo),
+		Repo:    ConvertToDroneRepo(details.Repo, details.RepoIsPublic),
 		Stage:   ConvertToDroneStage(details.Stage),
 		Secrets: ConvertToDroneSecrets(details.Secrets),
 		Config:  ConvertToDroneFile(details.Config),

app/pipeline/manager/convert.go

@@ -17,7 +17,6 @@ package manager
 import (
 	"time"
 
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/pipeline/file"
 	"github.com/harness/gitness/livelog"
 	"github.com/harness/gitness/types"
@@ -208,21 +207,21 @@ func ConvertToDroneBuild(execution *types.Execution) *drone.Build {
 	}
 }
 
-func ConvertToDroneRepo(repo *repo.Repository) *drone.Repo {
+func ConvertToDroneRepo(repo *types.Repository, repoIsPublic bool) *drone.Repo {
 	return &drone.Repo{
-		ID:        repo.Repository.ID,
+		ID:        repo.ID,
 		Trusted:   true, // as builds are running on user machines, the repo is marked trusted.
-		UID:       repo.Repository.Identifier,
+		UID:       repo.Identifier,
-		UserID:    repo.Repository.CreatedBy,
+		UserID:    repo.CreatedBy,
-		Namespace: repo.Repository.Path,
+		Namespace: repo.Path,
-		Name:      repo.Repository.Identifier,
+		Name:      repo.Identifier,
-		HTTPURL:   repo.Repository.GitURL,
+		HTTPURL:   repo.GitURL,
-		Link:      repo.Repository.GitURL,
+		Link:      repo.GitURL,
-		Private:   !repo.IsPublic,
+		Private:   !repoIsPublic,
-		Created:   repo.Repository.Created,
+		Created:   repo.Created,
-		Updated:   repo.Repository.Updated,
+		Updated:   repo.Updated,
-		Version:   repo.Repository.Version,
+		Version:   repo.Version,
-		Branch:    repo.Repository.DefaultBranch,
+		Branch:    repo.DefaultBranch,
 		// TODO: We can get this from configuration once we start populating it.
 		// If this is not set drone runner cancels the build.
 		Timeout: int64((10 * time.Hour).Seconds()),

app/pipeline/manager/manager.go

@@ -23,7 +23,6 @@ import (
 	"time"
 
 	apiauth "github.com/harness/gitness/app/api/auth"
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/bootstrap"
 	"github.com/harness/gitness/app/jwt"
 	"github.com/harness/gitness/app/pipeline/converter"
@@ -83,7 +82,8 @@ type (
 	// ExecutionContext represents the minimum amount of information
 	// required by the runner to execute a build.
 	ExecutionContext struct {
-		Repo      *repo.Repository `json:"repository"`
+		Repo         *types.Repository `json:"repository"`
+		RepoIsPublic bool              `json:"repository_is_public,omitempty"`
 		Execution    *types.Execution  `json:"build"`
 		Stage        *types.Stage      `json:"stage"`
 		Secrets      []*types.Secret   `json:"secrets"`
@@ -302,24 +302,14 @@ func (m *Manager) Details(_ context.Context, stageID int64) (*ExecutionContext,
 		log.Warn().Err(err).Msg("manager: cannot find pipeline")
 		return nil, err
 	}
-	repoBase, err := m.Repos.Find(noContext, execution.RepoID)
+	repo, err := m.Repos.Find(noContext, execution.RepoID)
 	if err != nil {
 		log.Warn().Err(err).Msg("manager: cannot find repo")
 		return nil, err
 	}
 
-	isPublic, err := apiauth.CheckRepoIsPublic(noContext, m.publicAccess, repoBase)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if repo is public: %w", err)
-	}
-
-	repo := &repo.Repository{
-		Repository: *repoBase,
-		IsPublic:   isPublic,
-	}
-
 	// Backfill clone URL
-	repo.Repository.GitURL = m.urlProvider.GenerateContainerGITCloneURL(repo.Repository.Path)
+	repo.GitURL = m.urlProvider.GenerateContainerGITCloneURL(repo.Path)
 
 	stages, err := m.Stages.List(noContext, stage.ExecutionID)
 	if err != nil {
@@ -329,12 +319,12 @@ func (m *Manager) Details(_ context.Context, stageID int64) (*ExecutionContext,
 	execution.Stages = stages
 	log = log.With().
 		Int64("build", execution.Number).
-		Str("repo", repo.Repository.GetGitUID()).
+		Str("repo", repo.GetGitUID()).
 		Logger()
 
 	// TODO: Currently we fetch all the secrets from the same space.
 	// This logic can be updated when needed.
-	secrets, err := m.Secrets.ListAll(noContext, repo.Repository.ParentID)
+	secrets, err := m.Secrets.ListAll(noContext, repo.ParentID)
 	if err != nil {
 		log.Warn().Err(err).Msg("manager: cannot list secrets")
 		return nil, err
@@ -347,12 +337,20 @@ func (m *Manager) Details(_ context.Context, stageID int64) (*ExecutionContext,
 		return nil, err
 	}
 
+	// Get public access settings of the repo
+	repoIsPublic, err := apiauth.CheckRepoIsPublic(noContext, m.publicAccess, repo)
+	if err != nil {
+		log.Warn().Err(err).Msg("manager: cannot check if repo is public")
+		return nil, err
+	}
+
 	// Convert file contents in case templates are being used.
 	args := &converter.ConvertArgs{
 		Repo:         repo,
 		Pipeline:     pipeline,
 		Execution:    execution,
 		File:         file,
+		RepoIsPublic: repoIsPublic,
 	}
 	file, err = m.ConverterService.Convert(noContext, args)
 	if err != nil {
@@ -368,6 +366,7 @@ func (m *Manager) Details(_ context.Context, stageID int64) (*ExecutionContext,
 
 	return &ExecutionContext{
 		Repo:         repo,
+		RepoIsPublic: repoIsPublic,
 		Execution:    execution,
 		Stage:        stage,
 		Secrets:      secrets,
@@ -376,11 +375,11 @@ func (m *Manager) Details(_ context.Context, stageID int64) (*ExecutionContext,
 	}, nil
 }
 
-func (m *Manager) createNetrc(repo *repo.Repository) (*Netrc, error) {
+func (m *Manager) createNetrc(repo *types.Repository) (*Netrc, error) {
 	pipelinePrincipal := bootstrap.NewPipelineServiceSession().Principal
 	jwt, err := jwt.GenerateWithMembership(
 		pipelinePrincipal.ID,
-		repo.Repository.ParentID,
+		repo.ParentID,
 		pipelineJWTRole,
 		pipelineJWTLifetime,
 		pipelinePrincipal.Salt,
@@ -389,7 +388,7 @@ func (m *Manager) createNetrc(repo *repo.Repository) (*Netrc, error) {
 		return nil, fmt.Errorf("failed to create jwt: %w", err)
 	}
 
-	cloneURL, err := url.Parse(repo.Repository.GitURL)
+	cloneURL, err := url.Parse(repo.GitURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse clone url '%s': %w", cloneURL, err)
 	}

app/pipeline/triggerer/env.go

@@ -15,7 +15,6 @@
 package triggerer
 
 import (
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/url"
 	"github.com/harness/gitness/types"
 
@@ -33,11 +32,11 @@ func combine(env ...map[string]string) map[string]string {
 }
 
 func Envs(
-	repo *repo.Repository,
+	repo *types.Repository,
 	pipeline *types.Pipeline,
 	urlProvider url.Provider,
 ) map[string]string {
 	return map[string]string{
-		"DRONE_BUILD_LINK": urlProvider.GenerateUIBuildURL(repo.Repository.Path, pipeline.Identifier, pipeline.Seq),
+		"DRONE_BUILD_LINK": urlProvider.GenerateUIBuildURL(repo.Path, pipeline.Identifier, pipeline.Seq),
 	}
 }

app/pipeline/triggerer/trigger.go

@@ -22,7 +22,6 @@ import (
 	"time"
 
 	apiauth "github.com/harness/gitness/app/api/auth"
-	"github.com/harness/gitness/app/api/controller/repo"
 	"github.com/harness/gitness/app/pipeline/checks"
 	"github.com/harness/gitness/app/pipeline/converter"
 	"github.com/harness/gitness/app/pipeline/file"
@@ -154,19 +153,15 @@ func (t *triggerer) Trigger(
 
 	event := string(base.Action.GetTriggerEvent())
 
-	repoBase, err := t.repoStore.Find(ctx, pipeline.RepoID)
+	repo, err := t.repoStore.Find(ctx, pipeline.RepoID)
 	if err != nil {
 		log.Error().Err(err).Msg("could not find repo")
 		return nil, err
 	}
-	isPublic, err := apiauth.CheckRepoIsPublic(ctx, t.publicAccess, repoBase)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if repo is public: %w", err)
-	}
 
-	repo := &repo.Repository{
+	repoIsPublic, err := apiauth.CheckRepoIsPublic(ctx, t.publicAccess, repo)
-		Repository: *repoBase,
+	if err != nil {
-		IsPublic:   isPublic,
+		return nil, fmt.Errorf("could not check if repo is public: %w", err)
 	}
 
 	file, err := t.fileService.Get(ctx, repo, pipeline.ConfigPath, base.After)
@@ -177,7 +172,7 @@ func (t *triggerer) Trigger(
 
 	now := time.Now().UnixMilli()
 	execution := &types.Execution{
-		RepoID:     repo.Repository.ID,
+		RepoID:     repo.ID,
 		PipelineID: pipeline.ID,
 		Trigger:    base.Trigger,
 		CreatedBy:  base.TriggeredBy,
@@ -219,6 +214,7 @@ func (t *triggerer) Trigger(
 			Pipeline:     pipeline,
 			Execution:    execution,
 			File:         file,
+			RepoIsPublic: repoIsPublic,
 		}
 		file, err = t.converterService.Convert(ctx, args)
 		if err != nil {
@@ -265,7 +261,7 @@ func (t *triggerer) Trigger(
 				log.Info().Str("pipeline", name).Msg("trigger: skipping pipeline, does not match action")
 			case skipRef(pipeline, base.Ref):
 				log.Info().Str("pipeline", name).Msg("trigger: skipping pipeline, does not match ref")
-			case skipRepo(pipeline, repo.Repository.Path):
+			case skipRepo(pipeline, repo.Path):
 				log.Info().Str("pipeline", name).Msg("trigger: skipping pipeline, does not match repo")
 			case skipCron(pipeline, base.Cron):
 				log.Info().Str("pipeline", name).Msg("trigger: skipping pipeline, does not match cron job")
@@ -293,7 +289,7 @@ func (t *triggerer) Trigger(
 			}
 
 			stage := &types.Stage{
-				RepoID:    repo.Repository.ID,
+				RepoID:    repo.ID,
 				Number:    int64(i + 1),
 				Name:      match.Name,
 				Kind:      match.Kind,
@@ -346,7 +342,7 @@ func (t *triggerer) Trigger(
 		}
 	} else {
 		stages, err = parseV1Stages(
-			ctx, file.Data, repo, execution, t.templateStore, t.pluginStore)
+			ctx, file.Data, repo, execution, t.templateStore, t.pluginStore, t.publicAccess)
 		if err != nil {
 			return nil, fmt.Errorf("could not parse v1 YAML into stages: %w", err)
 		}
@@ -406,10 +402,11 @@ func trunc(s string, i int) string {
 func parseV1Stages(
 	ctx context.Context,
 	data []byte,
-	repo *repo.Repository,
+	repo *types.Repository,
 	execution *types.Execution,
 	templateStore store.TemplateStore,
 	pluginStore store.PluginStore,
+	publicaccess publicaccess.PublicAccess,
 ) ([]*types.Stage, error) {
 	stages := []*types.Stage{}
 	// For V1 YAML, just go through the YAML and create stages serially for now
@@ -428,8 +425,14 @@ func parseV1Stages(
 		return nil, fmt.Errorf("cannot support non-pipeline kinds in v1 at the moment: %w", err)
 	}
 
+	// get repo public access
+	repoIsPublic, err := publicaccess.Get(ctx, enum.PublicResourceTypeRepo, repo.Path)
+	if err != nil {
+		return nil, fmt.Errorf("could not check repo public access: %w", err)
+	}
+
 	inputParams := map[string]interface{}{}
-	inputParams["repo"] = inputs.Repo(manager.ConvertToDroneRepo(repo))
+	inputParams["repo"] = inputs.Repo(manager.ConvertToDroneRepo(repo, repoIsPublic))
 	inputParams["build"] = inputs.Build(manager.ConvertToDroneBuild(execution))
 
 	var prevStage string
@@ -476,7 +479,7 @@ func parseV1Stages(
 					status = enum.CIStatusPending
 				}
 				temp := &types.Stage{
-					RepoID:    repo.Repository.ID,
+					RepoID:    repo.ID,
 					Number:    int64(idx + 1),
 					Name:      stage.Id, // for v1, ID is the unique identifier per stage
 					Created:   now,

app/services/exporter/repository.go

@@ -35,7 +35,6 @@ import (
 	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 
-	apiauth "github.com/harness/gitness/app/api/auth"
 	"github.com/rs/zerolog/log"
 )
 
@@ -117,16 +116,11 @@ func (r *Repository) RunManyForSpace(
 
 	jobDefinitions := make([]job.Definition, len(repos))
 	for i, repository := range repos {
-		isPublic, err := apiauth.CheckRepoIsPublic(ctx, r.publicAccess, repository)
-		if err != nil {
-			return fmt.Errorf("failed to check repo public visibility: %w", err)
-		}
-
 		repoJobData := Input{
 			Identifier:      repository.Identifier,
 			ID:              repository.ID,
 			Description:     repository.Description,
-			IsPublic:        isPublic,
+			IsPublic:        false, // todo: use repository.IsPublic once public is available.
 			HarnessCodeInfo: *harnessCodeInfo,
 		}
 
@@ -193,16 +187,11 @@ func (r *Repository) Handle(ctx context.Context, data string, _ job.ProgressRepo
 		return "", err
 	}
 
-	isPublic, err := apiauth.CheckRepoIsPublic(ctx, r.publicAccess, repository)
-	if err != nil {
-		return "", fmt.Errorf("failed to check if repo is public: %w", err)
-	}
-
 	remoteRepo, err := client.CreateRepo(ctx, repo.CreateInput{
 		Identifier:    repository.Identifier,
 		DefaultBranch: repository.DefaultBranch,
 		Description:   repository.Description,
-		IsPublic:      isPublic,
+		IsPublic:      false, // TODO: use apiauth.CheckRepoIsPublic once public access is deployed on HC.
 		Readme:        false,
 		License:       "",
 		GitIgnore:     "",

app/services/publicaccess/public_access.go

@@ -17,7 +17,7 @@ package publicaccess
 import (
 	"context"
 
-	"github.com/harness/gitness/types"
+	"github.com/harness/gitness/types/enum"
 )
 
 // PublicAccess is an abstraction of an entity responsible for managing public access to resources.
@@ -31,8 +31,8 @@ type PublicAccess interface {
 	 */
 	Get(
 		ctx context.Context,
-		scope *types.Scope,
+		resourceType enum.PublicResourceType,
-		resource *types.Resource,
+		resourcePath string,
 	) (bool, error)
 
 	/*
@@ -43,8 +43,8 @@ type PublicAccess interface {
 	 */
 	Set(
 		ctx context.Context,
-		scope *types.Scope,
+		resourceType enum.PublicResourceType,
-		resource *types.Resource,
+		resourcePath string,
 		enable bool,
 	) error
 }

app/services/publicaccess/resources.go

@@ -18,70 +18,52 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/harness/gitness/app/paths"
-	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 )
 
 func (s *Service) getPublicResource(
 	ctx context.Context,
-	scope *types.Scope,
+	resourceType enum.PublicResourceType,
-	resource *types.Resource,
+	resourcePath string,
-) (*types.PublicResource, error) {
+) (int64, error) {
-	resType := resource.Type
+	var id int64
-
-	// set scope type to space for checks within space scope.
-	if resource.Identifier == "" {
-		resType = enum.ResourceTypeSpace
-	}
-	var pubRes *types.PublicResource
 	var err error
-	switch resType {
+	switch resourceType {
-	case enum.ResourceTypeRepo:
+	case enum.PublicResourceTypeRepo:
-		pubRes, err = s.getResourceRepo(ctx, scope, resource)
+		id, err = s.getResourceRepo(ctx, resourcePath)
-	case enum.ResourceTypeSpace:
+	case enum.PublicResourceTypeSpace:
-		pubRes, err = s.getResourceSpace(ctx, scope, resource)
+		id, err = s.getResourceSpace(ctx, resourcePath)
 	default:
-		return nil, fmt.Errorf("invalid public resource type")
+		return 0, fmt.Errorf("invalid public resource type")
 	}
 
 	if err != nil {
-		return nil, fmt.Errorf("failed to get public resource: %w", err)
+		return 0, fmt.Errorf("failed to get public resource: %w", err)
 	}
 
-	return pubRes, nil
+	return id, nil
 }
 
 func (s *Service) getResourceRepo(
 	ctx context.Context,
-	scope *types.Scope,
+	path string,
-	resource *types.Resource,
+) (int64, error) {
-) (*types.PublicResource, error) {
+	repo, err := s.repoStore.FindByRef(ctx, path)
-	repoRef := paths.Concatenate(scope.SpacePath, resource.Identifier)
-	repo, err := s.repoStore.FindByRef(ctx, repoRef)
 	if err != nil {
-		return nil, fmt.Errorf("failed to find repo: %w", err)
+		return 0, fmt.Errorf("failed to find repo: %w", err)
 	}
 
-	return &types.PublicResource{
+	return repo.ID, nil
-		Type: enum.PublicResourceTypeRepo,
-		ID:   repo.ID,
-	}, nil
 }
 
 func (s *Service) getResourceSpace(
 	ctx context.Context,
-	scope *types.Scope,
+	path string,
-	resource *types.Resource,
+) (int64, error) {
-) (*types.PublicResource, error) {
+	space, err := s.spaceStore.FindByRef(ctx, path)
-	spaceRef := paths.Concatenate(scope.SpacePath, resource.Identifier)
-	space, err := s.spaceStore.FindByRef(ctx, spaceRef)
 	if err != nil {
-		return nil, fmt.Errorf("failed to find space: %w", err)
+		return 0, fmt.Errorf("failed to find space: %w", err)
 	}
 
-	return &types.PublicResource{
+	return space.ID, nil
-		Type: enum.PublicResourceTypeSpace,
-		ID:   space.ID,
-	}, nil
 }

app/services/publicaccess/service.go

@@ -21,22 +21,22 @@ import (
 
 	"github.com/harness/gitness/app/store"
 	gitness_store "github.com/harness/gitness/store"
-	"github.com/harness/gitness/types"
+	"github.com/harness/gitness/types/enum"
 )
 
 type Service struct {
-	publicResourceStore store.PublicResource
+	publicAccessStore store.PublicAccessStore
 	repoStore         store.RepoStore
 	spaceStore        store.SpaceStore
 }
 
 func NewService(
-	publicResourceStore store.PublicResource,
+	publicAccessStore store.PublicAccessStore,
 	repoStore store.RepoStore,
 	spaceStore store.SpaceStore,
 ) PublicAccess {
 	return &Service{
-		publicResourceStore: publicResourceStore,
+		publicAccessStore: publicAccessStore,
 		repoStore:         repoStore,
 		spaceStore:        spaceStore,
 	}
@@ -44,15 +44,15 @@ func NewService(
 
 func (s *Service) Get(
 	ctx context.Context,
-	scope *types.Scope,
+	resourceType enum.PublicResourceType,
-	resource *types.Resource,
+	resourcePath string,
 ) (bool, error) {
-	pubRes, err := s.getPublicResource(ctx, scope, resource)
+	pubResID, err := s.getPublicResource(ctx, resourceType, resourcePath)
 	if err != nil {
 		return false, err
 	}
 
-	err = s.publicResourceStore.Find(ctx, pubRes)
+	err = s.publicAccessStore.Find(ctx, resourceType, pubResID)
 	if errors.Is(err, gitness_store.ErrResourceNotFound) {
 		return false, nil
 	}
@@ -65,22 +65,22 @@ func (s *Service) Get(
 
 func (s *Service) Set(
 	ctx context.Context,
-	scope *types.Scope,
+	resourceType enum.PublicResourceType,
-	resource *types.Resource,
+	resourcePath string,
 	enable bool,
 ) error {
-	pubRes, err := s.getPublicResource(ctx, scope, resource)
+	pubResID, err := s.getPublicResource(ctx, resourceType, resourcePath)
 	if err != nil {
 		return err
 	}
 
 	if enable {
-		err := s.publicResourceStore.Create(ctx, pubRes)
+		err := s.publicAccessStore.Create(ctx, resourceType, pubResID)
 		if errors.Is(err, gitness_store.ErrDuplicate) {
 			return nil
 		}
 		return err
 	} else {
-		return s.publicResourceStore.Delete(ctx, pubRes)
+		return s.publicAccessStore.Delete(ctx, resourceType, pubResID)
 	}
 }

app/services/publicaccess/wire.go

@@ -25,9 +25,9 @@ var WireSet = wire.NewSet(
 )
 
 func ProvidePublicAccess(
-	publicResources store.PublicResource,
+	publicAccessStore store.PublicAccessStore,
 	repoStore store.RepoStore,
 	spaceStore store.SpaceStore,
 ) PublicAccess {
-	return NewService(publicResources, repoStore, spaceStore)
+	return NewService(publicAccessStore, repoStore, spaceStore)
 }

app/store/database.go

@@ -290,11 +290,11 @@ type (
 		ListSpaces(ctx context.Context, userID int64, filter types.MembershipSpaceFilter) ([]types.MembershipSpace, error)
 	}
 
-	// PublicResource defines the publicly accessible resources data storage.
+	// PublicAccessStore defines the publicly accessible resources data storage.
-	PublicResource interface {
+	PublicAccessStore interface {
-		Find(ctx context.Context, pubRes *types.PublicResource) error
+		Find(ctx context.Context, typ enum.PublicResourceType, id int64) error
-		Create(ctx context.Context, pubRes *types.PublicResource) error
+		Create(ctx context.Context, typ enum.PublicResourceType, id int64) error
-		Delete(ctx context.Context, pubRes *types.PublicResource) error
+		Delete(ctx context.Context, typ enum.PublicResourceType, id int64) error
 	}
 
 	// TokenStore defines the token data storage.

app/store/database/migrate/postgres/0051_create_table_public_resources.down.sql

@@ -1,28 +1,28 @@
 -- copy public repositories
-ALTER TABLE repositories ADD COLUMN repo_is_public;
+ALTER TABLE repositories ADD COLUMN repo_is_public BOOLEAN;
 
 UPDATE repositories
 WHERE repo_id IN (
-    SELECT public_resource_repo_id
+    SELECT public_access_repo_id
-    FROM public_resources 
+    FROM public_access
-    WHERE public_resource_repo_id IS NOT NULL;
+    WHERE public_access_repo_id IS NOT NULL;
 ) SET 
 repo_is_public = TRUE;
 
 
 -- copy public spaces
-ALTER TABLE spaces ADD COLUMN space_is_public;
+ALTER TABLE spaces ADD COLUMN space_is_public BOOLEAN;
 
--- update public resources
+-- update public access
 UPDATE spaces
 WHERE space_id IN (
-    SELECT public_resource_space_id
+    SELECT public_access_space_id
-    FROM public_resources 
+    FROM public_access
-    WHERE public_resource_space_id IS NOT NULL;
+    WHERE public_access_space_id IS NOT NULL;
 ) SET 
-sapce_is_public = TRUE;
+space_is_public = TRUE;
 
--- clear public_resoureces
+-- clear public access
-DROP INDEX public_resource_space_id_key;
+DROP INDEX public_access_space_id_key;
-DROP INDEX public_resource_repo_id_key;
+DROP INDEX public_access_repo_id_key;
-DROP TABLE public_resources;
+DROP TABLE public_access;

app/store/database/migrate/postgres/0051_create_table_public_resources.up.sql

@@ -1,48 +1,44 @@
-CREATE TABLE public_resources (
+CREATE TABLE public_access (
- public_resource_id SERIAL PRIMARY KEY
+ public_access_id SERIAL PRIMARY KEY
-,public_resource_space_id INTEGER
+,public_access_space_id INTEGER
-,public_resource_repo_id INTEGER
+,public_access_repo_id INTEGER
 
-,CONSTRAINT fk_public_resource_space_id FOREIGN KEY (public_resource_space_id)
+,CONSTRAINT fk_public_access_space_id FOREIGN KEY (public_access_space_id)
     REFERENCES spaces (space_id) MATCH SIMPLE
     ON UPDATE NO ACTION
     ON DELETE CASCADE
-,CONSTRAINT fk_public_resource_repo_id FOREIGN KEY (public_resource_repo_id)
+,CONSTRAINT fk_public_access_repo_id FOREIGN KEY (public_access_repo_id)
     REFERENCES repositories (repo_id) MATCH SIMPLE
     ON UPDATE NO ACTION
     ON DELETE CASCADE
 );
 
-CREATE UNIQUE INDEX public_resource_space_id_key
+CREATE UNIQUE INDEX public_access_space_id_key
-	ON public_resources(public_resource_space_id)
+	ON public_access(public_access_space_id)
-	WHERE public_resource_space_id IS NOT NULL;
+	WHERE public_access_space_id IS NOT NULL;
 
-CREATE UNIQUE INDEX public_resource_repo_id_key
+CREATE UNIQUE INDEX public_access_repo_id_key
-	ON public_resources(public_resource_repo_id)
+	ON public_access(public_access_repo_id)
-	WHERE public_resource_repo_id IS NOT NULL;
+	WHERE public_access_repo_id IS NOT NULL;
 
--- move public repos into public_resource
+-- move public repos into public_access
-INSERT INTO public_resources (
+INSERT INTO public_access (
-     public_resource_space_id
+     public_access_repo_id
-    ,public_resource_repo_id
 )
 SELECT
-     NULL   
+     repo_id
-    ,repo_id
 FROM repositories
 WHERE repo_is_public = TRUE;
 
 -- alter repo table
 ALTER TABLE repositories DROP COLUMN repo_is_public;
 
--- move public spaces into public_resource
+-- move public spaces into public_access
-INSERT INTO public_resources (
+INSERT INTO public_access (
-     public_resource_space_id
+     public_access_space_id
-    ,public_resource_repo_id
 )
 SELECT
      space_id
-    ,NULL
 FROM spaces
 WHERE space_is_public = TRUE;
 

app/store/database/migrate/sqlite/0051_create_table_public_resources.down.sql

@@ -1,28 +1,28 @@
 -- copy public repositories
-ALTER TABLE repositories ADD COLUMN repo_is_public;
+ALTER TABLE repositories ADD COLUMN repo_is_public BOOLEAN;
 
 UPDATE repositories
 WHERE repo_id IN (
-    SELECT public_resource_repo_id
+    SELECT public_access_repo_id
-    FROM public_resources 
+    FROM public_access
-    WHERE public_resource_repo_id IS NOT NULL;
+    WHERE public_access_repo_id IS NOT NULL;
 ) SET 
 repo_is_public = TRUE;
 
 
 -- copy public spaces
-ALTER TABLE spaces ADD COLUMN space_is_public;
+ALTER TABLE spaces ADD COLUMN space_is_public BOOLEAN;
 
--- update public resources
+-- update public access
 UPDATE spaces
 WHERE space_id IN (
-    SELECT public_resource_space_id
+    SELECT public_access_space_id
-    FROM public_resources 
+    FROM public_access
-    WHERE public_resource_space_id IS NOT NULL;
+    WHERE public_access_space_id IS NOT NULL;
 ) SET 
-sapce_is_public = TRUE;
+space_is_public = TRUE;
 
--- clear public_resoureces
+-- clear public_access
-DROP INDEX public_resource_space_id_key;
+DROP INDEX public_access_space_id_key;
-DROP INDEX public_resource_repo_id_key;
+DROP INDEX public_access_repo_id_key;
-DROP TABLE public_resources;
+DROP TABLE public_access;

app/store/database/migrate/sqlite/0051_create_table_public_resources.up.sql

@@ -1,48 +1,44 @@
-CREATE TABLE public_resources (
+CREATE TABLE public_access (
- public_resource_id INTEGER PRIMARY KEY AUTOINCREMENT
+ public_access_id INTEGER PRIMARY KEY AUTOINCREMENT
-,public_resource_space_id INTEGER
+,public_access_space_id INTEGER
-,public_resource_repo_id INTEGER
+,public_access_repo_id INTEGER
 
-,CONSTRAINT fk_public_resource_space_id FOREIGN KEY (public_resource_space_id)
+,CONSTRAINT fk_public_access_space_id FOREIGN KEY (public_access_space_id)
     REFERENCES spaces (space_id) MATCH SIMPLE
     ON UPDATE NO ACTION
     ON DELETE CASCADE
-,CONSTRAINT fk_public_resource_repo_id FOREIGN KEY (public_resource_repo_id)
+,CONSTRAINT fk_public_access_repo_id FOREIGN KEY (public_access_repo_id)
     REFERENCES repositories (repo_id) MATCH SIMPLE
     ON UPDATE NO ACTION
     ON DELETE CASCADE
 );
 
-CREATE UNIQUE INDEX public_resource_space_id_key
+CREATE UNIQUE INDEX public_access_space_id_key
-	ON public_resources(public_resource_space_id)
+	ON public_access(public_access_space_id)
-	WHERE public_resource_space_id IS NOT NULL;
+	WHERE public_access_space_id IS NOT NULL;
 
-CREATE UNIQUE INDEX public_resource_repo_id_key
+CREATE UNIQUE INDEX public_access_repo_id_key
-	ON public_resources(public_resource_repo_id)
+	ON public_access(public_access_repo_id)
-	WHERE public_resource_repo_id IS NOT NULL;
+	WHERE public_access_repo_id IS NOT NULL;
 
--- move public repos into public_resource
+-- move public repos into public_access
-INSERT INTO public_resources (
+INSERT INTO public_access (
-     public_resource_space_id
+     public_access_repo_id
-    ,public_resource_repo_id
 )
 SELECT
-     NULL
+     repo_id
-    ,repo_id
 FROM repositories
 WHERE repo_is_public = TRUE;
 
 -- alter repo table
 ALTER TABLE repositories DROP COLUMN repo_is_public;
 
--- move public spaces into public_resource
+-- move public spaces into public_access
-INSERT INTO public_resources (
+INSERT INTO public_access (
-     public_resource_space_id
+     public_access_space_id
-    ,public_resource_repo_id
 )
 SELECT
      space_id
-    ,NULL
 FROM spaces
 WHERE space_is_public = TRUE;
 

app/store/database/public_access.go

@@ -21,56 +21,56 @@ import (
 	"github.com/harness/gitness/app/store"
 	"github.com/harness/gitness/store/database"
 	"github.com/harness/gitness/store/database/dbtx"
-	"github.com/harness/gitness/types"
 	"github.com/harness/gitness/types/enum"
 
 	"github.com/guregu/null"
 	"github.com/jmoiron/sqlx"
 )
 
-var _ store.PublicResource = (*PublicResourcesStore)(nil)
+var _ store.PublicAccessStore = (*PublicAccessStore)(nil)
 
-// NewPublicResourcesStore returns a new PublicResourcesStore.
+// NewPublicAccessStore returns a new PublicAccessStore.
-func NewPublicResourcesStore(db *sqlx.DB) *PublicResourcesStore {
+func NewPublicAccessStore(db *sqlx.DB) *PublicAccessStore {
-	return &PublicResourcesStore{
+	return &PublicAccessStore{
 		db: db,
 	}
 }
 
-// PublicResourcesStore implements store.SettingsStore backed by a relational database.
+// PublicAccessStore implements store.PublicAccessStore backed by a relational database.
-type PublicResourcesStore struct {
+type PublicAccessStore struct {
 	db *sqlx.DB
 }
 
-type publicResource struct {
+type publicAccess struct {
-	ID      int64    `db:"public_resource_id"`
+	ID      int64    `db:"public_access_id"`
-	SpaceID null.Int `db:"public_resource_space_id"`
+	SpaceID null.Int `db:"public_access_space_id"`
-	RepoID  null.Int `db:"public_resource_repo_id"`
+	RepoID  null.Int `db:"public_access_repo_id"`
 }
 
 const (
-	publicResourceColumns = `
+	publicAccessColumns = `
-	 public_resource_id
+	 public_access_id
-	,public_resource_space_id
+	,public_access_space_id
-	,public_resource_repo_id
+	,public_access_repo_id
 	`
 )
 
-func (p *PublicResourcesStore) Find(
+func (p *PublicAccessStore) Find(
 	ctx context.Context,
-	pubRes *types.PublicResource,
+	typ enum.PublicResourceType,
+	id int64,
 ) error {
 	stmt := database.Builder.
-		Select(publicResourceColumns).
+		Select(publicAccessColumns).
-		From("public_resources")
+		From("public_access")
 
-	switch pubRes.Type {
+	switch typ {
 	case enum.PublicResourceTypeRepo:
-		stmt = stmt.Where("public_resource_repo_id = ?", pubRes.ID)
+		stmt = stmt.Where("public_access_repo_id = ?", id)
 	case enum.PublicResourceTypeSpace:
-		stmt = stmt.Where("public_resource_space_id = ?", pubRes.ID)
+		stmt = stmt.Where("public_access_space_id = ?", id)
 	default:
-		return fmt.Errorf("public resource type %q is not supported", pubRes.Type)
+		return fmt.Errorf("public resource type %q is not supported", typ)
 	}
 
 	sql, args, err := stmt.ToSql()
@@ -80,7 +80,7 @@ func (p *PublicResourcesStore) Find(
 
 	db := dbtx.GetAccessor(ctx, p.db)
 
-	dst := &publicResource{}
+	dst := &publicAccess{}
 	if err = db.GetContext(ctx, dst, sql, args...); err != nil {
 		return database.ProcessSQLErrorf(ctx, err, "Select query failed")
 	}
@@ -88,25 +88,26 @@ func (p *PublicResourcesStore) Find(
 	return nil
 }
 
-func (p *PublicResourcesStore) Create(
+func (p *PublicAccessStore) Create(
 	ctx context.Context,
-	pubRes *types.PublicResource,
+	typ enum.PublicResourceType,
+	id int64,
 ) error {
 	stmt := database.Builder.
 		Insert("").
-		Into("public_resources").
+		Into("public_access").
 		Columns(
-			"public_resource_space_id",
+			"public_access_space_id",
-			"public_resource_repo_id",
+			"public_access_repo_id",
 		)
 
-	switch pubRes.Type {
+	switch typ {
 	case enum.PublicResourceTypeRepo:
-		stmt = stmt.Values(null.Int{}, null.IntFrom(pubRes.ID))
+		stmt = stmt.Values(null.Int{}, null.IntFrom(id))
 	case enum.PublicResourceTypeSpace:
-		stmt = stmt.Values(null.IntFrom(pubRes.ID), null.Int{})
+		stmt = stmt.Values(null.IntFrom(id), null.Int{})
 	default:
-		return fmt.Errorf("public resource type %q is not supported", pubRes.Type)
+		return fmt.Errorf("public resource type %q is not supported", typ)
 	}
 
 	sql, args, err := stmt.ToSql()
@@ -123,20 +124,21 @@ func (p *PublicResourcesStore) Create(
 	return nil
 }
 
-func (p *PublicResourcesStore) Delete(
+func (p *PublicAccessStore) Delete(
 	ctx context.Context,
-	pubRes *types.PublicResource,
+	typ enum.PublicResourceType,
+	id int64,
 ) error {
 	stmt := database.Builder.
-		Delete("public_resources")
+		Delete("public_access")
 
-	switch pubRes.Type {
+	switch typ {
 	case enum.PublicResourceTypeRepo:
-		stmt = stmt.Where("public_resource_repo_id = ?", pubRes.ID)
+		stmt = stmt.Where("public_access_repo_id = ?", id)
 	case enum.PublicResourceTypeSpace:
-		stmt = stmt.Where("public_resource_space_id = ?", pubRes.ID)
+		stmt = stmt.Where("public_access_space_id = ?", id)
 	default:
-		return fmt.Errorf("public resource type %q is not supported", pubRes.Type)
+		return fmt.Errorf("public resource type %q is not supported", typ)
 	}
 
 	sql, args, err := stmt.ToSql()

app/store/database/wire.go

@@ -53,7 +53,7 @@ var WireSet = wire.NewSet(
 	ProvideWebhookStore,
 	ProvideWebhookExecutionStore,
 	ProvideSettingsStore,
-	ProvidePublicResourcesStore,
+	ProvidePublicPublicAccessStore,
 	ProvideCheckStore,
 	ProvideConnectorStore,
 	ProvideTemplateStore,
@@ -249,7 +249,7 @@ func ProvideSettingsStore(db *sqlx.DB) store.SettingsStore {
 	return NewSettingsStore(db)
 }
 
-// ProvidePublicResourcesStore provides a pulic resources store.
+// ProvidePublicPublicAccessStore provides a pulic access store.
-func ProvidePublicResourcesStore(db *sqlx.DB) store.PublicResource {
+func ProvidePublicPublicAccessStore(db *sqlx.DB) store.PublicAccessStore {
-	return NewPublicResourcesStore(db)
+	return NewPublicAccessStore(db)
 }

cmd/gitness/wire_gen.go

@@ -115,9 +115,9 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro
 	principalInfoCache := cache.ProvidePrincipalInfoCache(principalInfoView)
 	membershipStore := database.ProvideMembershipStore(db, principalInfoCache, spacePathStore, spaceStore)
 	permissionCache := authz.ProvidePermissionCache(spaceStore, membershipStore)
-	publicResource := database.ProvidePublicResourcesStore(db)
+	publicAccessStore := database.ProvidePublicPublicAccessStore(db)
 	repoStore := database.ProvideRepoStore(db, spacePathCache, spacePathStore, spaceStore)
-	publicAccess := publicaccess.ProvidePublicAccess(publicResource, repoStore, spaceStore)
+	publicAccess := publicaccess.ProvidePublicAccess(publicAccessStore, repoStore, spaceStore)
 	authorizer := authz.ProvideAuthorizer(permissionCache, spaceStore, publicAccess)
 	principalUIDTransformation := store.ProvidePrincipalUIDTransformation()
 	principalStore := database.ProvidePrincipalStore(db, principalUIDTransformation)
@@ -201,7 +201,7 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro
 	repoIdentifier := check.ProvideRepoIdentifierCheck()
 	repoCheck := repo.ProvideRepoCheck()
 	repoController := repo.ProvideController(config, transactor, provider, authorizer, repoStore, spaceStore, pipelineStore, principalStore, ruleStore, settingsService, principalInfoCache, protectionManager, gitInterface, repository, codeownersService, reporter, indexer, resourceLimiter, lockerLocker, auditService, mutexManager, repoIdentifier, repoCheck, publicAccess)
-	reposettingsController := reposettings.ProvideController(authorizer, repoStore, settingsService, publicAccess, auditService)
+	reposettingsController := reposettings.ProvideController(authorizer, repoStore, settingsService, auditService)
 	executionStore := database.ProvideExecutionStore(db)
 	checkStore := database.ProvideCheckStore(db, principalInfoCache)
 	stageStore := database.ProvideStageStore(db)
@@ -268,7 +268,7 @@ func initSystem(ctx context.Context, config *types.Config) (*server.System, erro
 	if err != nil {
 		return nil, err
 	}
-	webhookController := webhook2.ProvideController(webhookConfig, authorizer, webhookStore, webhookExecutionStore, repoStore, webhookService, encrypter, publicAccess)
+	webhookController := webhook2.ProvideController(webhookConfig, authorizer, webhookStore, webhookExecutionStore, repoStore, webhookService, encrypter)
 	reporter2, err := events4.ProvideReporter(eventsSystem)
 	if err != nil {
 		return nil, err

types/enum/public_resource.go

@@ -20,7 +20,7 @@ func (PublicResourceType) Enum() []interface{} {
 	return toInterfaceSlice(GetAllPublicResourceTypes())
 }
 
-var (
+const (
 	PublicResourceTypeRepo  PublicResourceType = "repository"
 	PublicResourceTypeSpace PublicResourceType = "space"
 )

types/repo.go

@@ -70,6 +70,18 @@ func (r Repository) MarshalJSON() ([]byte, error) {
 	})
 }
 
+// Clone makes deep copy of repository object.
+func (r Repository) Clone() Repository {
+	var deleted *int64
+	if r.Deleted != nil {
+		id := *r.Deleted
+		deleted = &id
+	}
+	r.Deleted = deleted
+
+	return r
+}
+
 type RepositorySizeInfo struct {
 	ID     int64  `json:"id"`
 	GitUID string `json:"git_uid"`