Add VCS instances functionality

[paukert]

No description provided.

[Copilot]

Pull request overview

Adds the ability for admins to create new VCS instances (GitHub/GitLab) through the web UI, wiring up backend validation + persistence and exposing the entry point from the repositories screen.

Changes:

• Added admin routes and a new VcsInstanceController for create/store.
• Introduced a VCS instance creation page (Inertia/Vue) and associated TS types.
• Centralized VCS instance validation rules in the VcsInstance model and added VcsPlatform::getLabels() for UI options.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
routes/web.php	Adds admin resource routes for creating/storing VCS instances.
resources/js/types/index.d.ts	Adds a VcsInstance TS interface for the form payload.
resources/js/pages/vcsInstances/Create.vue	New UI page to create a VCS instance (platform, API URL, token/installation id).
resources/js/pages/repositories/Repositories.vue	Adds a button linking to the VCS instance create page.
app/Models/VcsInstance.php	Adds mass-assignable fields and validation rules for VCS instance creation.
app/Http/Requests/VcsInstances/VcsInstanceCreateRequest.php	Adds a FormRequest that uses the model’s validation rules.
app/Http/Controllers/VcsInstanceController.php	Implements create/store endpoints and persists VCS instances.
app/Enums/VcsPlatform.php	Adds getLabels() to provide platform labels for the UI.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

api_url is later used to build outbound HTTP requests (e.g., GitHub/GitLab API calls). Validating with the generic url rule allows non-HTTP(S) schemes and potentially internal/loopback/private-network hosts, which can lead to misconfiguration and SSRF risk. Consider restricting to HTTPS and (if feasible) rejecting localhost/private IP ranges / non-public hosts at validation time.

Suggested change

	'api_url' => ['required', 'url', 'max:255'],
	'api_url' => [
	'required',
	'url',
	'max:255',
	/**
	* Ensure the API URL uses HTTP(S) and does not point to localhost or private/reserved IP ranges.
	*
	* @param string $attribute
	* @param mixed $value
	* @param callable $fail
	*/
	function ($attribute, $value, $fail): void {
	if (!is_string($value)) {
	$fail('The ' . $attribute . ' must be a valid URL.');
	return;
	}
	$parts = parse_url($value);
	if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
	$fail('The ' . $attribute . ' must be a valid URL.');
	return;
	}
	$scheme = strtolower($parts['scheme']);
	if (!in_array($scheme, ['http', 'https'], true)) {
	$fail('The ' . $attribute . ' must use the http or https scheme.');
	return;
	}
	$host = strtolower($parts['host']);
	// Explicitly disallow localhost.
	if ($host === 'localhost') {
	$fail('The ' . $attribute . ' must not point to localhost.');
	return;
	}
	// If host is a literal IP address, ensure it is not private or reserved.
	if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
	$publicIp = filter_var(
	$host,
	FILTER_VALIDATE_IP,
	FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
	);
	if ($publicIp === false) {
	$fail('The ' . $attribute . ' must not point to a private or reserved IP address.');
	}
	}
	},
	],

[Copilot]

installation_id is accepted as an arbitrary string, but it is used as a path parameter in GitHub API calls and is expected to be numeric. Allowing non-numeric values will pass validation but will fail at runtime when calling the GitHub API. Consider validating it as an integer/numeric value (and optionally enforcing a sensible range) when platform is GitHub.

Suggested change

	'installation_id' => ['required_if:platform,github', 'nullable', 'string', 'max:255'],
	'installation_id' => ['required_if:platform,github', 'nullable', 'integer', 'min:1', 'max:255'],