Introduce resource-level filter for Receiver

[matheuscscp]

Follow-up for #1313

CEL expressions get ugly fast (in general).

This PR introduces a .spec.resources[]-level .filter to enhance the readability for filtering CEL expressions in Receiver.

Note: .spec.resourceFilter and .spec.resources[].filter are stacked together i.e. they are AND'd together. If both are set, then both have to return true for a resource to be triggered.

Before this PR:

apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: flux-webhook-receiver
  namespace: flux-system
spec:
  type: generic-oidc
  oidcProviders:
    - issuerURL: https://token.actions.githubusercontent.com
      validations:
        - expression: >-
            claims.job_workflow_ref.matches(r"^controlplaneio-fluxcd/d2-fleet/\.github/workflows/push-artifact\.yaml@<< inputs.artifactSubjectGitRef >>$")
            || claims.job_workflow_ref.matches(r"^controlplaneio-fluxcd/flux-appx/\.github/workflows/push-image\.yml@refs/(heads/main|pull/[0-9]+/merge)$")
          message: "token job_workflow_ref is not an allowed d2-fleet/flux-appx workflow"
  resourceFilter: >-
    (claims.repository == 'controlplaneio-fluxcd/d2-fleet' && res.kind == 'OCIRepository') ||
    (claims.repository == 'controlplaneio-fluxcd/flux-appx' && res.kind == 'ResourceSetInputProvider')
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: OCIRepository
      name: flux-system
    - apiVersion: fluxcd.controlplane.io/v1
      kind: ResourceSetInputProvider
      name: '*'
      matchLabels:
        preview: "true"

After this PR:

apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: flux-webhook-receiver
  namespace: flux-system
spec:
  type: generic-oidc
  oidcProviders:
    - issuerURL: https://token.actions.githubusercontent.com
      validations:
        - expression: "claims.repository_owner == 'controlplaneio-fluxcd'"
          message: "token is not from the controlplaneio-fluxcd org"
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: OCIRepository
      name: flux-system
      filter: 'claims.job_workflow_ref.matches(r"^controlplaneio-fluxcd/d2-fleet/\.github/workflows/push-artifact\.yaml@<< inputs.artifactSubjectGitRef >>$")'
    - apiVersion: fluxcd.controlplane.io/v1
      kind: ResourceSetInputProvider
      name: '*'
      matchLabels:
        preview: "true"
      filter: 'claims.job_workflow_ref.matches(r"^controlplaneio-fluxcd/flux-appx/\.github/workflows/push-image\.yml@refs/(heads/main|pull/[0-9]+/merge)$")'

[matheuscscp]

@stefanprodan I successfully tested this API e2e across all my Receiver paths in an EKS fleet with 4 clusters.

[stefanprodan]

LGTM

Thanks @matheuscscp 🏅