Skip to content

Register webhook and script in create PR command #3998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
richardhjtan wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Register webhook and script in create PR command #3998

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 59 additions & 1 deletion packages/host/app/commands/create-listing-pr.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,24 @@ export default class CreateListingPRCommand extends HostBaseCommand<

log.debug('PR created successfully:', prResult);

// Open room and send PR status message with full details
// Register webhook for PR status updates
const webhookData = await this.registerPRWebhook(prResult.prNumber);

if (webhookData) {
manifest.webhook = {
id: webhookData.id,
path: webhookData.path,
signingSecret: webhookData.signingSecret,
};

log.debug('Webhook registered for PR:', {
webhookUrl: `${this.realmServer.url.href}_webhooks/${webhookData.path}`,
signingSecret: webhookData.signingSecret,
prNumber: prResult.prNumber,
Comment on lines +200 to +203
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stop logging webhook signing secrets

The debug log currently includes signingSecret, which is the credential used to authenticate webhook payloads. In any environment where debug logging is enabled (staging, incident debugging, or local logs shipped to a shared sink), this leaks enough information to forge valid X-Hub-Signature-256 headers and spoof GitHub webhook events for the registered path.

Useful? React with 👍 / 👎.

});
}

// Open room and send PR status message
await new UseAiAssistantCommand(this.commandContext).execute({
roomId,
prompt: `I just submitted a PR for my listing "${listing.name ?? listing.id}".
Expand All @@ -208,6 +225,47 @@ PR Details:
return await this.makeResult(manifest);
}

private async registerPRWebhook(
prNumber: number,
): Promise<{ id: string; path: string; signingSecret: string } | null> {
try {
const webhook = await this.realmServer.createIncomingWebhook({
verificationType: 'HMAC_SHA256_HEADER',
verificationConfig: {
header: 'x-hub-signature-256',
Copy link

Copilot AI Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header name should be 'X-Hub-Signature-256' with capital letters instead of 'x-hub-signature-256'. While HTTP headers are case-insensitive, the GitHub API documentation and all existing tests in the codebase consistently use 'X-Hub-Signature-256' with capital letters. This inconsistency could cause confusion and should be corrected for consistency with the rest of the codebase.

Suggested change
header: 'x-hub-signature-256',
header: 'X-Hub-Signature-256',

Copilot uses AI. Check for mistakes.
encoding: 'hex',
},
});

log.debug('Created incoming webhook:', {
id: webhook.id,
path: webhook.webhookPath,
});

await this.realmServer.createWebhookCommand({
incomingWebhookId: webhook.id,
command: `${this.realmServer.url.href}catalog-realm/commands/process-github-webhook`,
filter: {
eventType: 'pull_request',
prNumber: prNumber,
},
});

log.debug('Registered webhook command for PR', { prNumber });

return {
id: webhook.id,
path: webhook.webhookPath,
signingSecret: webhook.signingSecret,
};
} catch (error: any) {
log.error('Failed to register PR webhook:', error);
// Don't fail the entire PR creation if webhook registration fails
// Just log and continue
return null;
}
}
Comment on lines +228 to +267
Copy link

Copilot AI Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The registerPRWebhook method always creates a new webhook and webhook command without checking if one already exists for this PR. This could lead to duplicate webhooks being created if the PR creation is retried or if the command is called multiple times. Consider implementing idempotent webhook registration similar to the approach in register-github-webhook.ts (see ensureIncomingWebhook and ensureWebhookCommand functions) to prevent duplicate webhooks.

Copilot uses AI. Check for mistakes.

private async collectAndFetchFiles(
listing: Listing,
plan: ReturnType<PlanBuilder['build']>,
Expand Down
124 changes: 124 additions & 0 deletions packages/host/app/services/realm-server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1022,6 +1022,130 @@ export default class RealmServerService extends Service {
return data.attributes;
}

async createIncomingWebhook(params: {
verificationType: 'HMAC_SHA256_HEADER';
verificationConfig: {
header: string;
encoding: 'hex' | 'base64';
};
}): Promise<{
id: string;
webhookPath: string;
signingSecret: string;
username: string;
createdAt: string;
}> {
await this.login();

const response = await this.authedFetch(
`${this.url.href}_incoming-webhooks`,
{
method: 'POST',
headers: {
Accept: SupportedMimeType.JSONAPI,
'Content-Type': 'application/vnd.api+json',
},
body: JSON.stringify({
data: {
type: 'incoming-webhook',
attributes: params,
},
}),
},
);

if (!response.ok) {
const errorText = await response.text();
throw new Error(
`Failed to create incoming webhook: ${response.status} - ${errorText}`,
);
}

const { data } = (await response.json()) as {
data: {
type: string;
id: string;
attributes: {
username: string;
webhookPath: string;
verificationType: string;
verificationConfig: Record<string, unknown>;
signingSecret: string;
createdAt: string;
updatedAt: string;
};
};
};

return {
id: data.id,
webhookPath: data.attributes.webhookPath,
signingSecret: data.attributes.signingSecret,
username: data.attributes.username,
createdAt: data.attributes.createdAt,
};
}

async createWebhookCommand(params: {
incomingWebhookId: string;
command: string;
filter?: Record<string, unknown> | null;
}): Promise<{
id: string;
incomingWebhookId: string;
command: string;
filter: Record<string, unknown> | null;
createdAt: string;
}> {
await this.login();

const response = await this.authedFetch(
`${this.url.href}_webhook-commands`,
{
method: 'POST',
headers: {
Accept: SupportedMimeType.JSONAPI,
'Content-Type': 'application/vnd.api+json',
},
body: JSON.stringify({
data: {
type: 'webhook-command',
attributes: params,
},
}),
},
);

if (!response.ok) {
const errorText = await response.text();
throw new Error(
`Failed to create webhook command: ${response.status} - ${errorText}`,
);
}

const { data } = (await response.json()) as {
data: {
type: string;
id: string;
attributes: {
incomingWebhookId: string;
command: string;
filter: Record<string, unknown> | null;
createdAt: string;
updatedAt: string;
};
};
};

return {
id: data.id,
incomingWebhookId: data.attributes.incomingWebhookId,
command: data.attributes.command,
filter: data.attributes.filter,
createdAt: data.attributes.createdAt,
};
}

private async getToken() {
if (!this.token) {
await this.login();
Expand Down
Loading
Loading