-
Notifications
You must be signed in to change notification settings - Fork 1
feat(api): add GitHub webhook receiver for evented refresh#1317
Merged
jonnii merged 1 commit intoJun 24, 2026
Merged
Conversation
POST /api/v1/webhooks/github turns a verified push into an immediate refresh of the matching managed checkout, so server state tracks GitHub without waiting for the next interval tick. The interval loop stays as a backstop. - The route bypasses the session/CSRF gate (GitHub carries neither) but stays rate-limited, mirroring how /config is mounted on the public mux. It is authenticated solely by the X-Hub-Signature-256 HMAC and fails closed (404) when STACKIT_GITHUB_WEBHOOK_SECRET is unset, so it is never an open trigger — the correct posture for local/dev servers GitHub cannot reach. - The handler acks immediately (202) and runs the mirror-fetch in the background, since a fetch can outlast GitHub's delivery timeout. Coalescing bursts is a follow-up. - The shared *reposync.Syncer is now built once in NewServer (guarding the typed-nil provider trap) and drives both the interval loop and the webhook, so on-demand refresh works even with the loop disabled. handlers depends on it only through a narrow RepoSyncer interface.
This was referenced Jun 23, 2026
Merged
Base automatically changed from
jonnii/20260623024903/add-GitHub-webhook-signature-push-parsing-helper
to
main
June 24, 2026 02:00
@jonnii
jonnii
deleted the
jonnii/20260623025415/add-GitHub-webhook-receiver-for-evented-refresh
branch
June 24, 2026 02:00
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
POST /api/v1/webhooks/github turns a verified push into an immediate refresh of
the matching managed checkout, so server state tracks GitHub without waiting for
the next interval tick. The interval loop stays as a backstop.
rate-limited, mirroring how /config is mounted on the public mux. It is
authenticated solely by the X-Hub-Signature-256 HMAC and fails closed (404)
when STACKIT_GITHUB_WEBHOOK_SECRET is unset, so it is never an open trigger —
the correct posture for local/dev servers GitHub cannot reach.
background, since a fetch can outlast GitHub's delivery timeout. Coalescing
bursts is a follow-up.
typed-nil provider trap) and drives both the interval loop and the webhook,
so on-demand refresh works even with the loop disabled. handlers depends on it
only through a narrow RepoSyncer interface.
Stack
Auto-generated by Stackit
Merged via consolidation into #1326 by jonnii