fix: harden webhook entrypoint#2
Merged
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the GitHub webhook adapter by introducing a WSGI entrypoint and enforcing HMAC SHA-256 signature verification before routing deliveries, while also making policy handling more resilient when expected fields are missing.
Changes:
- Add a WSGI
applicationhandling/webhook(POST) and/healthz(GET) with GitHub signature verification. - Support
GITHUB_WEBHOOK_SECRETwith fallback to legacyWEBHOOK_SECRET. - Stop falling back to a hardcoded familiar policy; ignore events when familiar policy is missing, and add unit tests covering signature behavior and missing familiar policy.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
coven_github_adapter.py |
Adds WSGI webhook entrypoint, signature verification, and safer handling of missing familiar policy. |
tests/test_webhook_adapter.py |
Adds unit tests for signature acceptance/rejection, legacy secret env var, and missing familiar policy behavior. |
README.md |
Documents required env vars and adds a local smoke test flow for signature verification. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
BunsDev
added a commit
that referenced
this pull request
Jul 6, 2026
Addresses Copilot review follow-ups from #2: - capped webhook request bodies at 10 MB - read missing or unparsable WSGI content lengths from capped EOF - tolerated surrounding whitespace on the GitHub signature header - added coverage for webhook secret misconfiguration Verified with: - python3 -m unittest discover -s tests -v - python3 -m py_compile coven_github_adapter.py tests/test_webhook_adapter.py - git diff --check - scripts/smoke-webhook.sh http://127.0.0.1:8765/webhook smoke-secret Co-authored-by: Nova <nova@openclaw.local>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/webhookand/healthzWEBHOOK_SECRET, and missing familiar policyVerification
python3 -m unittest discover -s tests -vpython3 -m py_compile coven_github_adapter.py tests/test_webhook_adapter.pygit diff --checkscripts/smoke-webhook.sh http://127.0.0.1:8765/webhookagainst a temporary local WSGI serverCo-authored-by: Nova nova@opencoven.ai