Skip to content

fix: harden webhook entrypoint#2

Merged
BunsDev merged 1 commit into
mainfrom
chore/webhook-hardening
Jul 6, 2026
Merged

fix: harden webhook entrypoint#2
BunsDev merged 1 commit into
mainfrom
chore/webhook-hardening

Conversation

@BunsDev

@BunsDev BunsDev commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

  • add a WSGI webhook entrypoint for /webhook and /healthz
  • verify GitHub HMAC SHA-256 signatures before routing deliveries
  • handle missing familiar policy without crashing on a hardcoded fallback
  • add unit coverage for signature handling, signed pings, legacy WEBHOOK_SECRET, and missing familiar policy

Verification

  • python3 -m unittest discover -s tests -v
  • python3 -m py_compile coven_github_adapter.py tests/test_webhook_adapter.py
  • git diff --check
  • scripts/smoke-webhook.sh http://127.0.0.1:8765/webhook against a temporary local WSGI server

Co-authored-by: Nova nova@opencoven.ai

Copilot AI review requested due to automatic review settings July 6, 2026 08:43
@BunsDev BunsDev merged commit c84e675 into main Jul 6, 2026
1 check passed
@BunsDev BunsDev deleted the chore/webhook-hardening branch July 6, 2026 08:44

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the GitHub webhook adapter by introducing a WSGI entrypoint and enforcing HMAC SHA-256 signature verification before routing deliveries, while also making policy handling more resilient when expected fields are missing.

Changes:

  • Add a WSGI application handling /webhook (POST) and /healthz (GET) with GitHub signature verification.
  • Support GITHUB_WEBHOOK_SECRET with fallback to legacy WEBHOOK_SECRET.
  • Stop falling back to a hardcoded familiar policy; ignore events when familiar policy is missing, and add unit tests covering signature behavior and missing familiar policy.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
coven_github_adapter.py Adds WSGI webhook entrypoint, signature verification, and safer handling of missing familiar policy.
tests/test_webhook_adapter.py Adds unit tests for signature acceptance/rejection, legacy secret env var, and missing familiar policy behavior.
README.md Documents required env vars and adds a local smoke test flow for signature verification.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread coven_github_adapter.py
Comment thread coven_github_adapter.py
Comment thread coven_github_adapter.py
Comment thread tests/test_webhook_adapter.py
BunsDev added a commit that referenced this pull request Jul 6, 2026
Addresses Copilot review follow-ups from #2:
- capped webhook request bodies at 10 MB
- read missing or unparsable WSGI content lengths from capped EOF
- tolerated surrounding whitespace on the GitHub signature header
- added coverage for webhook secret misconfiguration

Verified with:
- python3 -m unittest discover -s tests -v
- python3 -m py_compile coven_github_adapter.py tests/test_webhook_adapter.py
- git diff --check
- scripts/smoke-webhook.sh http://127.0.0.1:8765/webhook smoke-secret

Co-authored-by: Nova <nova@openclaw.local>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants