Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: CI

on:
pull_request:
push:
branches:
- main

permissions:
contents: read

jobs:
test:
name: TypeScript test + build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: 24
cache: npm

- name: Install dependencies
run: npm ci

- name: Test
run: npm test

- name: Build
run: npm run build
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
__pycache__/
*.pyc
node_modules/
dist/
.env
*.pem
*.key
Expand Down
5 changes: 3 additions & 2 deletions AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,9 @@ pull requests against this repo. This is the agent-specific layer; read

## Before opening the PR

- If you touched Python, keep it runnable on the target host: no new heavy deps
unless the deployment target supports them, and don't break the entrypoint.
- If you touched TypeScript, keep it runnable on the target host: avoid heavy
runtime dependencies unless the deployment target supports them, and don't
break the Node entrypoint.
- Smoke-test the webhook handler locally where possible (a signed sample
payload) before relying on the hosted deploy.

Expand Down
37 changes: 32 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

Hosted webhook deployment bundle for the Coven GitHub integration.

This repository tracks the Python webhook adapter used to receive GitHub App
This repository tracks the TypeScript webhook adapter used to receive GitHub App
events, capture review context, run `coven-code`, and publish structured review
results back to GitHub.

Expand All @@ -12,8 +12,11 @@ reproduced, and changed through PRs instead of server-only edits.

## Files

- `coven_github_adapter.py` - webhook handler, task runner, PR evidence capture,
Codex-backed headless runtime invocation, and comment publisher.
- `src/adapter.ts` - webhook handler, task router, task runner, PR evidence
capture, Codex-backed headless runtime invocation, and comment publisher.
- `src/server.ts` - Node HTTP entrypoint for `/`, `/healthz`, and `/webhook`.
- `tests/webhook-adapter.test.ts` - parity coverage for signature handling,
request body edge cases, and task routing guards.
- `scripts/smoke-webhook.sh` - local HMAC signature smoke test for a running
webhook endpoint.

Expand All @@ -34,10 +37,27 @@ The deployment expects secrets and mutable state to be supplied outside git:
Do not commit private keys, webhook secrets, OAuth tokens, generated task state,
workspaces, or attempt artifacts.

## Local runtime

Install dependencies, build TypeScript, and start the webhook service:

```bash
npm ci
npm run build
WEBHOOK_SECRET="replace-with-local-secret" npm start
```

For local development without a build step:

```bash
WEBHOOK_SECRET="replace-with-local-secret" npm run dev
```

The server listens on `PORT` or `3000` by default.

## Local smoke test

Run the adapter behind any WSGI server that points at
`coven_github_adapter:application`, then verify signature handling:
Run the adapter, then verify signature handling:

```bash
WEBHOOK_SECRET="replace-with-local-secret" \
Expand All @@ -48,6 +68,13 @@ The smoke test proves that unsigned requests and bad signatures are rejected,
while a correctly HMAC-signed GitHub `ping` delivery is accepted without needing
`coven-code` or a GitHub installation token.

## Verification

```bash
npm test
npm run build
```

## Policy

The default checked-in policy is empty:
Expand Down
Loading
Loading