feat(api): add GitHub webhook receiver for evented refresh by jonnii · Pull Request #1317 · getstackit/stackit

jonnii · 2026-06-23T10:50:13Z

POST /api/v1/webhooks/github turns a verified push into an immediate refresh of
the matching managed checkout, so server state tracks GitHub without waiting for
the next interval tick. The interval loop stays as a backstop.

The route bypasses the session/CSRF gate (GitHub carries neither) but stays
rate-limited, mirroring how /config is mounted on the public mux. It is
authenticated solely by the X-Hub-Signature-256 HMAC and fails closed (404)
when STACKIT_GITHUB_WEBHOOK_SECRET is unset, so it is never an open trigger —
the correct posture for local/dev servers GitHub cannot reach.
The handler acks immediately (202) and runs the mirror-fetch in the
background, since a fetch can outlast GitHub's delivery timeout. Coalescing
bursts is a follow-up.
The shared *reposync.Syncer is now built once in NewServer (guarding the
typed-nil provider trap) and drives both the interval loop and the webhook,
so on-demand refresh works even with the loop disabled. handlers depends on it
only through a narrow RepoSyncer interface.

Stack

PR refactor(web): remove sample alice/bob stacks from repo provider #1313
- PR feat(server): drive deploy posture from STACKIT_ENV, not $PORT #1314
  - PR refactor(api): extract Syncer.SyncRepo for per-repo sync triggers #1315
    - PR feat(api): add GitHub webhook signature + push parsing helper #1316
      - PR feat(api): add GitHub webhook receiver for evented refresh #1317 👈
        
        PR feat(api): coalesce webhook-driven syncs per repo #1318
        
        PR feat(api): add manual sync endpoint for on-demand refresh #1319
        
        PR feat(server): default sync interval to 5m and document evented refresh #1320
        
        PR feat(server): index repos by owner/repo for GitHub-style routes #1322
        
        PR feat(server): serve repos at /repos/{owner}/{repo} path routes #1323
        PR feat(web): GitHub-style path URLs for repos, branches, stacks, PRs #1324

_{Auto-generated by Stackit}

POST /api/v1/webhooks/github turns a verified push into an immediate refresh of the matching managed checkout, so server state tracks GitHub without waiting for the next interval tick. The interval loop stays as a backstop. - The route bypasses the session/CSRF gate (GitHub carries neither) but stays rate-limited, mirroring how /config is mounted on the public mux. It is authenticated solely by the X-Hub-Signature-256 HMAC and fails closed (404) when STACKIT_GITHUB_WEBHOOK_SECRET is unset, so it is never an open trigger — the correct posture for local/dev servers GitHub cannot reach. - The handler acks immediately (202) and runs the mirror-fetch in the background, since a fetch can outlast GitHub's delivery timeout. Coalescing bursts is a follow-up. - The shared *reposync.Syncer is now built once in NewServer (guarding the typed-nil provider trap) and drives both the interval loop and the webhook, so on-demand refresh works even with the loop disabled. handlers depends on it only through a narrow RepoSyncer interface.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(api): add GitHub webhook receiver for evented refresh#1317

feat(api): add GitHub webhook receiver for evented refresh#1317
jonnii wants to merge 1 commit into
jonnii/20260623024903/add-GitHub-webhook-signature-push-parsing-helperfrom
jonnii/20260623025415/add-GitHub-webhook-receiver-for-evented-refresh

jonnii commented Jun 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

jonnii commented Jun 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Stack

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

jonnii commented Jun 23, 2026 •

edited

Loading