add option to restrict handling of GH payloads to certain repo urls

Author: yasunariw

lib/action.ml

@@ -211,6 +211,11 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
       let signing_key = Context.gh_hook_token_of_secrets secrets repo.url in
       Github.validate_signature ?signing_key ~headers body
     in
+    let repo_is_allowed secrets payload =
+      let repo = Github.repo_of_notification payload in
+      let allowed_repos = secrets.allowed_repos in
+      List.is_empty allowed_repos || List.exists allowed_repos ~f:(String.equal repo.url)
+    in
     try%lwt
       let secrets = Context.get_secrets_exn ctx in
       match Github.parse_exn headers body with
@@ -219,6 +224,9 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
       match validate_signature secrets payload with
       | Error e -> action_error e
       | Ok () ->
+      match repo_is_allowed secrets payload with
+      | false -> action_error "unsupported repository"
+      | true ->
         ( match%lwt refresh_repo_config ctx payload with
         | Error e -> action_error e
         | Ok () ->

lib/config.atd

@@ -49,6 +49,8 @@ type gh_repo_secrets = {
 type secrets = {
   (* repo-specific secrets; overrides global values if defined for a given repo *)
   ~repos <ocaml default="Common.StringMap.empty"> : gh_repo_secrets map_as_object;
+  (* whitelist of repository URLs to handle notifications for *)
+  ~allowed_repos <ocaml default="[]"> : string list;
   (* GitHub personal access token, if repo access requires it *)
   ?gh_token : string nullable;
   (* GitHub webhook token to secure the webhook *)