
feat: add GitHub webhook logic#11

Open
juanmahidalgo wants to merge 3 commits into main from feat/github-webhook

Conversation

@juanmahidalgo

GitHub Webhook Integration

Summary

Adds a GitHub webhook listener that lets the agent respond to comments on issues and PRs directly from GitHub. When someone mentions @jarvis in a GitHub comment, the agent processes the request and replies as a GitHub comment — no Slack required.

What it does

  • POST /github/webhook endpoint that receives GitHub webhook events
  • Handles two event types:
    • issue_comment — comments on issues or PRs (top-level)
    • pull_request_review_comment — inline review comments on PR diffs
  • Detects review requests (@jarvis review this PR) and uses Opus model for those
  • Replies inline to review comment threads, or as top-level comments on issues/PRs
  • Audit logs to Slack when LOG_CHANNEL_ID is configured

Security layers (in order)

| Layer | What it does |
| --- | --- |
| Payload size limit | Rejects payloads > 1 MB |
| HMAC-SHA256 signature | Verifies X-Hub-Signature-256 against GITHUB_WEBHOOK_SECRET |
| Repo org check | Rejects events from repos outside the configured org |
| Repo allowlist | Optional — restricts to specific repos via GITHUB_ALLOWED_REPOS |
| Bot filter | Ignores comments from bots and from itself (anti-loop) |
| Org membership | Verifies sender is a member of the GitHub org via gh api (cached 1h) |
| Per-user rate limit | Max 10 requests per user per 5-minute window |
| Response truncation | Caps responses at 65K chars (GitHub comment limit) |
| Generic error messages | Never leaks internal errors to GitHub comments |

New environment variables

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| GITHUB_WEBHOOK_SECRET | Yes (to enable) | — | Webhook secret for signature verification. If not set, webhook handler is disabled. |
| GITHUB_ORG | No | decentraland | GitHub org for membership checks |
| GITHUB_ALLOWED_REPOS | No | — | Comma-separated repo allowlist. Empty = all org repos allowed. |

Notes

  • The GITHUB_TOKEN should have read:org scope for the membership check to work with private org members. Without it, only public members are recognized.
  • The webhook handler uses its own AgentScheduler instance, sharing the same concurrency limit (MAX_CONCURRENT_AGENTS) — a spike in GitHub events won't starve Slack requests since they use separate schedulers.
  • Feature is opt-in: if GITHUB_WEBHOOK_SECRET is not set, the handler is not initialized and the endpoint returns 503.
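The security layers listed in the description, written out as an added example in Python. This is not the PR's code and makes no assumption about the project's language or framework: it models the checks as a pure pipeline over the raw request body and headers so each layer can be exercised in isolation. The org-membership lookup (`gh api` with a 1-hour cache in the PR) is replaced here by an in-memory `org_members` set, the event payload shape is the subset of GitHub's `issue_comment` payload the checks need, and `make_event`, `sign` and `check_webhook` are names invented for this example.

```python
"""Added example, not the PR's own code: GitHub webhook checks in the order the
PR description lists them (size limit, HMAC-SHA256, org, allowlist, bot filter,
membership, per-user rate limit) plus the 65K-char response truncation."""
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque
from typing import Optional

MAX_PAYLOAD_BYTES = 1 * 1024 * 1024   # "Rejects payloads > 1 MB"
MAX_COMMENT_CHARS = 65_000            # GitHub comment cap from the description
RATE_LIMIT = 10                       # "Max 10 requests per user ..."
RATE_WINDOW_SECONDS = 300             # "... per 5-minute window"


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this secret and raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed header is a failure."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


class RateLimiter:
    """Sliding window per user: at most `limit` hits in the last `window` seconds."""

    def __init__(self, limit: int = RATE_LIMIT, window: int = RATE_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, user: str, now: float) -> bool:
        q = self.hits[user]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def truncate(text: str, limit: int = MAX_COMMENT_CHARS) -> str:
    """Keep a reply within GitHub's comment size limit, marking the cut."""
    marker = "\n[truncated]"
    return text if len(text) <= limit else text[: limit - len(marker)] + marker


def check_webhook(body: bytes, headers: dict, secret: bytes, org: str,
                  allowed_repos: set, org_members: set, limiter: RateLimiter,
                  bot_login: str, now: float):
    """Return (accepted, reason). Reasons are for the server log only; the
    reply posted to GitHub should stay generic, as the description says."""
    if len(body) > MAX_PAYLOAD_BYTES:
        return False, "payload too large"
    # Signature is checked on the raw bytes before any parsing.
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return False, "bad signature"
    event = json.loads(body)
    repo = event["repository"]["full_name"]
    if repo.split("/")[0] != org:
        return False, "repo outside org"
    if allowed_repos and repo not in allowed_repos:
        return False, "repo not allowlisted"
    sender = event["sender"]
    if sender.get("type") == "Bot" or sender["login"] == bot_login:
        return False, "bot sender"           # anti-loop
    if sender["login"] not in org_members:   # stand-in for the cached gh api call
        return False, "not an org member"
    if not limiter.allow(sender["login"], now):
        return False, "rate limited"
    return True, "ok"


def make_event(repo: str, login: str, comment: str, sender_type: str = "User") -> bytes:
    """Constructed minimal issue_comment payload (only the fields used above)."""
    return json.dumps({
        "action": "created",
        "repository": {"full_name": repo},
        "sender": {"login": login, "type": sender_type},
        "comment": {"body": comment},
    }).encode()


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    body = make_event("decentraland/jarvis", "alice", "@jarvis review this PR")
    headers = {"X-Hub-Signature-256": sign(secret, body)}
    print(check_webhook(body, headers, secret, "decentraland", set(), {"alice"},
                        RateLimiter(), "jarvis-bot", time.time()))
```

Two points worth noting: the signature is verified over the raw request bytes with `hmac.compare_digest`, never over a re-serialised JSON object, and the rejection reasons are returned for logging only, matching the "generic error messages" layer in the table.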

