Add GitHub webhook endpoint for release events (#1805)

devin-ai-integration[bot] · yujonglee · web-flow · commit 2be392808e9c · 2025-11-23T13:53:42.000+09:00
- Add @octokit/webhooks-types package
- Create github.ts with webhook verification and release handler
- Add GITHUB_WEBHOOK_SECRET and DEVIN_API_KEY to env config
- Implement /webhook/github endpoint that listens for release created events
- Call Devin API with idempotent=true and release info in prompt
- Update .env.sample with new environment variables

Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
Co-authored-by: yujonglee &lt;yujonglee.dev@gmail.com&gt;
diff --git a/apps/api/.env.sample b/apps/api/.env.sample
@@ -1,6 +1,8 @@
 STRIPE_API_KEY=""
 STRIPE_WEBHOOK_SECRET=""
 OPENROUTER_API_KEY=""
+GITHUB_WEBHOOK_SECRET=""
+DEVIN_API_KEY=""
 
 SUPABASE_ANON_KEY=""
 S3_SECRET_KEY=""
diff --git a/apps/api/package.json b/apps/api/package.json
@@ -7,6 +7,7 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
+    "@octokit/webhooks-types": "^7.6.1",
     "@sentry/bun": "^10.25.0",
     "@supabase/supabase-js": "^2.81.1",
     "@t3-oss/env-core": "^0.13.8",
diff --git a/apps/api/src/env.ts b/apps/api/src/env.ts
@@ -14,6 +14,8 @@ export const env = createEnv({
     STRIPE_WEBHOOK_SECRET: z.string().min(1),
     OPENROUTER_API_KEY: z.string().min(1),
     DEEPGRAM_API_KEY: z.string().min(1),
+    GITHUB_WEBHOOK_SECRET: z.string().min(1),
+    DEVIN_API_KEY: z.string().min(1),
   },
   runtimeEnv: Bun.env,
   emptyStringAsUndefined: true,
diff --git a/apps/api/src/github.ts b/apps/api/src/github.ts
@@ -0,0 +1,104 @@
+import type { ReleaseEvent } from "@octokit/webhooks-types";
+import { createMiddleware } from "hono/factory";
+
+import { env } from "./env";
+
+type GitHubWebhookEvent = ReleaseEvent;
+
+async function verifyGitHubSignature(
+  payload: string,
+  signature: string,
+  secret: string,
+): Promise<boolean> {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"],
+  );
+
+  const signatureBuffer = await crypto.subtle.sign(
+    "HMAC",
+    key,
+    encoder.encode(payload),
+  );
+
+  const expectedSignature = `sha256=${Array.from(
+    new Uint8Array(signatureBuffer),
+  )
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("")}`;
+
+  return signature === expectedSignature;
+}
+
+export const verifyGitHubWebhook = createMiddleware<{
+  Variables: { githubEvent: GitHubWebhookEvent };
+}>(async (c, next) => {
+  const signature = c.req.header("X-Hub-Signature-256");
+
+  if (!signature) {
+    return c.text("missing_github_signature", 400);
+  }
+
+  const body = await c.req.text();
+  try {
+    const isValid = await verifyGitHubSignature(
+      body,
+      signature,
+      env.GITHUB_WEBHOOK_SECRET,
+    );
+
+    if (!isValid) {
+      return c.text("invalid_signature", 401);
+    }
+
+    const event = JSON.parse(body) as GitHubWebhookEvent;
+    c.set("githubEvent", event);
+    await next();
+  } catch (err) {
+    console.error(err);
+    const message = err instanceof Error ? err.message : "unknown_error";
+    return c.text(message, 400);
+  }
+});
+
+export async function handleReleaseEvent(event: ReleaseEvent): Promise<void> {
+  if (event.action !== "created") {
+    return;
+  }
+
+  const { release, repository } = event;
+  const prompt = `New release created for ${repository.full_name}:
+- Tag: ${release.tag_name}
+- Name: ${release.name || release.tag_name}
+- Created at: ${release.created_at}
+- Author: ${release.author?.login || "unknown"}
+- URL: ${release.html_url}
+
+${release.body ? `Release notes:\n${release.body}` : "No release notes provided."}`;
+
+  const response = await fetch("https://api.devin.ai/v1/sessions", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${env.DEVIN_API_KEY}`,
+    },
+    body: JSON.stringify({
+      idempotent: true,
+      prompt,
+    }),
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(
+      `Failed to create Devin session: ${response.status} ${errorText}`,
+    );
+  }
+
+  const result = await response.json();
+  console.log("Devin session created:", result);
+}
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
@@ -8,6 +8,7 @@ import { logger } from "hono/logger";
 
 import { syncBillingForStripeEvent } from "./billing";
 import { env } from "./env";
+import { handleReleaseEvent, verifyGitHubWebhook } from "./github";
 import { listenSocketHandler } from "./listen";
 import { verifyStripeWebhook } from "./stripe";
 import { requireSupabaseAuth } from "./supabase";
@@ -101,6 +102,17 @@ app.post("/webhook/stripe", verifyStripeWebhook, async (c) => {
   return c.json({ ok: true });
 });
 
+app.post("/webhook/github", verifyGitHubWebhook, async (c) => {
+  try {
+    await handleReleaseEvent(c.var.githubEvent);
+  } catch (error) {
+    console.error(error);
+    return c.json({ error: "github_webhook_failed" }, 500);
+  }
+
+  return c.json({ ok: true });
+});
+
 if (env.NODE_ENV === "development") {
   app.get("/listen", listenSocketHandler);
 } else {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
