Implement GitHub App integration with webhook handling and signature verification

Author: jenilsavani9

.env.example

@@ -105,6 +105,12 @@ TRACING_ENDPOINT=
 API_KEY=
 ALLOWED_HOSTS=["*"]
 
+# =============================================================================
+# App Store Configuration
+# =============================================================================
+
+GITHUB_WEBHOOK_SECRET=
+
 # =============================================================================
 # Feature Flags (Environment-level overrides)
 # Use these to override default feature flag behavior

apps/api/routes/v1/__init__.py

@@ -1,9 +1,10 @@
 from fastapi import APIRouter
-from apps.api.routes.v1 import ask, health, connect
+from apps.api.routes.v1 import ask, health, connect, integrations
 
 v1_router = APIRouter(prefix="/v1")
 
 # Include all v1 route modules
 v1_router.include_router(health.router)
 v1_router.include_router(connect.router)
-v1_router.include_router(ask.router)
+v1_router.include_router(ask.router)
+v1_router.include_router(integrations.router)

apps/api/routes/v1/integrations.py

@@ -0,0 +1,49 @@
+from fastapi import APIRouter, Request, Header, BackgroundTasks
+from packages.config.settings import Settings
+from packages.app_store.github.utils import verify_github_signature, SignatureVerificationError
+from packages.app_store.github.webhook import handle_github_event, run_ingestion
+from apps.api.utils.response import APIResponse
+from apps.api.utils.exceptions import BadRequestException, UnauthorizedException
+import logging
+
+router = APIRouter(prefix="/integrations", tags=["Integrations"])
+settings = Settings()
+logger = logging.getLogger(__name__)
+
+@router.post("/github/webhook")
+async def github_webhook(
+    request: Request,
+    background_tasks: BackgroundTasks,
+    x_github_event: str = Header(None)
+):
+    """
+    Handle GitHub Webhooks.
+    """
+    if not x_github_event:
+        raise BadRequestException(message="Missing X-GitHub-Event header")
+
+    # Always verify signature in production
+    try:
+        await verify_github_signature(request, settings.GITHUB_WEBHOOK_SECRET)
+    except SignatureVerificationError as e:
+        logger.warning(f"GitHub signature verification failed: {str(e)}")
+        raise UnauthorizedException(message=str(e))
+    
+    payload = await request.json()
+    
+    result = handle_github_event(x_github_event, payload)
+    
+    if result.get("status") == "triggered" and result.get("task") == "ingest":
+        repo_url = result.get("repo_url")
+        branch = result.get("branch")
+        if repo_url:
+            background_tasks.add_task(run_ingestion, repo_url, branch)
+            return APIResponse.success(
+                message=f"Ingestion triggered for {repo_url} on {branch}",
+                data={"status": "accepted", "repo_url": repo_url, "branch": branch}
+            )
+            
+    return APIResponse.success(
+        message="Webhook processed",
+        data=result
+    )

packages/app_store/__init__.py

@@ -0,0 +1,30 @@
+import hashlib
+import hmac
+from typing import Optional
+from fastapi import Request
+
+class SignatureVerificationError(Exception):
+    """Raised when GitHub signature verification fails."""
+    pass
+
+async def verify_github_signature(request: Request, secret: Optional[str]):
+    """
+    Verify that the request came from GitHub.
+    Raises SignatureVerificationError if verification fails.
+    """
+    if not secret:
+        # In a production environment, we must have a secret.
+        raise SignatureVerificationError("Webhook secret is not configured")
+
+    signature = request.headers.get("X-Hub-Signature-256")
+    if not signature:
+        raise SignatureVerificationError("Missing X-Hub-Signature-256 header")
+
+    body = await request.body()
+    
+    # Calculate expected signature
+    hash_object = hmac.new(secret.encode("utf-8"), msg=body, digestmod=hashlib.sha256)
+    expected_signature = "sha256=" + hash_object.hexdigest()
+
+    if not hmac.compare_digest(expected_signature, signature):
+        raise SignatureVerificationError("Invalid signature")

packages/app_store/github/__init__.py

@@ -0,0 +1,86 @@
+import logging
+from typing import Dict, Any, Optional
+from packages.ingest.full_ingest import full_ingest
+
+logger = logging.getLogger(__name__)
+
+def handle_github_event(event_type: str, payload: Dict[str, Any]):
+    """
+    Dispatch GitHub events to specific handlers.
+    """
+    logger.info(f"Received GitHub event: {event_type}")
+    
+    if event_type == "pull_request":
+        return handle_pull_request(payload)
+    
+    if event_type == "push":
+        return handle_push(payload)
+
+    return {"status": "ignored", "reason": f"Event type {event_type} not handled"}
+
+def handle_pull_request(payload: Dict[str, Any]):
+    """
+    Handle pull_request events.
+    Specifically look for closed PRs that were merged.
+    """
+    action = payload.get("action")
+    pull_request = payload.get("pull_request", {})
+    merged = pull_request.get("merged", False)
+    
+    logger.info(f"Processing PR action: {action}, merged: {merged}")
+
+    if action == "closed" and merged:
+        # PR was merged
+        repo_info = payload.get("repository", {})
+        repo_url = repo_info.get("clone_url") or repo_info.get("html_url")
+        
+        # The branch where the PR was merged into (usually main/master)
+        base_branch = pull_request.get("base", {}).get("ref")
+        
+        if repo_url and base_branch:
+            logger.info(f"Triggering ingestion for merged PR in {repo_url} on branch {base_branch}")
+            
+            # TODO: Trigger ingestion
+            
+            # Let's define a function that CAN be run in background.
+            return {
+                "status": "triggered",
+                "task": "ingest",
+                "repo_url": repo_url,
+                "branch": base_branch
+            }
+            
+    return {"status": "ignored", "reason": "Not a merged PR"}
+
+def handle_push(payload: Dict[str, Any]):
+    """
+    Handle push events.
+    """
+    ref = payload.get("ref")
+    repo_info = payload.get("repository", {})
+    repo_url = repo_info.get("clone_url") or repo_info.get("html_url")
+    
+    # ref is usually "refs/heads/branch_name"
+    branch = ref.replace("refs/heads/", "") if ref else None
+    
+    if repo_url and branch:
+        logger.info(f"Triggering ingestion for push to {repo_url} on branch {branch}")
+        return {
+            "status": "triggered",
+            "task": "ingest",
+            "repo_url": repo_url,
+            "branch": branch
+        }
+        
+    return {"status": "ignored", "reason": "Invalid push payload"}
+
+def run_ingestion(repo_url: str, branch: Optional[str]):
+    """
+    Wrapper to run full_ingest, suitable for BackgroundTasks.
+    """
+    try:
+        logger.info(f"Starting background ingestion for {repo_url} branch {branch}")
+        full_ingest(repo_url, branch=branch)
+        logger.info(f"Finished background ingestion for {repo_url} branch {branch}")
+    except Exception as e:
+        logger.error(f"Error during background ingestion: {e}", exc_info=True)

packages/app_store/github/utils.py

@@ -307,6 +307,11 @@ class Settings(BaseSettings):
         default=None,
         description="API authentication key"
     )
+
+    GITHUB_WEBHOOK_SECRET: Optional[str] = Field(
+        default=None,
+        description="GitHub Webhook Secret for verifying payloads"
+    )
 
     ALLOWED_HOSTS: list[str] = Field(
         default_factory=lambda: ["*"],