feat: run probabilistic audit on any authenticated webhook #11

Merged

rcsheets merged 1 commit from feat/audit-on-any-hook into master 2026-03-26 04:41:48 +00:00

Conversation 1 Commits 1 Files changed 1 +11 -11

rcsheets commented 2026-03-26 04:40:26 +00:00

Owner

Copy link

Move the MaybeAudit call before the event type check so that any
webhook with a valid signature triggers the reconciliation roll,
not just repository events. This increases audit coverage when
additional hook types (push, issue, etc.) are enabled in Forgejo.

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com

Move the MaybeAudit call before the event type check so that any webhook with a valid signature triggers the reconciliation roll, not just repository events. This increases audit coverage when additional hook types (push, issue, etc.) are enabled in Forgejo. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

rcsheets added 1 commit 2026-03-26 04:40:26 +00:00

feat: run probabilistic audit on any authenticated webhook ... 3ffc939605

Move the MaybeAudit call before the event type check so that any
webhook with a valid signature triggers the reconciliation roll,
not just repository events. This increases audit coverage when
additional hook types (push, issue, etc.) are enabled in Forgejo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pr-reviewer-bot commented 2026-03-26 04:40:29 +00:00

Collaborator

Copy link

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-c4b8bc-10930b
This is an AI-generated review and may contain mistakes.

Status: ✅ Completed

---

✅ Verdict: LGTM — The change safely moves the audit trigger to run on all authenticated webhooks instead of only repository events, which aligns with the stated goal.
Complexity: moderate

Safety Check Review

This change moves the MaybeAudit call from after the repository event type check to before it, so that probabilistic reconciliation occurs on any authenticated webhook rather than only repository events.

Key observations:

• The webhook signature validation occurs before this point in the flow, so only authenticated requests will trigger audits
• The async goroutine pattern remains unchanged
• The logic is simply moved up in the function, no behavioral changes to the audit mechanism itself
• Early return for non-repository events still occurs after the audit trigger

No security vulnerabilities, obvious bugs, or breaking changes identified.

*Automated review by [pr-reviewer](https://git.brooktrails.org/brooktrails/pr-reviewer) v0.15.0 | Safety Check | anthropic | tracking id `r-c4b8bc-10930b`* *This is an AI-generated review and may contain mistakes.* **Status:** ✅ Completed --- **✅ Verdict: LGTM** — The change safely moves the audit trigger to run on all authenticated webhooks instead of only repository events, which aligns with the stated goal. **Complexity:** moderate # Safety Check Review This change moves the `MaybeAudit` call from after the repository event type check to before it, so that probabilistic reconciliation occurs on any authenticated webhook rather than only repository events. ## Key observations: - The webhook signature validation occurs before this point in the flow, so only authenticated requests will trigger audits - The async goroutine pattern remains unchanged - The logic is simply moved up in the function, no behavioral changes to the audit mechanism itself - Early return for non-repository events still occurs after the audit trigger No security vulnerabilities, obvious bugs, or breaking changes identified.

rcsheets merged commit 688244e30a into master 2026-03-26 04:41:48 +00:00

rcsheets referenced this pull request from a commit 2026-03-26 04:41:49 +00:00

Merge pull request 'feat: run probabilistic audit on any authenticated webhook' (#11) from feat/audit-on-any-hook into master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

brooktrails/forgejo-runner-operator!11

No description provided.