feat: per-repo issue tracker, Gitea support, PR review pipeline (#10)

2026-03-11 12:13:59 +00:00
parent be4b43ed64
commit 491665559f
22 changed files with 1582 additions and 122 deletions
--- a/compliance-agent/src/webhooks/github.rs
+++ b/compliance-agent/src/webhooks/github.rs
@@ -1,10 +1,9 @@
 use std::sync::Arc;

 use axum::body::Bytes;
-use axum::extract::Extension;
+use axum::extract::{Extension, Path};
 use axum::http::{HeaderMap, StatusCode};
 use hmac::{Hmac, Mac};
-use secrecy::ExposeSecret;
 use sha2::Sha256;

 use compliance_core::models::ScanTrigger;
@@ -15,18 +14,37 @@ type HmacSha256 = Hmac<Sha256>;

 pub async fn handle_github_webhook(
    Extension(agent): Extension<Arc<ComplianceAgent>>,
+    Path(repo_id): Path<String>,
    headers: HeaderMap,
    body: Bytes,
 ) -> StatusCode {
-    // Verify HMAC signature
-    if let Some(secret) = &agent.config.github_webhook_secret {
+    // Look up the repo to get its webhook secret
+    let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
+        Ok(oid) => oid,
+        Err(_) => return StatusCode::NOT_FOUND,
+    };
+    let repo = match agent
+        .db
+        .repositories()
+        .find_one(mongodb::bson::doc! { "_id": oid })
+        .await
+    {
+        Ok(Some(repo)) => repo,
+        _ => {
+            tracing::warn!("GitHub webhook: repo {repo_id} not found");
+            return StatusCode::NOT_FOUND;
+        }
+    };
+
+    // Verify HMAC-SHA256 signature using the per-repo secret
+    if let Some(secret) = &repo.webhook_secret {
        let signature = headers
            .get("x-hub-signature-256")
            .and_then(|v| v.to_str().ok())
            .unwrap_or("");

-        if !verify_signature(secret.expose_secret(), &body, signature) {
-            tracing::warn!("GitHub webhook: invalid signature");
+        if !verify_signature(secret, &body, signature) {
+            tracing::warn!("GitHub webhook: invalid signature for repo {repo_id}");
            return StatusCode::UNAUTHORIZED;
        }
    }
@@ -45,8 +63,18 @@ pub async fn handle_github_webhook(
    };

    match event {
-        "push" => handle_push(agent, &payload).await,
-        "pull_request" => handle_pull_request(agent, &payload).await,
+        "push" => {
+            let agent_clone = (*agent).clone();
+            let repo_id = repo_id.clone();
+            tokio::spawn(async move {
+                tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
+                if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
+                    tracing::error!("Webhook-triggered scan failed: {e}");
+                }
+            });
+            StatusCode::OK
+        }
+        "pull_request" => handle_pull_request(agent, &repo_id, &payload).await,
        _ => {
            tracing::debug!("GitHub webhook: ignoring event '{event}'");
            StatusCode::OK
@@ -54,43 +82,9 @@ pub async fn handle_github_webhook(
    }
 }

-async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
-    let repo_url = payload["repository"]["clone_url"]
-        .as_str()
-        .or_else(|| payload["repository"]["html_url"].as_str())
-        .unwrap_or("");
-
-    if repo_url.is_empty() {
-        return StatusCode::BAD_REQUEST;
-    }
-
-    // Find matching tracked repository
-    let repo = agent
-        .db
-        .repositories()
-        .find_one(mongodb::bson::doc! { "git_url": repo_url })
-        .await
-        .ok()
-        .flatten();
-
-    if let Some(repo) = repo {
-        let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
-        let agent_clone = (*agent).clone();
-        tokio::spawn(async move {
-            tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
-            if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
-                tracing::error!("Webhook-triggered scan failed: {e}");
-            }
-        });
-    } else {
-        tracing::debug!("GitHub push webhook: no tracked repo for {repo_url}");
-    }
-
-    StatusCode::OK
-}
-
 async fn handle_pull_request(
-    _agent: Arc<ComplianceAgent>,
+    agent: Arc<ComplianceAgent>,
+    repo_id: &str,
    payload: &serde_json::Value,
 ) -> StatusCode {
    let action = payload["action"].as_str().unwrap_or("");
@@ -98,21 +92,37 @@ async fn handle_pull_request(
        return StatusCode::OK;
    }

-    let repo_url = payload["repository"]["clone_url"].as_str().unwrap_or("");
    let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0);
+    let head_sha = payload["pull_request"]["head"]["sha"]
+        .as_str()
+        .unwrap_or("");
+    let base_sha = payload["pull_request"]["base"]["sha"]
+        .as_str()
+        .unwrap_or("");

-    if repo_url.is_empty() || pr_number == 0 {
+    if pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
        return StatusCode::BAD_REQUEST;
    }

-    tracing::info!("GitHub PR webhook: PR #{pr_number} {action} on {repo_url}");
-    // PR review scan would be triggered here - runs incremental SAST on diff
-    // and posts review comments via the GitHub tracker
+    let repo_id = repo_id.to_string();
+    let head_sha = head_sha.to_string();
+    let base_sha = base_sha.to_string();
+    let agent_clone = (*agent).clone();
+    tokio::spawn(async move {
+        tracing::info!("GitHub PR webhook: reviewing PR #{pr_number} on {repo_id}");
+        if let Err(e) = agent_clone
+            .run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
+            .await
+        {
+            tracing::error!("PR review failed for #{pr_number}: {e}");
+        }
+    });

    StatusCode::OK
 }

 fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool {
+    // GitHub sends sha256=<hex>
    let sig = signature.strip_prefix("sha256=").unwrap_or(signature);
    let sig_bytes = match hex::decode(sig) {
        Ok(b) => b,