akshay/add webhook to observatory backend #4572
Open
+1,480
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Move webhook code from webhook_service/ to app_backend/src/metta/app_backend/github_webhook/ - Update all imports to use new module path (metta.app_backend.github_webhook) - Integrate webhook router into server.py at /webhooks/github endpoint - Add asana dependency to app_backend/pyproject.toml - Remove Secrets Manager fallback for ASANA_WORKSPACE_GID and ASANA_PROJECT_GID (these should only come from environment variables) - Update build-app-backend-image.yml to pass GIDs from GitHub Variables via Helm The webhook endpoint will be available at: https://api.observatory.softmax-research.net/webhooks/github Environment variables required: - ASANA_WORKSPACE_GID (from GitHub Variables) - ASANA_PROJECT_GID (from GitHub Variables) - Other secrets loaded from AWS Secrets Manager via IRSA
Pass ASANA_WORKSPACE_GID and ASANA_PROJECT_GID from GitHub Variables to the Helm deployment via extra_args.
The webhook service needs Secrets Manager access when USE_AWS_SECRETS=true. This adds the required permissions to the existing observatory-backend role instead of creating a new role, following Slava's guidance to reuse existing infrastructure.
- Fix duplicate extra_args in workflow YAML (was causing invalid YAML) - Add USE_AWS_SECRETS=true to Helm deployment via extra_args - Update webhook signature verification to fail in production if secret missing (when USE_AWS_SECRETS=true but GITHUB_WEBHOOK_SECRET is None) - Document configuration requirements in values.yaml and README.md - Required GitHub Variables (ASANA_WORKSPACE_GID, ASANA_PROJECT_GID) - Required AWS Secrets Manager secrets - How env vars are set via Helm extra_args
- Remove empty __init__.py file (Nishad doesn't like empty files) - Remove verbose comments from values.yaml - Remove webhook documentation from README.md - Fix Terraform: keep 'policy' key name instead of changing to 's3_policy'
Resolves issue where stale email addresses in roster project cause task assignment failures. Now resolves GitHub login -> email (from roster) -> Asana user GID (from workspace users API) and uses GID for assignment. This prevents the 'Not a user in Organization' error when emails change (e.g., nishad@softmax.com -> nishad@stem.ai) because GIDs are stable. Fixes the issue mentioned in: https://github.com/Metta-AI/metta/actions/runs/20422510698/job/58676794680
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Comment on lines
+94
to
+96
| try: | ||
| import requests | ||
|
|
There was a problem hiding this comment.
_get_github_to_asana_mapping imports requests, but app_backend/pyproject.toml does not list requests as a dependency, so in a fresh deploy this import raises ImportError, the mapping function returns {}, and every PR webhook runs without an Asana assignee even when the roster project is configured. Add the dependency so assignee resolution works in production.
Useful? React with 👍 / 👎.
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
Comment on lines
40
to
42
| hash_algorithm, github_signature = signature_header.split("=") | ||
| if hash_algorithm != "sha256": | ||
| return False |
Contributor
There was a problem hiding this comment.
The split("=") will fail if signature_header doesn't contain "=". This would raise a ValueError: not enough values to unpack when unpacking into two variables.
if not signature_header or "=" not in signature_header:
return False
hash_algorithm, github_signature = signature_header.split("=", 1)
Suggested change
| hash_algorithm, github_signature = signature_header.split("=") | |
| if hash_algorithm != "sha256": | |
| return False | |
| if not signature_header or "=" not in signature_header: | |
| return False | |
| hash_algorithm, github_signature = signature_header.split("=", 1) |
Spotted by Graphite Agent
Is this helpful? React 👍 or 👎 to let us know.
- add requests dependency (used by roster mapping) - fix signature verification to handle missing '=' in header - fix pyright type errors for asana API response handling
- include both webhook_router and tournament_router - add tournament_routes import
Comment on lines
+83
to
+97
| access_token = _get_asana_access_token() | ||
| except ValueError: | ||
| return {} | ||
|
|
||
| # Get roster project ID from settings | ||
| roster_project_gid = settings.ASANA_ROSTER_PROJECT_GID | ||
| gh_login_field_gid = settings.ASANA_GH_LOGIN_FIELD_GID | ||
| asana_email_field_gid = settings.ASANA_EMAIL_FIELD_GID | ||
|
|
||
| mapping = {} | ||
|
|
||
| try: | ||
| import requests | ||
|
|
||
| access_token = _get_asana_access_token() |
Contributor
There was a problem hiding this comment.
Redundant API call: _get_asana_access_token() is called twice (lines 83 and 97) within the same try block. The first call on line 83 assigns to access_token but then line 97 immediately overwrites it.
# Remove line 83, keep only line 97
# Line 83 should be deleted:
# access_token = _get_asana_access_token() # DELETE THISThis causes unnecessary authentication overhead and potential rate limiting issues.
Suggested change
| access_token = _get_asana_access_token() | |
| except ValueError: | |
| return {} | |
| # Get roster project ID from settings | |
| roster_project_gid = settings.ASANA_ROSTER_PROJECT_GID | |
| gh_login_field_gid = settings.ASANA_GH_LOGIN_FIELD_GID | |
| asana_email_field_gid = settings.ASANA_EMAIL_FIELD_GID | |
| mapping = {} | |
| try: | |
| import requests | |
| access_token = _get_asana_access_token() | |
| try: | |
| # Get roster project ID from settings | |
| roster_project_gid = settings.ASANA_ROSTER_PROJECT_GID | |
| gh_login_field_gid = settings.ASANA_GH_LOGIN_FIELD_GID | |
| asana_email_field_gid = settings.ASANA_EMAIL_FIELD_GID | |
| mapping = {} | |
| import requests | |
| access_token = _get_asana_access_token() |
Spotted by Graphite Agent
Is this helpful? React 👍 or 👎 to let us know.
- fix task creation failure handling: return error plan instead of success when creation fails - fix GitHub URL field config: use settings.ASANA_GITHUB_URL_FIELD_ID instead of os.getenv - fix blocking HTTP calls: run Asana SDK and requests calls in ThreadPoolExecutor to avoid blocking event loop - add metrics for signature verification failures
- make _get_github_to_asana_mapping async (was using await in sync function) - fix all executor leaks with try/finally blocks - ensure executors are always shut down even on exceptions
webhook config Settings class was rejecting fields from .env that belong to the main app_backend config. added extra='ignore' to allow these.
github times out after 10s if webhook doesn't respond quickly. return response immediately and process event in background to avoid timeouts.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
integrate github-asana webhook service into observatory backend
integrates the webhook service as a route in the observatory backend, following slava's guidance to use eks instead of lambda.
changes:
required actions (after merge):
endpoint after deployment: https://api.observatory.softmax-research.net/webhooks/github
Asana Task