Add validation and debug output for Lovable webhook URL configuration

[Copilot]

Workflows using LOVABLE_WEBHOOK_URL would silently fail or produce unclear errors when the secret was misconfigured or unset.

Changes

Validation

• Check LOVABLE_WEBHOOK_URL is set before use
• Validate URL format (must start with http:// or https://)
• Fail fast with actionable error messages

Debug Output

• Display masked URL before curl: https://api.lovable.ai/...
• Hides path components to prevent token exposure in logs

Example

- name: Send to Lovable
  env:
    LOVABLE_WEBHOOK_URL: ${{ secrets.LOVABLE_WEBHOOK_URL }}
  run: |
    # Validate that LOVABLE_WEBHOOK_URL is set
    if [ -z "$LOVABLE_WEBHOOK_URL" ]; then
      echo "Error: LOVABLE_WEBHOOK_URL is not set"
      echo "Please set the LOVABLE_WEBHOOK_URL secret in the repository settings"
      exit 1
    fi

    # Debug: Show masked URL (only show protocol and domain)
    MASKED_URL=$(echo "$LOVABLE_WEBHOOK_URL" | sed -E 's|(https?://[^/]+).*|\1/...|')
    echo "LOVABLE_WEBHOOK_URL=$MASKED_URL"

    # Validate URL format
    if ! echo "$LOVABLE_WEBHOOK_URL" | grep -qE '^https?://'; then
      echo "Error: LOVABLE_WEBHOOK_URL does not appear to be a valid URL"
      echo "Expected format: https://api.lovable.ai/... or similar"
      exit 1
    fi

    curl -X POST "$LOVABLE_WEBHOOK_URL" ...

Applied to both sync-file-changes-to-lovable.yml and sync-issues-prs-to-lovable.yml.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[asperpharma]

fd

[Copilot]

Pull request overview

Improves the Lovable sync GitHub Actions workflows by adding pre-flight validation for the LOVABLE_WEBHOOK_URL secret and logging a masked version of the configured endpoint to make misconfiguration easier to diagnose.

Changes:

• Add a check that LOVABLE_WEBHOOK_URL is set before attempting to send data.
• Add basic URL-format validation (requires http:// or https://).
• Print a masked webhook URL (intended to show only protocol + host) prior to curl.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
.github/workflows/sync-issues-prs-to-lovable.yml	Adds env var validation, masked debug output, and URL format check before posting issue/PR payloads.
.github/workflows/sync-file-changes-to-lovable.yml	Adds the same validation and masked debug output before posting file-change payloads.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This step-level check won’t run when the secret is unset because the job has if: secrets.LOVABLE_WEBHOOK_URL != '' (line 20), so the workflow will still be silently skipped in the misconfiguration case this PR is trying to surface. Consider removing the job-level if: (or changing it) so the script can fail fast with the actionable message.

[Copilot]

The masking regex can still leak secrets if the webhook URL uses query-string auth (e.g., https://host?token=...) because [^/]+ will consume the entire URL when there’s no / path. It can also include userinfo@host if present. Mask only the origin (scheme://host[:port]) by stopping at /, ?, or # (and stripping any userinfo@) before logging.

Suggested change

	MASKED_URL=$(echo "$LOVABLE_WEBHOOK_URL" | sed -E 's|(https?://[^/]+).*|\1/...|')
	MASKED_URL=$(echo "$LOVABLE_WEBHOOK_URL" | sed -E 's|^(https?://)([^/@]*@)?([^/?#]*).*|\1\3/...|')

[Copilot]

The URL validation only checks for an http(s):// prefix, so values like https:// (no host) or https://host?token=... will pass even though they may still be malformed or unexpected. If the goal is to fail fast with actionable errors, consider requiring at least a host component (e.g., match ^https?://[^/?#]+), and optionally reject whitespace.

Suggested change

	# Validate URL format
	if ! echo "$LOVABLE_WEBHOOK_URL" | grep -qE '^https?://'; then
	echo "Error: LOVABLE_WEBHOOK_URL does not appear to be a valid URL"
	echo "Expected format: https://api.lovable.ai/... or similar"
	# Validate URL format: no whitespace, must be http(s) with non-empty host
	if echo "$LOVABLE_WEBHOOK_URL" | grep -qE '[[:space:]]'; then
	echo "Error: LOVABLE_WEBHOOK_URL contains whitespace, which is not allowed"
	echo "Please ensure the URL is copied exactly, without spaces or newlines"
	exit 1
	fi
	if ! echo "$LOVABLE_WEBHOOK_URL" | grep -qE '^https?://[^/?#[:space:]]+'; then
	echo "Error: LOVABLE_WEBHOOK_URL does not appear to be a valid URL"
	echo "Expected format: https://api.lovable.ai/... or similar, with a non-empty host"

[Copilot]

The masking regex can still leak secrets if the webhook URL uses query-string auth (e.g., https://host?token=...) because [^/]+ will consume the entire URL when there’s no / path. It can also include userinfo@host if present. Mask only the origin (scheme://host[:port]) by stopping at /, ?, or # (and stripping any userinfo@) before logging.

Suggested change

	# Debug: Show masked URL (only show protocol and domain)
	MASKED_URL=$(echo "$LOVABLE_WEBHOOK_URL" | sed -E 's|(https?://[^/]+).*|\1/...|')
	# Debug: Show masked URL (only show protocol and domain; strip userinfo, query, and fragment)
	MASKED_URL=$(echo "$LOVABLE_WEBHOOK_URL" | sed -E 's#^(https?://)([^/@?#]+@)?([^/?#]+).*#\1\3/...#')

[Copilot]

The URL validation only checks for an http(s):// prefix, so values like https:// (no host) will pass and then fail later in curl with a less actionable error. Consider requiring at least a host component (e.g., match ^https?://[^/?#]+) to better align with the stated “validate URL format” goal.

Suggested change

	if ! echo "$LOVABLE_WEBHOOK_URL" | grep -qE '^https?://'; then
	if ! echo "$LOVABLE_WEBHOOK_URL" | grep -qE '^https?://[^/?#]+'; then