Add GitHub Automations Feature (#572)

<img width="1248" height="944" alt="image"
src="https://github.com/user-attachments/assets/85eeefc4-5dab-4fad-8f2e-228df02808b1"
/>

Unlocks the GitHub automation

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* GitHub trigger integration (PRs, issues, comments, check suites) with
selectable event types, normalization, and forwarding to the control
plane.
  * Human-readable GitHub event context blocks for automations.

* **Enhancements**
* UI: event-type selector, enabled GitHub trigger card, and
GitHub-specific instruction placeholder.
* New automation condition types: branch, label, path patterns, actor,
check conclusion.
* Session archiving UI and archiveSession helper; sidebar archive flow.

* **Tests**
* Added tests for GitHub normalization, identity parsing, tokens, and
queue behavior.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Cole Murray <colemurray.cs@gmail.com>
Co-authored-by: Kartikye Mittal <kartikye.mittal@gmail.com>
Co-authored-by: Kartikye <kartikye@dots.dev>

Author: 4 people

package-lock.json

@@ -0,0 +1,84 @@
+/**
+ * GitHub automation event webhook route — internal endpoint that receives
+ * pre-normalized GitHubAutomationEvents from the github-bot and proxies
+ * them to the SchedulerDO for automation matching and session dispatch.
+ */
+
+import type { GitHubAutomationEvent } from "@open-inspect/shared";
+import { verifyInternalToken } from "../auth/internal";
+import type { Route, RequestContext } from "../routes/shared";
+import { parsePattern, json, error } from "../routes/shared";
+import type { Env } from "../types";
+
+async function handleGitHubAutomationEvent(
+  request: Request,
+  env: Env,
+  _match: RegExpMatchArray,
+  _ctx: RequestContext
+): Promise<Response> {
+  // 0. Authenticate — fail closed if secret is unconfigured or token is invalid
+  if (!env.INTERNAL_CALLBACK_SECRET) {
+    return error("Internal authentication not configured", 500);
+  }
+  const isValid = await verifyInternalToken(
+    request.headers.get("Authorization"),
+    env.INTERNAL_CALLBACK_SECRET
+  );
+  if (!isValid) {
+    return error("Unauthorized", 401);
+  }
+
+  // 1. Parse body
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return error("Invalid JSON", 400);
+  }
+
+  // 2. Validate required fields
+  const event = body as Partial<GitHubAutomationEvent>;
+  if (event.source !== "github") {
+    return error("Invalid event: source must be 'github'", 400);
+  }
+  if (!event.repoOwner || !event.repoName) {
+    return error("Invalid event: repoOwner and repoName are required", 400);
+  }
+  if (!event.eventType || !event.triggerKey || !event.concurrencyKey) {
+    return error("Invalid event: eventType, triggerKey, and concurrencyKey are required", 400);
+  }
+
+  // 3. Forward to SchedulerDO
+  if (!env.SCHEDULER) {
+    return error("Scheduler not configured", 503);
+  }
+
+  const doId = env.SCHEDULER.idFromName("global-scheduler");
+  const stub = env.SCHEDULER.get(doId);
+
+  let response: Response;
+  try {
+    response = await stub.fetch("http://internal/internal/event", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(event),
+    });
+  } catch (_e) {
+    return json({ ok: false, error: "Failed to reach scheduler" }, 502);
+  }
+
+  let result: { triggered: number; skipped: number };
+  try {
+    result = await response.json<{ triggered: number; skipped: number }>();
+  } catch {
+    return json({ ok: false, error: "Invalid response from scheduler" }, 502);
+  }
+
+  return json({ ok: true, ...result }, response.status);
+}
+
+export const githubAutomationEventRoute: Route = {
+  method: "POST",
+  pattern: parsePattern("/internal/github-event"),
+  handler: handleGitHubAutomationEvent,
+};

packages/control-plane/src/webhooks/github.ts

@@ -5,5 +5,10 @@
 import type { Route } from "../routes/shared";
 import { sentryWebhookRoute } from "./sentry";
 import { automationWebhookRoute } from "./automation-webhook";
+import { githubAutomationEventRoute } from "./github";
 
-export const webhookRoutes: Route[] = [sentryWebhookRoute, automationWebhookRoute];
+export const webhookRoutes: Route[] = [
+  sentryWebhookRoute,
+  automationWebhookRoute,
+  githubAutomationEventRoute,
+];

packages/control-plane/src/webhooks/index.ts

@@ -16,6 +16,7 @@ import type {
 import type { Logger } from "./logger";
 import { createLogger, parseLogLevel } from "./logger";
 import { verifyWebhookSignature } from "./verify";
+import { normalizeGitHubEvent, buildInternalAuthHeaders } from "@open-inspect/shared";
 import {
   handlePullRequestOpened,
   handleReviewRequested,
@@ -185,6 +186,38 @@ async function handleWebhook(
     wideEvent.handler_action = result.handler_action;
   }
   log.info("webhook.handled", wideEvent);
+
+  // Forward normalized event to control-plane for automation triggering.
+  // This is additive — failures here must not affect existing bot behavior.
+  if (event) {
+    const normalizedEvent = normalizeGitHubEvent(event, p);
+    if (normalizedEvent !== null) {
+      try {
+        const body = JSON.stringify(normalizedEvent);
+        const authHeaders = await buildInternalAuthHeaders(env.INTERNAL_CALLBACK_SECRET, traceId);
+        const response = await env.CONTROL_PLANE.fetch("https://internal/internal/github-event", {
+          method: "POST",
+          headers: { "Content-Type": "application/json", ...authHeaders },
+          body,
+        });
+        if (!response.ok) {
+          log.warn("webhook.github_event_forward_failed", {
+            trace_id: traceId,
+            delivery_id: deliveryId,
+            event_type: event,
+            status: response.status,
+          });
+        }
+      } catch (err) {
+        log.warn("webhook.github_event_forward_error", {
+          trace_id: traceId,
+          delivery_id: deliveryId,
+          event_type: event,
+          error: err instanceof Error ? err : new Error(String(err)),
+        });
+      }
+    }
+  }
 }
 
 function dispatchHandler(

packages/github-bot/src/index.ts

@@ -24,6 +24,7 @@
     "vitest": "^4.0.18"
   },
   "dependencies": {
+    "@octokit/webhooks-types": "^7.6.1",
     "cron-parser": "^5.5.0"
   }
 }