Wire GitHub push webhook to dashboard_sync enqueue

Close the live-update path for GitHub-backed dashboard templates: a
new POST /docverse/webhooks/github endpoint verifies the HMAC, parses
the push payload, and enqueues one dashboard_sync job per binding
whose root_path was actually touched by the push. Truncated payloads
fall back to the GitHub compare API; mis-signed deliveries get 401;
deployments without GitHub App secrets configured see a 404.

Key decisions:
- Route HMAC validation through gidgethub.sansio.Event.from_http and
  dispatch through gidgethub.routing.Router rather than safir.github
  (which only exposes Pydantic webhook payload models — no router or
  HMAC helper, despite the issue body's hopeful "or the equivalent
  registration API" wording). The gidgethub router is held at module
  scope: registering a fresh router per request would defeat its
  registration model. Keeps the handler aligned with Times Square /
  Semaphore and avoids hand-rolling HMAC, satisfying user story 23.
- Feature-disabled (no GitHub App config) returns 404, not 503.
  Caught at handler entry by routing both
  ``get_github_webhook_secret`` and ``create_push_event_processor``
  through ``GitHubAppNotConfiguredError``. The 503 used by the
  org-admin binding endpoints (#235) would surface as a permanent
  GitHub redelivery loop on a misconfigured deployment; 404 hides
  the URL until secrets are wired and lets GitHub stop retrying.
- Added ``Factory.get_github_webhook_secret`` (public accessor) so
  the webhook handler does not reach into ``_github_webhook_secret``
  directly. Mirrors ``create_github_app_client``: validates that all
  three secrets are set and raises the same
  ``GitHubAppNotConfiguredError`` so the handler's single
  except-clause covers both paths.
- ``PushEventProcessor.process`` returns ``[]`` rather than raising
  on no-op cases (no bindings match repo/ref; no binding root_paths
  intersect changed paths; truncated payload with no before/after).
  The webhook handler's surrounding ``session.begin()`` + commit
  still runs on the empty path because logging the no-op outcome is
  cheap and the empty enqueue list is the natural success result —
  the Slack-integration loop in ``main.py`` makes the same trade.
- ``_root_path_matches`` normalises ``root_path`` exactly the way
  ``GitHubTreeFetcher._normalize_root`` does: ``"/"`` strips to ``""``
  and matches any non-empty changed-path set, while ``"templates/blue"``
  matches paths that start with ``"templates/blue/"`` or equal the
  bare directory entry. Keeps the webhook filter and the syncer's
  filter in lockstep so a binding never gets a sync enqueued for a
  path the syncer would then have ignored as out-of-scope.
- ``DashboardGitHubTemplateBindingStore.list_by_repo_ref`` is keyed
  by name (``github_owner``/``github_repo``/``github_ref``), not by
  numeric ID. Numeric-ID lookup is task #240's job; this slice
  matches by the same composite name index
  (``idx_dashboard_github_template_bindings_repo_ref``) that the PRD
  identifies as the push-lookup index for v1, with the rename-
  robustness ID-preferential lookup deferred per the PRD's "GitHub
  identity stability" section.
- The webhook handler's gidgethub router is registered with a single
  ``"push"`` callback. ``ping`` and any other event types arrive,
  signature-verify, and return 200 with no enqueue — gidgethub's
  ``dispatch`` is a fan-out to a possibly empty callback set, so
  unrelated events naturally no-op. This satisfies user story 23
  ("does not hand-roll HMAC or event parsing") and keeps GitHub's
  redelivery machinery quiet for events we deliberately ignore.
- Test fixture ``github_app_enabled`` toggles the three GitHub App
  secrets on the autouse ``context_dependency`` for the lifetime of
  one test and restores them on teardown. The default-disabled state
  preserved between tests is what makes the 404-feature-disabled
  test trivial: it just hits the URL with no fixture and asserts on
  the absence of GitHub config.

Next-iteration notes:
- Slice #240/#242 (rename-robustness) will add an ID-preferential
  binding lookup alongside ``list_by_repo_ref``. The push processor
  can then consult ``list_by_repo_id_ref`` first and fall back to
  the name-based path for un-synced bindings. The handler's plumbing
  does not need to change — only the processor's binding-lookup step.
- The handler currently registers only ``push`` events. Adding
  ``installation`` (created/deleted/suspend/unsuspend) and
  ``repository.renamed`` / ``repository.transferred`` /
  ``organization.renamed`` event handlers is task #242's scope; they
  plug into the same ``_event_router.register(...)`` decorator, so
  no further wiring change is needed. The ``create_push_event_
  processor`` factory method will likely sprout sibling
  ``create_installation_event_processor`` /
  ``create_rename_event_processor`` methods.
- Squarebot/Kafka event delivery (PRD §"Out of Scope") still goes
  through this same ``PushEventProcessor`` if it ever lands — the
  only thing the Squarebot path would change is the request entry
  point (a Kafka consumer instead of a FastAPI endpoint). The
  processor itself takes a raw payload dict, so swapping the input
  layer is a tracer-bullet exercise.
- Payload field extraction is duck-typed off the raw push dict
  (``payload["repository"]["owner"]["login"]`` etc.) rather than
  going through ``safir.github.GitHubPushEventModel``. The model
  only carries ``repository`` / ``installation`` / ``ref`` /
  ``before`` / ``after`` — it doesn't include the ``commits`` array
  that ``extract_changed_paths_from_push`` reads — so once we have
  to drop into the dict for ``commits`` and ``size`` anyway, parsing
  the rest off the dict is the simpler shape. A future refactor
  could parse a richer model and pass it through; the dict path is
  the minimum needed today.

Closes #238

Author: jonathansick

src/docverse/factory.py

@@ -21,6 +21,7 @@
     DashboardSyncEnqueuer,
     DashboardTemplateBindingService,
     DashboardTemplateSyncer,
+    PushEventProcessor,
     TemplateResolver,
 )
 from .services.edition import EditionService
@@ -416,6 +417,52 @@ def create_dashboard_template_syncer(self) -> DashboardTemplateSyncer:
             logger=self._logger,
         )
 
+    def get_github_webhook_secret(self) -> str:
+        """Return the configured GitHub webhook HMAC secret.
+
+        Callers (the webhook handler) need the secret to verify the
+        ``x-hub-signature-256`` header on each delivery. Routes
+        through this accessor instead of reading the private
+        attribute directly so the GitHub App's "all-or-nothing"
+        invariant is enforced in one place.
+
+        Raises
+        ------
+        GitHubAppNotConfiguredError
+            If any of the three GitHub App secrets is unset.
+        """
+        if (
+            self._github_app_id is None
+            or self._github_app_private_key is None
+            or self._github_webhook_secret is None
+        ):
+            msg = "GitHub App is not configured"
+            raise GitHubAppNotConfiguredError(msg)
+        return self._github_webhook_secret.get_secret_value()
+
+    def create_push_event_processor(self) -> PushEventProcessor:
+        """Create a :class:`PushEventProcessor` for the webhook handler.
+
+        Raises
+        ------
+        GitHubAppNotConfiguredError
+            If the GitHub App feature is not configured. The webhook
+            handler translates this into a 404 response so the feature
+            stays cleanly disabled when secrets are unset.
+        RuntimeError
+            If the shared HTTP client is not configured.
+        """
+        if self._http_client is None:
+            msg = "HTTP client is required to build a PushEventProcessor"
+            raise RuntimeError(msg)
+        return PushEventProcessor(
+            binding_store=self.create_dashboard_github_template_binding_store(),
+            enqueuer=self.create_dashboard_sync_enqueuer(),
+            app_client=self.create_github_app_client(),
+            http_client=self._http_client,
+            logger=self._logger,
+        )
+
     def create_dashboard_publisher(self) -> DashboardPublisher:
         """Create a DashboardPublisher for one render.
 

src/docverse/handlers/webhooks/__init__.py

@@ -0,0 +1,7 @@
+"""HTTP handlers for GitHub webhooks."""
+
+from __future__ import annotations
+
+from .github import router as webhook_router
+
+__all__ = ["webhook_router"]

src/docverse/handlers/webhooks/github.py

@@ -0,0 +1,129 @@
+"""GitHub webhook endpoint dispatching push events to the sync queue."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+import gidgethub
+from fastapi import APIRouter, Depends, HTTPException, Request, status
+from gidgethub import sansio
+from gidgethub.routing import Router as GidgethubRouter
+
+from docverse.dependencies.context import RequestContext, context_dependency
+from docverse.services.dashboard_templates import PushEventProcessor
+from docverse.storage.github import GitHubAppNotConfiguredError
+
+__all__ = ["router"]
+
+router = APIRouter(include_in_schema=False)
+"""FastAPI router for GitHub webhook endpoints.
+
+Mounted under ``config.path_prefix`` from ``main.py`` so the public
+URL is ``POST {path_prefix}/webhooks/github``. Excluded from the
+OpenAPI schema because the API surface is GitHub's webhook contract,
+not the Docverse REST API.
+"""
+
+
+_event_router = GidgethubRouter()
+"""Module-level gidgethub router for event-type dispatch.
+
+Using a fresh router per request would defeat gidgethub's intended
+registration model and force every callback to re-bind on every
+delivery. Holding it at module scope mirrors the pattern in
+``safir.github`` and Times Square / Semaphore: register handlers
+once, dispatch many.
+"""
+
+
+@_event_router.register("push")
+async def _handle_push(
+    event: sansio.Event,
+    *,
+    processor: PushEventProcessor,
+    context: RequestContext,
+) -> None:
+    """Translate a push event into ``dashboard_sync`` enqueues.
+
+    The processor owns transaction-free DB writes through the
+    enqueuer; the handler wraps both the binding lookup and the
+    enqueue in a single ``session.begin()`` so a failure aborts the
+    whole webhook delivery cleanly.
+    """
+    async with context.session.begin():
+        jobs = await processor.process(event.data)
+        await context.session.commit()
+    context.logger.info(
+        "Processed push webhook",
+        delivery_id=event.delivery_id,
+        enqueued=len(jobs),
+    )
+
+
+@router.post(
+    "/webhooks/github",
+    status_code=status.HTTP_200_OK,
+    summary="GitHub App webhook receiver",
+    name="github_webhook",
+)
+async def post_github_webhook(
+    request: Request,
+    context: Annotated[RequestContext, Depends(context_dependency)],
+) -> dict[str, str]:
+    """Receive a GitHub webhook delivery and dispatch by event type.
+
+    Returns ``404`` when the GitHub App feature is not configured
+    (any of ``github_app_id`` / ``github_app_private_key`` /
+    ``github_webhook_secret`` unset). This keeps the URL effectively
+    invisible to a misconfigured deployment without surfacing a 5xx
+    that would page operators on every GitHub redelivery attempt.
+
+    Returns ``401`` when the request is unsigned or the HMAC does
+    not match the configured webhook secret. ``415`` is returned by
+    ``gidgethub`` directly when the content-type is wrong.
+
+    Returns ``200`` for all signed deliveries — including event
+    types this app does not subscribe to — so GitHub's redelivery
+    machinery does not retry deliveries we have intentionally
+    chosen not to act on.
+    """
+    try:
+        secret = context.factory.get_github_webhook_secret()
+        processor = context.factory.create_push_event_processor()
+    except GitHubAppNotConfiguredError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="GitHub App is not configured",
+        ) from exc
+
+    body = await request.body()
+    try:
+        event = sansio.Event.from_http(
+            _lowercase_headers(request.headers), body, secret=secret
+        )
+    except gidgethub.ValidationFailure as exc:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid webhook signature",
+        ) from exc
+
+    context.rebind_logger(
+        github_event=event.event, github_delivery_id=event.delivery_id
+    )
+
+    await _event_router.dispatch(event, processor=processor, context=context)
+
+    return {"status": "ok"}
+
+
+def _lowercase_headers(headers: object) -> dict[str, str]:
+    """Return a dict of request headers with lower-cased keys.
+
+    ``gidgethub.sansio.Event.from_http`` expects a mapping that
+    supports lower-cased keys; FastAPI's ``Request.headers`` already
+    is case-insensitive but ``Event.from_http`` indexes via
+    ``headers["x-github-event"]`` directly, so a plain dict with
+    pre-lower-cased keys is the safest contract.
+    """
+    items = headers.items() if hasattr(headers, "items") else []
+    return {str(k).lower(): str(v) for k, v in items}

src/docverse/main.py

@@ -26,6 +26,7 @@
 from .handlers.internal import internal_router
 from .handlers.orgs import orgs_router
 from .handlers.queue import queue_router
+from .handlers.webhooks import webhook_router
 from .services.credential_encryptor import CredentialEncryptor
 from .storage.user_info_store import GafaelfawrUserInfoStore
 
@@ -138,6 +139,7 @@ async def lifespan(app: FastAPI) -> AsyncIterator[None]:  # noqa: ARG001
 app.include_router(admin_router, prefix=config.path_prefix)
 app.include_router(orgs_router, prefix=config.path_prefix)
 app.include_router(queue_router, prefix=config.path_prefix)
+app.include_router(webhook_router, prefix=config.path_prefix)
 app.add_middleware(XForwardedMiddleware)
 
 if config.slack_webhook:

src/docverse/services/dashboard_templates/__init__.py

@@ -8,6 +8,7 @@
 )
 from .enqueue import DashboardSyncEnqueuer
 from .fanout import DashboardRebuildFanout
+from .push_processor import PushEventProcessor
 from .resolver import (
     ResolvedTemplate,
     ResolvedTemplateOrigin,
@@ -22,6 +23,7 @@
     "DashboardTemplateBindingService",
     "DashboardTemplateSyncError",
     "DashboardTemplateSyncer",
+    "PushEventProcessor",
     "ResolvedTemplate",
     "ResolvedTemplateOrigin",
     "TemplateResolver",