ref(gitlab): Skip webhook refresh when the secret is unchanged#119421
Draft
billyvg wants to merge 1 commit into
Draft
Conversation
Contributor
Sentry Snapshot Testing
|
c95ae46 to
16058ad
Compare
ad5c39c to
12c289b
Compare
on_create_repository stores a one-way fingerprint of the token it pushes to GitLab (external_id:webhook_secret) on repo.config. On a later invocation, if a webhook_id is present and the fingerprint still matches, return before making any GitLab call — the common bulk-reactivation path (scm repo sync, auto-link-by-name) no longer issues a PUT per repo for an unchanged hook. The fingerprint tracks our token, not the hook's existence on GitLab: a hook deleted out-of-band without a secret rotation is not recreated until the secret rotates or the fingerprint is cleared. This is accepted — external deletion of a Sentry-managed hook is rare, and any secret change still flows through the heal path. Kept as a separate change from the correctness fix it stacks on so it can be reviewed (and reverted) on its own.
16058ad to
6cfc743
Compare
12c289b to
303c8c0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes
on_create_repositoryskip the GitLab round trip when a repo's webhook is already up to date. Purely a call-volume optimization on top of the heal fix — no change to the heal/recreate behavior itself.on_create_repositorynow stores a one-way fingerprint of the token it pushes to GitLab (sha256(external_id:webhook_secret)) onrepo.config["webhook_fingerprint"]. On a later invocation, if awebhook_idis present and the fingerprint still matches, it returns before touching GitLab (or even resolving the OAuth client):webhook_idwebhook_unchanged)update_project_webhook(404 → recreate), then store the new fingerprintWhy
Without this, every reactivation of a repo that already has a
webhook_idissues aPUT— including the bulk paths (scm_repo_sync_beat, auto-link-by-name) that feed many repos throughon_create_repositoryat once, none of which have rotated. The fingerprint lets us detect "nothing changed" locally: the secret is derived from the OAuthclient_id, so it rotates exactly when an org reinstalls against a new OAuth app — the one case we must re-push. The fingerprint (andexternal_id) live onIntegration.metadata, which is region-local, so the check needs no extra network or cross-silo call.Trade-off (accepted)
The fingerprint tracks our token, not the hook's existence on GitLab. A Sentry-managed hook deleted out-of-band on GitLab without a secret rotation will not be recreated until the secret rotates or the fingerprint is cleared. This is accepted: external deletion of a Sentry-managed hook is rare, and any secret change still flows through the heal path in #119340. If we later decide that gap matters more than the saved calls, this whole PR reverts cleanly without touching the correctness fix underneath.
Notes
webhook_fingerprint, so their next reactivation heals once (onePUT) and backfills the fingerprint — self-migrating, no backfill job.gitlab.repository.webhook_unchanged(the skip). The heal/create events from fix(gitlab): Heal webhooks on integration reinstall #119340/ref(gitlab): Logon_create_repositorywebhook creation path #119333 are unchanged.