Skip to content

chore: remove unused GitHub App webhook artifacts#181

Open
risu729 wants to merge 1 commit into
jdx:mainfrom
risu729:remove-unused-github-app-webhook
Open

chore: remove unused GitHub App webhook artifacts#181
risu729 wants to merge 1 commit into
jdx:mainfrom
risu729:remove-unused-github-app-webhook

Conversation

@risu729
Copy link
Copy Markdown
Contributor

@risu729 risu729 commented May 11, 2026

What changed

  • Remove the no-op web/src/pages/webhooks/github.ts handler.
  • Remove the obsolete manual scripts/deploy.sh helper that still asked for GitHub App private-key/webhook setup and advertised /webhooks/github.
  • Remove unused GITHUB_APP_ID, GITHUB_PRIVATE_KEY, and GITHUB_WEBHOOK_SECRET declarations/comments from the active web env typing and root wrangler secret list.
  • Keep GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET; those are still required by /api/auth/login and /api/auth/callback for GitHub OAuth user-token collection.

History

  • c2f0eb18 (init, 2025-12-15) added the original Worker token-manager shape, including the manual scripts/deploy.sh, root wrangler GitHub App secret comments, and a /webhooks/github route in worker/routes/misc.ts. That webhook only logged x-github-event and returned 200.
  • 573b0782 (feat: migrate web frontend to Astro SSR, 2025-12-17) added web/env.d.ts and carried over both the active OAuth client secrets and the unused GitHub App private-key/webhook secrets.
  • f7fc9576 (feat: migrate all routes from Worker to Astro SSR, 2025-12-17) moved token collection to Astro routes and added web/src/pages/webhooks/github.ts, but the handler stayed the same no-op log-and-200 behavior.
  • The active token collection path is the OAuth flow in /api/auth/login and /api/auth/callback, which exchanges a GitHub OAuth code with GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET, then stores the user token in D1. It does not read GITHUB_APP_ID, GITHUB_PRIVATE_KEY, or GITHUB_WEBHOOK_SECRET.
  • The likely cleanup miss was that the webhook/deploy-script artifacts were left behind after the Astro route migration while the token pool settled on OAuth user tokens instead of GitHub App installation webhooks/private-key auth.

Why the webhook is not the OAuth callback

GitHub OAuth redirects users back to /api/auth/callback with code and state; that route validates state, exchanges the code via @octokit/auth-oauth-user, and stores the resulting user token. /webhooks/github is a POST webhook endpoint. It never validates a GitHub webhook signature, never exchanges OAuth codes, never stores tokens, and has no callers in workflows or runtime code.

Relationship to #179

This PR deliberately does not touch worker/index.ts to avoid overlapping with #179, which removes that stale Worker entrypoint entirely. As a result, old type-only GitHub App names still appear inside worker/index.ts until #179 lands, but the active wrangler config, active web env typing, no-op webhook route, and obsolete deploy helper are cleaned here.

Validation

  • npm run test:js
  • npm run test:shell
  • bunx tsc --noEmit
  • npm run build -w web
  • git diff --check

@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented May 11, 2026

Greptile Summary

This PR removes GitHub App webhook artifacts that were left behind after the project settled on GitHub OAuth user tokens instead of GitHub App installation webhooks. No active code paths are affected.

  • Deletes scripts/deploy.sh (obsolete manual deploy helper referencing removed secrets) and web/src/pages/webhooks/github.ts (no-op POST handler that only logged and returned 200).
  • Removes GITHUB_APP_ID, GITHUB_PRIVATE_KEY, and GITHUB_WEBHOOK_SECRET from web/env.d.ts and their corresponding comments in wrangler.jsonc; the active OAuth secrets (GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET) are retained.

Confidence Score: 5/5

Safe to merge — all removed code was either a no-op handler or referenced secrets that are unused by any active route.

Every deleted artifact was either a log-and-return webhook handler with no callers, a manual deploy script referencing obsolete secrets, or type/comment declarations for credentials not consumed by any live code path. The retained OAuth secrets and env types remain intact.

No files require special attention.

Important Files Changed

Filename Overview
scripts/deploy.sh Deleted obsolete manual deployment helper that configured GitHub App secrets (GITHUB_APP_ID, GITHUB_PRIVATE_KEY, GITHUB_WEBHOOK_SECRET) and advertised the now-removed /webhooks/github route.
web/env.d.ts Removes unused GITHUB_APP_ID, GITHUB_PRIVATE_KEY, and GITHUB_WEBHOOK_SECRET from the Env interface; retains GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET used by the active OAuth flow.
web/src/pages/webhooks/github.ts Deleted no-op POST webhook handler that only logged x-github-event and returned 200 without any validation or side effects.
wrangler.jsonc Removes stale secret comments for GITHUB_APP_ID, GITHUB_PRIVATE_KEY, and GITHUB_WEBHOOK_SECRET from the wrangler config; keeps active OAuth and API_SECRET comments.

Reviews (1): Last reviewed commit: "Remove unused GitHub App webhook artifac..." | Re-trigger Greptile

gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request removes GitHub App-related components, including the deployment script, the webhook handler, and several environment variables (GITHUB_APP_ID, GITHUB_PRIVATE_KEY, and GITHUB_WEBHOOK_SECRET) from the environment interface and configuration. I have no feedback to provide.

@risu729 risu729 mentioned this pull request May 11, 2026
Open
@risu729 risu729 marked this pull request as ready for review May 11, 2026 11:39
Copilot AI review requested due to automatic review settings May 11, 2026 11:39
@risu729 risu729 changed the title Remove unused GitHub App webhook artifacts chore: remove unused GitHub App webhook artifacts May 11, 2026
Copilot AI reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Cleans up legacy GitHub App webhook/deployment artifacts that are no longer used now that token collection happens via the GitHub OAuth flow (/api/auth/login + /api/auth/callback) in the Astro SSR app.

Changes:

  • Removes the no-op /webhooks/github Astro page handler.
  • Deletes the obsolete scripts/deploy.sh helper that referenced GitHub App webhook/private-key setup.
  • Removes unused GitHub App secret typings/comments (GITHUB_APP_ID, GITHUB_PRIVATE_KEY, GITHUB_WEBHOOK_SECRET) from active web env typing and the root wrangler.jsonc secret list (keeps OAuth client secrets).

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File Description
wrangler.jsonc Drops obsolete GitHub App webhook/private-key secret comments from the wrangler secret list.
web/src/pages/webhooks/github.ts Deletes an unused, no-op webhook endpoint.
web/env.d.ts Removes unused GitHub App env bindings from the active Cloudflare/Astro runtime typing.
scripts/deploy.sh Removes a stale manual deployment script that referenced obsolete webhook/private-key setup.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@risu729