github-webhook_8js_source.html

/**

 * @file github-webhook.js

 * @description GitHub webhook handler for automated CI/CD builds. Listens for push events to main branch,

 * detects agent/tray file modifications, and triggers builds via builder service. Includes HMAC

 * signature verification and infinite loop prevention for version bump commits.

 * @module routes/github-webhook

 */


/**

 * @apiDefine GitHubWebhookGroup GitHub Webhook CI/CD

 * GitHub webhook automation for agent builds

 */


// GitHub Webhook handler for automated agent builds

const express = require('express');

const router = express.Router();

const crypto = require('crypto');

const axios = require('axios');

const { execSync } = require('child_process');

const path = require('path');


// Verify GitHub webhook signature

/**

 *

 * @param req

 * @param secret

 */

function verifyGitHubSignature(req, secret) {

  const signature = req.headers['x-hub-signature-256'];

  if (!signature) return false;


  const hmac = crypto.createHmac('sha256', secret);

  const digest = 'sha256=' + hmac.update(JSON.stringify(req.body)).digest('hex');


  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(digest));

}


/**

 * @api {post} /api/github/webhook GitHub Webhook Handler

 * @apiName GitHubWebhook

 * @apiGroup GitHubWebhookGroup

 * @apiDescription Receives GitHub push webhooks from main branch, validates HMAC signature, detects agent/tray

 * file modifications, and queues build jobs. Ignores version bump commits to prevent infinite loops.

 * Uses BUILDER_URL to queue jobs. No authentication beyond webhook signature.

 * @apiHeader {string} x-hub-signature-256 HMAC SHA256 signature for request validation

 * @apiHeader {string} x-github-event GitHub event type (e.g., 'push')

 * @apiParam {string} ref Git ref (e.g., refs/heads/main)

 * @apiParam {object[]} commits Array of commit objects

 * @apiParam {string} commits.message Commit message

 * @apiParam {string[]} commits.added Added files

 * @apiParam {string[]} commits.modified Modified files

 * @apiParam {string[]} commits.removed Removed files

 * @apiSuccess {boolean} success Build job queued or skipped

 * @apiSuccess {string} message Description of action taken

 * @apiSuccess {string} [jobId] Build job UUID (if build queued)

 * @apiSuccess {number} commits Number of commits processed

 * @apiError 401 Invalid HMAC signature

 * @apiError 500 Failed to queue build job

 * @apiExample {curl} GitHub Webhook:

 *   curl -X POST https://api.example.com/api/github/webhook \

 *     -H "x-hub-signature-256: sha256=abc123..." \

 *     -H "x-github-event: push" \

 *     -H "Content-Type: application/json" \

 *     -d '{"ref":"refs/heads/main", "commits":[...]}'

 * @apiExample {json} Success-Response (200) - Build Queued:

 *   {

 *     "success": true,

 *     "message": "Agent build job queued",

 *     "jobId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",

 *     "commits": 3

 *   }

 * @apiExample {json} Success-Response (200) - Skipped:

 *   {

 *     "success": true,

 *     "message": "No agent or tray changes detected",

 *     "commits": 2

 *   }

 */

// POST /api/github/webhook

router.post('/webhook', express.json(), async (req, res) => {

  try {

    const webhookSecret = process.env.GITHUB_WEBHOOK_SECRET || process.env.github_token;


    // Verify signature if secret is set

    if (webhookSecret && !verifyGitHubSignature(req, webhookSecret)) {

      console.log('[GitHub Webhook] Invalid signature');

      return res.status(401).json({ error: 'Invalid signature' });

    }


    const event = req.headers['x-github-event'];

    const payload = req.body;


    console.log('[GitHub Webhook] Received event:', event);


    // Only handle push events to main branch

    if (event === 'push' && payload.ref === 'refs/heads/main') {

      const commits = payload.commits || [];


      // Ignore version bump commits from builder (prevents infinite loop)

      const hasNonVersionBumpCommits = commits.some(commit =>

        !commit.message || !commit.message.startsWith('chore: bump agent version')

      );


      if (!hasNonVersionBumpCommits) {

        console.log('[GitHub Webhook] Only version bump commits detected, skipping build to prevent loop');

        return res.json({

          success: true,

          message: 'Version bump commits ignored',

          commits: commits.length

        });

      }


      const agentModified = commits.some(commit => {

        const files = [...(commit.added || []), ...(commit.modified || []), ...(commit.removed || [])];

        return files.some(file => file.startsWith('rmm-psa-platform/agent/'));

      });


      const trayModified = commits.some(commit => {

        const files = [...(commit.added || []), ...(commit.modified || []), ...(commit.removed || [])];

        return files.some(file => file.startsWith('rmm-psa-platform/trayicon/'));

      });


      if (agentModified) {

        console.log('[GitHub Webhook] Agent files modified, queuing build job...');


        // Queue build job via builder service (non-blocking)

        try {

          const builderUrl = process.env.BUILDER_URL || 'http://127.0.0.1:3001';

          const response = await axios.post(`${builderUrl}/api/build/agent`, {}, {

            timeout: 5000

          });


          console.log('[GitHub Webhook] Build job queued:', response.data);


          return res.json({

            success: true,

            message: 'Agent build job queued',

            jobId: response.data.jobId,

            commits: commits.length

          });

        } catch (buildErr) {

          console.error('[GitHub Webhook] Failed to queue build:', buildErr.message);

          return res.status(500).json({

            error: 'Failed to queue build job',

            details: buildErr.message

          });

        }

      } else if (trayModified) {

        console.log('[GitHub Webhook] Tray files modified, triggering tray build...');


        // Trigger tray build directly (lighter than full agent build)

        try {

          await buildTrayIcon();


          return res.json({

            success: true,

            message: 'Tray build completed',

            commits: commits.length

          });

        } catch (buildErr) {

          console.error('[GitHub Webhook] Failed to build tray:', buildErr.message);

          return res.status(500).json({

            error: 'Failed to build tray',

            details: buildErr.message

          });

        }

      } else {

        console.log('[GitHub Webhook] No agent or tray files modified, skipping build');

        return res.json({

          success: true,

          message: 'No agent or tray changes detected',

          commits: commits.length

        });

      }

    }


    res.json({ success: true, message: 'Event received but not processed' });

  } catch (err) {

    console.error('[GitHub Webhook] Error:', err);

    res.status(500).json({ error: err.message });

  }

});


/**

 * @api {post} /api/github/build Trigger Manual Agent Build

 * @apiName TriggerManualBuild

 * @apiGroup GitHubWebhookGroup

 * @apiDescription Manually triggers an agent build job via builder service. No authentication required.

 * Returns jobId for status polling. Useful for testing or manual rebuilds.

 * @apiSuccess {boolean} success Build job queued successfully

 * @apiSuccess {string} message Confirmation message

 * @apiSuccess {string} jobId Build job UUID

 * @apiSuccess {string} checkStatus URL to check build status

 * @apiError 500 Failed to queue build job (builder service unavailable)

 * @apiExample {curl} Manual Build:

 *   curl -X POST https://api.example.com/api/github/build \

 *     -H "Content-Type: application/json"

 * @apiExample {json} Success-Response (200):

 *   {

 *     "success": true,

 *     "message": "Agent build job queued",

 *     "jobId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",

 *     "checkStatus": "http://127.0.0.1:3001/api/build/status/a1b2c3d4-e5f6-7890-abcd-ef1234567890"

 *   }

 */

// Manual build trigger endpoint (queues job via builder)

router.post('/build', async (req, res) => {

  try {

    console.log('[GitHub Webhook] Manual build triggered');


    const builderUrl = process.env.BUILDER_URL || 'http://127.0.0.1:3001';

    const response = await axios.post(`${builderUrl}/api/build/agent`, {}, {

      timeout: 5000

    });


    console.log('[GitHub Webhook] Build job queued:', response.data);


    res.json({

      success: true,

      message: 'Agent build job queued',

      jobId: response.data.jobId,

      checkStatus: `${builderUrl}/api/build/status/${response.data.jobId}`

    });

  } catch (err) {

    console.error('[GitHub Webhook] Failed to queue build:', err.message);

    res.status(500).json({

      error: 'Failed to queue build job',

      details: err.message

    });

  }

});


// Build tray icon function

/**

 *

 */

async function buildTrayIcon() {

  const GIT_DIR = path.resolve(process.cwd(), '..');

  const TRAY_DIR = path.join(GIT_DIR, 'trayicon');


  console.log('[Tray Build] Starting tray icon build...');


  try {

    // Run tray build script

    execSync('./build_tray.sh', {

      cwd: TRAY_DIR,

      stdio: 'inherit',

      timeout: 300000 // 5 minute timeout

    });


    console.log('[Tray Build] ✅ Tray build completed successfully');

  } catch (err) {

    console.error('[Tray Build] ❌ Tray build failed:', err.message);

    throw err;

  }

}


// Build agent function (for compatibility)

/**

 *

 */

async function buildAgent() {

  try {

    const builderUrl = process.env.BUILDER_URL || 'http://127.0.0.1:3001';

    const response = await axios.post(`${builderUrl}/api/build/agent`, {}, {

      timeout: 5000

    });


    console.log('[Agent Build] Build job queued:', response.data);

    return response.data;

  } catch (err) {

    console.error('[Agent Build] Failed to queue build:', err.message);

    throw err;

  }

}


module.exports = {

  router,

  buildAgent,

  buildTrayIcon

};