Allow GitHub webhook ping events for unapproved plugins (#347)

Move the X-GitHub-Event header check before the plugin approval gate
so that GitHub's test ping returns 200 regardless of plugin status.
This lets developers verify webhook setup before their plugin is approved.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: simonhamp

app/Http/Controllers/PluginWebhookController.php

@@ -18,12 +18,16 @@ public function __invoke(Request $request, string $secret, PluginSyncService $sy
             return response()->json(['error' => 'Invalid webhook secret'], 404);
         }
 
+        $event = $request->header('X-GitHub-Event');
+
+        if ($event === 'ping') {
+            return response()->json(['success' => true, 'message' => 'pong']);
+        }
+
         if (! $plugin->isApproved()) {
             return response()->json(['error' => 'Plugin is not approved'], 403);
         }
 
-        $event = $request->header('X-GitHub-Event');
-
         if ($event === 'release') {
             // Sync plugin metadata to update latest_version
             $syncService->sync($plugin);

tests/Feature/PluginWebhookTest.php

@@ -0,0 +1,70 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\Plugin;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use PHPUnit\Framework\Attributes\Test;
+use Tests\TestCase;
+
+class PluginWebhookTest extends TestCase
+{
+    use RefreshDatabase;
+
+    #[Test]
+    public function ping_event_succeeds_for_unapproved_plugin(): void
+    {
+        $plugin = Plugin::factory()->create();
+
+        $response = $this->postJson(
+            route('webhooks.plugins', $plugin->webhook_secret),
+            [],
+            ['X-GitHub-Event' => 'ping']
+        );
+
+        $response->assertOk()
+            ->assertJson(['success' => true, 'message' => 'pong']);
+    }
+
+    #[Test]
+    public function ping_event_succeeds_for_approved_plugin(): void
+    {
+        $plugin = Plugin::factory()->approved()->create();
+
+        $response = $this->postJson(
+            route('webhooks.plugins', $plugin->webhook_secret),
+            [],
+            ['X-GitHub-Event' => 'ping']
+        );
+
+        $response->assertOk()
+            ->assertJson(['success' => true, 'message' => 'pong']);
+    }
+
+    #[Test]
+    public function non_ping_event_returns_403_for_unapproved_plugin(): void
+    {
+        $plugin = Plugin::factory()->create();
+
+        $response = $this->postJson(
+            route('webhooks.plugins', $plugin->webhook_secret),
+            [],
+            ['X-GitHub-Event' => 'push']
+        );
+
+        $response->assertForbidden()
+            ->assertJson(['error' => 'Plugin is not approved']);
+    }
+
+    #[Test]
+    public function invalid_secret_returns_404(): void
+    {
+        $response = $this->postJson(
+            route('webhooks.plugins', 'invalid-secret'),
+            [],
+            ['X-GitHub-Event' => 'ping']
+        );
+
+        $response->assertNotFound();
+    }
+}