feat(trogon-sink-github): add webhook receiver that sinks events to NATS JetStream

Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>

Author: yordis

devops/docker/compose/compose.yml

@@ -2,13 +2,51 @@ name: trogonai
 
 services:
   nats:
-    image: nats:latest
+    image: nats:alpine
     container_name: nats
-    command: 
+    command:
       - "--jetstream"
       - "--store_dir=/data"
+      - "--http_port=8222"
+    ports:
+      - "4222:4222"
+      - "8222:8222"
     volumes:
       - nats_data:/data
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:8222/healthz"]
+      interval: 5s
+      timeout: 3s
+      start_period: 5s
+      retries: 3
+
+  trogon-sink-github:
+    build:
+      context: ../../../rsworkspace
+      dockerfile: crates/trogon-sink-github/Dockerfile
+    ports:
+      - "${GITHUB_WEBHOOK_PORT:-8080}:${GITHUB_WEBHOOK_PORT:-8080}"
+    environment:
+      NATS_URL: "nats:4222"
+      GITHUB_WEBHOOK_SECRET: "${GITHUB_WEBHOOK_SECRET:?GITHUB_WEBHOOK_SECRET is required}"
+      GITHUB_WEBHOOK_PORT: "${GITHUB_WEBHOOK_PORT:-8080}"
+      GITHUB_SUBJECT_PREFIX: "${GITHUB_SUBJECT_PREFIX:-github}"
+      GITHUB_STREAM_NAME: "${GITHUB_STREAM_NAME:-GITHUB}"
+      GITHUB_STREAM_MAX_AGE_SECS: "${GITHUB_STREAM_MAX_AGE_SECS:-604800}"
+      GITHUB_NATS_ACK_TIMEOUT_SECS: "${GITHUB_NATS_ACK_TIMEOUT_SECS:-10}"
+      GITHUB_MAX_BODY_SIZE: "${GITHUB_MAX_BODY_SIZE:-26214400}"
+      RUST_LOG: "${RUST_LOG:-info}"
+    depends_on:
+      nats:
+        condition: service_healthy
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:${GITHUB_WEBHOOK_PORT:-8080}/health"]
+      interval: 10s
+      timeout: 3s
+      start_period: 10s
+      retries: 3
 
 volumes:
   nats_data:

rsworkspace/.dockerignore

@@ -0,0 +1,27 @@
+# Rust build artifacts — largest offender, can be many GBs
+target/
+
+# Dev tooling
+.git/
+.github/
+.cargo/
+
+# Test/CI artifacts
+lcov.info
+coverage.xml
+*.profraw
+*.profdata
+mutants.out*/
+
+# IDE / OS
+.idea/
+.vscode/
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+
+# Environment files with secrets
+.env
+.env.*
+!.env.example

rsworkspace/Cargo.lock

@@ -5,13 +5,15 @@
 pub enum ServiceName {
     AcpNatsStdio,
     AcpNatsWs,
+    TrogonSinkGithub,
 }
 
 impl ServiceName {
     pub fn as_str(self) -> &'static str {
         match self {
             Self::AcpNatsStdio => "acp-nats-stdio",
             Self::AcpNatsWs => "acp-nats-ws",
+            Self::TrogonSinkGithub => "trogon-sink-github",
         }
     }
 }
@@ -30,11 +32,16 @@ mod tests {
     fn as_str_returns_expected_values() {
         assert_eq!(ServiceName::AcpNatsStdio.as_str(), "acp-nats-stdio");
         assert_eq!(ServiceName::AcpNatsWs.as_str(), "acp-nats-ws");
+        assert_eq!(ServiceName::TrogonSinkGithub.as_str(), "trogon-sink-github");
     }
 
     #[test]
     fn display_delegates_to_as_str() {
         assert_eq!(format!("{}", ServiceName::AcpNatsStdio), "acp-nats-stdio");
         assert_eq!(format!("{}", ServiceName::AcpNatsWs), "acp-nats-ws");
+        assert_eq!(
+            format!("{}", ServiceName::TrogonSinkGithub),
+            "trogon-sink-github"
+        );
     }
 }

rsworkspace/crates/acp-telemetry/src/service_name.rs

@@ -246,6 +246,10 @@ impl MockJetStreamPublisher {
             .map(|m| m.payload.clone())
             .collect()
     }
+
+    pub fn published_messages(&self) -> Vec<MockPublishedJsMessage> {
+        self.published.lock().unwrap().clone()
+    }
 }
 
 impl Default for MockJetStreamPublisher {

rsworkspace/crates/trogon-nats/src/jetstream/mocks.rs

@@ -0,0 +1,32 @@
+[package]
+name = "trogon-sink-github"
+version = "0.1.0"
+edition = "2024"
+
+[lints]
+workspace = true
+
+[[bin]]
+name = "trogon-sink-github"
+path = "src/main.rs"
+
+[dependencies]
+acp-telemetry = { workspace = true }
+async-nats = { workspace = true, features = ["jetstream"] }
+axum = { workspace = true }
+bytes = { workspace = true }
+hex = "0.4"
+hmac = "0.12"
+sha2 = "0.10"
+tokio = { workspace = true, features = ["full"] }
+tower-http = { workspace = true, features = ["limit"] }
+tracing = { workspace = true }
+trogon-nats = { workspace = true }
+trogon-std = { workspace = true }
+
+[dev-dependencies]
+tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
+tower = "0.5"
+tracing-subscriber = { workspace = true }
+trogon-nats = { workspace = true, features = ["test-support"] }
+trogon-std = { workspace = true, features = ["test-support"] }

rsworkspace/crates/trogon-sink-github/Cargo.toml

@@ -0,0 +1,30 @@
+# ── Stage 1: build ────────────────────────────────────────────────────────────
+FROM rust:1.87-slim AS builder
+
+WORKDIR /build
+
+COPY Cargo.toml Cargo.lock ./
+COPY crates/ crates/
+
+RUN cargo build --release -p trogon-sink-github
+
+# ── Stage 2: runtime ──────────────────────────────────────────────────────────
+FROM debian:bookworm-slim AS runtime
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --no-create-home --shell /usr/sbin/nologin trogon
+
+COPY --from=builder /build/target/release/trogon-sink-github /usr/local/bin/trogon-sink-github
+
+USER trogon
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=10s --timeout=3s --start-period=5s --retries=3 \
+    CMD ["/bin/sh", "-c", "curl -sf http://localhost:${GITHUB_WEBHOOK_PORT:-8080}/health || exit 1"]
+
+ENTRYPOINT ["/usr/local/bin/trogon-sink-github"]