fix: honor SSL context for Slack workflow webhooks

haritamar · haritamar · commit ed661581235f · 2026-02-09T22:12:01.000+02:00
- Update _initial_client in SlackWebhookClient to configure requests.Session with SSL verification
- When ssl_context is provided, set session.verify to certifi CA bundle
- Add warning when workflow webhooks cannot fully honor --use-system-ca-files setting
- Ensures SSL context is respected for workflow webhook requests
diff --git a/elementary/clients/slack/client.py b/elementary/clients/slack/client.py
@@ -3,8 +3,8 @@
 from abc import ABC, abstractmethod
 from typing import Dict, List, Optional, Tuple, Union
 
-import requests
 import certifi
+import requests
 from ratelimit import limits, sleep_and_retry
 from slack_sdk import WebClient, WebhookClient
 from slack_sdk.errors import SlackApiError
@@ -67,7 +67,7 @@ def create_client(
                 webhook=config.slack_webhook,
                 is_workflow=config.is_slack_workflow,
                 tracking=tracking,
-                ssl_context=ssl_context
+                ssl_context=ssl_context,
             )
         return None
 
@@ -262,7 +262,18 @@ def __init__(
 
     def _initial_client(self, ssl_context: Optional[ssl.SSLContext]):
         if self.is_workflow:
-            return requests.Session()
+            session = requests.Session()
+            if ssl_context is not None:
+                # For workflow webhooks, requests.Session doesn't directly support ssl.SSLContext,
+                # so we configure it to use certifi's CA bundle instead.
+                # The ssl_context parameter indicates that certifi should be used (not system CA files).
+                logger.warning(
+                    "Workflow webhooks use requests.Session which doesn't fully support SSLContext. "
+                    "Using certifi CA bundle for SSL verification instead of --use-system-ca-files setting."
+                )
+                session.verify = certifi.where()
+            # If ssl_context is None, use system CA files (requests default behavior)
+            return session
 
         return WebhookClient(
             url=self.webhook,
