feat(webhook): Support skipping sending GitHub webhooks to Codecov (#107946)

We're seeing intermittent slow downs doing code reviews for the
getsentry PRs.
The forwarding [from control to
region](https://redash.getsentry.net/queries/10522#13744) tends to be
slow.
I've noticed a lot of Codecov API calls failing on [this
issue](https://sentry.sentry.io/issues/6696659077).

My theory is that we skip the calls to Codecov we will stop having this
problem.

Author: armenzg

src/sentry/hybridcloud/tasks/deliver_webhooks.py

@@ -555,6 +555,36 @@ def perform_region_request(region: Region, payload: WebhookPayload) -> None:
         raise DeliveryFailed() from err
 
 
+def _should_skip_codecov_forward_for_github_owner(payload: WebhookPayload) -> bool:
+    """
+    Return True if this payload should be skipped (not forwarded to Codecov).
+    The payload is still deleted by the caller when skipped.
+    """
+    skip_github_owners = options.get("codecov.forward-webhooks.skip-github-owners") or ()
+    skip_set = (
+        frozenset(str(x) for x in skip_github_owners if x) if skip_github_owners else frozenset()
+    )
+    if not skip_set:
+        return False
+    try:
+        body = orjson.loads(payload.request_body)
+    except orjson.JSONDecodeError:
+        return False
+    if not isinstance(body, dict):
+        return False
+    repository = body.get("repository") if isinstance(body.get("repository"), dict) else None
+    owner = (
+        repository.get("owner")
+        if repository and isinstance(repository.get("owner"), dict)
+        else None
+    )
+    login = owner.get("login") if owner else None
+    if isinstance(login, str) and login in skip_set:
+        metrics.incr("hybridcloud.deliver_webhooks.send_request_to_codecov.filtered")
+        return True
+    return False
+
+
 def perform_codecov_request(payload: WebhookPayload) -> None:
     """
     We don't retry forwarding Codecov requests for now. We want to prove out that it would work.
@@ -581,6 +611,9 @@ def perform_codecov_request(payload: WebhookPayload) -> None:
             )
             return
 
+        if _should_skip_codecov_forward_for_github_owner(payload):
+            return
+
         # hard coding this because the endpoint path is different from the original request
         endpoint = "/webhooks/sentry"
 

src/sentry/options/defaults.py

@@ -700,6 +700,13 @@
 register("codecov.forward-webhooks.rollout", default=0.0, flags=FLAG_AUTOMATOR_MODIFIABLE)
 # if a region is in this list, it's safe to forward to codecov
 register("codecov.forward-webhooks.regions", default=[], flags=FLAG_AUTOMATOR_MODIFIABLE)
+# GitHub owners whose webhooks we skip forwarding to Codecov (payload is still deleted)
+register(
+    "codecov.forward-webhooks.skip-github-owners",
+    type=Sequence,
+    default=["getsentry"],
+    flags=FLAG_AUTOMATOR_MODIFIABLE,
+)
 
 
 # GitHub Integration

tests/sentry/hybridcloud/tasks/test_deliver_webhooks.py

@@ -348,11 +348,7 @@ def test_drain_success(self) -> None:
 
     @responses.activate
     @override_settings(CODECOV_API_BASE_URL="https://api.codecov.io")
-    @override_options(
-        {
-            "codecov.api-bridge-signing-secret": "test",
-        }
-    )
+    @override_options({"codecov.api-bridge-signing-secret": "test"})
     @override_regions(region_config)
     def test_drain_success_codecov(self) -> None:
         responses.add(
@@ -393,11 +389,7 @@ def test_drain_codecov_configuration_error(self) -> None:
 
     @responses.activate
     @override_settings(CODECOV_API_BASE_URL="https://api.codecov.io")
-    @override_options(
-        {
-            "codecov.api-bridge-signing-secret": "test",
-        }
-    )
+    @override_options({"codecov.api-bridge-signing-secret": "test"})
     @override_regions(region_config)
     def test_drain_codecov_request_error(self) -> None:
         responses.add(
@@ -417,6 +409,63 @@ def test_drain_codecov_request_error(self) -> None:
         assert hook is None
         assert len(responses.calls) == 3
 
+    @responses.activate
+    def test_drain_codecov_filtered_getsentry_owner(self) -> None:
+        """Skip list uses default option (getsentry); no client or request needed."""
+        records = create_payloads_with_destination_type(
+            1, "github:codecov:123", DestinationType.CODECOV
+        )
+        records[0].request_body = '{"repository":{"owner":{"login":"getsentry"}}}'
+        records[0].save(update_fields=["request_body"])
+        drain_mailbox(records[0].id)
+
+        assert len(responses.calls) == 0
+        assert not WebhookPayload.objects.filter().exists()
+
+    @responses.activate
+    @override_settings(CODECOV_API_BASE_URL="https://api.codecov.io")
+    @override_options({"codecov.api-bridge-signing-secret": "test"})
+    @override_regions(region_config)
+    def test_drain_codecov_not_filtered_other_owner(self) -> None:
+        responses.add(
+            responses.POST,
+            "https://api.codecov.io/webhooks/sentry",
+            status=200,
+            body="",
+        )
+        records = create_payloads_with_destination_type(
+            3, "github:codecov:123", DestinationType.CODECOV
+        )
+        for record in records:
+            record.request_body = '{"repository":{"owner":{"login":"other-org"}}}'
+            record.save(update_fields=["request_body"])
+        drain_mailbox(records[0].id)
+
+        assert len(responses.calls) == 3
+        assert not WebhookPayload.objects.filter().exists()
+
+    @responses.activate
+    @override_settings(CODECOV_API_BASE_URL="https://api.codecov.io")
+    @override_options({"codecov.api-bridge-signing-secret": "test"})
+    @override_regions(region_config)
+    def test_drain_codecov_not_filtered_malformed_body(self) -> None:
+        responses.add(
+            responses.POST,
+            "https://api.codecov.io/webhooks/sentry",
+            status=200,
+            body="",
+        )
+        records = create_payloads_with_destination_type(
+            3, "github:codecov:123", DestinationType.CODECOV
+        )
+        for record in records:
+            record.request_body = "{}"
+            record.save(update_fields=["request_body"])
+        drain_mailbox(records[0].id)
+
+        assert len(responses.calls) == 3
+        assert not WebhookPayload.objects.filter().exists()
+
     @responses.activate
     @override_regions(region_config)
     def test_drain_time_limit(self) -> None: