Skip to content

feat(repos): Activate repo webhook and syncing task for GHE #112247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wedamija merged 1 commit into from
Apr 7, 2026
+115 −2
Merged

feat(repos): Activate repo webhook and syncing task for GHE #112247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/sentry/integrations/github/tasks/sync_repos.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,7 @@ def github_repo_sync_beat() -> None:
name="github_repo_sync",
schedule_key="github-repo-sync-beat",
queryset=OrganizationIntegration.objects.filter(
integration__provider="github",
integration__provider__in=["github", "github_enterprise"],
integration__status=ObjectStatus.ACTIVE,
status=ObjectStatus.ACTIVE,
),
Expand Down
8 changes: 8 additions & 0 deletions src/sentry/integrations/github_enterprise/webhook.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
from sentry.integrations.github.webhook import (
GitHubWebhook,
InstallationEventWebhook,
InstallationRepositoriesEventWebhook,
IssuesEventWebhook,
PullRequestEventWebhook,
PushEventWebhook,
Expand Down Expand Up @@ -106,6 +107,12 @@ class GitHubEnterpriseInstallationEventWebhook(GitHubEnterpriseWebhook, Installa
pass


class GitHubEnterpriseInstallationRepositoriesEventWebhook(
GitHubEnterpriseWebhook, InstallationRepositoriesEventWebhook
):
pass


class GitHubEnterprisePushEventWebhook(GitHubEnterpriseWebhook, PushEventWebhook):
pass

Expand Down Expand Up @@ -348,6 +355,7 @@ class GitHubEnterpriseWebhookEndpoint(GitHubEnterpriseWebhookBase):
"push": GitHubEnterprisePushEventWebhook,
"pull_request": GitHubEnterprisePullRequestEventWebhook,
"installation": GitHubEnterpriseInstallationEventWebhook,
"installation_repositories": GitHubEnterpriseInstallationRepositoriesEventWebhook,
"issues": GitHubEnterpriseIssuesEventWebhook,
}

Comment on lines 355 to 361
Copy link
Copy Markdown
Contributor

@sentry sentry Bot Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The GitHubEnterpriseWebhookEndpoint uses @cell_silo_endpoint, but middleware routes installation_repositories events to the CONTROL silo, causing a routing conflict and request failure.
Severity: HIGH

Suggested Fix

Change the decorator on GitHubEnterpriseWebhookEndpoint from @cell_silo_endpoint to @all_silo_endpoint. This will allow the endpoint to execute in both CELL and CONTROL silos, resolving the conflict with the middleware's routing logic for control-only events.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/sentry/integrations/github_enterprise/webhook.py#L355-L361

Potential issue: There is a silo routing conflict for the GitHub Enterprise
`installation_repositories` webhook event. The middleware correctly identifies this
event as control-silo-only and routes the request to the CONTROL silo. However, the
`GitHubEnterpriseWebhookEndpoint` is decorated with `@cell_silo_endpoint`, which
enforces that it can only run in the CELL silo. When the request is dispatched in
CONTROL silo mode, the decorator will reject it, resulting in a 404 error or an
`AvailabilityError`. This will cause webhook deliveries for repository updates to fail,
preventing repository data from being synchronized.

Did we get this right? 👍 / 👎 to inform future reviews.

Expand Down
44 changes: 43 additions & 1 deletion tests/sentry/integrations/github/tasks/test_sync_repos.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,12 @@
from sentry.constants import ObjectStatus
from sentry.integrations.github.integration import GitHubIntegrationProvider
from sentry.integrations.github.tasks.sync_repos import sync_repos_for_org
from sentry.integrations.github_enterprise.integration import GitHubEnterpriseIntegrationProvider
from sentry.integrations.models.organization_integration import OrganizationIntegration
from sentry.models.auditlogentry import AuditLogEntry
from sentry.models.repository import Repository
from sentry.silo.base import SiloMode
from sentry.testutils.cases import IntegrationTestCase
from sentry.testutils.cases import IntegrationTestCase, TestCase
from sentry.testutils.silo import assume_test_silo_mode, assume_test_silo_mode_of, control_silo_test


Expand Down Expand Up @@ -218,3 +219,44 @@ def test_rate_limited_raises_for_retry(self, _: MagicMock) -> None:

with self.feature("organizations:github-repo-auto-sync"), pytest.raises(RetryTaskError):
sync_repos_for_org(self.oi.id)


@control_silo_test
class SyncReposForOrgGHETestCase(TestCase):
@patch("sentry.integrations.github.client.GitHubBaseClient.get_repos")
def test_creates_new_repos_for_ghe(self, mock_get_repos: MagicMock) -> None:
GitHubEnterpriseIntegrationProvider().setup()

integration = self.create_integration(
organization=self.organization,
external_id="35.232.149.196:12345",
provider="github_enterprise",
metadata={
"domain_name": "35.232.149.196/testorg",
"installation_id": "12345",
"installation": {
"id": "2",
"private_key": "private_key",
"verify_ssl": True,
},
},
)
oi = OrganizationIntegration.objects.get(
organization_id=self.organization.id, integration=integration
)

mock_get_repos.return_value = [
{"id": 1, "full_name": "testorg/repo1"},
{"id": 2, "full_name": "testorg/repo2"},
]

with self.feature(
["organizations:github-repo-auto-sync", "organizations:github-repo-auto-sync-apply"]
):
sync_repos_for_org(oi.id)

with assume_test_silo_mode(SiloMode.CELL):
repos = Repository.objects.filter(organization_id=self.organization.id).order_by("name")

assert len(repos) == 2
assert repos[0].provider == "integrations:github_enterprise"
63 changes: 63 additions & 0 deletions tests/sentry/integrations/github_enterprise/test_webhooks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@
PULL_REQUEST_OPENED_EVENT_EXAMPLE,
PUSH_EVENT_EXAMPLE_INSTALLATION,
)
from sentry.integrations.github_enterprise.webhook import (
GitHubEnterpriseInstallationRepositoriesEventWebhook,
)
from sentry.integrations.services.integration import integration_service
from sentry.models.commit import Commit
from sentry.models.commitauthor import CommitAuthor
Expand Down Expand Up @@ -253,6 +256,66 @@ def test_missing_signature_fail_without_option_set(self, mock_installation: Magi
assert b"Missing headers X-Hub-Signature-256 or X-Hub-Signature" in response.content


@patch("sentry.integrations.github_enterprise.client.get_jwt")
@patch("sentry.integrations.github_enterprise.webhook.get_installation_metadata")
class InstallationRepositoriesEventWebhookTest(APITestCase):
def setUp(self) -> None:
self.url = "/extensions/github-enterprise/webhook/"
self.metadata = {
"url": "35.232.149.196",
"id": "2",
"name": "test-app",
"webhook_secret": "b3002c3e321d4b7880360d397db2ccfd",
"private_key": "private_key",
"verify_ssl": True,
}

@patch(
"sentry.integrations.github.tasks.sync_repos_on_install_change.sync_repos_on_install_change.apply_async"
)
def test_handler_dispatches_task_with_ghe_provider(
self,
mock_apply_async: MagicMock,
mock_get_installation_metadata: MagicMock,
mock_get_jwt: MagicMock,
) -> None:
"""Verify the GHE handler looks up integrations with the correct provider."""
mock_get_jwt.return_value = ""
mock_get_installation_metadata.return_value = self.metadata

integration = self.create_integration(
external_id="35.232.149.196:12345",
organization=self.project.organization,
provider="github_enterprise",
metadata={
"domain_name": "35.232.149.196/testorg",
"installation_id": "12345",
"installation": {
"id": "2",
"private_key": "private_key",
"verify_ssl": True,
},
},
)

handler = GitHubEnterpriseInstallationRepositoriesEventWebhook()
handler(
event={
"installation": {"id": 12345},
"action": "added",
"repositories_added": [{"id": 1, "full_name": "testorg/repo", "private": False}],
"repositories_removed": [],
"repository_selection": "selected",
"sender": {"id": 1, "login": "testuser"},
},
host="35.232.149.196",
)

mock_apply_async.assert_called_once()
kwargs = mock_apply_async.call_args[1]["kwargs"]
assert kwargs["integration_id"] == integration.id


@patch("sentry.integrations.github_enterprise.client.get_jwt")
@patch("sentry.integrations.github_enterprise.webhook.get_installation_metadata")
class PushEventWebhookTest(APITestCase):
Expand Down
Loading