fix(triggers): clean up GitLab and PagerDuty webhooks on failed setup

Extend the orphan-prevention fix to the remaining providers. When a create
call succeeds but post-create validation fails, the created webhook is now
deleted before throwing:
- GitLab: if the create response can't be parsed for its hook id, the hook is
  located by its URL and deleted.
- PagerDuty: if the subscription response lacks an id or signing secret, the
  subscription is deleted (by id when known, otherwise located by URL).

Both cleanups are best-effort and never throw.

Author: waleedlatif1

apps/sim/lib/webhooks/providers/gitlab.ts

@@ -26,6 +26,35 @@ function gitlabProjectHooksUrl(projectId: string): string {
   return `${GITLAB_API_BASE}/projects/${encodeURIComponent(projectId)}/hooks`
 }
 
+/**
+ * Best-effort cleanup that deletes any project hook pointing at `url`. Used to
+ * avoid orphaning a hook when the create response can't be parsed for its id.
+ */
+async function cleanupGitLabHookByUrl(
+  projectId: string,
+  accessToken: string,
+  url: string
+): Promise<void> {
+  const res = await fetch(gitlabProjectHooksUrl(projectId), {
+    headers: { 'PRIVATE-TOKEN': accessToken },
+  }).catch(() => null)
+  if (!res || !res.ok) return
+
+  const hooks = (await res.json().catch(() => null)) as Array<{ id?: number; url?: string }> | null
+  if (!Array.isArray(hooks)) return
+
+  await Promise.all(
+    hooks
+      .filter((hook) => hook.url === url && hook.id != null)
+      .map((hook) =>
+        fetch(`${gitlabProjectHooksUrl(projectId)}/${hook.id}`, {
+          method: 'DELETE',
+          headers: { 'PRIVATE-TOKEN': accessToken },
+        }).catch(() => null)
+      )
+  )
+}
+
 export const gitlabHandler: WebhookProviderHandler = {
   /**
    * GitLab echoes the configured "Secret token" verbatim in the `X-Gitlab-Token`
@@ -119,6 +148,9 @@ export const gitlabHandler: WebhookProviderHandler = {
 
     const created = (await res.json().catch(() => ({}))) as { id?: number | string }
     if (created.id === undefined || created.id === null) {
+      // The hook was created but we can't read its id — delete it by URL so it
+      // is not orphaned in GitLab.
+      await cleanupGitLabHookByUrl(projectId, accessToken, getNotificationUrl(ctx.webhook))
       throw new Error('GitLab webhook created but no hook ID was returned.')
     }
 

apps/sim/lib/webhooks/providers/pagerduty.ts

@@ -46,6 +46,34 @@ function asRecord(value: unknown): Record<string, unknown> {
   return (value as Record<string, unknown>) || {}
 }
 
+/**
+ * Best-effort cleanup of a webhook subscription after a failed setup. Deletes by
+ * id when known, otherwise finds the subscription pointing at `url` and deletes
+ * it, so a created subscription is never orphaned in PagerDuty.
+ */
+async function cleanupPagerDutySubscription(
+  apiKey: string,
+  url: string,
+  subscriptionId?: string
+): Promise<void> {
+  let id = subscriptionId
+  if (!id) {
+    const listRes = await fetch(`${PAGERDUTY_API_BASE}/webhook_subscriptions`, {
+      headers: pagerdutyHeaders(apiKey),
+    }).catch(() => null)
+    if (!listRes || !listRes.ok) return
+    const body = (await listRes.json().catch(() => null)) as {
+      webhook_subscriptions?: Array<{ id?: string; delivery_method?: { url?: string } }>
+    } | null
+    id = body?.webhook_subscriptions?.find((sub) => sub.delivery_method?.url === url)?.id
+  }
+  if (!id) return
+  await fetch(`${PAGERDUTY_API_BASE}/webhook_subscriptions/${id}`, {
+    method: 'DELETE',
+    headers: pagerdutyHeaders(apiKey),
+  }).catch(() => null)
+}
+
 function referenceSummary(
   value: unknown
 ): { id?: unknown; summary?: unknown; html_url?: unknown } | null {
@@ -154,9 +182,13 @@ export const pagerdutyHandler: WebhookProviderHandler = {
     const externalId = subscription.id as string | undefined
     const secret = asRecord(subscription.delivery_method).secret as string | undefined
 
-    if (!externalId)
-      throw new Error('PagerDuty webhook created but no subscription ID was returned.')
-    if (!secret) {
+    // The subscription exists once PagerDuty returns success; if it is missing
+    // its id or signing secret, delete it so it is not orphaned, then fail.
+    if (!externalId || !secret) {
+      await cleanupPagerDutySubscription(apiKey, getNotificationUrl(ctx.webhook), externalId)
+      if (!externalId) {
+        throw new Error('PagerDuty webhook created but no subscription ID was returned.')
+      }
       throw new Error('PagerDuty webhook created but no signing secret was returned on creation.')
     }