
honor webhook http 422 as unconditional deny #4703

Open
Sanskarzz wants to merge 1 commit into stacklok:main from Sanskarzz:denyinwebhook


@Sanskarzz
Contributor

Summary

This PR fixes webhook HTTP 422 handling to match RFC THV-0017.

Both validating and mutating webhook middleware now treat an HTTP 422 response from a webhook as an unconditional deny, regardless of whether the webhook failure_policy is fail or ignore.

Fixes #4663

Changes

  • Added a shared helper in pkg/webhook/errors.go to detect webhook errors that must always deny.
  • Updated pkg/webhook/validating/middleware.go to deny on webhook HTTP 422 before applying failure policy.
  • Updated pkg/webhook/mutating/middleware.go to deny on webhook HTTP 422 before applying failure policy.
  • Added focused tests covering HTTP 422 behavior for both middleware types under both fail and ignore policies.

Why

Per RFC THV-0017, webhook HTTP 422 is a semantic rejection and should not be treated like a normal operational error. Previously, failure_policy: ignore could allow the request to continue even when the webhook returned 422.

Test plan

  • Unit tests (task test)
  • E2E tests (task test-e2e)
  • Linting (task lint-fix)
  • Manual testing (describe below)

Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
@github-actions github-actions bot added the size/S Small PR: 100-299 lines changed label Apr 9, 2026
@Sanskarzz Sanskarzz requested a review from JAORMX as a code owner April 9, 2026 13:19
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Apr 9, 2026
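
The ordering described in this PR, as an added Go example that is not the PR's own code: the 422 check runs before the failure policy is consulted, so `ignore` cannot let a semantic rejection through. `StatusError`, `IsAlwaysDeny` and `AllowAfterError` are hypothetical names, and the sample errors are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// StatusError is a hypothetical error type carrying the HTTP status a webhook returned.
type StatusError struct{ Code int }

func (e *StatusError) Error() string { return fmt.Sprintf("webhook returned HTTP %d", e.Code) }

// Failure policy values as named in the PR description.
const (
	PolicyFail   = "fail"
	PolicyIgnore = "ignore"
)

// IsAlwaysDeny reports whether err is a webhook HTTP 422, even when wrapped.
func IsAlwaysDeny(err error) bool {
	var se *StatusError
	return errors.As(err, &se) && se.Code == http.StatusUnprocessableEntity
}

// AllowAfterError decides whether a request continues after a webhook call
// failed with a non-nil err. The 422 check runs before the policy is consulted.
func AllowAfterError(err error, policy string) bool {
	if IsAlwaysDeny(err) {
		return false // semantic rejection: deny under every policy
	}
	// Operational error: only an explicit "ignore" lets the request continue,
	// so an unknown policy value fails closed.
	return policy == PolicyIgnore
}

func main() {
	// Constructed sample errors, not taken from the project.
	cases := []error{
		&StatusError{Code: 422},
		fmt.Errorf("call webhook: %w", &StatusError{Code: 422}),
		&StatusError{Code: 500},
		errors.New("dial tcp: connection refused"),
	}
	for _, err := range cases {
		for _, p := range []string{PolicyFail, PolicyIgnore} {
			fmt.Printf("%-45v policy=%-6s allow=%v\n", err, p, AllowAfterError(err, p))
		}
	}
}
```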
@codecov

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.74%. Comparing base (ccad93a) to head (34e81b4).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4703      +/-   ##
==========================================
+ Coverage   68.72%   68.74%   +0.02%     
==========================================
  Files         515      515              
  Lines       53590    53602      +12     
==========================================
+ Hits        36829    36850      +21     
+ Misses      13919    13912       -7     
+ Partials     2842     2840       -2     



Development

Successfully merging this pull request may close these issues.

Handle HTTP 422 as unconditional deny in webhook middleware