honor webhook http 422 as unconditional deny #4703

Merged: JAORMX merged 1 commit into stacklok:main from Sanskarzz:denyinwebhook on Apr 12, 2026

@Sanskarzz
Contributor

Summary

This PR fixes webhook HTTP 422 handling to match RFC THV-0017.

Both validating and mutating webhook middleware now treat an HTTP 422 response from a webhook as an unconditional deny, regardless of whether the webhook failure_policy is fail or ignore.

Fixes #4663

Changes

  • Added a shared helper in pkg/webhook/errors.go to detect webhook errors that must always deny.
  • Updated pkg/webhook/validating/middleware.go to deny on webhook HTTP 422 before applying failure policy.
  • Updated pkg/webhook/mutating/middleware.go to deny on webhook HTTP 422 before applying failure policy.
  • Added focused tests covering HTTP 422 behavior for both middleware types under both fail and ignore policies.

Why

Per RFC THV-0017, webhook HTTP 422 is a semantic rejection and should not be treated like a normal operational error. Previously, failure_policy: ignore could allow the request to continue even when the webhook returned 422.

Test plan

  • Unit tests (task test)
  • E2E tests (task test-e2e)
  • Linting (task lint-fix)
  • Manual testing (describe below)

@github-actions github-actions bot added the size/S Small PR: 100-299 lines changed label Apr 9, 2026
@Sanskarzz Sanskarzz requested a review from JAORMX as a code owner April 9, 2026 13:19
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Apr 9, 2026
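
The ordering the PR description relies on (check for HTTP 422 first, consult failure_policy second) can be sketched as follows. This is an added example, not code from this PR or from the project; `StatusError`, `isAlwaysDeny`, `Allow` and `Decisions` are hypothetical names and the sample errors are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// StatusError is a hypothetical error type carrying the webhook's HTTP status.
type StatusError struct{ Code int }

func (e *StatusError) Error() string { return fmt.Sprintf("webhook returned HTTP %d", e.Code) }

// isAlwaysDeny uses errors.As so a 422 is still recognised after wrapping.
func isAlwaysDeny(err error) bool {
	var se *StatusError
	return errors.As(err, &se) && se.Code == http.StatusUnprocessableEntity
}

// Allow checks for 422 before the policy, so "ignore" cannot override a deny.
func Allow(policy string, err error) bool {
	switch {
	case err == nil:
		return true
	case isAlwaysDeny(err):
		return false
	default:
		return policy == "ignore" // operational failure: failure_policy applies
	}
}

// Decisions runs Allow over constructed samples: nil, wrapped 422, 503, transport error.
func Decisions(policy string) []bool {
	samples := []error{
		nil,
		fmt.Errorf("calling webhook: %w", &StatusError{Code: 422}),
		&StatusError{Code: 503},
		errors.New("dial tcp: connection refused"),
	}
	out := make([]bool, len(samples))
	for i, err := range samples {
		out[i] = Allow(policy, err)
	}
	return out
}

func main() {
	fmt.Println(Decisions("fail"), Decisions("ignore"))
}
```

Under `ignore`, the 503 and the transport error are let through while the wrapped 422 is still denied; a helper that compared error values directly instead of using `errors.As` would miss the wrapped case.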
@codecov

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.82%. Comparing base (c9a5402) to head (07f2f4c).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4703      +/-   ##
==========================================
- Coverage   68.84%   68.82%   -0.02%     
==========================================
  Files         516      516              
  Lines       54314    54326      +12     
==========================================
  Hits        37391    37391              
- Misses      14063    14071       +8     
- Partials     2860     2864       +4     


Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Apr 11, 2026
@JAORMX JAORMX merged commit 275c56b into stacklok:main Apr 12, 2026
75 of 77 checks passed
Development

Successfully merging this pull request may close these issues.

Handle HTTP 422 as unconditional deny in webhook middleware