Add GitLab webhook support #56
Conversation
Implement full GitLab webhook processing pipeline: - Add database migrations for gitlab and gitlab_user tables - Create gitlabwebhookhandler with plain text token validation - Create gitlabstorage with nullable field handling for varying payloads - Add gitlabconsumer service for Kafka message processing - Update webhookserver with /v1/webhook/gitlab endpoint - Add Dockerfile and docker-compose service for gitlab-consumer - Add GitHub Actions workflows for gitlab-consumer (build + staging) - Add rake task for running gitlab consumer locally - Update pre-commit config to use TekWizely/pre-commit-golang Supports all GitLab webhook event types including premium/ultimate events (user_add_to_group, project_create, subgroup_create) with fallback handling for object_kind vs event_name and nested vs flat user/project fields. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Codecov Report❌ Patch coverage is
... and 4 files with indirect coverage changes 🚀 New features to boost your workflow:
|
- Add TestMessageQueue_Full for handler queue full scenario - Add TestStore_Success_SkipsZeroProjectID for zero project_id - Add TestStore_Success_SkipsZeroUserID for zero user_id Coverage improved: - gitlabwebhookhandler: 97.7% → 98.9% - gitlabstorage: 97.6% → 98.8% 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
There was a problem hiding this comment.
Pull request overview
This PR adds comprehensive GitLab webhook support to the cauldron system, implementing a complete processing pipeline parallel to the existing GitHub functionality. The implementation includes webhook handling, Kafka-based message queuing, persistent storage, and consumer processing for all GitLab event types including premium/ultimate tier events.
- Adds GitLab webhook HTTP handler with token-based authentication
- Implements database schema migrations for gitlab and gitlab_user tables with optimized partial indexes
- Creates complete GitLab consumer with storage layer for processing webhook events
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| migrations/000007_gitlab.up.sql | Creates gitlab table with partial indexes for nullable fields and GIN index for payload JSONB |
| migrations/000007_gitlab.down.sql | Rollback script for gitlab table |
| migrations/000008_gitlab_user.up.sql | Creates gitlab_user table with foreign key to app_user and indexes |
| migrations/000008_gitlab_user.down.sql | Rollback script for gitlab_user table |
| internal/transport/http/gitlabwebhookhandler/gitlabwebhookhandler.go | HTTP handler for GitLab webhooks with token validation and Kafka message queuing |
| internal/transport/http/gitlabwebhookhandler/gitlabwebhookhandler_test.go | Comprehensive test suite (21 tests) for GitLab webhook handler |
| internal/storage/gitlabstorage/gitlabstorage.go | Storage layer for persisting GitLab webhook data to PostgreSQL |
| internal/storage/gitlabstorage/gitlabstorage_test.go | Test suite (17 tests) for GitLab storage with mocked database |
| cmd/gitlabconsumer/main.go | Kafka consumer application for processing GitLab webhook messages |
| cmd/webhookserver/main.go | Updated to include GitLab webhook endpoint and worker pool |
| docker-compose.infra.yml | Adds gitlab-consumer service configuration |
| Dockerfile.gitlab-consumer | Multi-stage Docker build for GitLab consumer |
| .pre-commit-config.yaml | Updates to TekWizely/pre-commit-golang for better Go tooling |
| README.md | Updates badges and adds supported Git providers section |
| scripts/local/rake/run.rake | Adds rake task for running GitLab consumer locally |
| .github/workflows/*.yml | New and updated workflows for building and deploying GitLab consumer |
Comments suppressed due to low confidence (1)
internal/transport/http/gitlabwebhookhandler/gitlabwebhookhandler_test.go:503
- This test has a race condition. The message is read from the channel twice: once inside the goroutine (line 497) and once at the assertion (line 503). This will cause the test to hang or fail intermittently as the second read will block indefinitely. Remove either the goroutine or the final assertion.
// Wait a bit for goroutine to execute default case (queue full)
time.Sleep(50 * time.Millisecond)
assert.Equal(t, fasthttp.StatusAccepted, ctx.Response.StatusCode())
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - "8000:8000" | ||
| environment: | ||
| GITHUB_HMAC_SECRET: "${GITHUB_HMAC_SECRET}" | ||
| GITLAB_HMAC_SECRET: "${GITLAB_HMAC_SECRET}" |
There was a problem hiding this comment.
The environment variable name is inconsistent with the actual secret mechanism used. GitLab uses a plain token authentication (X-Gitlab-Token header), not HMAC-based authentication. This variable should be named GITLAB_WEBHOOK_SECRET or GITLAB_TOKEN instead of GITLAB_HMAC_SECRET to accurately reflect the authentication mechanism.
| GITLAB_HMAC_SECRET: "${GITLAB_HMAC_SECRET}" | |
| GITLAB_WEBHOOK_SECRET: "${GITLAB_WEBHOOK_SECRET}" |
|
|
||
| var wg sync.WaitGroup | ||
|
|
||
| // GitHub message workers |
There was a problem hiding this comment.
The comment is misleading as these workers were already processing GitHub messages. This comment suggests a change in behavior when it's actually just clarification. Consider rewording to "// Process GitHub webhook messages" to be clearer about the existing behavior.
| // GitHub message workers | |
| // Process GitHub webhook messages |
| }() | ||
| } | ||
|
|
||
| // GitLab message workers |
There was a problem hiding this comment.
The comment is misleading as these are new workers added in this PR. Consider rewording to "// Process GitLab webhook messages" to match the style of the GitHub workers comment and be more descriptive about what messages are being processed.
| // GitLab message workers | |
| // Process GitLab webhook messages |
| go func() { | ||
| select { | ||
| case h.MessageQueue <- message: | ||
| h.Logger.Info( | ||
| "kafka message queued for processing", | ||
| "key", string(gitlabEventUUID), | ||
| "topic", h.Topic, | ||
| ) | ||
| case <-ctx.Done(): | ||
| h.Logger.Info("received context Done") | ||
| default: | ||
| h.Logger.Error( | ||
| "kafka message queue full, dropping message", | ||
| "key", string(gitlabEventUUID), | ||
| "topic", h.Topic, | ||
| ) | ||
| } | ||
| }() |
There was a problem hiding this comment.
The goroutine for message queue handling has a potential issue. The select statement's default case will immediately drop messages if the queue is full, which may lead to silent data loss. Consider either blocking until the message can be sent, or returning an error status to the webhook caller when the queue is full so they can retry. The current implementation responds with StatusAccepted even if the message is dropped.
| go func() { | |
| select { | |
| case h.MessageQueue <- message: | |
| h.Logger.Info( | |
| "kafka message queued for processing", | |
| "key", string(gitlabEventUUID), | |
| "topic", h.Topic, | |
| ) | |
| case <-ctx.Done(): | |
| h.Logger.Info("received context Done") | |
| default: | |
| h.Logger.Error( | |
| "kafka message queue full, dropping message", | |
| "key", string(gitlabEventUUID), | |
| "topic", h.Topic, | |
| ) | |
| } | |
| }() | |
| select { | |
| case h.MessageQueue <- message: | |
| h.Logger.Info( | |
| "kafka message queued for processing", | |
| "key", string(gitlabEventUUID), | |
| "topic", h.Topic, | |
| ) | |
| case <-ctx.Done(): | |
| h.Logger.Info( | |
| "received context Done before queuing kafka message", | |
| "key", string(gitlabEventUUID), | |
| "topic", h.Topic, | |
| ) | |
| ctx.SetStatusCode(fasthttp.StatusServiceUnavailable) | |
| return | |
| } |
| {Key: []byte("project-id"), Value: []byte(``)}, // empty, should skip | ||
| }, | ||
| } |
There was a problem hiding this comment.
This test has duplicate headers with the same key "project-id" but different values (empty string and "0"). The test intent is unclear - in real Kafka messages, the last header value would typically take precedence. Consider separating these into distinct test cases or clarifying the expected behavior when both conditions should be tested.
cmd/gitlabconsumer/main.go
Outdated
| } | ||
| } | ||
|
|
||
| // Run runs kafa gitlab consumer. |
There was a problem hiding this comment.
Typo in comment: "kafa" should be "kafka".
| // Run runs kafa gitlab consumer. | |
| // Run runs kafka gitlab consumer. |
| serverIdleTimeout := getenv.Duration("SERVER_IDLE_TIMEOUT", webhookserver.ServerDefaultIdleTimeout) | ||
|
|
||
| githubHMACSecret := getenv.String("GITHUB_HMAC_SECRET", "") | ||
| gitlabHMACSecret := getenv.String("GITLAB_HMAC_SECRET", "") |
There was a problem hiding this comment.
The environment variable name is inconsistent with the actual secret mechanism used. GitLab uses a plain token authentication (X-Gitlab-Token header), not HMAC-based authentication. This variable should be named GITLAB_WEBHOOK_SECRET or GITLAB_TOKEN instead of GITLAB_HMAC_SECRET to accurately reflect the authentication mechanism.
| gitlabHMACSecret := getenv.String("GITLAB_HMAC_SECRET", "") | |
| gitlabWebhookSecret := getenv.String("GITLAB_WEBHOOK_SECRET", "") | |
| gitlabHMACSecret := getenv.String("GITLAB_HMAC_SECRET", *gitlabWebhookSecret) |
| FROM alpine:latest AS certs | ||
| RUN apk add --update --no-cache ca-certificates | ||
|
|
||
| FROM busybox:latest |
There was a problem hiding this comment.
This Dockerfile uses unpinned base images alpine:latest and busybox:latest, which are mutable tags and introduce a supply-chain risk if the upstream images are compromised. Because the GitLab consumer container will be built and run with access to Kafka and database credentials, a malicious update to those tags could silently run attacker-controlled code inside your deployment. Pin these images to immutable digests or at least specific version tags to ensure you only run trusted image content.
Main entry point files don't have unit tests as they're integration points. Ignore them from patch coverage calculation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
Summary
Test plan
🤖 Generated with Claude Code