w3c / ash-nazg

One interface to find all group contributors and in IPR bind them
https://labs.w3.org/repo-manager/
MIT License

Delete old webhooks when re-importing a repository #247

Open jyasskin opened 2 years ago

jyasskin commented 2 years ago

From observing a couple of these, but not debugging the source code, the root cause of the issue in #213 seems to be that when ash-nazg imports a repository it adds a webhook but doesn't delete old copies, so the hooks run multiple times, and the old copies fail with "GitHub signature does not match known secret". Can it either delete the old ones or update them?

deniak commented 2 years ago

Indeed, importing a repository will add a new webhook without checking if there's one already, so adding that check can be useful even if we expect a repository to be imported once only. Do you have a use case where you had to import a repository again?

We also found that the signature error happened a few times even with a single import/webhook, but it's not clear yet why the webhook secret no longer passes verification.

jyasskin commented 2 years ago

The hooks also break when a repository is moved between orgs, for example when it's adopted by a CG or WG, and the receiving chairs have learned to re-import the repositories in those cases.
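
The failure mode discussed in this thread, as an added example that is not part of the issue or of ash-nazg's code: two hooks on one repository sign the same event with different secrets, the receiver verifies against the single secret it has on record, and a cleanup plan decides which existing hooks to update or delete before re-registering. All function names, the endpoint URL, hook ids and secrets are constructed; the hook objects use the `id` and `config.url` fields from GitHub's "list repository webhooks" response.

```javascript
const crypto = require("crypto");

// Value GitHub puts in X-Hub-Signature-256: HMAC-SHA256 of the raw body.
function sign(secret, rawBody) {
  return "sha256=" + crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Receiver side: constant-time comparison against the one secret on record.
function verifyDelivery(knownSecret, rawBody, signatureHeader) {
  const expected = Buffer.from(sign(knownSecret, rawBody));
  const received = Buffer.from(String(signatureHeader || ""));
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Before registering a hook on (re-)import: pick one existing hook that
// targets our endpoint to update with the new secret, and delete the rest.
function planHookCleanup(existingHooks, endpointUrl) {
  const ours = existingHooks.filter((h) => h.config && h.config.url === endpointUrl);
  return {
    updateId: ours.length ? ours[0].id : null, // null means: create a new hook
    deleteIds: ours.slice(1).map((h) => h.id),
  };
}

// Constructed scenario: the repository was imported twice, the receiver kept
// only the second secret, and both hooks still fire for every event.
// The `secret` field exists here only to drive the simulation; the real
// list response does not return secrets in the clear.
const ENDPOINT = "https://receiver.example/hook"; // placeholder URL
const hooks = [
  { id: 101, secret: "secret-from-first-import", config: { url: ENDPOINT } },
  { id: 102, secret: "secret-from-second-import", config: { url: ENDPOINT } },
  { id: 103, secret: "unrelated", config: { url: "https://ci.example/notify" } },
];
const knownSecret = "secret-from-second-import";
const body = JSON.stringify({ action: "opened", number: 1 });

// One delivery per hook that targets our endpoint, each checked by the receiver.
function simulateDeliveries() {
  return hooks
    .filter((h) => h.config.url === ENDPOINT)
    .map((h) => ({ id: h.id, ok: verifyDelivery(knownSecret, body, sign(h.secret, body)) }));
}

console.log(simulateDeliveries());
console.log(planHookCleanup(hooks, ENDPOINT));
```

Because the list response cannot tell the receiver which existing hook carries which secret, the plan rewrites the secret on the hook it keeps instead of trying to identify a "good" one.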