Open jyasskin opened 2 years ago
Indeed, importing a repository will add a new webhook without checking if there's one already so adding that check can be useful even if we expect a repository to be imported once only. Do you have a use case where you had to import a repository again?
We also found that the signature error happened a few times even with a single import/webhook but it's not clear yet why the webhook secret no longer pass verification.
The hooks also break when a repository is moved between orgs, for example when it's adopted by a CG or WG, and the receiving chairs have learned to re-import the repositories in those cases.
From observing a couple of these, but not debugging the source code, the root cause of the issue in #213 seems to be that when ash-nazg imports a repository it adds a webhook but doesn't delete old copies, so the hooks run multiple times, and the old copies fail with "GitHub signature does not match known secret". Can it either delete the old ones or update them?