feat(triggers): add GitLab, PagerDuty, and Zendesk webhook triggers by waleedlatif1 · Pull Request #5150 · simstudioai/sim

waleedlatif1 · 2026-06-20T06:02:46Z

Summary

Add webhook triggers for GitLab, PagerDuty, and Zendesk — three integrations that had blocks but no trigger support.
GitLab: push, merge request, issue, pipeline, comment, and all-events. Verifies the X-Gitlab-Token secret token; filters by object_kind.
PagerDuty: incident triggered / acknowledged / resolved / escalated / reassigned, and all-events. Verifies X-PagerDuty-Signature (HMAC-SHA256 over the raw body, handles comma-separated rotation signatures); dedups on event id.
Zendesk: ticket created / status changed / comment added / priority changed, and all-events. Verifies X-Zendesk-Webhook-Signature (base64 HMAC-SHA256 over timestamp + body); dedups on event id.
Register GitLab's X-Gitlab-Event-UUID delivery header for webhook idempotency.

All three use the manual-registration model (user creates the webhook in the provider UI, pastes the signing secret) consistent with the existing GitHub trigger — no fragile auto-create API calls. Every signature scheme, event string, and payload field was verified against the providers' live docs.

Type of Change

New feature

Testing

Tested manually: bun run type-check passes; idempotency + provider handler tests pass. Output schema ↔ formatInput alignment verified for all triggers. First real delivery from each provider is the standard post-merge smoke test.

Checklist

Code follows project style guidelines
Self-reviewed my changes
Tests added/updated and passing
No new warnings introduced
I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Add webhook trigger support for three integrations that previously had blocks but no triggers: - GitLab: push, merge request, issue, pipeline, comment, and all-events. Verifies the X-Gitlab-Token secret token; filters by object_kind. - PagerDuty: incident triggered/acknowledged/resolved/escalated/reassigned and all-events. Verifies X-PagerDuty-Signature (HMAC-SHA256 over raw body, comma-separated rotation); idempotency on event id. - Zendesk: ticket created/status changed/comment added/priority changed and all-events. Verifies X-Zendesk-Webhook-Signature (base64 HMAC-SHA256 over timestamp+body); idempotency on event id. Register GitLab's X-Gitlab-Event-UUID delivery header for webhook idempotency dedup.

vercel · 2026-06-20T06:02:52Z

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 20, 2026 9:46pm

cursor · 2026-06-20T06:02:56Z

PR Summary

Medium Risk
Touches webhook ingress (auth, replay protection, subscription lifecycle) and external API calls on deploy; mistakes could drop events, accept bad payloads, or leave orphaned hooks in third-party accounts.

Overview
Adds webhook-based workflow triggers for GitLab, PagerDuty, and Zendesk—integrations that already had action blocks but could not start workflows from inbound events.

GitLab, PagerDuty, and Zendesk blocks now set triggerAllowed: true, merge trigger sub-blocks via getTrigger, and declare triggers.enabled with their event-specific trigger IDs.

Trigger definitions are registered for GitLab (push, MR, issue, pipeline, comment, catch-all), PagerDuty (incident lifecycle + catch-all), and Zendesk (ticket created/status/comment/priority + catch-all), each with shared utils for event mapping, UI fields, and workflow outputs.

New webhook provider handlers implement provider-specific auth (GitLab X-Gitlab-Token, PagerDuty HMAC v1=, Zendesk timestamp + HMAC), matchEvent filtering, normalized formatInput, and auto create/delete subscriptions on deploy/undeploy (project hooks, PagerDuty webhook subscriptions, Zendesk webhooks + signing secret fetch), with cleanup when setup fails. createHmacVerifier gains requireSecret so auto-registered webhooks fail closed without a secret.

Registry wires gitlab, pagerduty, and zendesk handlers; idempotency recognizes GitLab’s x-gitlab-event-uuid header (PagerDuty/Zendesk use body event ids via extractIdempotencyId).

^{Reviewed by Cursor Bugbot for commit 04ab0b0. Configure here.}

waleedlatif1 · 2026-06-20T06:08:35Z

@greptile review

waleedlatif1 · 2026-06-20T06:08:36Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit fd4de8d. Configure here.}

greptile-apps · 2026-06-20T06:19:30Z

Greptile Summary

Adds webhook trigger support for GitLab, PagerDuty, and Zendesk — three providers that already had action blocks but no inbound trigger capability. Each provider gets a full set of event-specific triggers plus a catch-all webhook trigger, auto-registration of the webhook on deploy/teardown on undeploy, and correct signature verification.

GitLab: plain token comparison via X-Gitlab-Token, auto-registers project hooks using a PAT + project ID, routes events by object_kind, and registers X-Gitlab-Event-UUID for idempotency dedup.
PagerDuty: HMAC-SHA256 verification supporting comma-separated rotation signatures in X-PagerDuty-Signature, creates account-level webhook subscriptions, deduplicates on event.id.
Zendesk: base64 HMAC-SHA256 over timestamp + body, includes a timestamp-freshness guard (5 min window) added after the previous review, deduplicates on body.id, fetches the signing secret from the API after creating the webhook.

Confidence Score: 5/5

Safe to merge — all three new webhook integrations use correct, provider-documented signature schemes, timestamp guards where required, and consistent auto-registration/cleanup patterns.

The auth paths are correct for each provider (plain-token compare for GitLab, HMAC with rotation for PagerDuty, timestamped HMAC for Zendesk), idempotency headers and IDs are wired properly, and the deploy/undeploy subscription lifecycle handles failure cases with orphan-cleanup logic. Previously flagged items from earlier review rounds have been addressed. The remaining open items are cosmetic duplication and a trivial missing guard that do not affect runtime correctness.

No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/providers/gitlab.ts	New provider handler: plain-token auth (correct for GitLab), auto-registers project hooks, cleanup by URL when ID can't be parsed. `asRecord` helper is duplicated from the other two new providers.
apps/sim/lib/webhooks/providers/pagerduty.ts	New provider handler: HMAC-SHA256 with comma-separated rotation-signature support, creates account-level subscriptions, best-effort cleanup on partial failures. `asRecord` duplicated from other providers.
apps/sim/lib/webhooks/providers/zendesk.ts	New provider handler: base64 HMAC-SHA256 over timestamp+body with freshness check, fetches signing secret post-creation. `validateZendeskSignature` still omits the `!body` guard (previously flagged).
apps/sim/triggers/gitlab/utils.ts	Trigger utilities for GitLab: `object_kind` routing, event-flag mapping, output schemas, setup instructions. Previously flagged unused-parameter issue is now fixed.
apps/sim/triggers/pagerduty/utils.ts	Trigger utilities for PagerDuty: event-type routing, subscription event list, shared incident output schema, setup instructions. Clean implementation.
apps/sim/triggers/zendesk/utils.ts	Trigger utilities for Zendesk: `zen:event-type:*` routing, subscription list helper, shared ticket output schema, setup instructions. Clean implementation.
apps/sim/lib/webhooks/providers/utils.ts	Adds `requireSecret` option to `createHmacVerifier` so providers with auto-registered secrets fail closed (401) instead of skipping verification when the secret is missing.
apps/sim/lib/core/idempotency/service.ts	One-line addition: registers `X-Gitlab-Event-UUID` as a recognized delivery-ID header for webhook idempotency deduplication.
apps/sim/triggers/registry.ts	Registers all 17 new triggers (6 GitLab, 6 PagerDuty, 5 Zendesk) in the central trigger registry. Straightforward additive change.
apps/sim/lib/webhooks/providers/registry.ts	Registers the three new provider handlers (gitlab, pagerduty, zendesk) in the webhook provider registry. Straightforward additive change.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Provider as GitLab / PagerDuty / Zendesk
    participant Sim as Sim Webhook Handler
    participant Auth as verifyAuth
    participant Match as matchEvent
    participant Idem as IdempotencyService
    participant WF as Workflow Engine

    Note over Provider,Sim: Inbound webhook delivery
    Provider->>Sim: "POST /webhook/{id} + signature headers"
    Sim->>Auth: verifyAuth(request, rawBody, providerConfig)
    alt GitLab
        Auth-->>Sim: safeCompare(X-Gitlab-Token, secret)
    else PagerDuty
        Auth-->>Sim: "HMAC-SHA256 over rawBody, any v1= part matches"
    else Zendesk
        Auth-->>Sim: timestamp freshness check + HMAC-SHA256 over timestamp+body
    end
    Sim->>Idem: deduplicate(X-Gitlab-Event-UUID / event.id / body.id)
    Idem-->>Sim: "new | duplicate"
    Sim->>Match: matchEvent(body, triggerId)
    Match-->>Sim: "true (event type matches) | false (skip)"
    Sim->>WF: formatInput → execute workflow

    Note over Provider,Sim: On deploy / undeploy
    Sim->>Provider: createSubscription (PAT / API key)
    Provider-->>Sim: externalId + signingSecret
    Sim->>Provider: deleteSubscription(externalId) on undeploy

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Provider as GitLab / PagerDuty / Zendesk
    participant Sim as Sim Webhook Handler
    participant Auth as verifyAuth
    participant Match as matchEvent
    participant Idem as IdempotencyService
    participant WF as Workflow Engine

    Note over Provider,Sim: Inbound webhook delivery
    Provider->>Sim: "POST /webhook/{id} + signature headers"
    Sim->>Auth: verifyAuth(request, rawBody, providerConfig)
    alt GitLab
        Auth-->>Sim: safeCompare(X-Gitlab-Token, secret)
    else PagerDuty
        Auth-->>Sim: "HMAC-SHA256 over rawBody, any v1= part matches"
    else Zendesk
        Auth-->>Sim: timestamp freshness check + HMAC-SHA256 over timestamp+body
    end
    Sim->>Idem: deduplicate(X-Gitlab-Event-UUID / event.id / body.id)
    Idem-->>Sim: "new | duplicate"
    Sim->>Match: matchEvent(body, triggerId)
    Match-->>Sim: "true (event type matches) | false (skip)"
    Sim->>WF: formatInput → execute workflow

    Note over Provider,Sim: On deploy / undeploy
    Sim->>Provider: createSubscription (PAT / API key)
    Provider-->>Sim: externalId + signingSecret
    Sim->>Provider: deleteSubscription(externalId) on undeploy

_{Reviews (9): Last reviewed commit: "docs(triggers): note GitLab tag_push onl..." | Re-trigger Greptile}

waleedlatif1 · 2026-06-20T06:20:27Z

@greptile review

greptile-apps · 2026-06-20T06:20:45Z

Greptile Summary

Adds webhook trigger support for GitLab, PagerDuty, and Zendesk — three integrations that previously had blocks but no inbound trigger capability. Each follows the existing manual-registration pattern (user pastes the signing secret, no fragile auto-create calls).

GitLab: six triggers (push, merge request, issue, pipeline, comment, all-events) verified via plain X-Gitlab-Token comparison; X-Gitlab-Event-UUID registered for idempotency dedup.
PagerDuty: six triggers (five specific incident states + all-events) using HMAC-SHA256 over the raw body with comma-separated rotation-signature support.
Zendesk: five triggers (four ticket events + all-events) using base64 HMAC-SHA256 over timestamp + rawBody, with idempotency dedup on body.id.

Confidence Score: 4/5

The three new integrations are well-structured and follow the established provider pattern; the only issues are a dead function parameter and a minor inconsistency in the Zendesk body guard.

The signature verification logic for all three providers is correct, the event-matching maps align with documented payload shapes, and idempotency is wired up consistently. The triggerLabel dead parameter in gitlabSetupInstructions has no runtime effect but could mislead future contributors. The Zendesk validator's missing !body check is an inconsistency with the PagerDuty counterpart; it cannot bypass authentication (a wrong body still produces a mismatched HMAC) but it diverges from the pattern set everywhere else. Neither finding breaks functionality today.

apps/sim/triggers/gitlab/utils.ts (unused triggerLabel parameter) and apps/sim/lib/webhooks/providers/zendesk.ts (missing body guard in validateZendeskSignature).

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/providers/gitlab.ts	New GitLab webhook provider: verifies X-Gitlab-Token via safeCompare, routes by object_kind; duplicates the asRecord helper that could live in shared utils.
apps/sim/lib/webhooks/providers/pagerduty.ts	New PagerDuty V3 provider: HMAC-SHA256 verification with rotation support (comma-separated v1= signatures), correct body guard, clean extraction of event_type and incident fields.
apps/sim/lib/webhooks/providers/zendesk.ts	New Zendesk provider: base64 HMAC-SHA256 over timestamp+body; missing empty-body guard in validateZendeskSignature unlike the PagerDuty counterpart.
apps/sim/triggers/gitlab/utils.ts	Shared GitLab trigger utilities: gitlabSetupInstructions has an unused first parameter (triggerLabel) that is never interpolated; only checkboxLabel is used.
apps/sim/triggers/pagerduty/utils.ts	Shared PagerDuty trigger utilities: correct V3 event_type strings, clean output schema matching formatInput in the provider.
apps/sim/triggers/zendesk/utils.ts	Shared Zendesk trigger utilities: zen:event-type strings align with provider matchEvent, output schema consistent with formatInput.
apps/sim/lib/core/idempotency/service.ts	Adds x-gitlab-event-uuid to the delivery-header idempotency chain; minimal, correct one-liner change.
apps/sim/triggers/registry.ts	Registers all 17 new triggers (6 GitLab, 6 PagerDuty, 5 Zendesk) into the global TRIGGER_REGISTRY; no conflicts or missing entries.
apps/sim/lib/webhooks/providers/registry.ts	Registers three new webhook provider handlers (gitlab, pagerduty, zendesk) in alphabetical order; consistent with existing pattern.
apps/sim/blocks/blocks/gitlab.ts	Enables trigger support for the GitLab block: sets triggerAllowed: true, spreads all six trigger subBlocks, and declares the triggers config.
apps/sim/blocks/blocks/pagerduty.ts	Enables trigger support for the PagerDuty block; adds triggerAllowed, spreads five incident trigger subBlocks plus webhook, declares triggers config.
apps/sim/blocks/blocks/zendesk.ts	Enables trigger support for the Zendesk block; adds four ticket-event trigger subBlocks and the catch-all webhook trigger.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant P as Provider<br/>(GitLab/PagerDuty/Zendesk)
    participant W as Webhook Route
    participant R as Provider Registry
    participant H as Provider Handler
    participant I as Idempotency Service
    participant Q as Execution Queue

    P->>W: "POST /webhook/{id}"
    W->>R: getHandler(provider)
    R-->>W: gitlabHandler / pagerdutyHandler / zendeskHandler
    W->>H: verifyAuth(secret, headers, rawBody)
    alt Signature valid
        H-->>W: null (pass)
    else Invalid
        H-->>W: 401 Unauthorized
    end
    W->>H: matchEvent(triggerId, body)
    alt Event matches trigger
        H-->>W: true
    else No match
        H-->>W: false (skip)
    end
    W->>I: checkIdempotency(x-gitlab-event-uuid / event.id / body.id)
    alt Not a duplicate
        I-->>W: proceed
        W->>H: formatInput(body, headers)
        H-->>W: "{ input: { ... } }"
        W->>Q: enqueue execution
    else Duplicate
        I-->>W: skip (already processed)
    end

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant P as Provider<br/>(GitLab/PagerDuty/Zendesk)
    participant W as Webhook Route
    participant R as Provider Registry
    participant H as Provider Handler
    participant I as Idempotency Service
    participant Q as Execution Queue

    P->>W: "POST /webhook/{id}"
    W->>R: getHandler(provider)
    R-->>W: gitlabHandler / pagerdutyHandler / zendeskHandler
    W->>H: verifyAuth(secret, headers, rawBody)
    alt Signature valid
        H-->>W: null (pass)
    else Invalid
        H-->>W: 401 Unauthorized
    end
    W->>H: matchEvent(triggerId, body)
    alt Event matches trigger
        H-->>W: true
    else No match
        H-->>W: false (skip)
    end
    W->>I: checkIdempotency(x-gitlab-event-uuid / event.id / body.id)
    alt Not a duplicate
        I-->>W: proceed
        W->>H: formatInput(body, headers)
        H-->>W: "{ input: { ... } }"
        W->>Q: enqueue execution
    else Duplicate
        I-->>W: skip (already processed)
    end

Comments Outside Diff (3)

apps/sim/triggers/gitlab/utils.ts, line 758 (link)

Unused triggerLabel parameter

The first parameter triggerLabel is declared but never referenced in the function body — only checkboxLabel appears in the template string. Every call site passes two strings, but the first string has no effect. This creates misleading dead code; callers might believe the first argument controls something visible in the instructions.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
apps/sim/lib/webhooks/providers/zendesk.ts, line 428 (link)

Missing empty-body guard in validateZendeskSignature

Unlike the PagerDuty validator (which includes !body in its guard clause), this function does not bail out when body is empty. If rawBody arrives as "", the HMAC is computed over only the timestamp — a different message than Zendesk actually signed, so verification still fails. The real risk is a subtle divergence: a future change that pre-computes or caches the HMAC could accidentally match the truncated input. Adding || !body to the guard brings this in line with validatePagerDutySignature and makes the invariant explicit.
apps/sim/lib/webhooks/providers/gitlab.ts, line 181-183 (link)

asRecord helper duplicated across all three new provider files

The exact same three-line asRecord helper is copy-pasted into gitlab.ts, pagerduty.ts, and zendesk.ts. The shared utils.ts in this directory is the right home for it — any future change (e.g. adding a runtime typeof check) would need to be applied in three places today.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

_{Reviews (2): Last reviewed commit: "feat(triggers): add GitLab, PagerDuty, a..." | Re-trigger Greptile}

…protection Address review feedback: - Add paramVisibility: 'user-only' to the webhookSecret fields for GitLab, PagerDuty, and Zendesk so signing secrets are scoped to the credential owner and not exposed to workspace collaborators (repo convention). - Reject Zendesk deliveries whose signed timestamp is more than 5 minutes from now, closing a replay window once an event id ages out of the idempotency cache. The X-Zendesk-Webhook-Signature-Timestamp header is ISO-8601, so it is parsed with Date.parse (matches the Slack handler's skew-check convention).

waleedlatif1 · 2026-06-20T06:43:28Z

@greptile review

waleedlatif1 · 2026-06-20T06:43:29Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit c2e7e01. Configure here.}

Replace the manual-registration model with automatic webhook creation on deploy and cleanup on undeploy, via createSubscription/deleteSubscription on each provider handler: - GitLab: POST /projects/:id/hooks with a Personal Access Token; generates the secret token (stored for X-Gitlab-Token verification) and enables only the event flags for the selected trigger. Deletes the hook on undeploy. - PagerDuty: POST /webhook_subscriptions (account-scoped) with a REST API key; captures delivery_method.secret (returned only on create) for X-PagerDuty-Signature verification. Deletes the subscription on undeploy. - Zendesk: POST /api/v2/webhooks with native event subscriptions, then GET /webhooks/:id/signing_secret for X-Zendesk-Webhook-Signature verification. Deletes the webhook on undeploy. Trigger config now collects the provider credentials (user-only) instead of a pasted signing secret; the signing secret is generated or fetched and stored in providerConfig by the orchestration layer (no route/deploy changes).

waleedlatif1 · 2026-06-20T21:20:59Z

@greptile review

waleedlatif1 · 2026-06-20T21:21:00Z

@cursor review

…desk orphans Address review feedback on the auto-registration changes: - verifyAuth now rejects (401) when webhookSecret is absent for GitLab, PagerDuty, and Zendesk. Since the secret is generated/fetched during auto-registration and stored before the webhook can receive deliveries, a missing secret indicates misconfiguration and must fail closed rather than skip signature verification. Adds an opt-in requireSecret flag to createHmacVerifier (default off, preserving behavior for other providers). - Zendesk createSubscription now deletes the just-created webhook if the follow-up signing-secret fetch fails, avoiding an orphaned subscription in Zendesk when setup cannot complete.

waleedlatif1 · 2026-06-20T21:30:41Z

@greptile review

waleedlatif1 · 2026-06-20T21:30:42Z

@cursor review

Extend the orphan-prevention fix to the remaining providers. When a create call succeeds but post-create validation fails, the created webhook is now deleted before throwing: - GitLab: if the create response can't be parsed for its hook id, the hook is located by its URL and deleted. - PagerDuty: if the subscription response lacks an id or signing secret, the subscription is deleted (by id when known, otherwise located by URL). Both cleanups are best-effort and never throw.

waleedlatif1 · 2026-06-20T21:39:57Z

@greptile review

waleedlatif1 · 2026-06-20T21:39:58Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 7db4ca8. Configure here.}

…s trigger

waleedlatif1 · 2026-06-20T21:46:49Z

@greptile review

waleedlatif1 · 2026-06-20T21:46:50Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 04ab0b0. Configure here.}

waleedlatif1 · 2026-06-20T21:56:38Z

@greptile review