Migrate the Slack notification workflow to a GitHub App + Cloudflare Worker#7246
Migrate the Slack notification workflow to a GitHub App + Cloudflare Worker#7246GabrielBianconi wants to merge 4 commits intomainfrom
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c92899f866
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // --- Post to Slack --- | ||
|
|
||
| async function postToSlack(notification, env) { | ||
| await fetch("https://slack.com/api/chat.postMessage", { |
There was a problem hiding this comment.
Fail webhook when Slack post is rejected
postToSlack awaits fetch but never checks the HTTP status or Slack's JSON ok field, so the handler still returns 200 OK when Slack rejects the message (for example invalid_auth, missing_scope, or rate-limit responses). In those cases GitHub considers delivery successful and will not retry, which silently drops notifications instead of surfacing an operational failure.
Useful? React with 👍 / 👎.
| function buildNotification(event, payload, env) { | ||
| const channel = env.SLACK_CHANNEL; | ||
|
|
||
| switch (event) { |
There was a problem hiding this comment.
Restrict notifications to the intended repository
The worker builds notifications for any matching event type without checking payload.repository, so if the GitHub App installation is broadened beyond tensorzero/tensorzero (common with org-level installs), activity from other repos will be forwarded into this Slack channel. This is a behavior regression from the deleted workflow, which was inherently repo-scoped by where it ran, and can leak unrelated repo activity.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 6228102. Configure here.
| @@ -0,0 +1,14 @@ | |||
| name = "tensorzero-slack-notifications" | |||
| main = "worker.js" | |||
| compatibility_date = "2024-01-01" | |||
There was a problem hiding this comment.
Missing nodejs_compat flag breaks worker at runtime
High Severity
The wrangler.toml is missing compatibility_flags = ["nodejs_compat"]. The locked dependency @octokit/webhooks-methods v6.0.0 imports createHmac and timingSafeEqual from node:crypto and Buffer from node:buffer. These Node.js built-in modules are unavailable in Cloudflare Workers without the nodejs_compat flag, so app.webhooks.verify() will fail on every request, making the entire worker non-functional. The compatibility_date also likely needs updating to at least 2024-09-23 for full nodejs_compat v2 polyfill support.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 6228102. Configure here.
| const isValid = await app.webhooks.verify( | ||
| body, | ||
| request.headers.get("X-Hub-Signature-256") || "", | ||
| ); |
There was a problem hiding this comment.
Webhook verify throws on missing signature header
Medium Severity
The || "" fallback for a missing X-Hub-Signature-256 header produces an empty string, which is falsy. The underlying @octokit/webhooks-methods verify() checks !signature and throws a TypeError ("secret, eventPayload & signature required") rather than returning false. This unhandled exception causes the Cloudflare Worker to return a 500 instead of the intended 401 for any request missing the signature header (e.g., scanners, bots, misconfigured clients). A try/catch around the verify call, or a guard checking for a truthy signature before calling verify, would prevent this.
Reviewed by Cursor Bugbot for commit 6228102. Configure here.
| return true; // 204 = is a member | ||
| } catch { | ||
| return false; // 404 = not a member | ||
| } |
There was a problem hiding this comment.
Broad catch treats API failures as non-members
Low Severity
The bare catch in shouldSkip treats every error from the GitHub API — including authentication failures, rate limiting (403/429), and network errors — the same as a 404 "not a member" response. If the GitHub App credentials become invalid or the API is degraded, every webhook event (including org-member activity) will produce a Slack notification, potentially flooding the channel.
Reviewed by Cursor Bugbot for commit 6228102. Configure here.
| "dependencies": { | ||
| "@octokit/app": "^16.1.2", | ||
| "@octokit/core": "^7.0.6", | ||
| "@octokit/plugin-paginate-rest": "^14.0.0", |
There was a problem hiding this comment.
Unused direct dependency @octokit/plugin-paginate-rest
Low Severity
@octokit/plugin-paginate-rest is listed as a direct dependency in package.json but is never imported or used in worker.js. It's already pulled in transitively by @octokit/app. This is unnecessary dead weight in the dependency list.
Reviewed by Cursor Bugbot for commit 6228102. Configure here.
Note
Medium Risk
Replaces a GitHub Actions-based notification workflow with a new externally deployed webhook service, changing auth/secrets handling and delivery path for Slack alerts. Risk is mostly around correct webhook verification, org-membership checks, and operational deployment/configuration in Cloudflare.
Overview
Migrates Slack alerting off the
.github/workflows/slack-notifications.ymlGitHub Actions workflow (deleted) to a manually deployed Cloudflare Worker underci/slack-notifications-worker.Adds a webhook-driven worker (
worker.js) that verifies GitHub webhook signatures via a GitHub App, filters out bots and org members via the GitHub API, and posts formatted notifications to Slack for issues, issue comments, PR opens, PR reviews, discussions, and discussion comments. Includes Wrangler config (wrangler.toml), dependencies (package.json/package-lock.json), and setup/deploy documentation (README.md).Reviewed by Cursor Bugbot for commit 6228102. Bugbot is set up for automated code reviews on this repo. Configure here.