Should a payload's repo be validated by something besides URL?

Currently, a webhook can be validated by the repository URL (to ensure the event it's for the expected repo), using the [Webhook\UrlCallbackRule](https://github.com/katmore/webhook/blob/master/src/UrlCallbackRule.php) class

This can potentially cause unwanted/unexpected disruption if a repository name is changed, or an organization's name is changed.

There may be no way to mitigate the use-case of a repository name changing, as the payload does not seem to have any list of "old" names, etc.

To mitigate the use-case of an organization name changing, a new [CallbackRule](https://github.com/katmore/webhook/blob/master/src/CallbackRule.php) child class could be created to validate the `name` property from the `repository` object of the payload (`RepoNameCallbackRule`). This would simplify deployment process for the endpoint, as only the name of the repo would need to be configured.

```txt
{
  "ref": "refs/heads/some-branch",
  ...
  "repository": {
      "id": 123456,
      "node_id": "aGVsbG8=",
      "name": "my-repo",
      "full_name": "my-org-or-username/my-repo",
  }
  ...
}
```

Finally, perhaps it never made sense to validate by a repo "url" anyway? A new [CallbackRule](https://github.com/katmore/webhook/blob/master/src/CallbackRule.php) child class should be created to validate the `full_name` property from the `repository` object of the payload (`RepoFullNameCallbackRule`).


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Should a payload's repo be validated by something besides URL? #1

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Should a payload's repo be validated by something besides URL? #1

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions