Support Github rebuild via webooks.

[tmcgilchrist]

Passing job_id through to set_status, which then gets sent back via webhooks and can be looked up as a job to rebuild. The core piece is CheckRunStatus now includes the job_id

  type t = {
      state: state;
      description: string option;
      url: Uri.t option;
      job_id: string option;
    }

[talex5]

This looks good. However, if we're performing actions in response to webhooks (rather than just triggering another query to GitHub) then we really should be validating incoming webhooks:

https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks

We should also think a bit about access control. Who does GitHub allow to click on the rebuild button? Possibly it should be tied in with the existing has_role access control system. At least, it needs to be documented.

[tmcgilchrist]

We should also think a bit about access control. Who does GitHub allow to click on the rebuild button? Possibly it should be tied in with the existing has_role access control system. At least, it needs to be documented.

Happily we get the GH User (as sender on the Webhook) that requested the rebuild so we can filter with has_role. We don't seem to have an option to not show the Re-run button for different users.
But we can provide our own set of actions as buttons on the CheckRun.

[talex5]

I think the secret is needed for all web-hooks, not just for apps.

[talex5]

I think we should just require the secret in all cases.

[tmcgilchrist]

Renamed this.

[talex5]

Checking for true in each case seems unnecessary. Also, the error message is rather unclear ("or invalid X-Hub-Signature-256 false").

Suggested change

	begin match event, validate_webhook_payload webhook_secret body headers with
	| Some "installation_repositories", true -> Installation.input_installation_repositories_webhook ()
	| Some "installation", true -> App.input_installation_webhook ()
	| Some ("pull_request" | "push" | "create"), true -> Api.input_webhook json_body
	| Some "check_run", true -> Api.rebuild_webhook ~engine ~has_role json_body
	| Some x, b -> Log.warn (fun f -> f "Unknown GitHub event type %S or invalid X-Hub-Signature-256 %b" x b)
	| None, _ -> Log.warn (fun f -> f "Missing GitHub event type in webhook!")
	end;
	if validate_webhook_payload webhook_secret body headers then (
	match event with
	| Some "installation_repositories" -> Installation.input_installation_repositories_webhook ()
	| Some "installation" -> App.input_installation_webhook ()
	| Some ("pull_request" | "push" | "create") -> Api.input_webhook json_body
	| Some "check_run" -> Api.rebuild_webhook ~engine ~has_role json_body
	| Some x -> Log.warn (fun f -> f "Unknown GitHub event type %S" x)
	| None, _ -> Log.warn (fun f -> f "Missing GitHub event type in webhook!")
	) else (
	Log.warn (fun f -> f "Invalid X-Hub-Signature-256" x)
	)

[talex5]

Perhaps this should be moved into the plugin? Everyone using OAuth is going to need this.

[tmcgilchrist]

This was only for the demo, the webhook secret from a file is here.
https://github.com/ocurrent/ocurrent/pull/283/files/4e0305335ff9d4feafae708c8926a1880766bdd6#diff-cdd21afd7356cc62801e8a3d1e29ed9791707d3f6639c817603b72cd21817ae3R210-R216

[talex5]

That link is broken now. But we want to make sure people read the secret from a file for OAuth pipelines too.

[tmcgilchrist]

Changed the examples to read this from a file and restructured the types in Current_github.App and Api to include the web hook_secret. The examples now work the same as the other pipelines like ocaml-ci

[talex5]

Looks good to me!

[talex5]

Suggested change

	(** [v ?text ?summary ?url ?actions ?identifier] creates a CheckRunStatus with [?text] description, a link to
	(** [v ?text ?summary ?url ?actions ?identifier state] creates a CheckRunStatus with [?text] description, a link to