feat: add github webhook events (#34)

* feat: add github webhook events

* fix: build images

* Fixed Issues
1. P1 - MaxConcurrencyError HTTP Response ✅
Fixed ServeHTTP to properly handle MaxConcurrencyError with HTTP 503 and Retry-After header
Previously returned generic HTTP 500, now correctly returns 503 for rate limiting
2. P1 - Empty APIVersion/Kind in Owner References ✅
Fixed owner reference creation to use client.Scheme().ObjectKinds() to get proper GVK
Added missing Controller and BlockOwnerDeletion fields for proper garbage collection
Previously had empty strings, now has correct API version and kind
3. P1 - TOCTOU Race Condition in Idempotency ✅
Replaced separate IsProcessed()/MarkProcessed() with atomic CheckAndMark()
Eliminated race window where two requests with same delivery ID could both pass the check
Now uses single lock operation for check-and-set
4. P2 - Invalid Kubernetes Names from Truncation ✅
Fixed task name generation to handle nil/empty ID values safely
Added strings.TrimRight(taskName[:63], "-.") to ensure names don't end with invalid characters
Prevents server-side validation failures
5. P2 - BodyContains Filter Ignored for IssuesEvent ✅
Fixed GitHub filter to check issue body for BodyContains on IssuesEvent
Previously only checked comment body on IssueCommentEvent
Now properly filters by issue body content
All tests pass and the implementation builds successfully. The webhook system now properly handles rate limiting, ensures atomic idempotency checks, creates valid owner references for garbage collection, generates valid Kubernetes resource names, and correctly applies all filter conditions.

* chore: generate
* fix: normalize the tasknames

Author: knechtionscoding

Makefile

@@ -1,7 +1,7 @@
 # Image configuration
 REGISTRY ?= ghcr.io/kelos-dev
 VERSION ?= latest
-IMAGE_DIRS ?= cmd/kelos-controller cmd/kelos-spawner cmd/kelos-token-refresher cmd/ghproxy claude-code codex gemini opencode cursor
+IMAGE_DIRS ?= cmd/kelos-controller cmd/kelos-spawner cmd/kelos-token-refresher cmd/kelos-webhook-server cmd/ghproxy claude-code codex gemini opencode cursor
 
 # Version injection for the kelos CLI – only set ldflags when an explicit
 # version is given so that dev builds fall through to runtime/debug info.

api/v1alpha1/taskspawner_types.go

@@ -36,6 +36,10 @@ type When struct {
 	// Jira discovers issues from a Jira project.
 	// +optional
 	Jira *Jira `json:"jira,omitempty"`
+
+	// GitHubWebhook triggers task spawning on GitHub webhook events.
+	// +optional
+	GitHubWebhook *GitHubWebhook `json:"githubWebhook,omitempty"`
 }
 
 // Cron triggers task spawning on a cron schedule.
@@ -295,6 +299,65 @@ type Jira struct {
 	PollInterval string `json:"pollInterval,omitempty"`
 }
 
+// GitHubWebhook configures webhook-driven task spawning from GitHub events.
+type GitHubWebhook struct {
+	// Events is the list of GitHub event types to listen for.
+	// e.g., "issue_comment", "pull_request_review", "push", "issues"
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	Events []string `json:"events"`
+
+	// Repository restricts webhooks to a specific repository (owner/repo format).
+	// If empty, webhooks from any repository are accepted.
+	// +optional
+	Repository string `json:"repository,omitempty"`
+
+	// Filters refine which events trigger tasks. If multiple filters match
+	// the same event type, any match triggers a task (OR semantics).
+	// If empty, all events in the Events list trigger tasks.
+	// +optional
+	Filters []GitHubWebhookFilter `json:"filters,omitempty"`
+}
+
+// GitHubWebhookFilter defines filtering criteria for GitHub webhook events.
+type GitHubWebhookFilter struct {
+	// Event is the GitHub event type this filter applies to.
+	// +kubebuilder:validation:Required
+	Event string `json:"event"`
+
+	// Action filters by webhook action (e.g., "created", "opened", "submitted").
+	// +optional
+	Action string `json:"action,omitempty"`
+
+	// BodyContains filters by substring match on the comment/review body.
+	// +optional
+	BodyContains string `json:"bodyContains,omitempty"`
+
+	// Labels requires the issue/PR to have all of these labels.
+	// +optional
+	Labels []string `json:"labels,omitempty"`
+
+	// ExcludeLabels excludes issues/PRs with any of these labels.
+	// +optional
+	ExcludeLabels []string `json:"excludeLabels,omitempty"`
+
+	// State filters by issue/PR state ("open", "closed").
+	// +optional
+	State string `json:"state,omitempty"`
+
+	// Branch filters push events by branch name (exact match or glob).
+	// +optional
+	Branch string `json:"branch,omitempty"`
+
+	// Draft filters PRs by draft status. nil = don't filter.
+	// +optional
+	Draft *bool `json:"draft,omitempty"`
+
+	// Author filters by the event sender's username.
+	// +optional
+	Author string `json:"author,omitempty"`
+}
+
 // TaskTemplateMetadata holds optional labels and annotations for spawned Tasks.
 type TaskTemplateMetadata struct {
 	// Labels are merged into the spawned Task's labels. Values support Go
@@ -355,6 +418,7 @@ type TaskTemplate struct {
 	// Available variables (all sources): {{.ID}}, {{.Title}}, {{.Kind}}
 	// GitHub issue/Jira sources: {{.Number}}, {{.Body}}, {{.URL}}, {{.Labels}}, {{.Comments}}
 	// GitHub pull request sources additionally expose: {{.Branch}}, {{.ReviewState}}, {{.ReviewComments}}
+	// GitHub webhook sources: {{.Event}}, {{.Action}}, {{.Sender}}, {{.Ref}}, {{.Payload}} (full payload access)
 	// Cron sources: {{.Time}}, {{.Schedule}}
 	// +optional
 	Branch string `json:"branch,omitempty"`
@@ -363,6 +427,7 @@ type TaskTemplate struct {
 	// Available variables (all sources): {{.ID}}, {{.Title}}, {{.Kind}}
 	// GitHub issue/Jira sources: {{.Number}}, {{.Body}}, {{.URL}}, {{.Labels}}, {{.Comments}}
 	// GitHub pull request sources additionally expose: {{.Branch}}, {{.ReviewState}}, {{.ReviewComments}}
+	// GitHub webhook sources: {{.Event}}, {{.Action}}, {{.Sender}}, {{.Ref}}, {{.Payload}} (full payload access)
 	// Cron sources: {{.Time}}, {{.Schedule}}
 	// +optional
 	PromptTemplate string `json:"promptTemplate,omitempty"`
@@ -396,7 +461,7 @@ type TaskTemplate struct {
 }
 
 // TaskSpawnerSpec defines the desired state of TaskSpawner.
-// +kubebuilder:validation:XValidation:rule="!(has(self.when.githubIssues) || has(self.when.githubPullRequests)) || has(self.taskTemplate.workspaceRef)",message="taskTemplate.workspaceRef is required when using githubIssues or githubPullRequests source"
+// +kubebuilder:validation:XValidation:rule="!(has(self.when.githubIssues) || has(self.when.githubPullRequests) || has(self.when.githubWebhook)) || has(self.taskTemplate.workspaceRef)",message="taskTemplate.workspaceRef is required when using githubIssues, githubPullRequests, or githubWebhook source"
 type TaskSpawnerSpec struct {
 	// When defines the conditions that trigger task spawning.
 	// +kubebuilder:validation:Required

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,5 @@
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY bin/kelos-webhook-server .
+USER 65532:65532
+ENTRYPOINT ["/kelos-webhook-server"]

cmd/kelos-webhook-server/Dockerfile

@@ -0,0 +1,146 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+	"time"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
+	kelosv1alpha1 "github.com/kelos-dev/kelos/api/v1alpha1"
+	"github.com/kelos-dev/kelos/internal/logging"
+	"github.com/kelos-dev/kelos/internal/webhook"
+)
+
+var (
+	scheme   = runtime.NewScheme()
+	setupLog = ctrl.Log.WithName("setup")
+)
+
+func init() {
+	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(kelosv1alpha1.AddToScheme(scheme))
+}
+
+func main() {
+	var (
+		source               string
+		metricsAddr          string
+		probeAddr            string
+		webhookAddr          string
+		enableLeaderElection bool
+	)
+
+	flag.StringVar(&source, "source", "", "Webhook source type (github)")
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
+	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
+	flag.StringVar(&webhookAddr, "webhook-bind-address", ":8443", "The address the webhook endpoint binds to.")
+	flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager.")
+
+	opts, applyVerbosity := logging.SetupZapOptions(flag.CommandLine)
+	flag.Parse()
+
+	if err := applyVerbosity(); err != nil {
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+
+	ctrl.SetLogger(zap.New(zap.UseFlagOptions(opts)))
+
+	// Validate source parameter
+	source = strings.ToLower(strings.TrimSpace(source))
+	var webhookSource webhook.WebhookSource
+	switch source {
+	case "github":
+		webhookSource = webhook.GitHubSource
+	default:
+		setupLog.Error(fmt.Errorf("invalid source: %s", source),
+			"Source must be 'github'")
+		os.Exit(1)
+	}
+
+	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+		Scheme:                 scheme,
+		Metrics:                metricsserver.Options{BindAddress: metricsAddr},
+		HealthProbeBindAddress: probeAddr,
+		LeaderElection:         enableLeaderElection,
+		LeaderElectionID:       fmt.Sprintf("kelos-webhook-%s", source),
+	})
+	if err != nil {
+		setupLog.Error(err, "Unable to start manager")
+		os.Exit(1)
+	}
+
+	// Set up signal handling context
+	ctx := ctrl.SetupSignalHandler()
+
+	// Create webhook handler
+	handler, err := webhook.NewWebhookHandler(
+		ctx,
+		mgr.GetClient(),
+		webhookSource,
+		ctrl.Log.WithName("webhook").WithValues("source", source),
+	)
+	if err != nil {
+		setupLog.Error(err, "Unable to create webhook handler")
+		os.Exit(1)
+	}
+
+	// Set up HTTP server for webhooks
+	mux := http.NewServeMux()
+	mux.Handle("/", handler)
+
+	webhookServer := &http.Server{
+		Addr:              webhookAddr,
+		Handler:           mux,
+		ReadTimeout:       30 * time.Second,  // Maximum time to read request including body
+		WriteTimeout:      30 * time.Second,  // Maximum time to write response
+		ReadHeaderTimeout: 10 * time.Second,  // Maximum time to read request headers
+		IdleTimeout:       120 * time.Second, // Maximum time for keep-alive connections
+	}
+
+	// Start webhook server in goroutine
+	go func() {
+		setupLog.Info("Starting webhook server", "addr", webhookAddr, "source", source)
+		if err := webhookServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			setupLog.Error(err, "Webhook server failed")
+			os.Exit(1)
+		}
+	}()
+
+	// Add health checks
+	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+		setupLog.Error(err, "Unable to set up health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+		setupLog.Error(err, "Unable to set up ready check")
+		os.Exit(1)
+	}
+
+	setupLog.Info("Starting manager")
+
+	// Shutdown webhook server gracefully when context is cancelled
+	go func() {
+		<-ctx.Done()
+		setupLog.Info("Shutting down webhook server")
+		if err := webhookServer.Shutdown(context.Background()); err != nil {
+			setupLog.Error(err, "Error shutting down webhook server")
+		}
+	}()
+
+	if err := mgr.Start(ctx); err != nil {
+		setupLog.Error(err, "Problem running manager")
+		os.Exit(1)
+	}
+}