Skip to content

feature/git-push-webhook #166

Description

@bwalsh

ADR-0003: GitHub App Webhook Ingestion with Argo Events

Status

Accepted

Context

This ADR documents how GitHub App webhooks are securely ingested and dispatched
to per-repository Argo WorkflowTemplates using Argo Events and Argo CD.

Decision

  • Use a single global webhook EventSource for all GitHub App installations.
  • Validate GitHub webhook signatures (HMAC SHA-256) outside Argo Events.
  • Dispatch events to per-repo WorkflowTemplates via one Sensor per repo.
  • Enforce multi-tenancy via Argo CD AppProject boundaries.

Architecture

GitHub App -> Webhook Verifier -> Argo Events EventSource -> Sensor -> WorkflowTemplate

Rationale

Argo Events generic webhook EventSource does not natively validate GitHub HMAC
signatures. Validation is required per GitHub security guidance.

Consequences

Pros:

  • Secure webhook ingestion
  • Scales with number of repos
  • Clean tenant isolation

Cons:

  • Requires a small verification component or hardened ingress

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions