GitHub Pull Request Webhook Integration
Generate a random secret
Save it securely - you'll need it for both GitHub and Blueberry
Store in Google Secret Manager for Blueberry
In your Helm values or environment config
In GitHub webhook settings, click "Recent Deliveries"
Find the ping event and check the response
Or send a test webhook manually
In Blueberry webhook configuration
- Webhook Event Processing
  - Pull Request Opened
Signature validation
Equivalent API call
- Validation
- Troubleshooting
  - Webhook Signature Validation Fails
Verify secret in both places matches
GitHub: Settings → Webhooks → Edit → Secret
Blueberry: Check Secret Manager value
Verify GitHub token has required permissions
repo:status - to post commit statuses
Check token is configured

GitHub Pull Request Webhook Integration

Overview

This workflow processes GitHub pull request webhooks to automatically create and manage ephemeral environments. When a PR is opened, updated, or closed, the webhook triggers appropriate actions in the Blueberry IDP.

Prerequisites

[ ] Access Requirements
Admin access to GitHub repository settings
Blueberry API webhook endpoint URL
Webhook secret for signature validation
[ ] Tools and Software
GitHub repository with admin permissions
openssl for generating webhook secrets
curl for testing webhooks
[ ] Knowledge Requirements
Understanding of GitHub webhook events
Familiarity with HMAC signature validation
Basic knowledge of HTTP headers

Steps

1. Generate Webhook Secret

Create a secure webhook secret:

# Generate a random secret
openssl rand -hex 32

# Save it securely - you'll need it for both GitHub and Blueberry
export WEBHOOK_SECRET="your-generated-secret"

# Store in Google Secret Manager for Blueberry
gcloud secrets create github-webhook-secret \
  --data-file=- <<< "$WEBHOOK_SECRET"

2. Configure Blueberry to Accept Webhooks

Update the Blueberry configuration:

# In your Helm values or environment config
webhooks:
  github:
    enabled: true
    secret: github-webhook-secret  # Reference to Secret Manager
    allowedOrganizations:
      - "your-org"
    allowedRepositories:
      - "your-org/your-repo"

3. Create GitHub Webhook

In your GitHub repository settings:

Navigate to Settings → Webhooks → Add webhook
Configure the webhook:

Payload URL: https://blueberry.example.com/api/webhooks/github
Content type: application/json
Secret: [paste your generated secret]
SSL verification: Enable

Which events would you like to trigger this webhook?
☑ Pull requests
☐ Pushes
☐ Everything

Click Add webhook

4. Verify Webhook Configuration

Test the webhook delivery:

# In GitHub webhook settings, click "Recent Deliveries"
# Find the ping event and check the response

# Or send a test webhook manually
curl -X POST https://blueberry.example.com/api/webhooks/github \
  -H "Content-Type: application/json" \
  -H "X-GitHub-Event: ping" \
  -H "X-Hub-Signature-256: sha256=$(echo -n '{"zen":"test"}' | openssl dgst -sha256 -hmac $WEBHOOK_SECRET -binary | xxd -p)" \
  -d '{"zen":"test"}'

Expected Response:

{
  "status": "pong",
  "message": "Webhook configured successfully"
}

5. Configure Environment Creation Rules

Set up rules for when to create environments:

# In Blueberry webhook configuration
webhook_rules = {
    "create_on": ["opened", "synchronize"],
    "delete_on": ["closed", "merged"],
    "skip_draft": True,
    "required_labels": ["deploy-preview"],
    "branch_pattern": "^(feature|fix)/.*$"
}

Webhook Event Processing

Pull Request Opened

When a PR is opened, Blueberry:

Validates the webhook
python # Signature validation signature = request.headers.get("X-Hub-Signature-256") if not validate_signature(signature, request.body, webhook_secret): return 401
Extracts PR information
json { "action": "opened", "number": 123, "pull_request": { "head": { "ref": "feature/new-feature", "sha": "abc123" } } }
Creates environment
bash # Equivalent API call curl -X POST https://blueberry.example.com/api/environments \ -d '{ "name": "pr-123", "pr_number": 123, "pr_branch": "feature/new-feature", "git_commit_sha": "abc123" }'

Pull Request Updated

When a PR is synchronized (new commits pushed):

Updates the existing environment
Triggers new deployment with latest commit
Posts status back to GitHub

Pull Request Closed

When a PR is closed or merged:

Deletes the associated environment
Cleans up all resources
Updates GitHub commit status

Validation

Verify the webhook integration is working:

Check Webhook Deliveries
In GitHub: Settings → Webhooks → Recent Deliveries
All should show green checkmarks
Monitor Blueberry Logs
bash kubectl logs -n blueberry deployment/blueberry-api -f | grep webhook
Verify Environment Creation
Open a test PR with required labels
Check that environment is created within 2-3 minutes
Verify GitHub commit status is updated

Troubleshooting

Webhook Signature Validation Fails

Symptoms:
- 401 Unauthorized responses
- "Invalid signature" in logs

Cause:
Webhook secret mismatch

Solution:

# Verify secret in both places matches
# GitHub: Settings → Webhooks → Edit → Secret
# Blueberry: Check Secret Manager value

gcloud secrets versions access latest --secret=github-webhook-secret

Environment Not Created

Symptoms:
- Webhook delivers successfully
- No environment created
- No errors in logs

Cause:
PR doesn't meet creation criteria

Solution:
Check webhook rules:
- PR has required labels
- Branch name matches pattern
- PR is not a draft
- Repository is in allowed list

GitHub Status Not Updated

Symptoms:
- Environment created successfully
- No status appears on GitHub PR

Cause:
Missing GitHub API token or permissions