CODE [INPUT]

Webhooks Overview

Set up real-time notifications and integrations with external services when repository events occur
June 29, 2025
CodeInput Team

Webhooks Overview

CodeInput webhooks enable real-time communication between your repositories and external services. Get instant notifications about merge conflicts, PR status changes, and resolution events.

What Are Webhooks?

Webhooks are HTTP callbacks that send event data to a URL of your choice when specific events occur in your repositories. They enable automation and integration with your existing tools.

Supported Events

Merge Conflict Events

{
  "event": "conflict.detected",
  "repository": "acme/api",
  "branch": "feature/new-auth",
  "conflict_count": 3,
  "timestamp": "2025-01-28T10:30:00Z"
}

Events:

  • conflict.detected - New conflicts found
  • conflict.resolved - Conflicts successfully resolved
  • conflict.failed - Resolution attempt failed
  • conflict.escalated - Conflict escalated to senior team

Pull Request Events

{
  "event": "pr.status_changed",
  "repository": "acme/api",
  "pr_number": 123,
  "old_status": "conflicts",
  "new_status": "review_required",
  "timestamp": "2025-01-28T10:35:00Z"
}

Events:

  • pr.opened - New pull request created
  • pr.status_changed - PR status updated
  • pr.merged - PR successfully merged
  • pr.closed - PR closed without merging

Approval Events

{
  "event": "approval.requested",
  "repository": "acme/api",
  "pr_number": 123,
  "approver": "john@example.com",
  "files": ["src/auth.ts", "src/users.ts"],
  "timestamp": "2025-01-28T10:40:00Z"
}

Events:

  • approval.requested - Review requested from owner
  • approval.granted - Owner approved changes
  • approval.declined - Owner requested changes
  • approval.cancelled - Approval request cancelled

Repository Events

{
  "event": "repository.connected",
  "repository": "acme/api",
  "workspace": "acme-corp",
  "timestamp": "2025-01-28T10:45:00Z"
}

Events:

  • repository.connected - Repository linked to workspace
  • repository.disconnected - Repository unlinked
  • repository.settings_changed - Settings updated

Setting Up Webhooks

Via Dashboard

  1. Navigate to Repository Settings
  2. Select "Webhooks" from the sidebar
  3. Click "Add Webhook"
  4. Configure your webhook:
    • URL: Endpoint to receive events
    • Events: Select events to subscribe to
    • Secret: Optional secret for signature verification
    • Active: Enable/disable webhook

Via API

curl -X POST https://api.codeinput.com/v1/webhooks \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "repository": "acme/api",
    "url": "https://your-app.com/webhooks",
    "events": ["conflict.detected", "conflict.resolved"],
    "secret": "your-webhook-secret"
  }'

Via Configuration File

# .codeinput.yml
webhooks:
  - url: https://slack.example.com/webhooks
    events:
      - conflict.detected
      - conflict.resolved
    secret: ${SLACK_WEBHOOK_SECRET}


  - url: https://jira.example.com/webhooks

Webhook Payload Structure

All webhook payloads follow this structure:

{
  "id": "evt_1234567890",
  "event": "conflict.detected",
  "timestamp": "2025-01-28T10:30:00Z",
  "signature": "sha256=...",
  "data": {
    "repository": {
      "name": "acme/api",
      "url": "https://github.com/acme/api",

Security

Signature Verification

Each webhook includes an HMAC signature in the X-CodeInput-Signature header:

const crypto = require('crypto');


function verifySignature(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = hmac.update(payload).digest('hex');
  const expectedSignature = `sha256=${digest}`;
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)

IP Whitelisting

Restrict webhook delivery to specific IP ranges:

# CodeInput webhook IPs 52.0.0.0/16 54.0.0.0/16

Retry Policy

Automatic retry with exponential backoff:

  • Attempt 1: Immediate
  • Attempt 2: 1 minute later
  • Attempt 3: 5 minutes later
  • Attempt 4: 30 minutes later
  • Attempt 5: 2 hours later

Maximum 5 retry attempts over 24 hours.

Common Integrations

Slack Notifications

// Receive webhook and post to Slack
app.post('/webhooks', (req, res) => {
  const { event, data } = req.body;


  if (event === 'conflict.detected') {
    axios.post(process.env.SLACK_WEBHOOK_URL, {
      text: `🚨 New conflicts in ${data.repository.name}`,
      attachments: [{
        color: 'danger',

Jira Ticket Creation

app.post('/webhooks', (req, res) => {
  const { event, data } = req.body;


  if (event === 'conflict.detected') {
    axios.post('https://acme.atlassian.net/rest/api/3/issue', {
      fields: {
        project: { key: 'ENG' },
        summary: `Resolve merge conflicts in ${data.repository.name}`,
        description: `${data.conflict_count} conflicts detected on branch ${data.branch}`,

Custom Analytics

app.post('/webhooks', (req, res) => {
  const { event, timestamp } = req.body;


  db.analytics.insert({
    event,
    timestamp: new Date(timestamp),
    processed_at: new Date()
  });

Testing Webhooks

Test Endpoint

Use webhook testing tools like:

Sample Payloads

View and replay sample payloads from the dashboard:

  1. Go to Repository Settings → Webhooks
  2. Select your webhook
  3. Click "View Recent Deliveries"
  4. Click any delivery to see full payload
  5. Click "Redeliver" to resend

CLI Testing

# Test webhook with sample payload
codeinput webhook test \
  --url https://your-app.com/webhooks \
  --event conflict.detected \
  --payload '{"repository":"acme/api","branch":"feature/test"}'

Best Practices

Endpoint Design

  1. Return 200 OK Quickly: Process events asynchronously
  2. Idempotency: Handle duplicate deliveries gracefully
  3. Error Handling: Log errors but always return 200
  4. Time Limits: Process within 30 seconds to avoid timeout

Reliability

  1. Retry Logic: Implement your own retry if needed
  2. Logging: Log all webhook deliveries for debugging
  3. Monitoring: Track delivery success rates
  4. Alerts: Get notified of webhook failures

Security

  1. Always Verify Signatures: Never skip signature validation
  2. Use HTTPS: Endpoints must use HTTPS
  3. Rotate Secrets: Change webhook secrets regularly
  4. Rate Limiting: Protect against abuse

Troubleshooting

Webhook Not Delivering

  • Check endpoint URL is correct and accessible
  • Verify your server accepts POST requests
  • Check firewall/security group settings
  • Review webhook delivery logs in dashboard

Signature Verification Failing

  • Ensure you're using the correct secret
  • Check you're comparing the full signature including sha256=
  • Verify you're using raw payload body (not parsed)

Missing Events

  • Confirm events are enabled in webhook settings
  • Check your plan includes the required events
  • Verify events are occurring in your repository

Getting Started

  1. Create Endpoint: Set up HTTPS endpoint to receive events
  2. Add Webhook: Configure webhook in CodeInput dashboard
  3. Verify Signature: Implement signature verification
  4. Test Delivery: Use test button to verify integration
  5. Go Live: Enable webhook and monitor deliveries

Need Help?