coven-github-webhook is the TypeScript deployment bundle for the
OpenCoven/coven-github product
surface. It receives GitHub App webhooks, verifies signatures, applies
installation/repository routing policy, and starts coven-code headless runs.
Use the canonical coven-github repo for the product spec, GitHub App
permissions, event list, headless contract, and hosted/self-hosted operating
model. Use this repo when you want the lightweight Node deployment entrypoint.
Register the GitHub App with the manifest from coven-github:
OpenCoven/coven-github/docs/app-manifest.json
Set the manifest webhook URL to this service:
https://your-host/webhook
The manifest subscribes to the events this adapter can route:
issuesissue_commentpull_request_reviewpull_request_review_commentcheck_suitecheck_run
After creating the App, keep these values outside git:
- App ID ->
GITHUB_APP_ID - Webhook secret ->
GITHUB_WEBHOOK_SECRET - Private key PEM ->
GITHUB_APP_PRIVATE_KEY, or private key PEM path ->GITHUB_APP_PRIVATE_KEY_PATH
For 1Password-backed local runs, copy
.env.1password.example to an ignored local env file and update the op://
references to the fields in your item:
cp .env.1password.example .env.1password.localThen run commands through 1Password without exposing secret values:
op run --env-file .env.1password.local -- npm run doctor:app
op run --env-file .env.1password.local -- npm startThis adapter uses a local JSON policy file to map a GitHub installation and repository to a familiar route. Start with:
cp config/example-policy.json coven-github-policy.jsonThen replace:
123456with the GitHub App installation ID.987654321with the repository ID.bot_usernameswith the GitHub App bot login, for examplecoven-cody[bot].trigger_labelswith labels that should start tasks.familiarwith the familiar id, display name, model, and skills to pass tocoven-code.
Point the service at the file:
export COVEN_GITHUB_POLICY_PATH="$PWD/coven-github-policy.json"Keep publication.mode as record_only for first smoke runs. Switch it to
comment only after you have verified the App installation, coven-code
runtime, Codex token, and workspace permissions.
npm ci
npm run build
export GITHUB_APP_ID="123456"
export GITHUB_WEBHOOK_SECRET="replace-with-github-secret"
export GITHUB_APP_PRIVATE_KEY_PATH="$PWD/keys/coven-github.private-key.pem"
export COVEN_GITHUB_POLICY_PATH="$PWD/coven-github-policy.json"
export COVEN_GITHUB_STATE_DIR="$PWD/coven-github-state"
export COVEN_CODE_BIN="$(command -v coven-code)"
npm run doctor:app
npm startIn another shell:
WEBHOOK_SECRET="$GITHUB_WEBHOOK_SECRET" \
scripts/smoke-webhook.sh http://localhost:3000/webhookThat proves the HTTP endpoint and HMAC signature path before any GitHub token or runtime work is attempted.
Before creating a real GitHub App, run the self-contained demo:
npm run smoke:appThe demo starts the built Node server on localhost, signs an issues.labeled
payload with the same sha256= HMAC format GitHub uses, loads
config/example-policy.json, and prints the resulting delivery, task, session
brief, and result paths.
It runs with COVEN_GITHUB_DEMO_MODE=1. That mode is intentionally explicit:
it verifies the app ingress and routing path, but does not mint GitHub
installation tokens, clone repositories, run coven-code, or publish comments.
On a repository where the App is installed:
- Copy the installation ID and repository ID into
coven-github-policy.json. - Add one of the configured labels, such as
coven:fix, to an issue. - Confirm a delivery record appears under
COVEN_GITHUB_STATE_DIR/deliveries. - Confirm a task record appears under
COVEN_GITHUB_STATE_DIR/tasks. - Inspect the attempt directory if the runtime fails before enabling comment publication.
This keeps the first app connection auditable: GitHub delivery, policy route, task creation, runtime attempt, and publication are separate files.