Fix webhook handler processing any label from any sender#2307
Merged
hiroshinishio merged 1 commit into main (Feb 22, 2026)
Conversation
- Check label name matches PRODUCT_ID before processing (root cause: dependabot labels like "dependencies" triggered full agent pipeline)
- Reject bot senders except GitAuto's own app (allow schedule triggers)
- Return early for non-gitauto branch prefixes instead of defaulting to "dashboard"
- Add tests for all three guard checks
Summary
The `pull_request.labeled` webhook handler was triggered by ANY label on ANY PR, not just the `gitauto` label. This caused Dependabot PRs with labels like `dependencies` to trigger 4 simultaneous agent runs, waste credits, post duplicate comments, and cause git lock contention on EFS.

Fix: (1) check that the label name matches `gitauto`, (2) reject bot senders except GitAuto's own app, (3) return early for non-gitauto branch prefixes instead of silently defaulting to the `dashboard` trigger.

Social Media Post (GitAuto)
Dependabot bumped a dependency on a customer repo. Four Lambda functions spun up, each trying to write unit tests for a lockfile change. Root cause: our webhook handler triggered on any label, not just "gitauto". Three lines of guard checks fixed it.
Social Media Post (Wes)
Debugging why a customer got 4 duplicate bot comments on a Dependabot PR. Our pull_request.labeled handler had no filter - it ran on every label, not just ours. Dependabot adds labels like "dependencies" and "npm_and_yarn" when creating PRs, each firing a separate webhook. Four concurrent Lambdas fought over the same git repo on shared storage. Added label name check, bot sender check, and branch prefix check.
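The three guard checks this PR describes, written out as an added example in Python. This is not GitAuto's own handler code: the function names, the bot login `gitauto-ai[bot]`, the `gitauto/<trigger>/...` branch naming and the trigger list are assumptions made for the illustration. The payload field names (`label.name`, `sender.type`, `sender.login`, `pull_request.head.ref`) are real fields of GitHub's `pull_request.labeled` webhook event. The "before" handler reproduces the failure mode from the summary: four Dependabot label events each map to a `dashboard` run, while the guarded handler lets exactly the `gitauto` label from a human or from the app's own bot through.

```python
"""Guard checks for a GitHub ``pull_request.labeled`` webhook (added example)."""
from typing import Optional

PRODUCT_ID = "gitauto"                 # label name from the PR description
OWN_APP_LOGIN = "gitauto-ai[bot]"      # ASSUMED placeholder for the app's own bot login
KNOWN_TRIGGERS = ("issue", "schedule", "dashboard")  # ASSUMED trigger names


def make_event(label: str, sender_login: str, sender_type: str, head_ref: str) -> dict:
    """Build a minimal constructed webhook payload with only the fields the guards read."""
    return {
        "action": "labeled",
        "label": {"name": label},
        "sender": {"login": sender_login, "type": sender_type},
        "pull_request": {"head": {"ref": head_ref}},
    }


def unguarded_trigger(payload: dict) -> str:
    """Before the fix: every label from every sender starts a run, and a branch
    whose prefix is not recognised silently falls back to the 'dashboard' trigger."""
    parts = payload["pull_request"]["head"]["ref"].split("/")
    if len(parts) > 1 and parts[1] in KNOWN_TRIGGERS:
        return parts[1]
    return "dashboard"


def guarded_trigger(payload: dict) -> Optional[str]:
    """After the fix: return the trigger name to run, or None to ignore the event."""
    # (1) Only the product's own label is allowed to start a run.
    if payload.get("label", {}).get("name") != PRODUCT_ID:
        return None
    # (2) Bots are rejected unless it is the app itself (keeps schedule triggers working).
    sender = payload.get("sender", {})
    if sender.get("type") == "Bot" and sender.get("login") != OWN_APP_LOGIN:
        return None
    # (3) Unknown branch prefixes are ignored instead of defaulting to 'dashboard'.
    parts = payload["pull_request"]["head"]["ref"].split("/")
    if len(parts) < 2 or parts[0] != PRODUCT_ID or parts[1] not in KNOWN_TRIGGERS:
        return None
    return parts[1]


# Constructed sample events: four Dependabot labels on one PR, one human label,
# and one label applied by the app itself for a scheduled run.
DEPENDABOT_EVENTS = [
    make_event(name, "dependabot[bot]", "Bot", "dependabot/npm_and_yarn/lodash-4.17.21")
    for name in ("dependencies", "npm_and_yarn", "javascript", "security")
]
HUMAN_EVENT = make_event("gitauto", "alice", "User", "gitauto/issue/42-add-tests")
SCHEDULE_EVENT = make_event("gitauto", OWN_APP_LOGIN, "Bot", "gitauto/schedule/2026-02-22")
ALL_EVENTS = DEPENDABOT_EVENTS + [HUMAN_EVENT, SCHEDULE_EVENT]


def count_runs(events: list, handler) -> int:
    """Number of agent runs a handler would start for a batch of webhook deliveries."""
    return sum(1 for e in events if handler(e) is not None)


if __name__ == "__main__":
    print("before:", count_runs(ALL_EVENTS, unguarded_trigger), "runs")  # 6
    print("after: ", count_runs(ALL_EVENTS, guarded_trigger), "runs")    # 2
```

The order of the checks matters for cost: the label comparison is the cheapest and rejects the Dependabot case outright, so the bot and branch checks only run for events that already carry the product label.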