Merge pull request #12 from TrustSignal-dev/copilot/fix-trustsignal-github-app

chrismaz11 · web-flow · commit 396a288c8a09 · 2026-03-16T13:31:30.000-05:00
Fix three verification failure causes in push, check_suite, and TrustSignal client
diff --git a/apps/action/dist/index.js b/apps/action/dist/index.js
@@ -4175,6 +4175,7 @@ var TrustSignalVerificationClient = class {
           method: "POST",
           headers: {
             "content-type": "application/json",
+            "accept": "application/json",
             authorization: `Bearer ${this.apiKey}`
           },
           body: payloadText,
@@ -4296,11 +4297,12 @@ function normalizeReleasePayload(payload) {
     }
   };
 }
+var ZERO_SHA = "0000000000000000000000000000000000000000";
 function normalizePushPayload(payload) {
   const repository = payload.repository;
   const ref = String(payload.ref || "");
   const branchName = ref.replace("refs/heads/", "");
-  if (branchName && repository.default_branch && branchName !== repository.default_branch) {
+  if (branchName && repository.default_branch && branchName !== repository.default_branch || !payload.after || payload.after === ZERO_SHA) {
     return null;
   }
   return {
@@ -4342,7 +4344,7 @@ function normalizeCheckSuitePayload(payload) {
     headSha,
     externalId: `check_suite:${checkSuite.id}`,
     summaryContext: `check suite ${checkSuite.id}`,
-    detailsUrl: checkSuite.url,
+    detailsUrl: checkSuite.html_url || `${repository.html_url}/commit/${headSha}`,
     provenance: {
       action: payload.action,
       checkSuiteStatus: checkSuite.status,
diff --git a/src/trustsignal/client.ts b/src/trustsignal/client.ts
@@ -56,6 +56,7 @@ export class TrustSignalVerificationClient {
           method: "POST",
           headers: {
             "content-type": "application/json",
+            "accept": "application/json",
             authorization: `Bearer ${this.apiKey}`,
           },
           body: payloadText,
diff --git a/src/trustsignal/github.ts b/src/trustsignal/github.ts
@@ -79,12 +79,18 @@ export function normalizeReleasePayload(payload: Record<string, any>): GitHubVer
   };
 }
 
+const ZERO_SHA = "0000000000000000000000000000000000000000";
+
 export function normalizePushPayload(payload: Record<string, any>): GitHubVerificationEnvelope | null {
   const repository = payload.repository;
   const ref = String(payload.ref || "");
   const branchName = ref.replace("refs/heads/", "");
 
-  if (branchName && repository.default_branch && branchName !== repository.default_branch) {
+  if (
+    (branchName && repository.default_branch && branchName !== repository.default_branch) ||
+    !payload.after ||
+    payload.after === ZERO_SHA
+  ) {
     return null;
   }
 
@@ -137,7 +143,7 @@ export function normalizeCheckSuitePayload(payload: Record<string, any>): GitHub
     headSha,
     externalId: `check_suite:${checkSuite.id}`,
     summaryContext: `check suite ${checkSuite.id}`,
-    detailsUrl: checkSuite.url,
+    detailsUrl: checkSuite.html_url || `${repository.html_url}/commit/${headSha}`,
     provenance: {
       action: payload.action,
       checkSuiteStatus: checkSuite.status,
diff --git a/tests/normalizeEvent.test.ts b/tests/normalizeEvent.test.ts
@@ -1,5 +1,6 @@
 import { describe, expect, it } from "vitest";
 import { normalizeWorkflowRunEvent } from "../src/webhooks/handlers/workflowRun";
+import { normalizePushPayload, normalizeCheckSuitePayload } from "../src/trustsignal/github";
 
 describe("normalizeWorkflowRunEvent", () => {
   it("normalizes a completed workflow run", () => {
@@ -29,3 +30,107 @@ describe("normalizeWorkflowRunEvent", () => {
     expect(job?.headSha).toBe("abc123");
   });
 });
+
+describe("normalizePushPayload", () => {
+  it("returns null for branch deletion events (zero SHA)", () => {
+    const result = normalizePushPayload({
+      ref: "refs/heads/main",
+      before: "abc1234def5678901234567890abcdef12345678",
+      after: "0000000000000000000000000000000000000000",
+      repository: {
+        name: "repo",
+        default_branch: "main",
+        html_url: "https://github.com/acme/repo",
+        owner: { login: "acme" },
+      },
+    });
+
+    expect(result).toBeNull();
+  });
+
+  it("returns null when after is missing", () => {
+    const result = normalizePushPayload({
+      ref: "refs/heads/main",
+      before: "abc1234def5678901234567890abcdef12345678",
+      repository: {
+        name: "repo",
+        default_branch: "main",
+        html_url: "https://github.com/acme/repo",
+        owner: { login: "acme" },
+      },
+    });
+
+    expect(result).toBeNull();
+  });
+
+  it("returns an envelope for a default-branch push with a valid SHA", () => {
+    const result = normalizePushPayload({
+      ref: "refs/heads/main",
+      before: "abc1234def5678901234567890abcdef12345678",
+      after: "def5678abc1234901234567890abcdef12345678",
+      repository: {
+        name: "repo",
+        default_branch: "main",
+        html_url: "https://github.com/acme/repo",
+        owner: { login: "acme" },
+      },
+    });
+
+    expect(result).not.toBeNull();
+    expect(result?.headSha).toBe("def5678abc1234901234567890abcdef12345678");
+    expect(result?.externalId).toBe("push:def5678abc1234901234567890abcdef12345678");
+  });
+});
+
+describe("normalizeCheckSuitePayload", () => {
+  it("uses html_url for detailsUrl when available", () => {
+    const result = normalizeCheckSuitePayload({
+      action: "requested",
+      check_suite: {
+        id: 321,
+        head_sha: "def5678abc1234901234567890abcdef12345678",
+        status: "queued",
+        conclusion: null,
+        html_url: "https://github.com/acme/repo/actions/runs/321",
+        url: "https://api.github.com/repos/acme/repo/check-suites/321",
+        app: { slug: "some-app" },
+        pull_requests: [],
+      },
+      repository: {
+        id: 1,
+        name: "repo",
+        default_branch: "main",
+        html_url: "https://github.com/acme/repo",
+        owner: { login: "acme" },
+      },
+    });
+
+    expect(result).not.toBeNull();
+    expect(result?.detailsUrl).toBe("https://github.com/acme/repo/actions/runs/321");
+  });
+
+  it("falls back to commit URL for detailsUrl when html_url is absent", () => {
+    const result = normalizeCheckSuitePayload({
+      action: "requested",
+      check_suite: {
+        id: 654,
+        head_sha: "abc1234def5678901234567890abcdef12345678",
+        status: "queued",
+        conclusion: null,
+        url: "https://api.github.com/repos/acme/repo/check-suites/654",
+        app: { slug: "some-app" },
+        pull_requests: [],
+      },
+      repository: {
+        id: 1,
+        name: "repo",
+        default_branch: "main",
+        html_url: "https://github.com/acme/repo",
+        owner: { login: "acme" },
+      },
+    });
+
+    expect(result).not.toBeNull();
+    expect(result?.detailsUrl).toBe("https://github.com/acme/repo/commit/abc1234def5678901234567890abcdef12345678");
+  });
+});
diff --git a/tests/trustsignalClient.test.ts b/tests/trustsignalClient.test.ts
@@ -56,6 +56,7 @@ describe("TrustSignalVerificationClient", () => {
         method: "POST",
         headers: expect.objectContaining({
           authorization: "Bearer secret",
+          "accept": "application/json",
         }),
       })
     );
