Webhooks & external events
Coro jobs routinely park waiting for merges, approvals, tracker comments, or plugin-specific signals. Reliable automation depends on inbound events — see /concepts/job-lifecycle/ (or the park/resume discussion in /concepts/runner-spec/) alongside this guide.
What fires webhooks
Built-in SCM plugins (GitHub, Bitbucket, GitLab…) and trackers (for example Jira) expose normalised payloads the runner consumes. Plugins declare a webhook descriptor:
- algorithm — hmac-sha256, hmac-sha1, or none.
- header / format — how the SCM signs the POST body (X-Hub-Signature, x-hub-signature-256, etc.).
- Optional pathSuffix for distinguishing multiple ingress routes behind the cloud edge.
Hybrid cloud stores per-team webhook rows (tenant_plugin_webhooks), loads secrets from Postgres, and verifies the MAC against the raw request body before emitting event:pluginWebhook frames to connected runners (/guides/hybrid-mode/).
SCM webhooks vs tracker webhooks
| Source | Typical event | Runner effect |
|---|---|---|
| Git host | PR approved, merged, comment | Resume review / evaluation phases awaiting pull_request:*. |
| Issue tracker | Comment, assignment, epic link | Planner / campaign agents receive tracker prompts. |
Misconfigured tracker credentials downgrade to stubs; the fallback behaviours are documented in /concepts/architecture/.
HMAC verification (team mode)
Teams should treat webhook secrets like API keys:
- Provision secret in SCM UI → store encrypted-at-rest mirror in cloud DB via dashboard automation (exact UI depends on installer).
- Rotate with dual-record overlap to avoid wedging parked jobs stuck awaiting dead endpoints.
- When algorithm is none (classic Jira webhook variant relies on opaque URL secrets), keep URLs unguessable and rotate alongside PATs.
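The raw-body check and the dual-record rotation overlap described above, as an added example (not Coro's own code). The function name, the list of active secrets and the sample values are assumptions made for illustration; the `sha256=` prefix follows GitHub's X-Hub-Signature-256 header format.

```python
import hashlib
import hmac

# Digest for each MAC-bearing algorithm value the descriptor can declare.
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}


def verify_webhook(raw_body, header_value, algorithm, secrets):
    """Return True if header_value is a valid MAC of raw_body under any active secret.

    raw_body     -- bytes exactly as received, before any JSON parsing
    header_value -- signature header, e.g. "sha256=<hex>" (GitHub-style prefix)
    secrets      -- active secrets (hypothetical list); two entries during rotation
    """
    digest = DIGESTS.get(algorithm)
    if digest is None or not header_value:
        # "none" carries no MAC (the URL secret is its only credential);
        # unknown algorithms and missing headers fail closed.
        return False
    # Split an optional "<name>=" prefix and require it to match the algorithm,
    # so a sha1-labelled header is never accepted on a sha256 route.
    prefix, sep, sent_hex = header_value.strip().rpartition("=")
    if sep and prefix.lower() != digest().name:
        return False
    sent = sent_hex.lower().encode("ascii", "ignore")
    ok = False
    for secret in secrets:
        expected = hmac.new(secret, raw_body, digest).hexdigest().encode()
        # Constant-time compare; every secret is checked even after a match.
        ok |= hmac.compare_digest(expected, sent)
    return ok


# Constructed sample: one body, old and new secret during a rotation overlap.
BODY = b'{"action":"approved","pull_request":{"number":7}}'
OLD, NEW = b"old-secret-constructed", b"new-secret-constructed"
SIG_OLD = "sha256=" + hmac.new(OLD, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(verify_webhook(BODY, SIG_OLD, "hmac-sha256", [NEW, OLD]))  # overlap window
    print(verify_webhook(BODY, SIG_OLD, "hmac-sha256", [NEW]))  # old secret retired
    print(verify_webhook(BODY + b" ", SIG_OLD, "hmac-sha256", [NEW, OLD]))  # body altered
```

The third call shows why the MAC must be computed over the received bytes: a body that was parsed and re-serialised, even with one byte of whitespace difference, no longer verifies.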
Solo / polling fallback
Without cloud forwarding, parked jobs may rely on coro resume, coro message, or periodic SCM polls (plugin-dependent). Operational runbooks must state explicit SLAs: “solo developers must leave coro start alive or resume manually”. Encourage migrating teams to hybrid once more than one person depends on merges.
Manual escape hatches (coro resume --job …) remain available for tabletop exercises (/reference/cli/ when published).
Configuration checklist
- host.webhookSecret / cloud equivalents align with SCM app settings (/guides/team-setup/).
- ngrok/static tunnel docs for local labs live in /contributing/local-setup/.
- Guardrail merge-requires-approval interacts with SCM approval events — flipping guardrails blindly can deadlock automation (/guides/configure-guardrails/).
Related reading
- /guides/hybrid-mode/ — why WebSockets carry webhook fan-out post verification.
- /guides/run-campaign/ — coordinator events multiplex child jobs similarly.