feat(triggers): add Vercel webhook triggers with automatic registration by waleedlatif1 · Pull Request #3988 · simstudioai/sim

waleedlatif1 · 2026-04-06T17:57:26Z

Summary

Add 8 Vercel webhook triggers: deployment created/ready/error/canceled, project created/removed, domain created, and generic webhook (all events)
Automatic webhook registration via Vercel REST API (POST /v1/webhooks) with Bearer token auth
Automatic cleanup on trigger removal (DELETE /v1/webhooks/{id})
Supports optional team ID scoping and project ID filtering
Webhook input formatting extracts deployment, project, team, user, target, plan, and domain from Vercel's envelope payload

Type of Change

New feature

Testing

Tested manually

Checklist

Code follows project style guidelines
Self-reviewed my changes
Tests added/updated and passing
No new warnings introduced
I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

cursor · 2026-04-06T17:57:31Z

PR Summary

Medium Risk
Adds a new webhook provider with HMAC verification and automatic subscription creation/deletion via Vercel’s API; issues here could cause missed/extra webhook deliveries or leaked/misused credentials if misconfigured.

Overview
Adds Vercel webhook trigger support: registers 8 new Vercel triggers (deployment created/ready/error/canceled, project created/removed, domain created, and a generic vercel_webhook) in TRIGGER_REGISTRY and exposes them from the Vercel block via triggers.available and injected trigger subBlocks.

Introduces a new vercel webhook provider handler that auto-creates and deletes Vercel webhook subscriptions (scoped by optional teamId and projectIds filters), verifies incoming requests using x-vercel-signature HMAC, and normalizes incoming payloads into consistent trigger inputs.

^{Reviewed by Cursor Bugbot for commit ee040aa. Configure here.}

vercel · 2026-04-06T17:57:32Z

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 6, 2026 7:20pm

greptile-apps · 2026-04-06T18:03:05Z

Greptile Summary

This PR adds 8 Vercel webhook triggers (deployment created/ready/error/canceled, project created/removed, domain created, and a generic all-events trigger) with automatic webhook lifecycle management — registration on trigger save and cleanup on trigger removal. The implementation closely follows established provider patterns from Ashby, Attio, and others: HMAC-SHA1 signature verification via createHmacVerifier, providerConfigUpdates for persisting externalId + webhookSecret, and formatInput to normalize Vercel's envelope payload into typed workflow inputs.

Previously flagged critical issues (discarded webhookSecret, missing verifyAuth) have been properly resolved
verifyAuth is correctly implemented using HMAC-SHA1 via the x-vercel-signature header and the createHmacVerifier factory
createSubscription stores both externalId and webhookSecret in providerConfigUpdates
deleteSubscription handles 404 gracefully (Vercel may have already cleaned up the webhook)
formatInput extracts all relevant fields from Vercel's webhook envelope (deployment, project, team, user, target, plan, domain)
All 8 triggers are registered in both triggers/registry.ts and lib/webhooks/providers/registry.ts; the Vercel block's triggers.available is updated accordingly
Two minor P2 items remain: (1) webhookSecret falls back to '' rather than throwing when absent, silently bypassing HMAC auth; (2) the non-ok path in deleteSubscription doesn't consume the response body

Confidence Score: 5/5

Safe to merge — the integration is functionally complete, all prior critical issues are resolved, and remaining findings are minor defensive-coding suggestions

All remaining findings are P2. HMAC auth, auto-registration, and cleanup are correctly implemented following the codebase's established provider patterns. The empty-string secret fallback is the only item worth addressing before shipping but does not block merge.

apps/sim/lib/webhooks/providers/vercel.ts — the webhookSecret empty-string fallback on lines 150–155 and the unconsumed response body on lines 192–199 are the only items to address

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/providers/vercel.ts	Core Vercel webhook provider: HMAC-SHA1 verifyAuth, auto-registration via POST /v1/webhooks, cleanup via DELETE — webhookSecret falls back to empty string if absent from API response
apps/sim/lib/webhooks/providers/registry.ts	Registers vercelHandler in PROVIDER_HANDLERS map under the 'vercel' key
apps/sim/triggers/vercel/utils.ts	Shared Vercel trigger utilities: trigger options dropdown, setup instructions HTML, extra form fields (apiKey with user-only visibility, optional teamId and filterProjectIds), and typed output builders
apps/sim/triggers/vercel/webhook.ts	Generic Vercel webhook trigger subscribing to all supported event types
apps/sim/triggers/vercel/deployment_created.ts	Deployment Created trigger — primary trigger with dropdown for selecting event type
apps/sim/triggers/vercel/deployment_ready.ts	Deployment Ready trigger config using shared deployment outputs
apps/sim/triggers/vercel/deployment_error.ts	Deployment Error trigger config using shared deployment outputs
apps/sim/triggers/vercel/deployment_canceled.ts	Deployment Canceled trigger config using shared deployment outputs
apps/sim/triggers/vercel/project_created.ts	Project Created trigger config using shared project outputs
apps/sim/triggers/vercel/project_removed.ts	Project Removed trigger config using shared project outputs
apps/sim/triggers/vercel/domain_created.ts	Domain Created trigger config using shared domain outputs
apps/sim/triggers/vercel/index.ts	Barrel export for all 8 Vercel trigger configs
apps/sim/triggers/registry.ts	All 8 Vercel triggers correctly registered in TRIGGER_REGISTRY
apps/sim/blocks/blocks/vercel.ts	Vercel block updated to expose all 8 webhook triggers in triggers.available

Sequence Diagram

sequenceDiagram
    actor User
    participant Sim
    participant VercelAPI as Vercel API
    participant VercelEvents as Vercel Event System

    User->>Sim: Configure trigger (apiKey, teamId, projectIds)
    Sim->>VercelAPI: POST /v1/webhooks (events, url, projectIds)
    VercelAPI-->>Sim: { id: webhookId, secret: webhookSecret }
    Sim->>Sim: Store externalId + webhookSecret in providerConfig

    Note over Sim,VercelEvents: Later, when a Vercel event occurs...

    VercelEvents->>Sim: POST /webhook-url (event payload + x-vercel-signature)
    Sim->>Sim: Verify HMAC-SHA1 signature (webhookSecret + raw body)
    alt Signature invalid
        Sim-->>VercelEvents: 401 Unauthorized
    else Signature valid
        Sim->>Sim: Extract payload fields (deployment, project, team, domain...)
        Sim->>Sim: Execute workflow with formatted input
        Sim-->>VercelEvents: 200 OK
    end

_{Reviews (6): Last reviewed commit: "fix(triggers): add paramVisibility user-..." | Re-trigger Greptile}

apps/sim/lib/webhooks/providers/vercel.ts

…eneric events

waleedlatif1 · 2026-04-06T18:16:42Z

@greptile

waleedlatif1 · 2026-04-06T18:16:47Z

@cursor review

apps/sim/lib/webhooks/providers/vercel.ts

…rphaned webhooks

waleedlatif1 · 2026-04-06T18:31:10Z

@greptile

waleedlatif1 · 2026-04-06T18:31:14Z

@cursor review

apps/sim/lib/webhooks/providers/vercel.ts

waleedlatif1 · 2026-04-06T18:49:43Z

@greptile

waleedlatif1 · 2026-04-06T18:49:47Z

@cursor review

apps/sim/lib/webhooks/providers/vercel.ts

…ck for Vercel webhooks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

waleedlatif1 · 2026-04-06T19:05:19Z

@greptile

waleedlatif1 · 2026-04-06T19:05:23Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit c637317. Configure here.}

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

waleedlatif1 · 2026-04-06T19:21:53Z

@greptile

waleedlatif1 · 2026-04-06T19:21:57Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit ee040aa. Configure here.}

…on (#3988) * feat(triggers): add Vercel webhook triggers with automatic registration * fix(triggers): add Vercel webhook signature verification and expand generic events * fix(triggers): validate Vercel webhook ID before storing to prevent orphaned webhooks * fix(triggers): add triggerId validation warning and JSON parse fallback for Vercel webhooks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(triggers): add paramVisibility user-only to Vercel apiKey subblock Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

feat(triggers): add Vercel webhook triggers with automatic registration

820ad85

greptile-apps bot reviewed Apr 6, 2026

View reviewed changes

apps/sim/lib/webhooks/providers/vercel.ts Outdated Show resolved Hide resolved

apps/sim/lib/webhooks/providers/vercel.ts Show resolved Hide resolved