Update Rootly webhook configuration to use URL token parameter

[naomi-robusta]

Summary

Updated the Rootly webhook integration documentation to pass the Robusta API key as a URL parameter instead of a custom HTTP header, since Rootly webhooks don't support custom outgoing headers.

Key Changes

• Modified the webhook URL to include &token=<ROBUSTA_API_KEY> parameter
• Removed the custom Authorization: Bearer header configuration step
• Added a note explaining why the token must be passed as a URL parameter rather than a header
• Added clarification text for replacing placeholder values (<ACCOUNT_ID> and <ROBUSTA_API_KEY>)
• Renumbered the remaining configuration steps after removing the header step

Implementation Details

• The API key is now passed directly in the webhook URL as a query parameter, which is the only viable approach given Rootly's webhook limitations
• The documentation now clearly explains this constraint to users
• All other webhook configuration steps remain functionally the same

https://claude.ai/code/session_013L7mUcwgJHs1xc32xyTB5F

[github-actions]

✅ Docker image ready for a1a0c30 (built in 2m 51s)

• us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:a1a0c30

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.

📋 Copy commands

⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:a1a0c30
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:a1a0c30 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:a1a0c30
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:a1a0c30

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:a1a0c30

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b340bd9f-f6e8-466a-86cc-497b8a97289a

📥 Commits

Reviewing files that changed from the base of the PR and between 93eaeca and 71f0cca.

📒 Files selected for processing (1)

• docs/configuration/exporting/send-events/rootly.rst

💤 Files with no reviewable changes (1)

• docs/configuration/exporting/send-events/rootly.rst

---

Walkthrough

Updated Rootly webhook docs to pass the Robusta API key as token=<ROBUSTA_API_KEY> in the outgoing webhook URL (with type, origin, and account_id), removed the custom Authorization header configuration step, and renumbered steps while keeping alert subscription guidance.

Changes

Rootly webhook authentication configuration

Layer / File(s)	Summary
Webhook URL token authentication and setup steps docs/configuration/exporting/send-events/rootly.rst	Updated example webhook URL to include token=<ROBUSTA_API_KEY> and account_id, removed the instruction to add a custom Authorization header, adjusted step numbering, and retained guidance to subscribe to alert.* events.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• robusta-dev/robusta#2091: Modifies the same Rootly webhook documentation file, updating the authentication mechanism from custom Authorization header to token query parameter approach.

Suggested reviewers

• Sheeproid

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating Rootly webhook configuration to use a URL token parameter instead of a custom HTTP header.
Description check	✅ Passed	The description is directly related to the changeset, providing clear context about the motivation, key changes, and implementation details of the Rootly webhook documentation update.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/hopeful-goldberg-4atkM

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

docs/configuration/exporting/send-events/rootly.rst (1)

23-26: ⚡ Quick win

Add a security caveat for token-in-URL authentication.

Since the API key is now embedded in the URL, please add a short warning to avoid logging/sharing full webhook URLs and to rotate the key if exposure is suspected. This reduces accidental secret leakage risk in logs and screenshots.

Suggested doc patch

 .. note::
 
    Rootly outgoing webhooks **do not let you add custom outgoing HTTP headers**, so the Robusta API key goes in the ``&token=`` URL parameter rather than an ``Authorization`` header.
+   Treat the full webhook URL as a secret (it contains credentials): avoid exposing it in logs/screenshots and rotate the API key if it may have been disclosed.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/configuration/exporting/send-events/rootly.rst` around lines 23 - 26,
Add a short security caveat immediately after the existing note that begins
"Rootly outgoing webhooks **do not let you add custom outgoing HTTP headers**"
warning that embedding the API key in the URL can leak secrets; instruct readers
not to log, share, or commit full webhook URLs (e.g., avoid printing the &token=
URL), and advise rotating the API key immediately if exposure is suspected to
mitigate accidental secret leakage in logs/screenshots.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/configuration/exporting/send-events/rootly.rst`:
- Around line 23-26: Add a short security caveat immediately after the existing
note that begins "Rootly outgoing webhooks **do not let you add custom outgoing
HTTP headers**" warning that embedding the API key in the URL can leak secrets;
instruct readers not to log, share, or commit full webhook URLs (e.g., avoid
printing the &token= URL), and advise rotating the API key immediately if
exposure is suspected to mitigate accidental secret leakage in logs/screenshots.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ab51a7b6-817e-4a96-8490-516b79062b36

📥 Commits

Reviewing files that changed from the base of the PR and between f0861b1 and 93eaeca.

📒 Files selected for processing (1)

• docs/configuration/exporting/send-events/rootly.rst