feat(triggers): auto-register GitLab, PagerDuty, and Zendesk webhooks

Replace the manual-registration model with automatic webhook creation on
deploy and cleanup on undeploy, via createSubscription/deleteSubscription
on each provider handler:

- GitLab: POST /projects/:id/hooks with a Personal Access Token; generates
  the secret token (stored for X-Gitlab-Token verification) and enables only
  the event flags for the selected trigger. Deletes the hook on undeploy.
- PagerDuty: POST /webhook_subscriptions (account-scoped) with a REST API
  key; captures delivery_method.secret (returned only on create) for
  X-PagerDuty-Signature verification. Deletes the subscription on undeploy.
- Zendesk: POST /api/v2/webhooks with native event subscriptions, then GET
  /webhooks/:id/signing_secret for X-Zendesk-Webhook-Signature verification.
  Deletes the webhook on undeploy.

Trigger config now collects the provider credentials (user-only) instead of a
pasted signing secret; the signing secret is generated or fetched and stored
in providerConfig by the orchestration layer (no route/deploy changes).

Author: waleedlatif1

apps/sim/lib/webhooks/providers/gitlab.ts

@@ -1,20 +1,31 @@
 import { createLogger } from '@sim/logger'
 import { safeCompare } from '@sim/security/compare'
+import { generateId } from '@sim/utils/id'
 import { NextResponse } from 'next/server'
+import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
 import type {
   AuthContext,
+  DeleteSubscriptionContext,
   EventMatchContext,
   FormatInputContext,
   FormatInputResult,
+  SubscriptionContext,
+  SubscriptionResult,
   WebhookProviderHandler,
 } from '@/lib/webhooks/providers/types'
 
 const logger = createLogger('WebhookProvider:GitLab')
 
+const GITLAB_API_BASE = 'https://gitlab.com/api/v4'
+
 function asRecord(value: unknown): Record<string, unknown> {
   return (value as Record<string, unknown>) || {}
 }
 
+function gitlabProjectHooksUrl(projectId: string): string {
+  return `${GITLAB_API_BASE}/projects/${encodeURIComponent(projectId)}/hooks`
+}
+
 export const gitlabHandler: WebhookProviderHandler = {
   /**
    * GitLab echoes the configured "Secret token" verbatim in the `X-Gitlab-Token`
@@ -65,4 +76,80 @@ export const gitlabHandler: WebhookProviderHandler = {
       input: { ...b, event_type: eventType, branch },
     }
   },
+
+  async createSubscription(ctx: SubscriptionContext): Promise<SubscriptionResult | undefined> {
+    const config = getProviderConfig(ctx.webhook)
+    const accessToken = config.accessToken as string | undefined
+    const projectId = config.projectId as string | undefined
+    const triggerId = config.triggerId as string | undefined
+
+    if (!accessToken)
+      throw new Error('GitLab Personal Access Token is required to create the webhook.')
+    if (!projectId) throw new Error('GitLab Project ID is required to create the webhook.')
+
+    const { getGitLabEventFlags } = await import('@/triggers/gitlab/utils')
+    const secretToken = generateId()
+    const res = await fetch(gitlabProjectHooksUrl(projectId), {
+      method: 'POST',
+      headers: { 'PRIVATE-TOKEN': accessToken, 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        url: getNotificationUrl(ctx.webhook),
+        token: secretToken,
+        enable_ssl_verification: true,
+        ...getGitLabEventFlags(triggerId ?? 'gitlab_webhook'),
+      }),
+    })
+
+    if (!res.ok) {
+      const detail = await res.text().catch(() => '')
+      logger.error(`[${ctx.requestId}] Failed to create GitLab webhook (${res.status})`, { detail })
+      if (res.status === 401)
+        throw new Error(
+          'GitLab authentication failed. Verify your Personal Access Token has the api scope.'
+        )
+      if (res.status === 403)
+        throw new Error(
+          'GitLab access denied. You need the Maintainer or Owner role on the project.'
+        )
+      if (res.status === 404) throw new Error('GitLab project not found. Verify the Project ID.')
+      throw new Error(`Failed to create GitLab webhook: ${res.status}`)
+    }
+
+    const created = (await res.json().catch(() => ({}))) as { id?: number | string }
+    if (created.id === undefined || created.id === null) {
+      throw new Error('GitLab webhook created but no hook ID was returned.')
+    }
+
+    logger.info(`[${ctx.requestId}] Created GitLab webhook ${created.id} for project ${projectId}`)
+    return { providerConfigUpdates: { externalId: String(created.id), webhookSecret: secretToken } }
+  },
+
+  async deleteSubscription(ctx: DeleteSubscriptionContext): Promise<void> {
+    const config = getProviderConfig(ctx.webhook)
+    const accessToken = config.accessToken as string | undefined
+    const projectId = config.projectId as string | undefined
+    const externalId = config.externalId as string | undefined
+
+    if (!accessToken || !projectId || !externalId) {
+      if (ctx.strict) throw new Error('Missing GitLab credentials or hook ID for webhook deletion.')
+      logger.warn(
+        `[${ctx.requestId}] Skipping GitLab webhook cleanup — missing token, project, or hook ID`
+      )
+      return
+    }
+
+    const res = await fetch(`${gitlabProjectHooksUrl(projectId)}/${externalId}`, {
+      method: 'DELETE',
+      headers: { 'PRIVATE-TOKEN': accessToken },
+    })
+
+    if (!res.ok && res.status !== 404) {
+      if (ctx.strict) throw new Error(`Failed to delete GitLab webhook: ${res.status}`)
+      logger.warn(
+        `[${ctx.requestId}] Failed to delete GitLab webhook ${externalId} (non-fatal): ${res.status}`
+      )
+      return
+    }
+    logger.info(`[${ctx.requestId}] Deleted GitLab webhook ${externalId}`)
+  },
 }

apps/sim/lib/webhooks/providers/pagerduty.ts

@@ -1,16 +1,31 @@
 import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { safeCompare } from '@sim/security/compare'
+import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
 import type {
+  DeleteSubscriptionContext,
   EventMatchContext,
   FormatInputContext,
   FormatInputResult,
+  SubscriptionContext,
+  SubscriptionResult,
   WebhookProviderHandler,
 } from '@/lib/webhooks/providers/types'
 import { createHmacVerifier } from '@/lib/webhooks/providers/utils'
 
 const logger = createLogger('WebhookProvider:PagerDuty')
 
+const PAGERDUTY_API_BASE = 'https://api.pagerduty.com'
+
+/** Shared headers for PagerDuty REST API calls (the v2 Accept header is required). */
+function pagerdutyHeaders(apiKey: string): Record<string, string> {
+  return {
+    Authorization: `Token token=${apiKey}`,
+    'Content-Type': 'application/json',
+    Accept: 'application/vnd.pagerduty+json;version=2',
+  }
+}
+
 /**
  * PagerDuty V3 signs the raw body with HMAC-SHA256 and sends it in the
  * `X-PagerDuty-Signature` header as one or more comma-separated `v1=<hex>`
@@ -96,4 +111,81 @@ export const pagerdutyHandler: WebhookProviderHandler = {
     const event = asRecord(asRecord(body).event)
     return (event.id as string | undefined) || null
   },
+
+  async createSubscription(ctx: SubscriptionContext): Promise<SubscriptionResult | undefined> {
+    const config = getProviderConfig(ctx.webhook)
+    const apiKey = config.apiKey as string | undefined
+    const triggerId = config.triggerId as string | undefined
+
+    if (!apiKey)
+      throw new Error('PagerDuty API Key is required to create the webhook subscription.')
+
+    const { getPagerDutyEvents } = await import('@/triggers/pagerduty/utils')
+    const res = await fetch(`${PAGERDUTY_API_BASE}/webhook_subscriptions`, {
+      method: 'POST',
+      headers: pagerdutyHeaders(apiKey),
+      body: JSON.stringify({
+        webhook_subscription: {
+          type: 'webhook_subscription',
+          delivery_method: { type: 'http_delivery_method', url: getNotificationUrl(ctx.webhook) },
+          events: getPagerDutyEvents(triggerId ?? 'pagerduty_webhook'),
+          filter: { type: 'account_reference' },
+        },
+      }),
+    })
+
+    if (!res.ok) {
+      const detail = await res.text().catch(() => '')
+      logger.error(`[${ctx.requestId}] Failed to create PagerDuty webhook (${res.status})`, {
+        detail,
+      })
+      if (res.status === 401)
+        throw new Error('PagerDuty authentication failed. Verify your REST API key.')
+      if (res.status === 403)
+        throw new Error('PagerDuty access denied. The API key must have read/write access.')
+      throw new Error(`Failed to create PagerDuty webhook subscription: ${res.status}`)
+    }
+
+    const created = asRecord((await res.json().catch(() => ({}))) as unknown)
+    const subscription = asRecord(created.webhook_subscription)
+    const externalId = subscription.id as string | undefined
+    const secret = asRecord(subscription.delivery_method).secret as string | undefined
+
+    if (!externalId)
+      throw new Error('PagerDuty webhook created but no subscription ID was returned.')
+    if (!secret) {
+      throw new Error('PagerDuty webhook created but no signing secret was returned on creation.')
+    }
+
+    logger.info(`[${ctx.requestId}] Created PagerDuty webhook subscription ${externalId}`)
+    return { providerConfigUpdates: { externalId, webhookSecret: secret } }
+  },
+
+  async deleteSubscription(ctx: DeleteSubscriptionContext): Promise<void> {
+    const config = getProviderConfig(ctx.webhook)
+    const apiKey = config.apiKey as string | undefined
+    const externalId = config.externalId as string | undefined
+
+    if (!apiKey || !externalId) {
+      if (ctx.strict) throw new Error('Missing PagerDuty API key or subscription ID for deletion.')
+      logger.warn(
+        `[${ctx.requestId}] Skipping PagerDuty webhook cleanup — missing API key or subscription ID`
+      )
+      return
+    }
+
+    const res = await fetch(`${PAGERDUTY_API_BASE}/webhook_subscriptions/${externalId}`, {
+      method: 'DELETE',
+      headers: pagerdutyHeaders(apiKey),
+    })
+
+    if (!res.ok && res.status !== 404) {
+      if (ctx.strict) throw new Error(`Failed to delete PagerDuty webhook: ${res.status}`)
+      logger.warn(
+        `[${ctx.requestId}] Failed to delete PagerDuty webhook ${externalId} (non-fatal): ${res.status}`
+      )
+      return
+    }
+    logger.info(`[${ctx.requestId}] Deleted PagerDuty webhook subscription ${externalId}`)
+  },
 }

apps/sim/lib/webhooks/providers/zendesk.ts

@@ -2,11 +2,15 @@ import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { safeCompare } from '@sim/security/compare'
 import { NextResponse } from 'next/server'
+import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
 import type {
   AuthContext,
+  DeleteSubscriptionContext,
   EventMatchContext,
   FormatInputContext,
   FormatInputResult,
+  SubscriptionContext,
+  SubscriptionResult,
   WebhookProviderHandler,
 } from '@/lib/webhooks/providers/types'
 
@@ -16,6 +20,16 @@ function asRecord(value: unknown): Record<string, unknown> {
   return (value as Record<string, unknown>) || {}
 }
 
+/** Zendesk API base for a subdomain. */
+function zendeskApiBase(subdomain: string): string {
+  return `https://${subdomain}.zendesk.com/api/v2`
+}
+
+/** Basic auth header for the Zendesk API-token scheme (`email/token:apiToken`). */
+function zendeskAuthHeader(email: string, apiToken: string): string {
+  return `Basic ${Buffer.from(`${email}/token:${apiToken}`).toString('base64')}`
+}
+
 /** Maximum allowed clock skew (5 minutes) between Zendesk's signed timestamp and now, per Zendesk docs. */
 const ZENDESK_TIMESTAMP_MAX_SKEW_MS = 5 * 60 * 1000
 
@@ -130,4 +144,101 @@ export const zendeskHandler: WebhookProviderHandler = {
   extractIdempotencyId(body: unknown) {
     return (asRecord(body).id as string | undefined) || null
   },
+
+  async createSubscription(ctx: SubscriptionContext): Promise<SubscriptionResult | undefined> {
+    const config = getProviderConfig(ctx.webhook)
+    const subdomain = config.subdomain as string | undefined
+    const email = config.email as string | undefined
+    const apiToken = config.apiToken as string | undefined
+    const triggerId = config.triggerId as string | undefined
+
+    if (!subdomain) throw new Error('Zendesk subdomain is required to create the webhook.')
+    if (!email) throw new Error('Zendesk admin email is required to create the webhook.')
+    if (!apiToken) throw new Error('Zendesk API token is required to create the webhook.')
+
+    const { getZendeskSubscriptions } = await import('@/triggers/zendesk/utils')
+    const apiBase = zendeskApiBase(subdomain)
+    const authHeader = zendeskAuthHeader(email, apiToken)
+
+    const createRes = await fetch(`${apiBase}/webhooks`, {
+      method: 'POST',
+      headers: { Authorization: authHeader, 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        webhook: {
+          name: `Sim webhook (${ctx.webhook.id})`,
+          endpoint: getNotificationUrl(ctx.webhook),
+          http_method: 'POST',
+          request_format: 'json',
+          status: 'active',
+          subscriptions: getZendeskSubscriptions(triggerId ?? 'zendesk_webhook'),
+        },
+      }),
+    })
+
+    if (!createRes.ok) {
+      const detail = await createRes.text().catch(() => '')
+      logger.error(`[${ctx.requestId}] Failed to create Zendesk webhook (${createRes.status})`, {
+        detail,
+      })
+      if (createRes.status === 401 || createRes.status === 403) {
+        throw new Error(
+          'Zendesk authentication failed. Verify the subdomain, admin email, and API token.'
+        )
+      }
+      throw new Error(`Failed to create Zendesk webhook: ${createRes.status}`)
+    }
+
+    const created = asRecord((await createRes.json().catch(() => ({}))) as unknown)
+    const externalId = asRecord(created.webhook).id as string | undefined
+    if (!externalId) throw new Error('Zendesk webhook created but no webhook ID was returned.')
+
+    const secretRes = await fetch(`${apiBase}/webhooks/${externalId}/signing_secret`, {
+      headers: { Authorization: authHeader },
+    })
+    if (!secretRes.ok) {
+      const detail = await secretRes.text().catch(() => '')
+      logger.error(
+        `[${ctx.requestId}] Created Zendesk webhook ${externalId} but failed to fetch signing secret (${secretRes.status})`,
+        { detail }
+      )
+      throw new Error(`Failed to fetch Zendesk signing secret: ${secretRes.status}`)
+    }
+
+    const secretBody = asRecord((await secretRes.json().catch(() => ({}))) as unknown)
+    const secret = asRecord(secretBody.signing_secret).secret as string | undefined
+    if (!secret) throw new Error('Zendesk did not return a signing secret for the webhook.')
+
+    logger.info(`[${ctx.requestId}] Created Zendesk webhook ${externalId}`)
+    return { providerConfigUpdates: { externalId, webhookSecret: secret } }
+  },
+
+  async deleteSubscription(ctx: DeleteSubscriptionContext): Promise<void> {
+    const config = getProviderConfig(ctx.webhook)
+    const subdomain = config.subdomain as string | undefined
+    const email = config.email as string | undefined
+    const apiToken = config.apiToken as string | undefined
+    const externalId = config.externalId as string | undefined
+
+    if (!subdomain || !email || !apiToken || !externalId) {
+      if (ctx.strict) throw new Error('Missing Zendesk credentials or webhook ID for deletion.')
+      logger.warn(
+        `[${ctx.requestId}] Skipping Zendesk webhook cleanup — missing credentials or webhook ID`
+      )
+      return
+    }
+
+    const res = await fetch(`${zendeskApiBase(subdomain)}/webhooks/${externalId}`, {
+      method: 'DELETE',
+      headers: { Authorization: zendeskAuthHeader(email, apiToken) },
+    })
+
+    if (!res.ok && res.status !== 404) {
+      if (ctx.strict) throw new Error(`Failed to delete Zendesk webhook: ${res.status}`)
+      logger.warn(
+        `[${ctx.requestId}] Failed to delete Zendesk webhook ${externalId} (non-fatal): ${res.status}`
+      )
+      return
+    }
+    logger.info(`[${ctx.requestId}] Deleted Zendesk webhook ${externalId}`)
+  },
 }

apps/sim/triggers/gitlab/comment.ts

@@ -18,7 +18,7 @@ export const gitlabCommentTrigger: TriggerConfig = {
   subBlocks: buildTriggerSubBlocks({
     triggerId: 'gitlab_comment',
     triggerOptions: gitlabTriggerOptions,
-    setupInstructions: gitlabSetupInstructions('Comment', 'Comments'),
+    setupInstructions: gitlabSetupInstructions('Comment'),
     extraFields: buildGitLabExtraFields('gitlab_comment'),
   }),
   outputs: buildGitLabCommentOutputs(),

apps/sim/triggers/gitlab/issue.ts

@@ -18,7 +18,7 @@ export const gitlabIssueTrigger: TriggerConfig = {
   subBlocks: buildTriggerSubBlocks({
     triggerId: 'gitlab_issue',
     triggerOptions: gitlabTriggerOptions,
-    setupInstructions: gitlabSetupInstructions('Issue', 'Issues events'),
+    setupInstructions: gitlabSetupInstructions('Issue'),
     extraFields: buildGitLabExtraFields('gitlab_issue'),
   }),
   outputs: buildGitLabIssueOutputs(),

apps/sim/triggers/gitlab/merge_request.ts

@@ -18,7 +18,7 @@ export const gitlabMergeRequestTrigger: TriggerConfig = {
   subBlocks: buildTriggerSubBlocks({
     triggerId: 'gitlab_merge_request',
     triggerOptions: gitlabTriggerOptions,
-    setupInstructions: gitlabSetupInstructions('Merge Request', 'Merge request events'),
+    setupInstructions: gitlabSetupInstructions('Merge Request'),
     extraFields: buildGitLabExtraFields('gitlab_merge_request'),
   }),
   outputs: buildGitLabMergeRequestOutputs(),

apps/sim/triggers/gitlab/pipeline.ts

@@ -18,7 +18,7 @@ export const gitlabPipelineTrigger: TriggerConfig = {
   subBlocks: buildTriggerSubBlocks({
     triggerId: 'gitlab_pipeline',
     triggerOptions: gitlabTriggerOptions,
-    setupInstructions: gitlabSetupInstructions('Pipeline', 'Pipeline events'),
+    setupInstructions: gitlabSetupInstructions('Pipeline'),
     extraFields: buildGitLabExtraFields('gitlab_pipeline'),
   }),
   outputs: buildGitLabPipelineOutputs(),