Use GitHub package events (package.published) so that Dockrev checks matching services first; it only falls back to discovery when no managed service matches or the payload can only identify the owner.
| Field | Purpose | Notes |
|---|---|---|
| Enable | Turns GHCR webhook integration on/off. | When disabled, Dockrev will not sync or consume GHCR webhooks. |
| GitHub PAT (leave empty to keep current) | Used to resolve owner/repo targets and sync repository webhooks. | Empty input does not clear saved PAT; enter a new PAT and save to rotate it. |
| Callback URL | Webhook endpoint used by GitHub. | Must be publicly reachable HTTPS, typically https://<your-domain>/api/webhooks/github-packages. |
| Repos / Add Repo | Manage tracked repositories. | Accepts owner/repo, org/repo, https://github.com/org/repo, https://github.com/<owner>. |
| Resolve and Add | Resolves input to repository candidates and appends them. | Depends on PAT scope and GitHub API reachability. |
| Search owner/repo | Filter the tracked repository list. | UI-only filtering; does not change webhook config itself. |
| Selected state | Marks repos that should participate in webhook sync. | Only selected repos get created/updated webhooks. |
- selected=true).
- created/noop/updated results.
- package.published) and confirm matching services enqueue check.service jobs in Dockrev Queue/logs; only zero-match or owner-only payloads should fall back to one discovery job.
- package.published hits a managed repo, Dockrev enqueues check.service per matching service (reason=webhook) instead of going straight to global discovery.
- X-GitHub-Delivery; if a matching service already has a queued/running check, Dockrev reuses that job, and fallback discovery also reuses the existing global discovery job.
- reason=webhook check finds new versions, Dockrev sends the same new_version_discovered schema as scheduled checks. UI-triggered manual checks stay silent.

This is the smallest configuration that actually works in production-like setups.
| Item | Recommended value |
|---|---|
| Enable | ON |
| GitHub PAT | Classic PAT: repo + admin:repo_hook (public-only repos can use public_repo + admin:repo_hook) |
| Callback URL | https://<your-domain>/api/webhooks/github-packages (example: https://dockrev.ivanli.cc/api/webhooks/github-packages) |
| Add Repo | Enter owner/repo (example: ivanli-cn/dockrev) then click Resolve and Add |
| selected | At least 1 repository selected (repos_selected_total > 0) |
| Sync webhook | Result must be created / updated / noop (no error or conflict) |
Fine-grained PAT also works: grant repository Webhooks permission (write) and ensure repo listing is allowed (at least Metadata read).
Dockrev uses these GitHub APIs in the GHCR webhook flow:
- GET /orgs/{owner}/repos, GET /users/{owner}/repos (resolve owner/profile to repository list)
- GET/POST/PATCH/DELETE /repos/{owner}/{repo}/hooks (read/create/update/delete webhooks)

So configure PAT with one of the following:

- repo + admin:repo_hook
- public_repo + admin:repo_hook

When creating the token, set:

- Webhooks: Read and write
- Metadata: Read-only

Packages permission is not required for webhook sync itself; this feature manages repository webhooks.
- ghp_...).
- 0 anymore).
- created/updated/noop.
- Settings -> Webhooks, callback exists with package event.
- check.service for matching services; if no managed service matches that repo, Dockrev falls back to a single discovery job.
- POST /api/webhooks/github-packages.
- curl without a GitHub signature often returns 400/401; this is expected.
- 401 invalid_signature: webhook secret mismatch/signature failure
- 422: PAT missing or insufficient permission
- conflict: duplicate webhook entries detected; resolve and retry
- 0: repos were not added successfully, or they were not selected.

Dockrev supports:

- smtpUrl with to/from query)

Then configure keys in Settings and test browser subscription.
/api/webhooks/trigger can be used by external systems to trigger check/update.
- X-Dockrev-Webhook-Secret
- action, scope, optional stackId/serviceId
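The receiver-side checks behind the 401 invalid_signature result and the X-GitHub-Delivery de-duplication described for the GHCR webhook, as an added example that is not Dockrev's own code. X-Hub-Signature-256 is GitHub's standard HMAC-SHA256 header; the `Receiver` class, the status codes other than 401, the `services` map and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-secret"  # constructed sample value, not a real secret
BODY = json.dumps({"action": "published",
                   "repository": {"full_name": "example-org/app"}}).encode()

def sign(secret, body):
    """Value GitHub puts in X-Hub-Signature-256 for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

class Receiver:
    """Hypothetical model of a package-webhook endpoint (not Dockrev's code)."""

    def __init__(self, secret, services):
        self.secret = secret
        self.services = services  # "owner/repo" -> managed service ids (assumed shape)
        self.seen = set()         # X-GitHub-Delivery ids already accepted
        self.queue = []           # queued jobs: (job_type, target, reason)

    def handle(self, headers, body):
        sig = headers.get("X-Hub-Signature-256")
        if sig is None:
            return 400, "missing_signature"  # status code is an assumption
        # Verify over the raw bytes before parsing, using a constant-time compare.
        if not hmac.compare_digest(sig.encode(), sign(self.secret, body).encode()):
            return 401, "invalid_signature"
        delivery = headers.get("X-GitHub-Delivery")
        if not delivery:
            return 400, "missing_delivery_id"
        if delivery in self.seen:            # redelivery: do nothing twice
            return 200, "duplicate_delivery"
        self.seen.add(delivery)
        event = json.loads(body)
        if headers.get("X-GitHub-Event") != "package" or event.get("action") != "published":
            return 200, "ignored"
        repo = (event.get("repository") or {}).get("full_name")
        matches = self.services.get(repo, [])
        for svc in matches:                  # one check per matching service
            self._enqueue(("check.service", svc, "webhook"))
        if not matches:                      # zero-match: single discovery job
            self._enqueue(("discovery", None, "webhook"))
        return 202, "queued"

    def _enqueue(self, job):
        if job not in self.queue:            # reuse a job that is already queued
            self.queue.append(job)
```

Header names are matched case-sensitively here to keep the model short; a real HTTP stack normalizes them.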