feat(wfe-server): headless workflow server with gRPC, webhooks, and OIDC auth

Single-binary server exposing the WFE engine over gRPC (13 RPCs) with
HTTP webhook support (GitHub, Gitea, generic events).

Features:
- gRPC API: workflow CRUD, lifecycle event streaming, log streaming,
  log search via OpenSearch
- HTTP webhooks: HMAC-SHA256 verified GitHub/Gitea webhooks with
  configurable triggers that auto-start workflows
- OIDC/JWT auth: discovers JWKS from issuer, validates with asymmetric
  algorithm allowlist to prevent algorithm confusion attacks
- Static bearer token auth with constant-time comparison
- Lifecycle event broadcasting via tokio::broadcast
- Log streaming: real-time stdout/stderr via LogSink trait, history
  replay, follow mode
- Log search: full-text search via OpenSearch with workflow/step/stream
  filters
- Layered config: CLI flags > env vars > TOML file
- Fail-closed on OIDC discovery failure, fail-loud on config parse errors
- 2MB webhook payload size limit
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.)