add option to restrict handling of GH payloads to certain repo urls

lib/action.ml

@@ -223,6 +223,11 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
       let signing_key = Context.gh_hook_token_of_secrets secrets repo.url in
       Github.validate_signature ?signing_key ~headers body
     in
+    let repo_is_allowed secrets payload =
+      let repo = Github.repo_of_notification payload in
+      let allowed_repositories = secrets.allowed_repositories in
+      List.is_empty allowed_repositories || List.exists allowed_repositories ~f:(String.equal repo.url)
+    in
     try%lwt
       let secrets = Context.get_secrets_exn ctx in
       match Github.parse_exn headers body with
@@ -231,6 +236,9 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
       match validate_signature secrets payload with
       | Error e -> action_error e
       | Ok () ->
+      match repo_is_allowed secrets payload with
+      | false -> action_error "unsupported repository"
+      | true ->
         ( match%lwt refresh_repo_config ctx payload with
         | Error e -> action_error e
         | Ok () ->

lib/config.atd

@@ -49,4 +49,5 @@ type secrets = {
   ?gh_token : string option; (* GitHub personal access token, if repo access requires it *)
   ?gh_hook_token : string option; (* GitHub webhook token to secure the webhook *)
   ~repositories <ocaml default="Common.StringMap.empty"> : gh_repo_secrets map_as_object;
+  ~allowed_repositories <ocaml default="[]"> : string list; (* whitelist of repository URLs to handle notifications for *)
 }