docs: clarify GitHub webhook setup (org vs repo) and warn about duplicate notifications

[ewwollesen]

Summary

Documentation-only update to the GitHub plugin integration guide (source/integrations-guide/github.rst), in the Manual configuration tab under Create a webhook in GitHub.

The guide previously said to "create a webhook in GitHub for each GitHub organization you want to set up", which (a) implied org-level webhooks were the only/expected approach, (b) didn't mention that repository-level webhooks work equally well, and (c) gave no warning that overlapping webhooks cause duplicated notifications.

This change replaces that single sentence with guidance that:

• Both organization-level and repository-level webhooks are valid and supported. The plugin's webhook handler authenticates each delivery with the configured Webhook Secret and routes purely on the repository in the event payload — it doesn't care whether the delivering webhook is org-scoped or repo-scoped. The setup wizard can also create org-level hooks, so org-level is a first-class path.
• Exactly one webhook must deliver a given repository's events (added as an .. important:: admonition). There is no cross-webhook de-duplication — each delivery is a distinct event and the plugin posts once per delivery — so a repository covered by both an org-level and a repo-level webhook (or by duplicate webhooks) produces duplicate notifications.
• A .. note:: documents the misleading No webhook was found for this repository or organization message shown when subscribing to a specific repo (/github subscribe owner/repository) while relying on an org-level webhook. The plugin's existence check only lists repository-level hooks, so the message is informational and doesn't mean events are missing.

Step 1 of the numbered setup steps was lightly tweaked to clarify the Settings page can be your organization or a specific repository. The remaining numbered steps (Payload URL, Content Type, Secret, event selection) are unchanged.

Motivation

Support ticket 51590: a multi-node HA customer saw the same GitHub event posted multiple times (triple-posted) in Mattermost. Root cause was configuration — several repository-level webhooks plus an organization-level webhook all firing for the same repo. GitHub sends one delivery per webhook and the plugin posts once per delivery, so overlapping webhooks produce duplicate notifications. The fix is configuration (one webhook per repository's events); this PR documents that so customers can self-diagnose and avoid it.

Verified the documented behavior against the plugin source (mattermost/mattermost-plugin-github, tag v2.7.0): handleWebhook / GetSubscribedChannelsForRepository (scope-agnostic routing), flows.go (Organizations.CreateHook for org-level setup), and checkIfConfiguredWebhookExists in command.go (repo-level-only existence check).

Type

Documentation-only. No plugin source is modified.

Related follow-up (separate, not in this PR)

The plugin's checkIfConfiguredWebhookExists (server/plugin/command.go) only lists repository-level hooks when a user subscribes to a specific repo, so it never detects an org-level webhook that is correctly delivering events — which is why the misleading "No webhook was found…" note appears. A code fix to also check org-level hooks on a repo subscription is being tracked separately (to be filed as a Jira/GitHub issue), not in this documentation PR.

Testing

Validated the edited RST structurally with docutils (the .. important:: and .. note:: admonitions and bullet lists parse with zero system messages; only the Sphinx-specific .. tab:: directive is non-standard). The full Sphinx build environment (Python 3.12 / pipenv) was not bootstrapped locally; CI will run the full gmake html build.

🤖 Generated with Claude Code

[coderabbitai]

📝 Walkthrough

Walkthrough

The "Create a webhook in GitHub" section in the GitHub integration guide is updated to support both organization-level and repository-level webhook creation. An "important" warning is added about avoiding duplicate webhooks, and a note is added explaining the plugin's false-negative "No webhook was found" message when using organization-level webhooks.

Changes

GitHub Webhook Documentation

Layer / File(s)

Summary

Expanded webhook setup instructions source/integrations-guide/github.rst

Replaces per-organization-only webhook guidance with instructions covering both organization-level and repository-level options. Adds an "important" warning that exactly one webhook must deliver events per repository to prevent duplicate notifications. Adds a note that the plugin may incorrectly report "No webhook was found for this repository or organization" when an organization-level webhook is used, because the plugin checks only repository-level webhooks, while events may still be delivered correctly.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: clarifying GitHub webhook setup with organization vs repository options and warning about duplicate notifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description clearly details documentation changes to the GitHub plugin integration guide, explaining the rationale for updating webhook configuration guidance and addressing a specific support issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/github-webhook-org-vs-repo-duplicates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

source/integrations-guide/github.rst (1)

80-82: ⚡ Quick win

Clarify the note's advice to align with the "only one webhook" requirement.

The final sentence—"To avoid the message, add a repository-level webhook for that repository"—could be misunderstood as adding a repository-level webhook in addition to the organization-level webhook you already have. Since the preceding .. important:: block explicitly requires only one webhook per repository, this phrasing should clarify that users should replace the organization-level webhook with a repository-level one, not add both.

Suggested clarification

Replace the final sentence with one of the following:

Option 1 (direct):

-    To avoid the message, add a repository-level webhook for that repository.
+    To avoid the message while maintaining only one webhook per repository, switch from using an organization-level webhook to a repository-level webhook for that repository instead.

Option 2 (concise):

-    To avoid the message, add a repository-level webhook for that repository.
+    To avoid the message, use a repository-level webhook instead.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@source/integrations-guide/github.rst` around lines 80 - 82, The final
sentence of the note starting with "To avoid the message, add a repository-level
webhook for that repository" is ambiguous and could be misinterpreted as
instructing users to add a repository-level webhook in addition to the existing
organization-level webhook. Since the preceding important block requires only
one webhook per repository, reword this sentence to explicitly clarify that
users should replace the organization-level webhook with a repository-level
webhook for that specific repository, not add both.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@source/integrations-guide/github.rst`:
- Around line 80-82: The final sentence of the note starting with "To avoid the
message, add a repository-level webhook for that repository" is ambiguous and
could be misinterpreted as instructing users to add a repository-level webhook
in addition to the existing organization-level webhook. Since the preceding
important block requires only one webhook per repository, reword this sentence
to explicitly clarify that users should replace the organization-level webhook
with a repository-level webhook for that specific repository, not add both.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8833175a-3237-40a2-a595-65124aae29ec

📥 Commits

Reviewing files that changed from the base of the PR and between 8f28007 and 221f3f7.

📒 Files selected for processing (1)

• source/integrations-guide/github.rst

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 221f3f7

[github-actions]

Newest code from mattermost has been published to preview environment for Git SHA 0286a1a

[Copilot]

Pull request overview

Updates the GitHub integration guide to clarify webhook setup options (organization-level vs repository-level) and to warn readers that overlapping webhooks can cause duplicate Mattermost notifications.

Changes:

• Replaces org-only webhook guidance with explicit org-level and repo-level webhook options.
• Adds an .. important:: admonition warning that each repository’s events must be delivered by exactly one webhook to avoid duplicate notifications.
• Adds an .. note:: explaining a potentially misleading “No webhook was found…” message when relying on org-level webhooks.