Skip to content

v0.5.113: jira, ashby, google ads, grain updates#3557

Merged
icecrasher321 merged 5 commits intomainfrom
staging
Mar 13, 2026
Merged

v0.5.113: jira, ashby, google ads, grain updates#3557
icecrasher321 merged 5 commits intomainfrom
staging

Conversation

@icecrasher321
Copy link
Collaborator

@icecrasher321 icecrasher321 commented Mar 13, 2026

Summary

waleedlatif1 and others added 5 commits March 12, 2026 14:08
@waleedlatif1
fix(jira): remove unnecessary projectId dependency from manualIssueKey (
fdd587d 
#3547)

Issue keys are self-sufficient identifiers in Jira (e.g., PROJ-123).
The manualIssueKey field is a text input where users type the key directly,
so it should not depend on projectId/manualProjectId. This dependency
caused the field to clear unnecessarily when the project selection changed.
@waleedlatif1
feat(ashby): add webhook triggers with automatic lifecycle management (
4cb0f4a 
…#3548)

* feat(ashby): add webhook triggers with automatic lifecycle management

* fix(ashby): address PR review comments

- Restore mode: 'advanced' on updateName sub-block
- Move action after spread in formatWebhookInput to prevent override
- Remove generic webhook trigger (Ashby requires webhookType)

* fix(ashby): throw on unknown triggerId, always include webhookType

* fix(ashby): address PR review feedback - paramVisibility, stageType, json catch

- Add paramVisibility: 'user-only' to apiKey extra field
- Remove stageType from candidateStageChange/candidateHire outputs (TriggerOutput type conflict with 'type' field)
- Add .catch() fallback to .json() parse in createAshbyWebhookSubscription
- Fix candidateStageChange outputs to match actual Ashby application payload structure

* fix(ashby): add missing applicationSubmit outputs, fix delete log branches

- Add candidate, currentInterviewStage, job to applicationSubmit outputs
- Split delete webhook log into ok/404/error branches for accurate logging

* fix(ashby): drain response body on delete, clarify decidedAt description

- Cancel unconsumed response body in ok/404 delete branches to free connections
- Update decidedAt description to note it's typically null at offer creation

* fix(ashby): eliminate double-logging, fix hiringTeam JSDoc

- Remove pre-throw warn/error logs; catch block is single logging point
- Remove hiringTeam from candidateHire JSDoc (TriggerOutput doesn't support arrays)
@waleedlatif1 @claude
fix(executor): skip Response block formatting for internal JWT callers (
72bb7e6 
#3551)

* fix(executor): skip Response block formatting for internal JWT callers

The workflow executor tool received `{error: true}` despite successful child
workflow execution when the child had a Response block. This happened because
`createHttpResponseFromBlock()` hijacked the response with raw user-defined
data, and the executor's `transformResponse` expected the standard
`{success, executionId, output, metadata}` wrapper.

Fix: skip Response block formatting when `authType === INTERNAL_JWT` since
Response blocks are designed for external API consumers, not internal
workflow-to-workflow calls. Also extract `AuthType` constants from magic
strings across all auth type comparisons in the codebase.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test(executor): add route-level tests for Response block auth gating

Verify that internal JWT callers receive standard format while external
callers (API key, session) get Response block formatting. Tests the
server-side condition directly using workflowHasResponseBlock and
createHttpResponseFromBlock with AuthType constants.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(testing): add AuthType to all hybrid auth test mocks

Route code now imports AuthType from @/lib/auth/hybrid, so test mocks
must export it too. Added AuthTypeMock to @sim/testing and included it
in all 15 test files that mock the hybrid auth module.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@waleedlatif1 @claude
feat(google-ads): add google ads integration for campaign and ad perf…
a8bbab2 
…ormance queries (#3360)

* feat(google-ads): add google ads integration for campaign and ad performance queries

* fix(google-ads): add input validation for GAQL query parameters

* fix(google-ads): remove deprecated pageSize param, fix searchSettings nesting, add missing date ranges

* fix(google-ads): validate managerCustomerId before use in login-customer-id header

* chore(docs): regenerate docs after google ads integration

* fix(google-ads): use centralized scope utilities and add type re-export

- Replace hardcoded scopes in auth.ts with getCanonicalScopesForProvider('google-ads')
- Replace hardcoded requiredScopes in block with getScopesForService('google-ads')
- Add type re-export from index.ts barrel

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(google-ads): add userinfo scopes to oauth provider config

Align google-ads with all other Google services by including
userinfo.email and userinfo.profile scopes in the centralized
OAUTH_PROVIDERS config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@icecrasher321
fix(grain): update to stable version of API (#3556)
d90f828 
* fix(grain): update to stable version of API

* fix prewebhook lookup

* update pending webhook verification infra

* add generic webhook test event verification subblock
@vercel
Copy link

vercel bot commented Mar 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Mar 13, 2026 5:50am

Request Review

@cursor
Copy link

cursor bot commented Mar 13, 2026
edited
Loading

PR Summary

High Risk
Touches workflow execution responses, webhook trigger routing/deployment, and shared auth-type handling; regressions here could affect API callers and trigger reliability. Also adds new external integrations (Google Ads, Ashby, Grain API changes) with new request shapes and credentials handling.

Overview
Adds Google Ads as a first-class integration across docs + UI + backend: new google_ads block, OAuth provider/service registration, icon + docs page, and a suite of tools for listing customers/campaigns/ad groups and fetching campaign/ad performance (GAQL + metrics queries).

Expands webhook capabilities by introducing managed Ashby webhook triggers (new trigger configs and automatic create/delete lifecycle), plus a new “pending webhook verification” mechanism (Redis/in-memory) so providers like Grain (and optionally generic) can get 200 OK verification responses before a webhook DB row exists; webhook deploy now registers/clears these entries and the trigger route now supports pre-lookup verification for GET and empty POST probes.

Stabilizes and adjusts existing integrations/infra: Grain webhook APIs are updated to the newer endpoints and now require viewId (adds grain_list_views and updates hook create/list/delete shapes), Jira’s manual issue key input removes unnecessary dependencies, and workflow execution skips Response-block formatting for internal_jwt callers; AuthType is centralized and replaces string literals throughout routes/tests.

Written by Cursor Bugbot for commit d90f828. Configure here.

@icecrasher321 icecrasher321 merged commit 4c12914 into main Mar 13, 2026
27 checks passed
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Mar 13, 2026
edited
Loading

Greptile Summary

This PR bundles five distinct improvements: a Jira fix removing unnecessary projectId dependencies, full Ashby webhook trigger support with lifecycle management, an executor fix that skips Response block formatting for internal JWT callers, a new Google Ads integration for campaign/ad performance queries, and a Grain API update to the stable (non-versioned) API surface.

Key points:

  • Ashby webhooks are created/deleted via the Ashby API and the PendingWebhookVerificationTracker elegantly handles provider URL probes before the webhook row exists.
  • Grain stable API migration replaces hook_type/filters with view_id/actions and removes the deprecated Public-Api-Version header.
  • Google Ads integration is thorough: six tools with input validation helpers, OAuth scaffolding, and a well-structured block definition.
  • Executor fix adds AuthType const-enum to replace magic strings and correctly gates Response-block HTTP formatting away from internal JWT callers.
  • The Ashby inbound webhook handler at formatWebhookInput both spreads body.data at the top level and redundantly re-attaches it under data, diverging from the declared trigger output schemas.
  • Incoming Ashby webhook payloads are not signature-verified, leaving the endpoint open to forged requests from anyone who discovers the webhook URL.
  • Both ad_performance.ts and campaign_performance.ts silently fall back to a predefined date range when only one of startDate/endDate is provided, which can produce confusing query results.

Confidence Score: 3/5

  • Safe to merge with caveats — the Ashby webhook handler lacks signature verification and the Google Ads date-range fallback can silently produce unexpected queries.
  • Most of the changes are well-structured and well-tested. The executor fix and auth enum refactor are low-risk improvements. The Grain API migration and pending-verification infrastructure are solid. The score is held at 3 because: (1) the missing Ashby inbound webhook signature verification is a real security gap — anyone who learns the webhook URL can forge events; and (2) the partial-date-range silent fallback in ad/campaign performance tools will produce unexpectedly broad queries without any user feedback.
  • apps/sim/lib/webhooks/provider-subscriptions.ts (Ashby signature verification), apps/sim/tools/google_ads/ad_performance.ts and apps/sim/tools/google_ads/campaign_performance.ts (partial date range handling), apps/sim/lib/webhooks/utils.server.ts (Ashby output schema redundancy).

Important Files Changed

Filename Overview
apps/sim/app/api/workflows/[id]/execute/route.ts Refactors string literals to AuthType enum constants and adds a guard to skip Response block formatting for internal JWT callers — a clean, correct fix.
apps/sim/lib/webhooks/provider-subscriptions.ts Adds Ashby webhook create/delete integration and updates Grain to stable API v2; the Ashby inbound payload handler lacks signature verification, which is a security concern.
apps/sim/lib/webhooks/pending-verification.ts New module that registers short-lived pending verification entries (Redis or in-memory) to handle provider URL probes before the webhook record is created; well-structured with proper TTL and cleanup.
apps/sim/lib/webhooks/processor.ts Adds handlePreLookupWebhookVerification to handle provider reachability probes before a webhook row exists; replaces the static PROVIDERS_WITH_PRE_DEPLOYMENT_VERIFICATION set with the dynamic requiresPendingWebhookVerification check.
apps/sim/lib/webhooks/utils.server.ts Adds an Ashby formatter that spreads body.data at the top level and also re-attaches it as a nested data key, creating redundant output fields not declared in the trigger output schemas.
apps/sim/tools/google_ads/types.ts Defines shared Google Ads types and validation helpers; validateDate only checks format (not logical validity) and validateNumericId silently strips dashes, which could cause unexpected API errors.
apps/sim/tools/google_ads/ad_performance.ts New tool for ad performance queries; the partial custom date range (only startDate or endDate) silently falls back to the predefined dateRange without validation or warning.
apps/sim/tools/google_ads/campaign_performance.ts New campaign performance tool; same partial date range fallback issue as ad_performance.ts.
apps/sim/blocks/blocks/google_ads.ts Comprehensive Google Ads block definition with conditional subBlocks, tool routing, and proper OAuth setup; well-structured.
apps/sim/blocks/blocks/jira.ts Removes the unnecessary projectId and manualProjectId dependencies from manualIssueKey, fixing the overly restrictive dependsOn condition.
apps/sim/triggers/ashby/utils.ts Defines Ashby trigger options, setup instructions, extra fields, and output builders for all six event types; thorough and well-documented.
apps/sim/tools/grain/create_hook.ts Updated to Grain stable API: replaces hook_type/filters/includes with view_id/actions and removes the deprecated Public-Api-Version header.
apps/sim/lib/auth/hybrid.ts Introduces AuthType const-enum to replace magic string literals; clean refactor with no behavioral changes.
apps/sim/lib/webhooks/deploy.ts Integrates PendingWebhookVerificationTracker into the deploy flow to register and clean up pending verification entries around external subscription creation.

Sequence Diagram

sequenceDiagram
    participant Client as External Provider<br/>(Ashby / Grain)
    participant Route as /api/webhooks/trigger/[path]
    participant Processor as processor.ts
    participant PendingStore as PendingVerification<br/>(Redis / In-Memory)
    participant DB as Database
    participant Executor as Workflow Executor

    Note over Client,PendingStore: Phase 1 – Deploy (URL Probe Window)
    Client->>Route: GET/POST probe (URL verification)
    Route->>Processor: handlePreLookupWebhookVerification()
    Processor->>PendingStore: getPendingWebhookVerification(path)
    PendingStore-->>Processor: PendingVerification entry (TTL 120s)
    Processor-->>Route: 200 OK { status: "ok" }
    Route-->>Client: 200 OK

    Note over Client,Executor: Phase 2 – Normal Event Delivery
    Client->>Route: POST event payload
    Route->>DB: findAllWebhooksForPath(path)
    DB-->>Route: webhook record(s)
    Route->>Processor: checkWebhookPreprocessing()
    Processor->>Processor: shouldSkipWebhookEvent()
    Processor->>Executor: preprocessExecution()
    Executor-->>Route: ExecutionResult
    Route-->>Client: 200 OK

    Note over Client,Executor: Phase 3 – Internal JWT (A2A / sub-workflow)
    Client->>Route: POST /workflows/[id]/execute (internal_jwt)
    Route->>Executor: execute workflow
    Executor-->>Route: ExecutionResult (with Response block)
    alt auth.authType === INTERNAL_JWT
        Route-->>Client: Standard JSON result (no HTTP-block formatting)
    else API key / Session
        Route-->>Client: HTTP response shaped by Response block
    end
Loading

Comments Outside Diff (3)

  1. apps/sim/tools/google_ads/types.ts, line 976-981 (link)

    Date format validation does not check logical validity

    validateDate only confirms the string matches YYYY-MM-DD via regex — it does not validate whether the date is actually valid (e.g. 2024-99-99 passes). An invalid date will be forwarded to the Google Ads API, which will return an opaque error instead of a descriptive one from the Sim layer.

    Consider adding a logical range check or using Date.parse / new Date(value) to catch clearly invalid dates before the request is made:

  2. apps/sim/tools/google_ads/ad_performance.ts, line 426-433 (link)

    Partial custom date range silently ignored

    When a user provides only startDate without endDate (or vice versa), the condition params.startDate && params.endDate is false and the code silently falls back to the predefined dateRange. This means a partially-filled custom date range is ignored without any warning or error, which can produce unexpected query results.

    The same pattern exists in apps/sim/tools/google_ads/campaign_performance.ts at the equivalent body handler.

    Consider adding an explicit guard:

  3. apps/sim/lib/webhooks/provider-subscriptions.ts, line 613-629 (link)

    Missing incoming Ashby webhook signature verification

    Ashby's webhook delivery includes a secretToken field in the subscription creation response and sends signed requests. Without verifying an HMAC or shared secret on incoming payloads, any actor who discovers the webhook URL (e.g. from logs or network traffic) can trigger arbitrary workflow executions by POST-ing a forged Ashby event.

    Most other providers in this codebase that accept inbound webhooks (Stripe, GitHub, Twilio, etc.) implement signature validation in shouldSkipWebhookEvent or via dedicated helpers. Consider storing the secret returned by responseBody.results at webhook-creation time in providerConfig and then validating the X-Ashby-Signature or equivalent header in shouldSkipWebhookEvent / handleProviderChallenges before processing the payload.

Last reviewed commit: d90f828

greptile-apps[bot]
greptile-apps bot reviewed Mar 13, 2026
View reviewed changes
apps/sim/lib/webhooks/utils.server.ts
Comment on lines 1244 to +1253
return extractPageData(body)
}

if (foundWebhook.provider === 'ashby') {
return {
...(body.data || {}),
action: body.action,
data: body.data || {},
}
}
Copy link
Contributor

@greptile-apps greptile-apps bot Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant data in Ashby webhook output

The Ashby formatter spreads the contents of body.data at the top level AND re-attaches it under the data key. This means every event field (e.g. application, candidate) appears twice in the workflow output — once at the root and once nested under data.

This dual representation isn't harmful, but it diverges from the output schemas defined in triggers/ashby/utils.ts, which only declare top-level output keys (no nested data). Users who inadvertently reference output.data.application instead of output.application will get the same value, which could mask configuration mistakes or confuse debugging.

Consider removing the redundant data key to keep the output schema consistent with the declared trigger outputs:

Suggested change
return extractPageData(body)
}
if (foundWebhook.provider === 'ashby') {
return {
...(body.data || {}),
action: body.action,
data: body.data || {},
}
}
if (foundWebhook.provider === 'ashby') {
return {
...(body.data || {}),
action: body.action,
}
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@icecrasher321 @waleedlatif1