Skip to content

Git-event automation

Git-event automation moves a task’s board card automatically when its linked pull/merge request changes state — so the board reflects delivery without anyone dragging cards. When a linked PR/MR opens, the card moves to Review; when it merges, the card moves to Complete (#1257, backend #329).

The receiver is off by default and project-scoped: each project has its own webhook URL and signing secret. It moves cards forward only and never bypasses your board’s WIP or permission rules.

The Git-event automation section is project-admin only (Owner or Admin). A Member never sees it. Configuration lives under Project → Settings → Integrations → Git-event automation.

  1. Open Project → Settings → Integrations. In the Git-event automation section, turn the toggle on. It is off by default — cards only move while it is on.
  2. Copy the webhook URL. It is unique to this project.
  3. Click Generate secret. The signing secret is shown once — copy it immediately. It can’t be retrieved again; if you lose it, rotate to issue a new one.
  4. Add the webhook in your Git provider (see below), pasting in the URL and the secret.

If automation is on but no secret is set, the receiver rejects every webhook until you generate one — the settings page warns you when this is the case.

In the repository’s Settings → Webhooks → Add webhook:

  • Payload URL — the webhook URL you copied
  • Content typeapplication/json
  • Secret — the generated secret
  • Which eventsLet me select individual eventsPull requests

In the project’s Settings → Webhooks:

  • URL — the webhook URL you copied
  • Secret token — the generated secret
  • TriggerMerge request events

Click Rotate secret to issue a new signing secret. The previous secret stops working immediately, so update your provider’s webhook with the new value or automation will stop. As with generation, the new secret is shown only once.

  • Signature-verified. Every inbound webhook must carry a valid signature computed from the project’s secret; unsigned or mis-signed requests are rejected. The secret is stored encrypted and is never returned by the API after generation.
  • Off by default. Nothing happens until an admin both enables automation and sets a secret.
  • Forward-only. Cards advance (→ Review, → Complete); the receiver never moves a card backward and never overrides board permissions.

This is the OSS, user-driven, per-project automation. The org-wide, bidirectional Integration Hub (centrally administered connectors with writeback) is an Enterprise feature (ADR-0097). Git-event automation needs no Enterprise edition — a single team can wire it up themselves.